Hi,

I don't know what happened. I just set up an internal LAN firewall using PF (v3.6). The PF firewall has defaultrouter set to the external firewall (facing the internet). All my PCs have their default gateway set to the PF firewall. When I start downloading an ISO file from some website, the first 13% was fine, then the PF firewall suddenly started blocking the traffic from my PC to the external website I am downloading the file from. After a while (about 6 minutes), my download resumed, then stopped for 5 minutes, then resumed....

Here are the running rules loaded into memory in the PF firewall:

root_at_intgw2:/usr/local/etc# pfctl -sr
block drop in log all
pass quick on xl0 proto pfsync all
pass in on fxp0 inet proto carp from 10.1.254.250 to any keep state
pass in on fxp1 inet proto carp from 10.3.254.250 to any keep state
pass in on fxp0 inet proto tcp from 10.1.0.0/16 to any flags S/SA keep state
pass in on fxp0 proto tcp from any to any port 13:156 flags S/SA keep state
pass in on fxp0 proto tcp from any to any port 1024:60000 flags S/SA keep state
pass in on fxp0 proto udp from any to any port 1024:60000 keep state
pass in on fxp0 inet proto udp from 10.1.0.0/16 to any keep state
pass in on fxp0 inet proto tcp from any to 255.255.255.255 keep state
pass in on fxp0 inet proto udp from any to 255.255.255.255 keep state
pass in on fxp0 inet proto tcp from any to 10.1.255.255 keep state
pass in on fxp0 inet proto udp from any to 10.1.255.255 keep state
pass in on fxp1 proto udp from any to any port 13:156 keep state
pass in on fxp1 proto udp from any to any port 1024:60000 keep state
pass in on fxp1 inet proto tcp from any to 255.255.255.255 keep state
pass in on fxp1 inet proto udp from any to 255.255.255.255 keep state
pass in on fxp1 inet proto tcp from any to 10.3.255.255 keep state
pass in on fxp1 inet proto udp from any to 10.3.255.255 keep state
pass out quick on fxp0 all keep state
pass out quick on fxp1 all keep state

Some of the block events are logged as follows:

....
000017 rule 0/0(match): block in on fxp0: IP 10.1.184.15.4156 > 195.141.40.21.80: F 0:0(0) ack 1 win 64800
300869 rule 0/0(match): block in on fxp0: IP 10.1.184.15.4154 > 195.141.40.21.80: F 0:0(0) ack 1 win 64800
100417 rule 0/0(match): block in on fxp0: IP 10.1.184.15.4153 > 195.141.40.21.80: F 0:0(0) ack 1 win 64800
200569 rule 0/0(match): block in on fxp0: IP 10.1.184.15.4152 > 195.141.14.21.80: F 0:0(0) ack 1 win 64800
....

How can I change the PF rule to fix this problem?

Thanks
Sam.

Received on Wed May 04 2005 - 11:31:50 UTC
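The logged drops above are worth reading closely: every one is a FIN with ACK set ("F 0:0(0) ack 1") on an established HTTP connection, matched by rule 0, which is the "block drop in log all" default. None is a SYN. With the "flags S/SA keep state" rules in this ruleset, PF creates state only on a SYN without ACK, and a later segment of the same connection is passed only because a state entry exists; a FIN/ACK that reaches the default block therefore had no state entry left to match. That separates a policy problem (a SYN that no pass rule covers) from a state-table problem (state gone while the connection is still alive). As an added example, not part of Sam's post and not PF's own tooling, the Python script below parses lines in this tcpdump-on-pflog format and splits blocked packets into those two classes, grouping the out-of-state ones by flow so the affected server shows up first. The sample lines are constructed: the first four copy the ones quoted in the post, the last two are invented to show a bare ACK and a SYN from the fxp1 side (which this ruleset has no TCP pass rule for). The regex, function names and the classification labels are my own.

```python
"""Classify pflog 'block' lines as new-connection vs out-of-state drops."""
import re
from collections import Counter

# Constructed sample in the tcpdump-on-pflog format quoted in the post; not a
# capture from the poster's firewall. Lines 1-4 copy the post, 5-6 are invented.
SAMPLE_LOG = """\
000017 rule 0/0(match): block in on fxp0: IP 10.1.184.15.4156 > 195.141.40.21.80: F 0:0(0) ack 1 win 64800
300869 rule 0/0(match): block in on fxp0: IP 10.1.184.15.4154 > 195.141.40.21.80: F 0:0(0) ack 1 win 64800
100417 rule 0/0(match): block in on fxp0: IP 10.1.184.15.4153 > 195.141.40.21.80: F 0:0(0) ack 1 win 64800
200569 rule 0/0(match): block in on fxp0: IP 10.1.184.15.4152 > 195.141.14.21.80: F 0:0(0) ack 1 win 64800
512345 rule 0/0(match): block in on fxp0: IP 10.1.184.15.4200 > 195.141.40.21.80: . ack 4097 win 64800
900001 rule 0/0(match): block in on fxp1: IP 10.3.20.7.4201 > 195.141.40.21.80: S 1:1(0) win 65535 <mss 1460>
"""

# Hypothetical pattern for the line layout above: leading timestamp fragment,
# "rule N/M(reason):", action, direction, interface, then IP.port > IP.port,
# then the tcpdump TCP flags field and the remainder of the line.
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+rule\s+(?P<rule>\d+)/(?P<sub>\d+)\((?P<reason>[^)]*)\):\s+"
    r"(?P<action>pass|block)\s+(?P<dir>in|out)\s+on\s+(?P<ifname>\S+):\s+"
    r"IP\s+(?P<src>[\d.]+)\.(?P<sport>\d+)\s+>\s+(?P<dst>[\d.]+)\.(?P<dport>\d+):\s+"
    r"(?P<flags>[SFRPUWE.]+)\s+(?P<rest>.*)$"
)


def parse_line(line):
    """Return a dict of fields for one pflog line, or None if it does not parse."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    d["rule"] = int(d["rule"])
    d["sport"] = int(d["sport"])
    d["dport"] = int(d["dport"])
    # tcpdump prints "ack N" after the sequence field whenever ACK is set.
    d["ack"] = re.search(r"\back \d+", d["rest"]) is not None
    return d


def classify(entry):
    """Blocked SYN without ACK: no pass rule matched (policy).
    Anything else reaching the default block: no state entry existed."""
    if "S" in entry["flags"] and not entry["ack"]:
        return "new-connection"
    return "out-of-state"


def blocked_entries(log_text):
    for line in log_text.splitlines():
        e = parse_line(line)
        if e is not None and e["action"] == "block":
            yield e


def summarize(log_text):
    """Count blocked packets per class."""
    counts = Counter()
    for e in blocked_entries(log_text):
        counts[classify(e)] += 1
    return counts


def out_of_state_flows(log_text):
    """Out-of-state drops grouped by (src, dst, dport), most frequent first."""
    flows = Counter()
    for e in blocked_entries(log_text):
        if classify(e) == "out-of-state":
            flows[(e["src"], e["dst"], e["dport"])] += 1
    return flows.most_common()


if __name__ == "__main__":
    print(dict(summarize(SAMPLE_LOG)))
    for (src, dst, dport), n in out_of_state_flows(SAMPLE_LOG):
        print(f"{n:4d}  {src} -> {dst}:{dport}")
```

Feed it the output of "tcpdump -n -e -ttt -r /var/log/pflog" (the form the PF FAQ uses to read pflog). When nearly every drop lands in the out-of-state bucket, as in the lines quoted here, the pass rules are not the place to look: the next checks are the live state table ("pfctl -ss") for the affected flow while the download is stalled, and the configured timeouts ("pfctl -st"). On a CARP/pfsync pair like the one this ruleset is written for, the state a packet needs must also exist on whichever box is currently forwarding it.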
This archive was generated by hypermail 2.4.0 : Wed May 19 2021 - 11:38:33 UTC