Firewall blocking some packets of length 0 and length 1, but why?
-
Hi,
I have a very simple pfSense configuration (pfSense 2.1.2). One WAN interface with public ip, one LAN interface and one server in the LAN. I've only added one NAT rule with linked rule to pass from any source, on TCP port 3555 to my server in LAN on TCP port 3555. No other rules, just what came default with pfSense installation. So I want all traffic on 3555 TCP to be passed to the server in the LAN.
I have a custom server software running and listening on 3555. All is fine, clients from "outside" are connected, service is working. However occasionally I'm seeing these in logs as blocked:
…
00:00:00.275878 rule 3/0(match): block in on em1: (tos 0x0, ttl 108, id 7124, offset 0, flags [DF], proto TCP (6), length 40)
[various-public-IP].62781 > [my-server-LAN-ip].3555: Flags [F.], cksum 0xe330 (correct), seq 897757125, ack 4009713048, win 255, length 0
00:00:00.305176 rule 3/0(match): block in on em1: (tos 0x0, ttl 108, id 7287, offset 0, flags [DF], proto TCP (6), length 40)
[various-public-IP].62780 > [my-server-LAN-ip].3555: Flags [F.], cksum 0x3be1 (correct), seq 487330448, ack 2845310972, win 255, length 0
00:00:00.680105 rule 3/0(match): block in on em1: (tos 0x0, ttl 108, id 7523, offset 0, flags [DF], proto TCP (6), length 40)
[various-public-IP].62781 > [my-server-LAN-ip].3555: Flags [F.], cksum 0xe330 (correct), seq 897757125, ack 4009713048, win 255, length 0
00:00:01.170425 rule 3/0(match): block in on em1: (tos 0x0, ttl 108, id 9952, offset 0, flags [DF], proto TCP (6), length 40)
[various-public-IP].3289 > [my-server-LAN-ip].3555: Flags [F.], cksum 0x5f9b (correct), seq 4243766898, ack 1132699377, win 255, length 0
00:00:00.093845 rule 3/0(match): block in on em1: (tos 0x0, ttl 108, id 7877, offset 0, flags [DF], proto TCP (6), length 40)
[various-public-IP].62780 > [my-server-LAN-ip].3555: Flags [F.], cksum 0x3be1 (correct), seq 487330448, ack 2845310972, win 255, length 0…
...Moreover, I'm also seeing these being blocked from my server in LAN to the "outside" (is any kind of outgoing traffic blocked by default?)
...
00:00:00.156141 rule 3/0(match): block in on em0: (tos 0x0, ttl 128, id 8713, offset 0, flags [DF], proto TCP (6), length 41)
[my-server-LAN-ip].3555 > [various-public-IP].54075: Flags [.], cksum 0x6a0f (correct), ack 1998288961, win 260, length 1
00:00:00.571782 rule 3/0(match): block in on em0: (tos 0x0, ttl 128, id 8714, offset 0, flags [DF], proto TCP (6), length 41)
[my-server-LAN-ip].3555 > [various-public-IP].54016: Flags [.], cksum 0x006d (correct), ack 2288525514, win 260, length 1
00:00:00.156276 rule 3/0(match): block in on em0: (tos 0x0, ttl 128, id 8715, offset 0, flags [DF], proto TCP (6), length 41)
[my-server-LAN-ip].3555 > [various-public-IP].54075: Flags [.], cksum 0x6a0f (correct), ack 1998288961, win 260, length 1
…Can you help me understand these log entries? What are these length0 and length1 packets?
Thank you very much for any help and sorry if the question is "noob-like" ... ;)
Edit: The rule that triggered this action is:
@3 block drop in log inet all label "Default deny rule IPv4"
Edit: hmm, can someone confirm that this is what I'm seeing:
https://doc.pfsense.org/index.php/Why_do_my_logs_show_%22blocked%22_for_traffic_from_a_legitimate_connection ?