If this sequence of packet headers is valid: SYN, SYN+ACK, ACK ( the 3-way handshake), then why is the default flag filter S/SA?
I am having some difficulty in determining why NATed connections through a newly setup PF based router/firewall to a particular host drop. The one thing that stands out in the Wireshark trace is that immediately, or very shortly, before the connection lost is noticed by the user we see this sort of packet arrive from that host:
We have changed the PF filter rules for that host to include:
I am trying to understand why these packets are sent to begin with. The remote host is not supposed to be establishing connections with us, we are supposed to be connecting to them. I am not aware of any reason why the remote host would find it necessary to set up a new connection. In any case, the target is a NATed internal IP which indicate the connection must already exist.
I am having some difficulty in determining why NATed connections through a newly setup PF based router/firewall to a particular host drop. The one thing that stands out in the Wireshark trace is that immediately, or very shortly, before the connection lost is noticed by the user we see this sort of packet arrive from that host:
Code:
32090 11:25:12.360147379 999.999.28.164 192.168.8.92 TCP 66 2148 → 51682 [SYN, ACK] Seq=0 Ack=1 Win=5840 Len=0 MSS=1460 SACK_PERM=1 WS=128We have changed the PF filter rules for that host to include:
modulate state flags S/S, but this has not stopped the connection failures. It did reduce the incidence a great deal however. I am trying to understand why these packets are sent to begin with. The remote host is not supposed to be establishing connections with us, we are supposed to be connecting to them. I am not aware of any reason why the remote host would find it necessary to set up a new connection. In any case, the target is a NATed internal IP which indicate the connection must already exist.
