Netgate Discussion Forum

    Port 3128 has been blocked in LAN… what happens?

    20 Posts 5 Posters 7.8k Views
      Nachtfalke

      I think this has nothing to do with routing problems.
      I have these logs, too, just with port 80 (transparent proxy).

      Jim-p posted in other threads that this is a behaviour of SPI (Stateful Packet Inspection) firewalls. The firewall only allows packets/traffic if there is an active state in the firewall table. If there isn't any traffic for a firewall state, the firewall resets this state. If the website then answers on this "old" connection, the firewall blocks it because there is no active state in the firewall anymore.

      Perhaps this will help you:
      http://en.wikipedia.org/wiki/Stateful_firewall

        syedadi

        @Nachtfalke:

        I think this has nothing to do with routing problems.
        I have these logs, too, just with port 80 (transparent proxy).

        Jim-p posted in other threads that this is a behaviour of SPI (Stateful Packet Inspection) firewalls. The firewall only allows packets/traffic if there is an active state in the firewall table. If there isn't any traffic for a firewall state, the firewall resets this state. If the website then answers on this "old" connection, the firewall blocks it because there is no active state in the firewall anymore.

        Perhaps this will help you:
        http://en.wikipedia.org/wiki/Stateful_firewall

        Nice one… so this happens when a user opens a browser/port 80 traffic, then leaves it idle for a long time? Is that what it means? Thanks

          Nachtfalke

          @syedadi:

          @Nachtfalke:

          I think this has nothing to do with routing problems.
          I have these logs, too, just with port 80 (transparent proxy).

          Jim-p posted in other threads that this is a behaviour of SPI (Stateful Packet Inspection) firewalls. The firewall only allows packets/traffic if there is an active state in the firewall table. If there isn't any traffic for a firewall state, the firewall resets this state. If the website then answers on this "old" connection, the firewall blocks it because there is no active state in the firewall anymore.

          Perhaps this will help you:
          http://en.wikipedia.org/wiki/Stateful_firewall

          Nice one… so this happens when a user opens a browser/port 80 traffic, then leaves it idle for a long time? Is that what it means? Thanks

          Yes, this is how I understand it from the text and from reading in the forum.
          And port 3128 is Squid, because Squid opened the connection for the user.

            stephenw10 (Netgate Administrator)

            This can also be caused by asymmetric routing as JimP said in the post I linked to.
            If, for instance, you have outgoing http requests going via Squid but incoming replies going directly to the client then pfSense will see those replies unrequested, no state exists for them, and will block them.
            This should never happen if you have Squid configured correctly.

            Steve

              Nachtfalke

              @stephenw10:

              This can also be caused by asymmetric routing as JimP said in the post I linked to.
              If, for instance, you have outgoing http requests going via Squid but incoming replies going directly to the client then pfSense will see those replies unrequested, no state exists for them, and will block them.
              This should never happen if you have Squid configured correctly.

              Steve

              Of course you are right! But I think this would mean that the client cannot browse the web (correctly).
              But browsing the web works, as far as I understand him.

                stephenw10 (Netgate Administrator)

                I agree. I can't see how this would happen, I can't even think of a way to do it deliberately!  ::)
                However since it seems to be related to Squid it probably shouldn't be ruled out completely.

                Steve

                Edit: Perhaps with multiwan, do you have more than one WAN?

                  Nachtfalke

                  @stephenw10:

                  I agree. I can't see how this would happen, I can't even think of a way to do it deliberately!  ::)
                  However since it seems to be related to Squid it probably shouldn't be ruled out completely.

                  Steve

                  Edit: Perhaps with multiwan, do you have more than one WAN?

                  The firewall rules are showing just the default gateway ( * ) and no gateway group.

                    stephenw10 (Netgate Administrator)

                    @Nachtfalke:

                    The firewall rules are showing just the default gateway ( * ) and no gateway group.

                    Good point!
                    Well, if it's not a multi-WAN with Squid setup, which seems to be a common source of problems, then I would suggest:
                    • Squid set up incorrectly?
                    • Bad web application?
                    • Something really obscure!

                    Steve

                      Nachtfalke

                      Take a look at this thread and the first few posts by "cmb":

                      http://forum.pfsense.org/index.php/topic,39632.0.html

                        stephenw10 (Netgate Administrator)

                        Useful post.
                        It doesn't answer the original question though.
                        The firewall is blocking FIN ACK packets, perhaps legitimately. Why?
                        It looks like the clients are sending FIN ACK packets to Squid, expecting an ACK packet in return, but are being blocked.
                        Since this is only used for gracefully finishing a TCP session, the clients are still able to see web pages.
                        Odd that more Squid users aren't complaining.  :-\

                        Steve

                          jimp (Rebel Alliance Developer, Netgate)

                          Squid may be closing the connections early, and pf may be removing the states due to that. The blocks you are seeing are just traffic that arrives after the state has already been removed. Not really necessary for normal operation, people wouldn't even notice that in most cases.

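Nachtfalke's description of state expiry, stephenw10's asymmetric-routing case and jimp's point that pf removes the state once Squid closes the connection early all come down to one mechanism: a packet that matches no entry in the state table is blocked, whatever its TCP flags. The toy state table below is an added example written for this thread, not pf or pfSense code. The addresses, ports and the 60 s / 5 s timeouts are constructed values chosen to keep the trace short; they are not pf's real defaults.

```python
"""Toy model of a stateful packet filter's state table.

Added illustration for the thread above; it is not pf/pfSense code.
Addresses, ports and timeouts are constructed assumptions.
"""
from dataclasses import dataclass, field

# Constructed addresses: a LAN client, the pfSense/Squid box, a web server.
CLIENT, SQUID, SERVER = "192.168.1.50", "192.168.1.1", "203.0.113.10"


@dataclass
class State:
    last_seen: float
    closing: bool = False   # a FIN or RST has been seen: the short timeout applies


@dataclass
class StatefulFilter:
    idle_timeout: float = 60.0     # assumption: idle established state purged after 60 s
    closing_timeout: float = 5.0   # assumption: a state seen closing is purged after 5 s
    table: dict = field(default_factory=dict)

    def _expire(self, now: float) -> None:
        """Drop every state that has been quiet longer than its timeout."""
        for key, st in list(self.table.items()):
            limit = self.closing_timeout if st.closing else self.idle_timeout
            if now - st.last_seen > limit:
                del self.table[key]

    def packet(self, now, src, sport, dst, dport, flags) -> str:
        """Return 'pass' or 'block' for one TCP packet seen at time `now`.

        A packet passes if it belongs to an existing state (either
        direction) or if it is a SYN allowed to create a new state.
        Anything else, FIN/ACK included, has no state and is blocked.
        """
        self._expire(now)
        fwd, rev = (src, sport, dst, dport), (dst, dport, src, sport)
        key = fwd if fwd in self.table else rev if rev in self.table else None
        if key is None:
            if flags == "S":                       # new connection permitted by rule
                self.table[fwd] = State(last_seen=now)
                return "pass"
            return "block"                         # no state: logged as a block
        st = self.table[key]
        st.last_seen = now
        if "F" in flags or "R" in flags:
            st.closing = True                      # start the short close-down timer
        return "pass"


def idle_then_fin() -> list:
    """Client leaves a proxied connection idle, then closes it much later."""
    fw = StatefulFilter()
    return [
        fw.packet(0.0, CLIENT, 40000, SQUID, 3128, "S"),    # handshake: state created
        fw.packet(0.1, SQUID, 3128, CLIENT, 40000, "SA"),
        fw.packet(0.2, CLIENT, 40000, SQUID, 3128, "A"),
        fw.packet(0.3, CLIENT, 40000, SQUID, 3128, "PA"),   # HTTP request
        fw.packet(0.5, SQUID, 3128, CLIENT, 40000, "PA"),   # HTTP response
        fw.packet(90.0, CLIENT, 40000, SQUID, 3128, "FA"),  # idle > 60 s: state gone, blocked
    ]


def proxy_closes_early() -> list:
    """Squid closes first; the client's late FIN/ACK arrives after the state is purged."""
    fw = StatefulFilter()
    return [
        fw.packet(0.0, CLIENT, 40001, SQUID, 3128, "S"),
        fw.packet(0.1, SQUID, 3128, CLIENT, 40001, "SA"),
        fw.packet(0.2, CLIENT, 40001, SQUID, 3128, "A"),
        fw.packet(1.0, SQUID, 3128, CLIENT, 40001, "FA"),   # proxy closes: state now 'closing'
        fw.packet(1.1, CLIENT, 40001, SQUID, 3128, "A"),
        fw.packet(10.0, CLIENT, 40001, SQUID, 3128, "FA"),  # > 5 s after close: blocked
    ]


def asymmetric_reply() -> list:
    """A reply whose request never crossed this firewall has no state and is blocked."""
    fw = StatefulFilter()
    return [fw.packet(0.0, SERVER, 80, CLIENT, 40002, "SA")]


if __name__ == "__main__":
    print("idle then FIN:     ", idle_then_fin())
    print("proxy closes early:", proxy_closes_early())
    print("asymmetric reply:  ", asymmetric_reply())
```

In both proxied traces every packet of the actual page load passes and only the trailing FIN/ACK is blocked, which is why users still browse normally while the firewall log fills with blocks on port 3128. The block entries are therefore worth correlating with the state's close or idle time before treating them as a rule problem.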

                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.