Hello,

We are using 2.1.5-RELEASE on amd64.

We have noticed a very strange problem.

We've got a floating rule for our DMZ web servers, giving full access to TCP/443 to these servers from hosts coming from any interface, including our WAN.

With such a rule, we are seeing packets coming from WAN (not sure if this also happens from other interfaces, but so far we have only seen it from WAN), destined to a DMZ server's TCP/443 port and 0 bytes long, being dropped, as can be seen on our syslog server:

--- CUT ---
Aug 13 14:18:51 10.10.3.252 pf: 202.171.79.25.45659 > 194.254.189.17.443: Flags [S], cksum 0xf8e3 (correct), seq 3639296608, win 29200, options [mss 1402,sackOK,TS val 4223950 ecr 0,nop,wscale 7], length 0
Aug 13 14:18:51 10.10.3.252 pf: 202.171.79.25.45660 > 194.254.189.17.443: Flags [S], cksum 0xd48d (correct), seq 3583011339, win 29200, options [mss 1402,sackOK,TS val 4223955 ecr 0,nop,wscale 7], length 0
Aug 13 14:18:55 10.10.3.252 pf: 202.171.79.25.45657 > 194.254.189.17.443: Flags [S], cksum 0x7952 (correct), seq 1019566704, win 29200, options [mss 1402,sackOK,TS val 4224888 ecr 0,nop,wscale 7], length 0
--- CUT ---

Setting the "Quick" checkbox or not for this floating rule doesn't change anything.

Rejected packets always seem to come after around 15 minutes of packets which flow perfectly correctly. We think this problem might be related to keep-alive packets: pfSense "seems" to drop the existing states after 15 minutes and rejects batches of around 20 to 30 packets over the course of 1 to 3 minutes (maybe due to the number of different HTTPS connections made to the web server to retrieve all the webpage's contents).

If, in addition to the floating rule (but probably we could as well delete it), we put an interface-based rule doing exactly the same thing, i.e. allowing full access to TCP/443, then all is fine and no packet is dropped. NB: instead of opening to all, we've only tested the interface-based rule with the above client address (202.171.79.25), meaning that if any of you tests the following URL (https://webmail.univ-nc.nc), you may experience the dropped-packets problem.

Any idea what could be wrong?

Thanks in advance for any help.

bye

--
Jérôme Alet - <jerome.a...@univ-nc.nc> - Direction du Système d'Information
      Université de la Nouvelle-Calédonie - BPR4 - 98851 NOUMEA CEDEX
   Tél : +687 290081                                  Fax : +687 254829

_______________________________________________
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
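The log lines quoted in the post are tcpdump-style pflog records relayed over syslog. One useful first step when chasing this kind of report is to parse a batch of such lines and check what exactly is being dropped: if every dropped packet is a bare SYN with length 0, the firewall is refusing new connection attempts (no pass rule or existing state matched), whereas dropped ACK/PSH packets with payload would point at an established state disappearing mid-connection. The following is an added example written for this page, not code from the poster or from the pfSense project; it assumes the log format exactly as quoted above (syslog timestamp without year, relay host, `pf:` prefix) and uses the three quoted lines as constructed sample input.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: the three dropped-SYN lines quoted in the post
# (pflog output relayed by syslog from 10.10.3.252).
SAMPLE_LOG = """\
Aug 13 14:18:51 10.10.3.252 pf: 202.171.79.25.45659 > 194.254.189.17.443: Flags [S], cksum 0xf8e3 (correct), seq 3639296608, win 29200, options [mss 1402,sackOK,TS val 4223950 ecr 0,nop,wscale 7], length 0
Aug 13 14:18:51 10.10.3.252 pf: 202.171.79.25.45660 > 194.254.189.17.443: Flags [S], cksum 0xd48d (correct), seq 3583011339, win 29200, options [mss 1402,sackOK,TS val 4223955 ecr 0,nop,wscale 7], length 0
Aug 13 14:18:55 10.10.3.252 pf: 202.171.79.25.45657 > 194.254.189.17.443: Flags [S], cksum 0x7952 (correct), seq 1019566704, win 29200, options [mss 1402,sackOK,TS val 4224888 ecr 0,nop,wscale 7], length 0
"""

# One regex for the quoted format: "<syslog ts> <relay> pf: <src>.<sport> > <dst>.<dport>: Flags [<f>], ..., length <n>"
LINE_RE = re.compile(
    r'^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<relay>\S+) pf: '
    r'(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > '
    r'(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): '
    r'Flags \[(?P<flags>[^\]]*)\],.*?\blength (?P<length>\d+)\s*$'
)


def parse_pf_log(text):
    """Parse pflog-over-syslog lines into dicts; lines that do not match are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        d = m.groupdict()
        # Syslog timestamps carry no year; strptime defaults to 1900, which is
        # fine because we only use the timestamps for deltas within one batch.
        ts = datetime.strptime(re.sub(r"\s+", " ", d["ts"]), "%b %d %H:%M:%S")
        records.append({
            "ts": ts,
            "relay": d["relay"],
            "src": d["src"],
            "sport": int(d["sport"]),
            "dst": d["dst"],
            "dport": int(d["dport"]),
            "flags": d["flags"],
            "length": int(d["length"]),
        })
    return records


def is_new_connection_attempt(rec):
    """A bare SYN with no payload is the first packet of a new TCP connection."""
    return rec["flags"] == "S" and rec["length"] == 0


def summarize_drops(records):
    """Group dropped packets per (src, dst, dport) and characterise each group.

    The verdict is a heuristic reading of the flags, not a pf diagnosis:
    all-SYN groups mean new connections were refused, anything else means
    packets of an already established connection were dropped.
    """
    groups = defaultdict(list)
    for r in records:
        groups[(r["src"], r["dst"], r["dport"])].append(r)

    summary = {}
    for key, recs in groups.items():
        all_syn = all(is_new_connection_attempt(r) for r in recs)
        first = min(r["ts"] for r in recs)
        last = max(r["ts"] for r in recs)
        summary[key] = {
            "count": len(recs),
            "distinct_source_ports": len({r["sport"] for r in recs}),
            "all_syn_len0": all_syn,
            "span_seconds": (last - first).total_seconds(),
            "verdict": (
                "new connection attempts refused: no pass rule or state matched the SYN"
                if all_syn
                else "mid-stream packets dropped: an established state was lost or never created"
            ),
        }
    return summary


if __name__ == "__main__":
    for (src, dst, dport), info in summarize_drops(parse_pf_log(SAMPLE_LOG)).items():
        print(f"{src} -> {dst}:{dport}: {info['count']} drops, "
              f"{info['distinct_source_ports']} source ports, "
              f"over {info['span_seconds']:.0f}s; {info['verdict']}")
```

Run against a larger slice of the syslog (one line per pflog record, as the syslog server stores them), a group of many bare SYNs from one client spread over a couple of minutes matches the post's description of a 20 to 30 packet burst: each dropped packet is a fresh connection attempt from a new source port, which is consistent with the client opening new HTTPS connections that no longer find a matching pass rule once the earlier states have aged out.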