Hi everyone,
I'm running a FreeBSD system as a transparent network bridge, and for some reason pf keeps dropping SYN,ACK packets from certain hosts, even though as far as I see it, it shouldn't filter anything. This is my minimal ruleset:
Code:
int_if="em0"
ext_if="re0"
pass all
And this is what the internal interface sees:
Code:
No. Time Source Destination Protocol Length Info
1 0.000000 192.168.0.186 185.60.115.40 TCP 66 51580→443 [SYN] Seq=0 Win=8192 Len=0 MSS=1460 WS=256 SACK_PERM=1
2 0.251249 192.168.0.186 185.60.115.40 TCP 66 51581→443 [SYN] Seq=0 Win=8192 Len=0 MSS=1460 WS=256 SACK_PERM=1
3 3.002033 192.168.0.186 185.60.115.40 TCP 66 [TCP Retransmission] 51580→443 [SYN] Seq=0 Win=8192 Len=0 MSS=1460 WS=256 SACK_PERM=1
4 3.251273 192.168.0.186 185.60.115.40 TCP 66 [TCP Retransmission] 51581→443 [SYN] Seq=0 Win=8192 Len=0 MSS=1460 WS=256 SACK_PERM=1
5 9.002851 192.168.0.186 185.60.115.40 TCP 62 [TCP Retransmission] 51580→443 [SYN] Seq=0 Win=8192 Len=0 MSS=1460 SACK_PERM=1
6 9.251569 192.168.0.186 185.60.115.40 TCP 62 [TCP Retransmission] 51581→443 [SYN] Seq=0 Win=8192 Len=0 MSS=1460 SACK_PERM=1
7 56.431146 192.168.0.186 185.60.115.40 TCP 66 51608→443 [SYN] Seq=0 Win=8192 Len=0 MSS=1460 WS=256 SACK_PERM=1
8 56.683067 192.168.0.186 185.60.115.40 TCP 66 51609→443 [SYN] Seq=0 Win=8192 Len=0 MSS=1460 WS=256 SACK_PERM=1
9 59.431187 192.168.0.186 185.60.115.40 TCP 66 [TCP Retransmission] 51608→443 [SYN] Seq=0 Win=8192 Len=0 MSS=1460 WS=256 SACK_PERM=1
10 59.683348 192.168.0.186 185.60.115.40 TCP 66 [TCP Retransmission] 51609→443 [SYN] Seq=0 Win=8192 Len=0 MSS=1460 WS=256 SACK_PERM=1
11 65.431610 192.168.0.186 185.60.115.40 TCP 62 [TCP Retransmission] 51608→443 [SYN] Seq=0 Win=8192 Len=0 MSS=1460 SACK_PERM=1
12 65.684462 192.168.0.186 185.60.115.40 TCP 62 [TCP Retransmission] 51609→443 [SYN] Seq=0 Win=8192 Len=0 MSS=1460 SACK_PERM=1
The server does not send a handshake; so far, so normal. But on the external interface, the SYN,ACKs are arriving:
Code:
No. Time Source Destination Protocol Length Info
1 0.000000 192.168.0.186 185.60.115.40 TCP 66 51608→443 [SYN] Seq=0 Win=8192 Len=0 MSS=1460 WS=256 SACK_PERM=1
2 0.036503 185.60.115.40 192.168.0.186 TCP 62 443→51608 [SYN, ACK] Seq=0 Ack=1 Win=8192 Len=0 MSS=1460 SACK_PERM=1
3 0.251913 192.168.0.186 185.60.115.40 TCP 66 51609→443 [SYN] Seq=0 Win=8192 Len=0 MSS=1460 WS=256 SACK_PERM=1
4 0.285579 185.60.115.40 192.168.0.186 TCP 62 443→51609 [SYN, ACK] Seq=0 Ack=1 Win=8192 Len=0 MSS=1460 SACK_PERM=1
5 3.000028 192.168.0.186 185.60.115.40 TCP 66 [TCP Spurious Retransmission] 51608→443 [SYN] Seq=0 Win=8192 Len=0 MSS=1460 WS=256 SACK_PERM=1
6 3.033958 185.60.115.40 192.168.0.186 TCP 62 [TCP Previous segment not captured] [TCP Port numbers reused] 443→51608 [SYN, ACK] Seq=258238357 Ack=1 Win=8192 Len=0 MSS=1460 SACK_PERM=1
7 3.252161 192.168.0.186 185.60.115.40 TCP 66 [TCP Spurious Retransmission] 51609→443 [SYN] Seq=0 Win=8192 Len=0 MSS=1460 WS=256 SACK_PERM=1
8 3.285407 185.60.115.40 192.168.0.186 TCP 62 [TCP Previous segment not captured] [TCP Port numbers reused] 443→51609 [SYN, ACK] Seq=448165782 Ack=1 Win=8192 Len=0 MSS=1460 SACK_PERM=1
9 9.000445 192.168.0.186 185.60.115.40 TCP 62 [TCP Spurious Retransmission] 51608→443 [SYN] Seq=0 Win=8192 Len=0 MSS=1460 SACK_PERM=1
10 9.033202 185.60.115.40 192.168.0.186 TCP 62 [TCP Retransmission] [TCP Port numbers reused] 443→51608 [SYN, ACK] Seq=3508529389 Ack=1 Win=8192 Len=0 MSS=1460 SACK_PERM=1
11 9.253297 192.168.0.186 185.60.115.40 TCP 62 [TCP Spurious Retransmission] 51609→443 [SYN] Seq=0 Win=8192 Len=0 MSS=1460 SACK_PERM=1
12 9.286976 185.60.115.40 192.168.0.186 TCP 62 [TCP Previous segment not captured] [TCP Port numbers reused] 443→51609 [SYN, ACK] Seq=1638706863 Ack=1 Win=8192 Len=0 MSS=1460 SACK_PERM=1
This behavior seems to be consistent when talking to 185.60.115.40:443 (Blizzard's login services), even when tested across several ISPs. Equally consistent is that pfctl -d makes the problem disappear. So it's obviously something with the pf rules; what am I doing wrong?
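Comparing the two captures mechanically is the quickest way to show that the replies are lost inside the bridge rather than upstream. The script below is an added example, not code from the post: it parses Wireshark summary rows in the format pasted above (a trimmed, constructed copy of the post's rows is embedded; the "No. Time ..." header lines are simply ignored) and lists every flow whose SYN was seen on both interfaces but whose SYN,ACK was seen on the external side more often than on the internal side.

```python
import re
# Constructed sample captures in the Wireshark summary format pasted in the
# post (rows taken from the post, trimmed); port 443 is the far end.
INTERNAL = """\
1 0.000000 192.168.0.186 185.60.115.40 TCP 66 51608→443 [SYN] Seq=0 Win=8192 Len=0 MSS=1460 WS=256 SACK_PERM=1
2 0.251249 192.168.0.186 185.60.115.40 TCP 66 51609→443 [SYN] Seq=0 Win=8192 Len=0 MSS=1460 WS=256 SACK_PERM=1
"""
EXTERNAL = """\
1 0.000000 192.168.0.186 185.60.115.40 TCP 66 51608→443 [SYN] Seq=0 Win=8192 Len=0 MSS=1460 WS=256 SACK_PERM=1
2 0.036503 185.60.115.40 192.168.0.186 TCP 62 443→51608 [SYN, ACK] Seq=0 Ack=1 Win=8192 Len=0 MSS=1460 SACK_PERM=1
3 0.251913 192.168.0.186 185.60.115.40 TCP 66 51609→443 [SYN] Seq=0 Win=8192 Len=0 MSS=1460 WS=256 SACK_PERM=1
4 0.285579 185.60.115.40 192.168.0.186 TCP 62 443→51609 [SYN, ACK] Seq=0 Ack=1 Win=8192 Len=0 MSS=1460 SACK_PERM=1
6 3.033958 185.60.115.40 192.168.0.186 TCP 62 [TCP Previous segment not captured] [TCP Port numbers reused] 443→51608 [SYN, ACK] Seq=258238357 Ack=1 Win=8192 Len=0 MSS=1460 SACK_PERM=1
"""
# Columns: No. Time Src Dst Proto Len Info; bracketed analysis notes that
# Wireshark puts in front of "sport→dport [FLAGS]" are skipped by the group.
LINE_RE = re.compile(
    r"^\s*\d+\s+(?P<t>[\d.]+)\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+TCP\s+\d+\s+"
    r"(?:\[[^\]]*\]\s+)*(?P<sport>\d+)→(?P<dport>\d+)\s+\[(?P<flags>[^\]]+)\]"
)

def parse(capture):
    """One dict per matching summary line; the flag list becomes a set."""
    pkts = [m.groupdict() for m in map(LINE_RE.match, capture.splitlines()) if m]
    for d in pkts:
        d["flags"] = {f.strip() for f in d["flags"].split(",")}
    return pkts

def handshake_counts(pkts):
    """Per-flow SYN and SYN,ACK counts keyed (client, cport, server, sport)."""
    syn, synack = {}, {}
    for p in pkts:
        if "SYN" not in p["flags"]:
            continue                     # only the handshake is of interest
        if "ACK" in p["flags"]:          # SYN,ACK: sender is the server, flip the key
            key, table = (p["dst"], p["dport"], p["src"], p["sport"]), synack
        else:
            key, table = (p["src"], p["sport"], p["dst"], p["dport"]), syn
        table[key] = table.get(key, 0) + 1
    return syn, synack

def dropped_synacks(internal, external):
    """Flows whose SYN crossed the bridge but whose SYN,ACK did not (fully)."""
    int_syn, int_sa = handshake_counts(parse(internal))
    ext_syn, ext_sa = handshake_counts(parse(external))
    lost = []
    for key, n_ext in sorted(ext_sa.items()):
        n_int = int_sa.get(key, 0)
        if n_ext > n_int and key in int_syn and key in ext_syn:
            lost.append({"flow": key, "ext_synack": n_ext, "int_synack": n_int})
    return lost
```

Feed it the full em0 and re0 captures (e.g. `tshark -r file.pcap` output) and any flow it reports is one where the SYN,ACK entered re0 but never left em0, which is the pf drop to investigate with pflog rather than a missing reply from the server.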