PF blocking Pass rules
sam
sam.wun at tech-21.com.hk
Wed May 4 06:31:50 PDT 2005
Hi,
I don't know what happened. I just set up an internal LAN firewall using
PF (v3.6). The PF firewall has defaultrouter set to the external
firewall (facing the internet).
All my PCs have their default gateway set to the PF firewall. When I start
downloading an iso file from some website, the first 13% was fine, then the
PF firewall suddenly started blocking the traffic from my PC to the
external website where I am downloading the file. After a while (about 6
minutes), my download resumed, then stopped for 5 minutes, then resumed....
Here are the running rules loaded into the memory in the PF firewall:
root at intgw2:/usr/local/etc# pfctl -sr
block drop in log all
pass quick on xl0 proto pfsync all
pass in on fxp0 inet proto carp from 10.1.254.250 to any keep state
pass in on fxp1 inet proto carp from 10.3.254.250 to any keep state
pass in on fxp0 inet proto tcp from 10.1.0.0/16 to any flags S/SA keep state
pass in on fxp0 proto tcp from any to any port 13:156 flags S/SA keep state
pass in on fxp0 proto tcp from any to any port 1024:60000 flags S/SA keep state
pass in on fxp0 proto udp from any to any port 1024:60000 keep state
pass in on fxp0 inet proto udp from 10.1.0.0/16 to any keep state
pass in on fxp0 inet proto tcp from any to 255.255.255.255 keep state
pass in on fxp0 inet proto udp from any to 255.255.255.255 keep state
pass in on fxp0 inet proto tcp from any to 10.1.255.255 keep state
pass in on fxp0 inet proto udp from any to 10.1.255.255 keep state
pass in on fxp1 proto udp from any to any port 13:156 keep state
pass in on fxp1 proto udp from any to any port 1024:60000 keep state
pass in on fxp1 inet proto tcp from any to 255.255.255.255 keep state
pass in on fxp1 inet proto udp from any to 255.255.255.255 keep state
pass in on fxp1 inet proto tcp from any to 10.3.255.255 keep state
pass in on fxp1 inet proto udp from any to 10.3.255.255 keep state
pass out quick on fxp0 all keep state
pass out quick on fxp1 all keep state
Some of the block events are logged as follows:
....
000017 rule 0/0(match): block in on fxp0: IP 10.1.184.15.4156 > 195.141.40.21.80: F 0:0(0) ack 1 win 64800
300869 rule 0/0(match): block in on fxp0: IP 10.1.184.15.4154 > 195.141.40.21.80: F 0:0(0) ack 1 win 64800
100417 rule 0/0(match): block in on fxp0: IP 10.1.184.15.4153 > 195.141.40.21.80: F 0:0(0) ack 1 win 64800
200569 rule 0/0(match): block in on fxp0: IP 10.1.184.15.4152 > 195.141.14.21.80: F 0:0(0) ack 1 win 64800
....
How can I change the PF rule to fix this problem?
Thanks
Sam.
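A triage helper for the pflog lines quoted above, added here as an example and not part of the original post. It parses the tcpdump-style pflog format shown in the message and sorts each blocked packet by its TCP flags: a bare SYN is a new connection that no pass rule accepted (a policy block), whereas a FIN/ACK, ACK or data segment with no SYN is a mid-stream packet for which pf no longer had a state entry. The four entries from the post all carry "F ... ack", so they fall in the second group: the "flags S/SA keep state" pass rules only create state on a SYN, and a FIN that arrives after the state has disappeared can only match rule 0, "block drop in log all". The regular expression and the one extra SYN line in the sample are assumptions constructed for this example.

```python
import re
from collections import Counter

# Constructed sample: the four block entries quoted in the post, each rejoined
# onto a single line, plus one hypothetical SYN entry (not from the post) so
# that both classification outcomes appear in the output.
PFLOG_SAMPLE = """\
000017 rule 0/0(match): block in on fxp0: IP 10.1.184.15.4156 > 195.141.40.21.80: F 0:0(0) ack 1 win 64800
300869 rule 0/0(match): block in on fxp0: IP 10.1.184.15.4154 > 195.141.40.21.80: F 0:0(0) ack 1 win 64800
100417 rule 0/0(match): block in on fxp0: IP 10.1.184.15.4153 > 195.141.40.21.80: F 0:0(0) ack 1 win 64800
200569 rule 0/0(match): block in on fxp0: IP 10.1.184.15.4152 > 195.141.14.21.80: F 0:0(0) ack 1 win 64800
000201 rule 0/0(match): block in on fxp0: IP 10.1.184.15.4170 > 195.141.40.21.80: S 1000:1000(0) win 65535 <mss 1460>
"""

# Assumed layout of one "tcpdump -n -e -ttt -i pflog0"-style line, as in the post:
#   <seq> rule <n>/<sub>(<reason>): <action> <dir> on <if>: IP <src>.<sport> > <dst>.<dport>: <flags> <rest>
LINE_RE = re.compile(
    r"^(?P<seq>\d+) rule (?P<rule>\d+)/(?P<subrule>\d+)\((?P<reason>[a-z-]+)\): "
    r"(?P<action>block|pass) (?P<dir>in|out) on (?P<iface>\w+): "
    r"IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): "
    r"(?P<flags>[SFRPUEWC.]+)(?P<rest>.*)$"
)


def parse_pflog_line(line):
    """Return a dict of the fields in one pflog line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    entry["sport"] = int(entry["sport"])
    entry["dport"] = int(entry["dport"])
    # tcpdump prints "ack <n>" after the sequence range when the ACK bit is set
    entry["has_ack"] = " ack " in entry["rest"]
    return entry


def classify(entry):
    """Say why a stateful ruleset would have let this packet fall through to the block rule."""
    flags = entry["flags"]
    if "S" in flags and not entry["has_ack"]:
        # A SYN is what the "flags S/SA" pass rules match; if one is blocked,
        # no pass rule covered it: a policy block.
        return "new-connection"
    if "S" in flags:
        return "syn-ack"
    if "R" in flags:
        return "reset"
    # FIN, bare ACK or data without SYN: only an existing state entry could
    # pass it, so the state had already expired or was never created here.
    return "no-state"


def summarize(text):
    """Count blocked packets per category and record the category of each flow."""
    counts = Counter()
    flows = {}
    for line in text.splitlines():
        entry = parse_pflog_line(line)
        if entry is None or entry["action"] != "block":
            continue
        kind = classify(entry)
        counts[kind] += 1
        key = (entry["src"], entry["sport"], entry["dst"], entry["dport"])
        flows.setdefault(key, kind)
    return {"counts": counts, "flows": flows}


if __name__ == "__main__":
    result = summarize(PFLOG_SAMPLE)
    for kind, n in sorted(result["counts"].items()):
        print(f"{kind:16s} {n}")
    for (src, sport, dst, dport), kind in result["flows"].items():
        print(f"{src}:{sport} -> {dst}:{dport}  {kind}")
```

Run against a live log with something like `tcpdump -n -e -ttt -i pflog0 | python3 triage.py` after adapting the script to read stdin; when the "no-state" bucket dominates for long-lived flows while "new-connection" stays near zero, the ruleset is admitting connections but losing their state entries, which is the pattern the four quoted lines show.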