PF eats SYN,ACK from certain servers

Hi everyone,

I'm running a FreeBSD system as a transparent network bridge, and for some reason pf keeps dropping SYN,ACK packets from certain hosts, even though, as far as I can see, it shouldn't filter anything. This is my minimal ruleset:

Code:
int_if="em0"
ext_if="re0"

pass all

And this is what the internal interface sees:
Code:
No.     Time           Source                Destination           Protocol Length Info
      1 0.000000       192.168.0.186         185.60.115.40         TCP      66     51580→443 [SYN] Seq=0 Win=8192 Len=0 MSS=1460 WS=256 SACK_PERM=1
      2 0.251249       192.168.0.186         185.60.115.40         TCP      66     51581→443 [SYN] Seq=0 Win=8192 Len=0 MSS=1460 WS=256 SACK_PERM=1
      3 3.002033       192.168.0.186         185.60.115.40         TCP      66     [TCP Retransmission] 51580→443 [SYN] Seq=0 Win=8192 Len=0 MSS=1460 WS=256 SACK_PERM=1
      4 3.251273       192.168.0.186         185.60.115.40         TCP      66     [TCP Retransmission] 51581→443 [SYN] Seq=0 Win=8192 Len=0 MSS=1460 WS=256 SACK_PERM=1
      5 9.002851       192.168.0.186         185.60.115.40         TCP      62     [TCP Retransmission] 51580→443 [SYN] Seq=0 Win=8192 Len=0 MSS=1460 SACK_PERM=1
      6 9.251569       192.168.0.186         185.60.115.40         TCP      62     [TCP Retransmission] 51581→443 [SYN] Seq=0 Win=8192 Len=0 MSS=1460 SACK_PERM=1
      7 56.431146      192.168.0.186         185.60.115.40         TCP      66     51608→443 [SYN] Seq=0 Win=8192 Len=0 MSS=1460 WS=256 SACK_PERM=1
      8 56.683067      192.168.0.186         185.60.115.40         TCP      66     51609→443 [SYN] Seq=0 Win=8192 Len=0 MSS=1460 WS=256 SACK_PERM=1
      9 59.431187      192.168.0.186         185.60.115.40         TCP      66     [TCP Retransmission] 51608→443 [SYN] Seq=0 Win=8192 Len=0 MSS=1460 WS=256 SACK_PERM=1
     10 59.683348      192.168.0.186         185.60.115.40         TCP      66     [TCP Retransmission] 51609→443 [SYN] Seq=0 Win=8192 Len=0 MSS=1460 WS=256 SACK_PERM=1
     11 65.431610      192.168.0.186         185.60.115.40         TCP      62     [TCP Retransmission] 51608→443 [SYN] Seq=0 Win=8192 Len=0 MSS=1460 SACK_PERM=1
     12 65.684462      192.168.0.186         185.60.115.40         TCP      62     [TCP Retransmission] 51609→443 [SYN] Seq=0 Win=8192 Len=0 MSS=1460 SACK_PERM=1

The server does not answer the handshake; so far, so normal. But on the external interface, the SYN,ACKs are arriving:
Code:
No.     Time           Source                Destination           Protocol Length Info
      1 0.000000       192.168.0.186         185.60.115.40         TCP      66     51608→443 [SYN] Seq=0 Win=8192 Len=0 MSS=1460 WS=256 SACK_PERM=1
      2 0.036503       185.60.115.40         192.168.0.186         TCP      62     443→51608 [SYN, ACK] Seq=0 Ack=1 Win=8192 Len=0 MSS=1460 SACK_PERM=1
      3 0.251913       192.168.0.186         185.60.115.40         TCP      66     51609→443 [SYN] Seq=0 Win=8192 Len=0 MSS=1460 WS=256 SACK_PERM=1
      4 0.285579       185.60.115.40         192.168.0.186         TCP      62     443→51609 [SYN, ACK] Seq=0 Ack=1 Win=8192 Len=0 MSS=1460 SACK_PERM=1
      5 3.000028       192.168.0.186         185.60.115.40         TCP      66     [TCP Spurious Retransmission] 51608→443 [SYN] Seq=0 Win=8192 Len=0 MSS=1460 WS=256 SACK_PERM=1
      6 3.033958       185.60.115.40         192.168.0.186         TCP      62     [TCP Previous segment not captured] [TCP Port numbers reused] 443→51608 [SYN, ACK] Seq=258238357 Ack=1 Win=8192 Len=0 MSS=1460 SACK_PERM=1
      7 3.252161       192.168.0.186         185.60.115.40         TCP      66     [TCP Spurious Retransmission] 51609→443 [SYN] Seq=0 Win=8192 Len=0 MSS=1460 WS=256 SACK_PERM=1
      8 3.285407       185.60.115.40         192.168.0.186         TCP      62     [TCP Previous segment not captured] [TCP Port numbers reused] 443→51609 [SYN, ACK] Seq=448165782 Ack=1 Win=8192 Len=0 MSS=1460 SACK_PERM=1
      9 9.000445       192.168.0.186         185.60.115.40         TCP      62     [TCP Spurious Retransmission] 51608→443 [SYN] Seq=0 Win=8192 Len=0 MSS=1460 SACK_PERM=1
     10 9.033202       185.60.115.40         192.168.0.186         TCP      62     [TCP Retransmission] [TCP Port numbers reused] 443→51608 [SYN, ACK] Seq=3508529389 Ack=1 Win=8192 Len=0 MSS=1460 SACK_PERM=1
     11 9.253297       192.168.0.186         185.60.115.40         TCP      62     [TCP Spurious Retransmission] 51609→443 [SYN] Seq=0 Win=8192 Len=0 MSS=1460 SACK_PERM=1
     12 9.286976       185.60.115.40         192.168.0.186         TCP      62     [TCP Previous segment not captured] [TCP Port numbers reused] 443→51609 [SYN, ACK] Seq=1638706863 Ack=1 Win=8192 Len=0 MSS=1460 SACK_PERM=1

This behavior seems to be consistent when talking to 185.60.115.40:443 (Blizzard's login services), even when tested across several ISPs. Equally consistent is that pfctl -d makes the problem disappear. So it's obviously something with the pf rules; what am I doing wrong?
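The post compares the two captures by eye. The following is an added example, not code from the poster or from the pf project: it parses a Wireshark packet list copied from each side of the bridge and reports every TCP SYN,ACK that was seen on the outside interface but never appeared on the inside, which is exactly the symptom described above. The sample listings embedded below are copied from the two captures in the post (trimmed to a few rows); the helper names (parse_listing, missing_synacks, report) are my own and not part of any tool.

```python
# Added example: correlate a Wireshark packet-list export taken on the outside interface
# of a bridge with one taken on the inside, and report the SYN,ACK replies that did not
# cross. Sample rows below are copied from the post; the helper names are assumptions.
import re
from dataclasses import dataclass

# One row of Wireshark's packet list: No. Time Source Destination Protocol Length Info
ROW_RE = re.compile(
    r"^\s*(?P<no>\d+)\s+(?P<time>[\d.]+)\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+TCP\s+\d+\s+(?P<info>.*)$"
)
# "51608→443 [SYN]" or "443→51608 [SYN, ACK]" somewhere in the Info column
PORTS_RE = re.compile(r"(?P<sport>\d+)→(?P<dport>\d+)\s+\[(?P<flags>[^\]]+)\]")


@dataclass(frozen=True)
class Segment:
    time: float
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset


def parse_listing(text: str) -> list:
    """Parse a copied Wireshark packet list; header, blank and non-TCP lines are skipped."""
    segments = []
    for line in text.splitlines():
        row = ROW_RE.match(line)
        if not row:
            continue
        ports = PORTS_RE.search(row["info"])
        if not ports:
            continue
        flags = frozenset(f.strip() for f in ports["flags"].split(","))
        segments.append(Segment(float(row["time"]), row["src"], int(ports["sport"]),
                                row["dst"], int(ports["dport"]), flags))
    return segments


def client_server(seg: Segment) -> tuple:
    """((client, port), (server, port)): a SYN travels client->server, a SYN,ACK server->client."""
    if "ACK" in seg.flags:
        return ((seg.dst, seg.dport), (seg.src, seg.sport))
    return ((seg.src, seg.sport), (seg.dst, seg.dport))


def missing_synacks(outside: list, inside: list) -> dict:
    """Flows whose SYN was seen inside and whose SYN,ACK was seen outside but never inside.
    Returns {(client, server): [outside timestamps of the SYN,ACKs that did not cross]}."""
    synack = {"SYN", "ACK"}
    inside_syn = {client_server(s) for s in inside if s.flags == {"SYN"}}
    inside_synack = {client_server(s) for s in inside if s.flags >= synack}
    lost = {}
    for s in outside:
        if s.flags >= synack:
            key = client_server(s)
            if key in inside_syn and key not in inside_synack:
                lost.setdefault(key, []).append(s.time)
    return lost


# Constructed input: rows copied from the post's inside (em0) and outside (re0) captures.
INSIDE_LISTING = """\
No.     Time           Source                Destination           Protocol Length Info
      7 56.431146      192.168.0.186         185.60.115.40         TCP      66     51608→443 [SYN] Seq=0 Win=8192 Len=0 MSS=1460 WS=256 SACK_PERM=1
      8 56.683067      192.168.0.186         185.60.115.40         TCP      66     51609→443 [SYN] Seq=0 Win=8192 Len=0 MSS=1460 WS=256 SACK_PERM=1
      9 59.431187      192.168.0.186         185.60.115.40         TCP      66     [TCP Retransmission] 51608→443 [SYN] Seq=0 Win=8192 Len=0 MSS=1460 WS=256 SACK_PERM=1
"""
OUTSIDE_LISTING = """\
No.     Time           Source                Destination           Protocol Length Info
      1 0.000000       192.168.0.186         185.60.115.40         TCP      66     51608→443 [SYN] Seq=0 Win=8192 Len=0 MSS=1460 WS=256 SACK_PERM=1
      2 0.036503       185.60.115.40         192.168.0.186         TCP      62     443→51608 [SYN, ACK] Seq=0 Ack=1 Win=8192 Len=0 MSS=1460 SACK_PERM=1
      3 0.251913       192.168.0.186         185.60.115.40         TCP      66     51609→443 [SYN] Seq=0 Win=8192 Len=0 MSS=1460 WS=256 SACK_PERM=1
      4 0.285579       185.60.115.40         192.168.0.186         TCP      62     443→51609 [SYN, ACK] Seq=0 Ack=1 Win=8192 Len=0 MSS=1460 SACK_PERM=1
      6 3.033958       185.60.115.40         192.168.0.186         TCP      62     [TCP Previous segment not captured] [TCP Port numbers reused] 443→51608 [SYN, ACK] Seq=258238357 Ack=1 Win=8192 Len=0 MSS=1460 SACK_PERM=1
"""


def report(outside_text: str = OUTSIDE_LISTING, inside_text: str = INSIDE_LISTING) -> list:
    """One line per affected flow, sorted by client endpoint."""
    lost = missing_synacks(parse_listing(outside_text), parse_listing(inside_text))
    return [f"{c[0]}:{c[1]} -> {s[0]}:{s[1]}: {len(times)} SYN,ACK seen outside, none inside"
            for (c, s), times in sorted(lost.items())]


if __name__ == "__main__":
    print("\n".join(report()))
```

With the two listings from the post this reports both flows (51608 and 51609 to 185.60.115.40:443) as having SYN,ACKs that reached re0 but never em0; feeding the same listing for both sides reports nothing, which is the sanity check to run before trusting a result from real captures.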