Netgate Discussion Forum
    WAN out blocked TCP:a TCP:PA

    Firewalling
    webroy

      Hi Guys,

      I have a pfSense 2.1 box running.

      I have a WAN connection BRIDGED with my DMZ.

      In my firewall logs I see a lot of WAN out connections being blocked. Most of them are customers using, for example, IMAP or MySQL.

      I have allow rules on WAN and DMZ to allow traffic, but it keeps on blocking.

      Any ideas?
      [Attachment: firewall.jpg]

      phil.davis

        TCP:A means it is an ACKnowledge packet. If the corresponding state has been closed in the firewall (one end or the other has done a FIN, or there has been no activity for a bit and the state has been timed out or…) and then the ACK comes along later, it will be blocked.
        The firewall only really uses the rules to establish states. So SYN packets are processed by the rules and if "pass" then a state is established. Later traffic that matches the state is all passed automagically.
        Any other TCP-flagged packet is always dropped if it does not match a state.
        If the users are not experiencing any problems, then bits and pieces of traffic blocked like this are "normal".

        As the Greek philosopher Isosceles used to say, "There are 3 sides to every triangle."
        If I helped you, then help someone else - buy someone a gift from the INF catalog http://secure.inf.org/gifts/usd/

        webroy

          I had customers complaining. When I added a rule in floating which said WAN out allow, it works better. Is that an OK rule?

          Spix

            I have the same "problem", a lot of TCP:A in the logs. What can I do about those?

            KOM

              Are you experiencing any problems, or are you just concerned about log spam? Blocked ACKs on an open interface are usually indicative of out of state traffic.

              https://doc.pfsense.org/index.php/Why_do_my_logs_show_%22blocked%22_for_traffic_from_a_legitimate_connection

              If they really bug you, you can craft rules without logging that will not report those.

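A small log-triage script for the situation the thread describes, added here as an example and not code from the thread or from pfSense: it parses filterlog-style entries, counts blocked packets by the PROTO:FLAGS key the GUI shows (TCP:A, TCP:PA, ...), and separates the ACK-without-SYN blocks, which per the explanation above are out-of-state packets rather than rule blocks, from blocks that actually hit a rule. The CSV field order and the sample log lines are assumptions I constructed, not the page's data.

```python
from collections import Counter

# Constructed sample filterlog payloads (syslog header already stripped); not real traffic.
# Field order assumed (pfSense filterlog CSV): rulenr,subrulenr,anchor,tracker,iface,
# reason,action,direction,ipver,tos,ecn,ttl,id,offset,ipflags,protoid,proto,length,
# src,dst, then for TCP: sport,dport,datalen,tcpflags,seq,ack,window,urg,options
SAMPLE_LOG = """\
5,16777216,,1000000103,em0,match,block,out,4,0x0,,64,0,0,DF,6,tcp,52,192.0.2.10,198.51.100.5,51234,143,0,A,1,2,65535,,
5,16777216,,1000000103,em0,match,block,out,4,0x0,,64,0,0,DF,6,tcp,92,192.0.2.10,198.51.100.5,51234,143,40,PA,3,4,65535,,
5,16777216,,1000000103,em0,match,block,out,4,0x0,,64,0,0,DF,6,tcp,60,192.0.2.11,198.51.100.7,40000,3306,0,S,5,0,65535,,mss
2,0,,1000000101,em1,match,pass,in,4,0x0,,64,0,0,DF,6,tcp,60,192.0.2.12,198.51.100.8,40001,993,0,S,6,0,65535,,mss
5,16777216,,1000000103,em0,match,block,out,4,0x0,,64,0,0,DF,17,udp,78,192.0.2.10,198.51.100.9,5000,53,50
"""

def parse_filterlog_line(line):
    """Return a dict with the fields triage needs, or None for a malformed line."""
    f = line.split(",")
    if len(f) < 20:
        return None
    rec = {"iface": f[4], "action": f[6], "dir": f[7], "proto": f[16],
           "src": f[18], "dst": f[19], "flags": ""}
    if rec["proto"] == "tcp" and len(f) >= 24:
        rec.update(sport=f[20], dport=f[21], flags=f[23])
    return rec

def is_out_of_state_noise(rec):
    """Blocked TCP packet with ACK set and no SYN: rules only create states from
    the SYN, so a block here means no state matched (closed or timed out).
    These are the TCP:A / TCP:PA entries discussed in the thread."""
    if rec["action"] != "block" or rec["proto"] != "tcp":
        return False
    return "A" in rec["flags"] and "S" not in rec["flags"]

def triage(log_text):
    """Count blocked packets per PROTO:FLAGS key (as the GUI shows them) and
    collect the ones that look like out-of-state noise rather than rule blocks."""
    by_flags, noise = Counter(), []
    for line in log_text.splitlines():
        rec = parse_filterlog_line(line)
        if rec is None or rec["action"] != "block":
            continue
        key = f"{rec['proto'].upper()}:{rec['flags']}".rstrip(":")
        by_flags[key] += 1
        if is_out_of_state_noise(rec):
            noise.append(rec)
    return by_flags, noise
```

Running `triage(SAMPLE_LOG)` on the constructed sample reports one TCP:A and one TCP:PA block as out-of-state noise, while the blocked SYN to port 3306 is left as a genuine rule block worth looking at.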
              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.