TCP:FA Blocks to port 80
-
My firewall logs occasionally show bursts of 30 or more BLOCK actions where the source is a Linux machine on my LAN and the destination is an IP on my cable provider's network, presumably another customer. The destination is port 80 and the proto is TCP:FA.
I don't understand why I am seeing these: it looks like they should be allowed by the default LAN to any rule. I also don't know why I am getting them in the first place, so I am glad that pfSense is showing them.
I guess the answer lies in the FA flags. They seem to be remnants of a closed connection?
I don't do any peer-to-peer networking and I don't use my ISP DNS.
Can anyone enlighten me?
-
If your host didn't initiate the connection and/or the firewall (pfSense) sees no signs of an active connection to that other host, then it is merely doing its job, and blocking those connections. That's what a stateful firewall does.
-
My wife's Android does this all of the time.
The blocked TCP:FA packets are from IPs to which the cell phone is actively connected. The device must be rotating through connections. Both sides must be closing the connection, then one side decides to send one last TCP:FA after both have already sent TCP:F.
This is the only device on my network that I know to be Linux based and is the only device that does this, and it does it all the time when in use.
-
Wi-Fi clients moving around cause a lot of weird traffic, since packets get lost mid-air. I'm assuming that's what's happening with your Android as well. By the time the two hosts (Wi-Fi client + server) finally agree that a connection must be closed/opened, the firewall has lost track of the active connections.
-
I typically get these blocks when a host in the LAN wakes up from standby and apparently tries to finish old connections that the firewall has already forgotten long before. This happens with OS X boxes in my case also on other ports (mail servers for example). I believe this is not OS specific.
-
So, just to be clear, we've agreed that those blocks are happening because pfSense is doing its job as a stateful firewall and blocking connections it doesn't have a record of being in progress, regardless of OS.
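The mechanism the replies above describe (a late FIN/ACK arriving after the firewall has dropped its state entry, and a host waking from standby and trying to finish a connection whose state expired long ago) can be shown with a toy state table. The code below is an added illustration and is not pfSense's code or its log format; the state timeouts, the LAN prefix and the packet traces are constructed assumptions chosen to make the effect visible in a few seconds of simulated time.

```python
from dataclasses import dataclass

LAN_NET = "192.168.1."  # hypothetical LAN prefix, stands in for the "LAN to any" rule's source


@dataclass(frozen=True)
class Packet:
    t: float        # seconds since the start of the constructed trace
    src: str
    sport: int
    dst: str
    dport: int
    flags: str      # pf-style letters: S=SYN, A=ACK, F=FIN, R=RST


class StatefulFilter:
    """Minimal stateful filter: a state entry is keyed on the 4-tuple in either direction."""

    def __init__(self, established_timeout=3600.0, closing_timeout=5.0):
        # Assumed timeouts (pfSense's real defaults differ); a fully closed
        # connection is forgotten much sooner than an established one.
        self.established_timeout = established_timeout
        self.closing_timeout = closing_timeout
        self.states = {}   # key -> {"last": last packet time, "fins": endpoints that sent FIN}
        self.log = []

    @staticmethod
    def key(p):
        return frozenset({(p.src, p.sport), (p.dst, p.dport)})

    def expire(self, now):
        """Drop entries that have been idle longer than their timeout."""
        for k, st in list(self.states.items()):
            limit = self.closing_timeout if len(st["fins"]) == 2 else self.established_timeout
            if now - st["last"] > limit:
                del self.states[k]

    def record(self, verdict, p):
        # Constructed log line in the spirit of the firewall log quoted in the thread
        self.log.append(f"{p.t:7.2f}s {verdict:5} {p.src}:{p.sport} -> {p.dst}:{p.dport} TCP:{p.flags}")
        return verdict

    def handle(self, p):
        self.expire(p.t)
        k = self.key(p)
        st = self.states.get(k)
        if st is not None:
            # Packet matches an existing state: pass it and track the close handshake
            st["last"] = p.t
            if "F" in p.flags:
                st["fins"].add((p.src, p.sport))
            if "R" in p.flags:
                del self.states[k]
            return self.record("PASS", p)
        # No state: only a fresh SYN from the LAN may create one (the "LAN to any" rule).
        # Anything else, including a FIN/ACK for a forgotten connection, is blocked.
        if p.flags == "S" and p.src.startswith(LAN_NET):
            self.states[k] = {"last": p.t, "fins": set()}
            return self.record("PASS", p)
        return self.record("BLOCK", p)


HOST, SRV = "192.168.1.10", "203.0.113.7"   # constructed addresses

# Scenario 1: both sides close normally, then the client sends one more FIN/ACK late.
TRACE_LATE_FIN = [
    Packet(0.00, HOST, 40000, SRV, 80, "S"),
    Packet(0.05, SRV, 80, HOST, 40000, "SA"),
    Packet(0.10, HOST, 40000, SRV, 80, "A"),
    Packet(1.00, HOST, 40000, SRV, 80, "FA"),   # client closes
    Packet(1.05, SRV, 80, HOST, 40000, "FA"),   # server closes too
    Packet(1.10, HOST, 40000, SRV, 80, "A"),    # final ACK; state is now in the short closing timeout
    Packet(30.0, HOST, 40000, SRV, 80, "FA"),   # late duplicate FIN/ACK: state is gone, so it is blocked
    Packet(31.0, HOST, 40001, SRV, 80, "S"),    # a brand-new connection from the LAN still passes
]

# Scenario 2: an established connection sits idle (host in standby) past the
# established timeout; on resume the host tries to close it.
TRACE_STANDBY = [
    Packet(0.00, HOST, 50000, SRV, 80, "S"),
    Packet(0.05, SRV, 80, HOST, 50000, "SA"),
    Packet(0.10, HOST, 50000, SRV, 80, "A"),
    Packet(4000.0, HOST, 50000, SRV, 80, "FA"),  # idle > 3600 s, so the state has expired
]


def run_trace(trace):
    """Return the per-packet verdicts and the constructed log lines for a trace."""
    fw = StatefulFilter()
    verdicts = [fw.handle(p) for p in trace]
    return verdicts, fw.log


if __name__ == "__main__":
    for name, trace in (("late FIN/ACK", TRACE_LATE_FIN), ("standby", TRACE_STANDBY)):
        print(f"--- {name} ---")
        for line in run_trace(trace)[1]:
            print(line)
```

In both traces the blocked packet carries exactly the FA flags from the original question: it belongs to a connection the filter once knew about, but by the time it arrives no state entry matches it, and a non-SYN packet cannot create one, so the default deny applies even though a "LAN to any" rule would have passed a fresh connection.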