Netgate Discussion Forum
    Out of State Packets

    General pfSense Questions
    • KOM

      At least weekly, we get a question from someone who is confused by blocked packets that should not be blocked by their existing rules. It's out of state packets, of course. The question is, why are they out of state? In a lot of logs I've seen, the OoS packet is a Fin/ACK (TCP:FA). Is the state being dropped in the middle of the TCP teardown?

      • jimp (Rebel Alliance Developer, Netgate)

        Without a full packet capture of an affected connection it's hard to say.

        Likely the connection was being torn down and pf removed the state before the far side sent the FIN+ACK. IIRC various keep-alive techniques on servers and clients make that a bigger issue on HTTP/HTTPS.

        Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

        Need help fast? Netgate Global Support!

        Do not Chat/PM for help!

        • KOM

          That's what I was suspecting. The state was being dropped as soon as pfSense got the initial ACK response from Destination, instead of waiting for the full sequence to complete. I imagine that this behaviour is part of the FreeBSD TCP/IP stack and can't be easily modified, but it bugs me and causes confusion with new users.

          • jimp (Rebel Alliance Developer, Netgate)

            : pfctl -st | grep tcp
            tcp.first                   120s
            tcp.opening                  30s
            tcp.established           86400s
            tcp.closing                 900s
            tcp.finwait                  45s
            tcp.closed                   90s
            tcp.tsdiff                   30s

            From that, before the FIN+ACK was received it would be in the finwait state I think. If 45 seconds elapsed before the server sent back a FIN+ACK, the state would be removed.

            The info here is a bit dated but still has some relevance: http://httpd.apache.org/docs/2.0/misc/fin_wait_2.html

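The timeout logic Jim describes, as an added example that is not from the thread or from pfSense itself: a small Python model that parses the pfctl -st values quoted above and replays a TCP teardown against them, showing when a late FIN+ACK lands after pf has already purged the state. The phase-to-timeout mapping (first FIN seen -> tcp.closing, both FINs seen -> tcp.finwait) follows the pf.conf(5) timeout descriptions in simplified form; the event lists and the side/flag notation are constructed for illustration.

```python
# Added example (not pfSense code): toy model of pf TCP state timeouts.
# Transitions are simplified: established -> 'closing' after the first
# FIN -> 'finwait' after both FINs. RST handling (tcp.closed) is omitted.
import re

# Constructed copy of the 'pfctl -st | grep tcp' output from the thread.
PFCTL_OUTPUT = """\
tcp.first                   120s
tcp.opening                  30s
tcp.established           86400s
tcp.closing                 900s
tcp.finwait                  45s
tcp.closed                   90s
tcp.tsdiff                   30s
"""

def parse_timeouts(text):
    """Turn 'pfctl -st' lines into {'tcp.finwait': 45, ...} (seconds)."""
    return {m.group(1): int(m.group(2))
            for m in re.finditer(r"^(tcp\.\w+)\s+(\d+)s$", text, re.M)}

# Which timeout bucket governs the state entry in each teardown phase.
PHASE_TIMEOUT = {"established": "tcp.established",
                 "closing": "tcp.closing",     # one side has sent FIN
                 "finwait": "tcp.finwait"}     # both sides have sent FIN

def replay(events, timeouts):
    """events: list of (t_seconds, side, flags) with pfSense-style flag
    letters ('FA' = FIN+ACK). Returns [(t, flags, 'pass'|'out-of-state')].
    The state is purged when the gap since the last matching packet
    exceeds the current phase's timeout; later packets are out-of-state."""
    phase, fins, last_seen, alive, out = "established", set(), 0, True, []
    for t, side, flags in events:
        if alive and t - last_seen > timeouts[PHASE_TIMEOUT[phase]]:
            alive = False                      # pf expired the state entry
        if not alive:
            out.append((t, flags, "out-of-state"))   # what the log shows
            continue
        out.append((t, flags, "pass"))
        last_seen = t
        if "F" in flags:
            fins.add(side)
            phase = "finwait" if len(fins) == 2 else "closing"
    return out
```

A FIN+ACK from the server 58 seconds after both FINs were exchanged (past the 45 s tcp.finwait) is reported as out-of-state, as is a server FIN+ACK that arrives more than 900 s after the client's FIN.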
            • KOM

              Good stuff. Thanks a lot, Jim!

              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.