127.0.0.1:3129 TCP:FA and TCP:RA spamming the firewall
-
I am using the newest version of pfsense for a few networks.
Recently I get the messages in the screenshot on the network that's used for mobile phone devices. On that network, SSL interception is active as a transparent proxy. Port 3129 is the one Squid uses for that.
What am I reading here?
I tried to allow all traffic from 127.0.0.1 Port 3129, both on the interface and as a floating rule.
But both rules seem to be ignored; that traffic is still logged as blocked. Can anyone clarify why that happens?
-
Those are out of state.. See the RA and FA.. Which means Reset Ack and Fin Ack..
-
Do you have logging enabled for the default deny rules (set at Status->System Logs->Settings->Log firewall default blocks)? You should turn it off if you do because it will only log useless noise such as this case.
What you're seeing is really useless noise because the blocked packets are the final RST and FIN packets that are supposed to be part of a TCP connection tear-down, but the standard is muddy and some implementations send unnecessary packets and some don't. Also the packets might be lost or delayed, and that could cause retransmissions; by the time the packets finally arrive the state has already been destroyed on the firewall and they are logged as out of state packets.
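To separate this tear-down noise from blocks that matter, here is an added triage script (not from the thread or from pfSense itself) that reads filterlog records and flags blocked TCP packets that could never have opened a connection. It assumes the documented pfSense filterlog CSV column order (rule fields, then IPv4 fields, then TCP fields); the log lines are constructed samples.

```python
import csv
from collections import Counter

# Assumed column positions in pfSense's filterlog CSV (rule, IPv4, TCP sections).
ACTION, IPVER, PROTO_TEXT = 6, 8, 16
SRC, DST, SPORT, DPORT, TCP_FLAGS = 18, 19, 20, 21, 23

# Constructed sample records: four 127.0.0.1:3129 stragglers (FA/RA) and one
# genuine inbound SYN to port 22 that a default deny should keep blocking.
SAMPLE_LOG = """\
5,,,1000000103,lo0,match,block,in,4,0x0,,64,0,0,DF,6,tcp,52,127.0.0.1,10.20.0.15,3129,51844,0,FA,1234567,7654321,2048,,
5,,,1000000103,lo0,match,block,in,4,0x0,,64,0,0,DF,6,tcp,52,127.0.0.1,10.20.0.15,3129,51844,0,FA,1234567,7654321,2048,,
5,,,1000000103,lo0,match,block,in,4,0x0,,64,0,0,DF,6,tcp,40,127.0.0.1,10.20.0.31,3129,40022,0,RA,9988776,5544332,0,,
5,,,1000000103,lo0,match,block,in,4,0x0,,64,0,0,DF,6,tcp,52,127.0.0.1,10.20.0.31,3129,40023,0,FA,9988777,5544333,2048,,
5,,,1000000103,igb0,match,block,in,4,0x0,,51,0,0,DF,6,tcp,60,203.0.113.7,192.0.2.10,43812,22,0,S,1111111,,65535,,mss;sackOK
"""

def parse_entry(line):
    """Return the fields the triage needs, or None for non-IPv4/non-TCP records."""
    f = next(csv.reader([line]))
    if f[IPVER] != "4" or f[PROTO_TEXT] != "tcp":
        return None
    return {"action": f[ACTION], "src": f[SRC], "sport": f[SPORT],
            "dst": f[DST], "dport": f[DPORT], "flags": f[TCP_FLAGS]}

def is_out_of_state(entry):
    """Only a bare SYN (S set, A clear) can create a new pf state. Any other
    blocked TCP packet (FA, RA, R, ...) was dropped because its state was
    already gone: the tear-down stragglers the thread describes."""
    flags = entry["flags"]
    return not ("S" in flags and "A" not in flags)

def triage(log_text):
    """Split blocked TCP records into (noise counter keyed by src/sport/flags,
    list of blocks that were real connection attempts)."""
    noise, real = Counter(), []
    for line in log_text.strip().splitlines():
        e = parse_entry(line)
        if e is None or e["action"] != "block":
            continue
        if is_out_of_state(e):
            noise[(e["src"], e["sport"], e["flags"])] += 1
        else:
            real.append(e)
    return noise, real

if __name__ == "__main__":
    noise, real = triage(SAMPLE_LOG)
    print("out-of-state noise:", dict(noise))
    print("real blocks:", [(r["src"], r["dst"], r["dport"]) for r in real])
```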
-
Thanks for the info so far. So that means SSL should work despite those messages, obviously.
Guess I just have to rely on my colleagues to tell me if something is not working. Yes, I have enabled default logging since I don't think I captured everything I need to allow yet. Will disable that now.
Thanks for the quick help.
-
It is interesting that it's from localhost