Inbound/outbound connections showing up in filter log, but not actually blocked
-
Hi everyone,
I just finished setting up a new pfSense router and getting everything tuned the way I like it, but one thing I can't fix is a large amount of logs showing blocked connections. It's driving me absolute bonkers. I don't believe this is related to asymmetric routing as I have only one gateway interface, and it's definitely not caused by packets being sent via a second connection such as 3G/4G because these devices are either hardwired into the network over CAT 5 runs (in the case of my VLAN 1 and VLAN 99 connections) or connected via WiFi and don't have any other form of connection (in the case of my VLAN 10 connections). What's even more confusing is why, despite having no rules that block outbound traffic (ie from the gateway address itself) there are entries in the filter log with my WAN address being blocked.
My network topology is relatively simple: my cable modem connects via a Cat 5 cable to the pfSense box, which in turn connects via two LAGG'd SFP+ cables to a 24 port SFP+ switch. From this switch, also connected via two LAGG'd SFP+ cables, I have a downstream switch. Off of the downstream switch, I have all of the devices plugged in either directly (Cat 5 / Cat 6) or indirectly via a UniFi access point. I can create a mockup in Paint if that helps, but I hope my description above is clear.
For all blocks, the trigger information (received by clicking the X on the firewall logs, as well as checking /var/log/filter.log itself) is:
(for my WAN IP block) @6(1000000104) block drop out log inet all label "Default deny rule IPv4"
(for the other blocks) @5(1000000103) block drop in log inet all label "Default deny rule IPv4"I find it problematic because (from how I understand it) by default pfSense maintains the state table and allows traffic for related communications (i.e. reply traffic to already-initiated outbound connections) but it's not allowing this related traffic for some connections. I've tried manually opening tabs and streaming video and whatnot and I can't duplicate it manually... Perhaps another brain smarter than I could point me into the right direction to troubleshoot this further.
Thank you for your time!
Here's a screenshot of what I'm seeing in the filter log:
And screenshots of the relevant firewall rules pages:
WAN
VLAN 1 - LAN
VLAN 10 - IOT
VLAN 99 - MGMT
-
What TCP flags are shown on the Firewall logs page for those entries?
It's probably just expired states.
https://docs.netgate.com/pfsense/en/latest/firewall/troubleshooting-blocked-log-entries-for-legitimate-connection-packets.htmlSteve
-
Hi Stephen,
The flags appear to be exclusively "DF". There's a couple non-DF flags in there but it isn't related (I'm actively blocking that).
[2.4.4-RELEASE][admin@pf01.redacted.domain]/root: clog -f /var/log/filter.log | grep block | grep 443 Apr 19 08:53:19 pf01 filterlog: 5,,,1000000103,lagg0.1,match,block,in,4,0x0,,64,36185,0,DF,6,tcp,75,192.168.1.105,172.217.6.10,51924,443,23,FPA,1660390495:1660390518,319963016,702,,nop;nop;TS Apr 19 08:53:22 pf01 filterlog: 5,,,1000000103,lagg0.1,match,block,in,4,0x0,,64,55399,0,DF,6,tcp,75,192.168.1.105,172.217.8.202,59276,443,23,FPA,3546562290:3546562313,921644773,735,,nop;nop;TS Apr 19 08:53:22 pf01 filterlog: 5,,,1000000103,lagg0.1,match,block,in,4,0x0,,64,47747,0,DF,6,tcp,75,192.168.1.105,172.217.6.10,43716,443,23,FPA,4109370859:4109370882,2373014404,818,,nop;nop;TS Apr 19 08:53:39 pf01 filterlog: 5,,,1000000103,lagg0.1,match,block,in,4,0x0,,64,37505,0,DF,6,tcp,52,192.168.1.105,172.217.8.202,52567,443,0,FA,4038883282,1423088366,796,,nop;nop;TS Apr 19 08:53:42 pf01 filterlog: 5,,,1000000103,lagg0.1,match,block,in,4,0x0,,64,42645,0,DF,6,tcp,52,192.168.1.105,172.217.6.106,38989,443,0,FA,1929687408,3927036186,840,,nop;nop;TS Apr 19 08:53:47 pf01 filterlog: 5,,,1000000103,lagg0.1,match,block,in,4,0x0,,64,23947,0,DF,6,tcp,52,192.168.1.105,172.217.8.202,58256,443,0,FA,322221783,1669205594,710,,nop;nop;TS Apr 19 08:57:50 pf01 filterlog: 5,,,1000000103,lagg0.1,match,block,in,4,0x0,,128,1571,0,DF,6,tcp,40,192.168.1.107,162.125.3.7,52176,443,0,RA,3272999766,2290590407,0,, Apr 19 08:59:58 pf01 filterlog: 5,,,1000000103,lagg0.1,match,block,in,4,0x0,,128,12629,0,DF,6,tcp,40,192.168.1.107,162.125.33.7,52649,443,0,RA,3230952164,3333389677,0,, Apr 19 09:04:53 pf01 filterlog: 5,,,1000000103,lagg0.99,match,block,in,4,0x0,,64,26759,0,DF,6,tcp,71,192.168.99.10,184.29.92.39,46546,443,31,PA,3093251152:3093251183,3507680837,221,, Apr 19 09:04:53 pf01 filterlog: 5,,,1000000103,lagg0.99,match,block,in,4,0x0,,64,26760,0,DF,6,tcp,40,192.168.99.10,184.29.92.39,46546,443,0,RA,3093251183,3507680837,221,, Apr 19 09:06:22 pf01 filterlog: 5,,,1000000103,lagg0.1,match,block,in,4,0x0,,64,62259,0,DF,6,tcp,93,192.168.1.112,52.94.229.76,44528,443,53,PA,2188942642:2188942695,4150483591,1552,, Apr 19 09:06:22 pf01 filterlog: 5,,,1000000103,lagg0.1,match,block,in,4,0x0,,64,62260,0,DF,6,tcp,40,192.168.1.112,52.94.229.76,44528,443,0,FA,2188942695,4150483591,1552,, Apr 19 09:06:22 pf01 filterlog: 5,,,1000000103,lagg0.1,match,block,in,4,0x0,,64,62261,0,DF,6,tcp,40,192.168.1.112,52.94.229.76,44528,443,0,FA,2188942695,4150483591,1552,, Apr 19 09:06:22 pf01 filterlog: 5,,,1000000103,lagg0.1,match,block,in,4,0x0,,64,62262,0,DF,6,tcp,93,192.168.1.112,52.94.229.76,44528,443,53,FPA,2188942642:2188942695,4150483591,1552,, Apr 19 09:06:23 pf01 filterlog: 5,,,1000000103,lagg0.1,match,block,in,4,0x0,,64,62263,0,DF,6,tcp,93,192.168.1.112,52.94.229.76,44528,443,53,FPA,2188942642:2188942695,4150483591,1552,, Apr 19 09:06:23 pf01 filterlog: 5,,,1000000103,lagg0.1,match,block,in,4,0x0,,64,62264,0,DF,6,tcp,93,192.168.1.112,52.94.229.76,44528,443,53,FPA,2188942642:2188942695,4150483591,1552,, Apr 19 09:06:25 pf01 filterlog: 5,,,1000000103,lagg0.1,match,block,in,4,0x0,,64,62265,0,DF,6,tcp,93,192.168.1.112,52.94.229.76,44528,443,53,FPA,2188942642:2188942695,4150483591,1552,, Apr 19 09:06:29 pf01 filterlog: 5,,,1000000103,lagg0.1,match,block,in,4,0x0,,64,62266,0,DF,6,tcp,93,192.168.1.112,52.94.229.76,44528,443,53,FPA,2188942642:2188942695,4150483591,1552,, Apr 19 09:06:38 pf01 filterlog: 5,,,1000000103,lagg0.1,match,block,in,4,0x0,,64,62267,0,DF,6,tcp,93,192.168.1.112,52.94.229.76,44528,443,53,FPA,2188942642:2188942695,4150483591,1552,, Apr 19 09:06:53 pf01 filterlog: 5,,,1000000103,lagg0.1,match,block,in,4,0x0,,64,62268,0,DF,6,tcp,93,192.168.1.112,52.94.229.76,44528,443,53,FPA,2188942642:2188942695,4150483591,1552,, Apr 19 09:07:24 pf01 filterlog: 5,,,1000000103,lagg0.1,match,block,in,4,0x0,,64,62269,0,DF,6,tcp,93,192.168.1.112,52.94.229.76,44528,443,53,FPA,2188942642:2188942695,4150483591,1552,, Apr 19 09:09:19 pf01 filterlog: 5,,,1000000103,lagg0.1,match,block,in,4,0x0,,128,12671,0,DF,6,tcp,40,192.168.1.145,162.125.8.3,18645,443,0,RA,3199088398,1095563371,0,, Apr 19 09:10:33 pf01 filterlog: 5,,,1000000103,lagg0.1,match,block,in,4,0x0,,64,42160,0,DF,6,tcp,93,192.168.1.108,52.46.129.41,50203,443,53,PA,168436197:168436250,3516227041,1597,, Apr 19 09:10:33 pf01 filterlog: 5,,,1000000103,lagg0.1,match,block,in,4,0x0,,64,42161,0,DF,6,tcp,40,192.168.1.108,52.46.129.41,50203,443,0,RA,168436250,3516227041,1597,, Apr 19 09:10:35 pf01 filterlog: 5,,,1000000103,lagg0.1,match,block,in,4,0x0,,128,10382,0,DF,6,tcp,40,192.168.1.145,162.125.34.137,18657,443,0,RA,2693918466,1045638687,0,, Apr 19 09:11:22 pf01 filterlog: 5,,,1000000103,lagg0.1,match,block,in,4,0x0,,64,65185,0,DF,6,tcp,93,192.168.1.112,52.46.129.41,34728,443,53,PA,3216995097:3216995150,1899603044,1552,, Apr 19 09:11:22 pf01 filterlog: 5,,,1000000103,lagg0.1,match,block,in,4,0x0,,64,65186,0,DF,6,tcp,40,192.168.1.112,52.46.129.41,34728,443,0,RA,3216995150,1899603044,1552,, Apr 19 09:20:35 pf01 filterlog: 5,,,1000000103,lagg0.1,match,block,in,4,0x0,,128,5,0,DF,6,tcp,40,192.168.1.145,54.156.212.69,18617,443,0,FA,712943747,3052209911,252,, Apr 19 09:20:36 pf01 filterlog: 5,,,1000000103,lagg0.1,match,block,in,4,0x0,,128,6,0,DF,6,tcp,40,192.168.1.145,54.156.212.69,18617,443,0,FA,712943747,3052209911,252,, Apr 19 09:20:36 pf01 filterlog: 5,,,1000000103,lagg0.1,match,block,in,4,0x0,,128,7,0,DF,6,tcp,40,192.168.1.145,54.156.212.69,18617,443,0,FA,712943747,3052209911,252,, Apr 19 09:20:37 pf01 filterlog: 5,,,1000000103,lagg0.1,match,block,in,4,0x0,,128,8,0,DF,6,tcp,40,192.168.1.145,54.156.212.69,18617,443,0,FA,712943747,3052209911,252,, Apr 19 09:20:40 pf01 filterlog: 5,,,1000000103,lagg0.1,match,block,in,4,0x0,,128,9,0,DF,6,tcp,40,192.168.1.145,54.156.212.69,18617,443,0,FA,712943747,3052209911,252,, Apr 19 09:20:44 pf01 filterlog: 5,,,1000000103,lagg0.1,match,block,in,4,0x0,,128,10,0,DF,6,tcp,40,192.168.1.145,54.156.212.69,18617,443,0,FA,712943747,3052209911,252,, Apr 19 09:20:54 pf01 filterlog: 5,,,1000000103,lagg0.1,match,block,in,4,0x0,,128,11,0,DF,6,tcp,40,192.168.1.145,54.156.212.69,18617,443,0,RA,712943748,3052209911,0,, Apr 19 09:26:25 pf01 filterlog: 5,,,1000000103,lagg0.1,match,block,in,4,0x0,,128,12691,0,DF,6,tcp,40,192.168.1.145,162.125.8.3,18677,443,0,RA,2477374283,779340964,0,, Apr 19 09:32:52 pf01 filterlog: 5,,,1000000103,lagg0.1,match,block,in,4,0x0,,128,1924,0,DF,6,tcp,40,192.168.1.145,162.125.8.7,18646,443,0,RA,1728625244,2193897445,0,, Apr 19 09:38:36 pf01 filterlog: 5,,,1000000103,lagg0.1,match,block,in,4,0x0,,128,16149,0,DF,6,tcp,40,192.168.1.149,77.234.44.63,52286,443,0,RA,3415216431,1032829101,0,, Apr 19 09:44:13 pf01 filterlog: 5,,,1000000103,lagg0.1,match,block,in,4,0x0,,128,2146,0,DF,6,tcp,40,192.168.1.107,162.125.3.3,52974,443,0,RA,2249920473,302419058,0,, Apr 19 09:44:57 pf01 filterlog: 5,,,1000000103,lagg0.1,match,block,in,4,0x0,,128,992,0,DF,6,tcp,40,192.168.1.107,162.125.34.6,52984,443,0,RA,335855209,3459061176,0,, Apr 19 09:48:17 pf01 filterlog: 5,,,1000000103,lagg0.1,match,block,in,4,0x0,,128,25965,0,DF,6,tcp,40,192.168.1.107,54.210.107.85,52681,443,0,FA,3568112539,980436427,252,, Apr 19 09:48:18 pf01 filterlog: 5,,,1000000103,lagg0.1,match,block,in,4,0x0,,128,25966,0,DF,6,tcp,40,192.168.1.107,54.210.107.85,52681,443,0,FA,3568112539,980436427,252,, Apr 19 09:48:18 pf01 filterlog: 5,,,1000000103,lagg0.1,match,block,in,4,0x0,,128,25967,0,DF,6,tcp,40,192.168.1.107,54.210.107.85,52681,443,0,FA,3568112539,980436427,252,, Apr 19 09:48:19 pf01 filterlog: 5,,,1000000103,lagg0.1,match,block,in,4,0x0,,128,25968,0,DF,6,tcp,40,192.168.1.107,54.210.107.85,52681,443,0,FA,3568112539,980436427,252,, Apr 19 09:48:22 pf01 filterlog: 5,,,1000000103,lagg0.1,match,block,in,4,0x0,,128,25969,0,DF,6,tcp,40,192.168.1.107,54.210.107.85,52681,443,0,FA,3568112539,980436427,252,, Apr 19 09:48:28 pf01 filterlog: 5,,,1000000103,lagg0.1,match,block,in,4,0x0,,128,25970,0,DF,6,tcp,40,192.168.1.107,54.210.107.85,52681,443,0,FA,3568112539,980436427,252,, Apr 19 09:48:37 pf01 filterlog: 5,,,1000000103,lagg0.1,match,block,in,4,0x0,,128,25971,0,DF,6,tcp,40,192.168.1.107,54.210.107.85,52681,443,0,RA,3568112540,980436427,0,, Apr 19 09:55:39 pf01 filterlog: 5,,,1000000103,lagg0.1,match,block,in,4,0x0,,64,63848,0,DF,6,tcp,75,192.168.1.105,172.217.8.170,44923,443,23,PA,3546009566:3546009589,3115884803,773,,nop;nop;TS Apr 19 09:55:39 pf01 filterlog: 5,,,1000000103,lagg0.1,match,block,in,4,0x0,,64,63849,0,DF,6,tcp,52,192.168.1.105,172.217.8.170,44923,443,0,FA,3546009589,3115884803,773,,nop;nop;TS Apr 19 09:55:39 pf01 filterlog: 5,,,1000000103,lagg0.1,match,block,in,4,0x0,,64,63850,0,DF,6,tcp,75,192.168.1.105,172.217.8.170,44923,443,23,FPA,3546009566:3546009589,3115884803,773,,nop;nop;TS Apr 19 09:55:39 pf01 filterlog: 5,,,1000000103,lagg0.1,match,block,in,4,0x0,,64,1257,0,DF,6,tcp,75,192.168.1.105,172.217.4.202,41734,443,23,PA,3547025071:3547025094,3632276228,796,,nop;nop;TS Apr 19 09:55:39 pf01 filterlog: 5,,,1000000103,lagg0.1,match,block,in,4,0x0,,64,1258,0,DF,6,tcp,52,192.168.1.105,172.217.4.202,41734,443,0,FA,3547025094,3632276228,796,,nop;nop;TS Apr 19 09:55:40 pf01 filterlog: 5,,,1000000103,lagg0.1,match,block,in,4,0x0,,64,1259,0,DF,6,tcp,75,192.168.1.105,172.217.4.202,41734,443,23,FPA,3547025071:3547025094,3632276228,796,,nop;nop;TS Apr 19 09:55:40 pf01 filterlog: 5,,,1000000103,lagg0.1,match,block,in,4,0x0,,64,63851,0,DF,6,tcp,75,192.168.1.105,172.217.8.170,44923,443,23,FPA,3546009566:3546009589,3115884803,773,,nop;nop;TS Apr 19 09:55:40 pf01 filterlog: 5,,,1000000103,lagg0.1,match,block,in,4,0x0,,64,1260,0,DF,6,tcp,75,192.168.1.105,172.217.4.202,41734,443,23,FPA,3547025071:3547025094,3632276228,796,,nop;nop;TS Apr 19 09:55:41 pf01 filterlog: 5,,,1000000103,lagg0.1,match,block,in,4,0x0,,64,63852,0,DF,6,tcp,75,192.168.1.105,172.217.8.170,44923,443,23,FPA,3546009566:3546009589,3115884803,773,,nop;nop;TS Apr 19 09:55:41 pf01 filterlog: 5,,,1000000103,lagg0.1,match,block,in,4,0x0,,64,1261,0,DF,6,tcp,75,192.168.1.105,172.217.4.202,41734,443,23,FPA,3547025071:3547025094,3632276228,796,,nop;nop;TS Apr 19 09:57:38 pf01 filterlog: 5,,,1000000103,lagg0.1,match,block,in,4,0x0,,64,63853,0,DF,6,tcp,75,192.168.1.105,172.217.8.170,44923,443,23,FPA,3546009566:3546009589,3115884803,773,,nop;nop;TS Apr 19 09:57:39 pf01 filterlog: 5,,,1000000103,lagg0.1,match,block,in,4,0x0,,64,1262,0,DF,6,tcp,75,192.168.1.105,172.217.4.202,41734,443,23,FPA,3547025071:3547025094,3632276228,796,,nop;nop;TS Apr 19 09:59:40 pf01 filterlog: 5,,,1000000103,lagg0.1,match,block,in,4,0x0,,64,63854,0,DF,6,tcp,75,192.168.1.105,172.217.8.170,44923,443,23,FPA,3546009566:3546009589,3115884803,773,,nop;nop;TS Apr 19 09:59:41 pf01 filterlog: 5,,,1000000103,lagg0.1,match,block,in,4,0x0,,64,1263,0,DF,6,tcp,75,192.168.1.105,172.217.4.202,41734,443,23,FPA,3547025071:3547025094,3632276228,796,,nop;nop;TS Apr 19 09:59:42 pf01 filterlog: 5,,,1000000103,lagg0.1,match,block,in,4,0x0,,64,58931,0,DF,6,tcp,93,192.168.1.112,52.46.133.39,60832,443,53,PA,3616234412:3616234465,3689093043,1552,, Apr 19 09:59:42 pf01 filterlog: 5,,,1000000103,lagg0.1,match,block,in,4,0x0,,64,58932,0,DF,6,tcp,40,192.168.1.112,52.46.133.39,60832,443,0,RA,3616234465,3689093043,1552,, Apr 19 09:59:51 pf01 filterlog: 5,,,1000000103,lagg0.1,match,block,in,4,0x0,,64,39730,0,DF,6,tcp,52,192.168.1.147,172.217.0.10,37854,443,0,FA,1661163801,3190386071,8652,,nop;nop;TS Apr 19 09:59:51 pf01 filterlog: 5,,,1000000103,lagg0.1,match,block,in,4,0x0,,64,39731,0,DF,6,tcp,52,192.168.1.147,172.217.0.10,37854,443,0,FA,1661163801,3190386071,8652,,nop;nop;TS Apr 19 09:59:52 pf01 filterlog: 5,,,1000000103,lagg0.1,match,block,in,4,0x0,,64,39732,0,DF,6,tcp,52,192.168.1.147,172.217.0.10,37854,443,0,FA,1661163801,3190386071,8652,,nop;nop;TS Apr 19 09:59:53 pf01 filterlog: 5,,,1000000103,lagg0.1,match,block,in,4,0x0,,64,39733,0,DF,6,tcp,52,192.168.1.147,172.217.0.10,37854,443,0,FA,1661163801,3190386071,8652,,nop;nop;TS Apr 19 09:59:55 pf01 filterlog: 5,,,1000000103,lagg0.1,match,block,in,4,0x0,,64,39734,0,DF,6,tcp,52,192.168.1.147,172.217.0.10,37854,443,0,FA,1661163801,3190386071,8652,,nop;nop;TS Apr 19 09:59:58 pf01 filterlog: 5,,,1000000103,lagg0.1,match,block,in,4,0x0,,64,18794,0,DF,6,tcp,521,192.168.1.147,172.217.4.196,39876,443,469,PA,514241952:514242421,3736383970,7204,,nop;nop;TS Apr 19 09:59:58 pf01 filterlog: 5,,,1000000103,lagg0.1,match,block,in,4,0x0,,64,18795,0,DF,6,tcp,89,192.168.1.147,172.217.4.196,39876,443,37,PA,514242421:514242458,3736383970,7204,,nop;nop;TS Apr 19 09:59:58 pf01 filterlog: 5,,,1000000103,lagg0.1,match,block,in,4,0x0,,64,18796,0,DF,6,tcp,52,192.168.1.147,172.217.4.196,39876,443,0,FA,514242458,3736383970,7204,,nop;nop;TS Apr 19 09:59:58 pf01 filterlog: 5,,,1000000103,lagg0.1,match,block,in,4,0x0,,64,18797,0,DF,6,tcp,558,192.168.1.147,172.217.4.196,39876,443,506,FPA,514241952:514242458,3736383970,7204,,nop;nop;TS Apr 19 09:59:58 pf01 filterlog: 5,,,1000000103,lagg0.1,match,block,in,4,0x0,,64,18798,0,DF,6,tcp,558,192.168.1.147,172.217.4.196,39876,443,506,FPA,514241952:514242458,3736383970,7204,,nop;nop;TS Apr 19 09:59:58 pf01 filterlog: 5,,,1000000103,lagg0.1,match,block,in,4,0x0,,64,39735,0,DF,6,tcp,52,192.168.1.147,172.217.0.10,37854,443,0,FA,1661163801,3190386071,8652,,nop;nop;TS Apr 19 09:59:59 pf01 filterlog: 5,,,1000000103,lagg0.1,match,block,in,4,0x0,,64,18799,0,DF,6,tcp,558,192.168.1.147,172.217.4.196,39876,443,506,FPA,514241952:514242458,3736383970,7204,,nop;nop;TS Apr 19 10:00:01 pf01 filterlog: 5,,,1000000103,lagg0.1,match,block,in,4,0x0,,64,18800,0,DF,6,tcp,558,192.168.1.147,172.217.4.196,39876,443,506,FPA,514241952:514242458,3736383970,7204,,nop;nop;TS Apr 19 10:00:05 pf01 filterlog: 5,,,1000000103,lagg0.1,match,block,in,4,0x0,,64,18801,0,DF,6,tcp,558,192.168.1.147,172.217.4.196,39876,443,506,FPA,514241952:514242458,3736383970,7204,,nop;nop;TS Apr 19 10:00:07 pf01 filterlog: 5,,,1000000103,lagg0.1,match,block,in,4,0x0,,64,39736,0,DF,6,tcp,52,192.168.1.147,172.217.0.10,37854,443,0,FA,1661163801,3190386071,8652,,nop;nop;TS Apr 19 10:00:13 pf01 filterlog: 5,,,1000000103,lagg0.1,match,block,in,4,0x0,,64,18802,0,DF,6,tcp,558,192.168.1.147,172.217.4.196,39876,443,506,FPA,514241952:514242458,3736383970,7204,,nop;nop;TS Apr 19 10:00:22 pf01 filterlog: 5,,,1000000103,lagg0.1,match,block,in,4,0x0,,64,39737,0,DF,6,tcp,52,192.168.1.147,172.217.0.10,37854,443,0,FA,1661163801,3190386071,8652,,nop;nop;TS Apr 19 10:00:27 pf01 filterlog: 5,,,1000000103,lagg0.1,match,block,in,4,0x0,,64,18803,0,DF,6,tcp,558,192.168.1.147,172.217.4.196,39876,443,506,FPA,514241952:514242458,3736383970,7204,,nop;nop;TS Apr 19 10:00:53 pf01 filterlog: 5,,,1000000103,lagg0.1,match,block,in,4,0x0,,64,39738,0,DF,6,tcp,52,192.168.1.147,172.217.0.10,37854,443,0,FA,1661163801,3190386071,8652,,nop;nop;TS Apr 19 10:00:57 pf01 filterlog: 5,,,1000000103,lagg0.1,match,block,in,4,0x0,,64,18804,0,DF,6,tcp,558,192.168.1.147,172.217.4.196,39876,443,506,FPA,514241952:514242458,3736383970,7204,,nop;nop;TS Apr 19 10:02:26 pf01 filterlog: 5,,,1000000103,lagg0.1,match,block,in,4,0x0,,64,63855,0,DF,6,tcp,75,192.168.1.105,172.217.8.170,44923,443,23,FPA,3546009566:3546009589,3115884803,773,,nop;nop;TS Apr 19 10:04:24 pf01 filterlog: 5,,,1000000103,lagg0.1,match,block,in,4,0x0,,128,2164,0,DF,6,tcp,40,192.168.1.107,162.125.3.3,53149,443,0,RA,4066275935,4006723141,0,, Apr 19 10:04:26 pf01 filterlog: 5,,,1000000103,lagg0.1,match,block,in,4,0x0,,128,1581,0,DF,6,tcp,40,192.168.1.107,162.125.3.7,52842,443,0,RA,3017880439,1720826631,0,, Apr 19 10:04:53 pf01 filterlog: 5,,,1000000103,lagg0.99,match,block,in,4,0x0,,64,38262,0,DF,6,tcp,71,192.168.99.10,23.62.24.162,38698,443,31,PA,2499579118:2499579149,4185481698,234,, Apr 19 10:04:53 pf01 filterlog: 5,,,1000000103,lagg0.99,match,block,in,4,0x0,,64,38263,0,DF,6,tcp,40,192.168.99.10,23.62.24.162,38698,443,0,RA,2499579149,4185481698,234,, Apr 19 10:04:59 pf01 filterlog: 5,,,1000000103,lagg0.1,match,block,in,4,0x0,,128,12723,0,DF,6,tcp,40,192.168.1.145,162.125.8.3,18721,443,0,RA,3817398293,3349674056,0,, Apr 19 10:05:33 pf01 filterlog: 5,,,1000000103,lagg0.1,match,block,in,4,0x0,,64,9330,0,DF,6,tcp,93,192.168.1.108,52.94.229.215,57060,443,53,PA,1115663033:1115663086,2842682937,1597,, Apr 19 10:05:33 pf01 filterlog: 5,,,1000000103,lagg0.1,match,block,in,4,0x0,,64,9331,0,DF,6,tcp,40,192.168.1.108,52.94.229.215,57060,443,0,RA,1115663086,2842682937,1597,, Apr 19 10:07:30 pf01 filterlog: 5,,,1000000103,lagg0.1,match,block,in,4,0x0,,128,3860,0,DF,6,tcp,40,192.168.1.145,162.125.33.7,18724,443,0,RA,1254807070,1219719183,0,, Apr 19 10:10:24 pf01 filterlog: 69,,,11000,lagg0.1,match,block,in,6,0x00,0x896ba,1,UDP,17,664,fe80::f460:f9a1:4fd1:efac,ff02::c,53443,3702,664 Apr 19 10:10:24 pf01 filterlog: 69,,,11000,lagg0.1,match,block,in,6,0x00,0x896ba,1,UDP,17,664,fe80::f460:f9a1:4fd1:efac,ff02::c,53443,3702,664 Apr 19 10:10:24 pf01 filterlog: 69,,,11000,lagg0.1,match,block,in,6,0x00,0x896ba,1,UDP,17,664,fe80::f460:f9a1:4fd1:efac,ff02::c,53443,3702,664 Apr 19 10:10:25 pf01 filterlog: 69,,,11000,lagg0.1,match,block,in,6,0x00,0x896ba,1,UDP,17,664,fe80::f460:f9a1:4fd1:efac,ff02::c,53443,3702,664 Apr 19 10:10:27 pf01 filterlog: 69,,,11000,lagg0.1,match,block,in,6,0x00,0x896ba,1,UDP,17,664,fe80::f460:f9a1:4fd1:efac,ff02::c,53443,3702,664 Apr 19 10:10:29 pf01 filterlog: 69,,,11000,lagg0.1,match,block,in,6,0x00,0x896ba,1,UDP,17,664,fe80::f460:f9a1:4fd1:efac,ff02::c,53443,3702,664 Apr 19 10:10:32 pf01 filterlog: 69,,,11000,lagg0.1,match,block,in,6,0x00,0x896ba,1,UDP,17,664,fe80::f460:f9a1:4fd1:efac,ff02::c,53443,3702,664 Apr 19 10:10:40 pf01 filterlog: 5,,,1000000103,lagg0.1,match,block,in,4,0x0,,64,1264,0,DF,6,tcp,75,192.168.1.105,172.217.4.202,41734,443,23,FPA,3547025071:3547025094,3632276228,796,,nop;nop;TS Apr 19 10:14:04 pf01 filterlog: 5,,,1000000103,lagg0.1,match,block,in,4,0x0,,64,63856,0,DF,6,tcp,75,192.168.1.105,172.217.8.170,44923,443,23,FPA,3546009566:3546009589,3115884803,773,,nop;nop;TS Apr 19 10:14:07 pf01 filterlog: 5,,,1000000103,lagg0.1,match,block,in,4,0x0,,64,1265,0,DF,6,tcp,75,192.168.1.105,172.217.4.202,41734,443,23,FPA,3547025071:3547025094,3632276228,796,,nop;nop;TS Apr 19 10:20:35 pf01 filterlog: 5,,,1000000103,lagg0.1,match,block,in,4,0x0,,128,7360,0,DF,6,tcp,40,192.168.1.145,35.169.45.146,18703,443,0,FA,3081865100,2640464857,254,, Apr 19 10:20:35 pf01 filterlog: 5,,,1000000103,lagg0.1,match,block,in,4,0x0,,128,7361,0,DF,6,tcp,40,192.168.1.145,35.169.45.146,18703,443,0,FA,3081865100,2640464857,254,, Apr 19 10:20:36 pf01 filterlog: 5,,,1000000103,lagg0.1,match,block,in,4,0x0,,128,7362,0,DF,6,tcp,40,192.168.1.145,35.169.45.146,18703,443,0,FA,3081865100,2640464857,254,, Apr 19 10:20:37 pf01 filterlog: 5,,,1000000103,lagg0.1,match,block,in,4,0x0,,128,7363,0,DF,6,tcp,40,192.168.1.145,35.169.45.146,18703,443,0,FA,3081865100,2640464857,254,, Apr 19 10:20:39 pf01 filterlog: 5,,,1000000103,lagg0.1,match,block,in,4,0x0,,128,7364,0,DF,6,tcp,40,192.168.1.145,35.169.45.146,18703,443,0,FA,3081865100,2640464857,254,, Apr 19 10:20:44 pf01 filterlog: 5,,,1000000103,lagg0.1,match,block,in,4,0x0,,128,7365,0,DF,6,tcp,40,192.168.1.145,35.169.45.146,18703,443,0,FA,3081865100,2640464857,254,, Apr 19 10:20:54 pf01 filterlog: 5,,,1000000103,lagg0.1,match,block,in,4,0x0,,128,7366,0,DF,6,tcp,40,192.168.1.145,35.169.45.146,18703,443,0,RA,3081865101,2640464857,0,, Apr 19 10:26:02 pf01 filterlog: 5,,,1000000103,lagg0.1,match,block,in,4,0x0,,64,34180,0,DF,6,tcp,93,192.168.1.109,54.239.31.37,35495,443,53,PA,861729608:861729661,375903338,1597,, Apr 19 10:26:02 pf01 filterlog: 5,,,1000000103,lagg0.1,match,block,in,4,0x0,,64,34181,0,DF,6,tcp,40,192.168.1.109,54.239.31.37,35495,443,0,RA,861729661,375903338,1597,, Apr 19 10:36:16 pf01 filterlog: 5,,,1000000103,lagg0.1,match,block,in,4,0x0,,128,10405,0,DF,6,tcp,40,192.168.1.145,162.125.34.137,18771,443,0,RA,2798735422,4277157062,0,, Apr 19 10:36:32 pf01 filterlog: 5,,,1000000103,lagg0.1,match,block,in,4,0x0,,64,29543,0,DF,6,tcp,93,192.168.1.108,52.94.232.206,44628,443,53,PA,2958637773:2958637826,3498376073,1597,, Apr 19 10:36:32 pf01 filterlog: 5,,,1000000103,lagg0.1,match,block,in,4,0x0,,64,29544,0,DF,6,tcp,40,192.168.1.108,52.94.232.206,44628,443,0,RA,2958637826,3498376073,1597,, Apr 19 10:42:24 pf01 filterlog: 5,,,1000000103,lagg0.1,match,block,in,4,0x0,,64,35512,0,DF,6,tcp,52,192.168.1.105,13.249.142.94,59027,443,0,RA,1420825652,3392895766,843,,nop;nop;TS Apr 19 10:44:28 pf01 filterlog: 5,,,1000000103,lagg0.1,match,block,in,4,0x0,,64,63857,0,DF,6,tcp,75,192.168.1.105,172.217.8.170,44923,443,23,FPA,3546009566:3546009589,3115884803,773,,nop;nop;TS Apr 19 10:44:33 pf01 filterlog: 5,,,1000000103,lagg0.1,match,block,in,4,0x0,,64,1266,0,DF,6,tcp,75,192.168.1.105,172.217.4.202,41734,443,23,FPA,3547025071:3547025094,3632276228,796,,nop;nop;TS Apr 19 10:44:46 pf01 filterlog: 5,,,1000000103,lagg0.1,match,block,in,4,0x0,,128,12753,0,DF,6,tcp,40,192.168.1.145,162.125.8.3,18756,443,0,RA,1323600127,2677356883,0,, Apr 19 10:44:48 pf01 filterlog: 5,,,1000000103,lagg0.1,match,block,in,4,0x0,,128,1934,0,DF,6,tcp,40,192.168.1.145,162.125.8.7,18722,443,0,RA,1245209191,406705642,0,, Apr 19 10:45:41 pf01 filterlog: 5,,,1000000103,lagg0.1,match,block,in,4,0x0,,64,24212,0,DF,6,tcp,71,192.168.1.109,52.46.129.109,53474,443,31,PA,3491819339:3491819370,1745286678,1557,, Apr 19 10:45:41 pf01 filterlog: 5,,,1000000103,lagg0.1,match,block,in,4,0x0,,64,24213,0,DF,6,tcp,40,192.168.1.109,52.46.129.109,53474,443,0,RA,3491819370,1745286678,1557,, Apr 19 10:45:41 pf01 filterlog: 5,,,1000000103,lagg0.1,match,block,in,4,0x0,,64,17224,0,DF,6,tcp,71,192.168.1.109,52.119.164.214,56888,443,31,PA,719015433:719015464,1044144075,1643,, Apr 19 10:45:41 pf01 filterlog: 5,,,1000000103,lagg0.1,match,block,in,4,0x0,,64,17225,0,DF,6,tcp,40,192.168.1.109,52.119.164.214,56888,443,0,RA,719015464,1044144075,1643,, Apr 19 10:45:41 pf01 filterlog: 5,,,1000000103,lagg0.1,match,block,in,4,0x0,,64,22262,0,DF,6,tcp,93,192.168.1.109,52.46.156.47,49010,443,53,PA,178326054:178326107,1863589565,1597,, Apr 19 10:45:41 pf01 filterlog: 5,,,1000000103,lagg0.1,match,block,in,4,0x0,,64,22263,0,DF,6,tcp,40,192.168.1.109,52.46.156.47,49010,443,0,RA,178326107,1863589565,1597,, Apr 19 10:48:04 pf01 filterlog: 5,,,1000000103,lagg0.1,match,block,in,4,0x0,,64,59255,0,DF,6,tcp,93,192.168.1.112,54.239.25.214,56924,443,53,PA,2562878128:2562878181,3160832254,1552,, Apr 19 10:48:04 pf01 filterlog: 5,,,1000000103,lagg0.1,match,block,in,4,0x0,,64,59256,0,DF,6,tcp,40,192.168.1.112,54.239.25.214,56924,443,0,RA,2562878181,3160832254,1552,, Apr 19 10:48:18 pf01 filterlog: 5,,,1000000103,lagg0.1,match,block,in,4,0x0,,128,10391,0,DF,6,tcp,40,192.168.1.107,34.192.34.151,53520,443,0,FA,3627494868,1394828315,254,, Apr 19 10:48:18 pf01 filterlog: 5,,,1000000103,lagg0.1,match,block,in,4,0x0,,128,10392,0,DF,6,tcp,40,192.168.1.107,34.192.34.151,53520,443,0,FA,3627494868,1394828315,254,, Apr 19 10:48:18 pf01 filterlog: 5,,,1000000103,lagg0.1,match,block,in,4,0x0,,128,10393,0,DF,6,tcp,40,192.168.1.107,34.192.34.151,53520,443,0,FA,3627494868,1394828315,254,, Apr 19 10:48:20 pf01 filterlog: 5,,,1000000103,lagg0.1,match,block,in,4,0x0,,128,10394,0,DF,6,tcp,40,192.168.1.107,34.192.34.151,53520,443,0,FA,3627494868,1394828315,254,, Apr 19 10:48:22 pf01 filterlog: 5,,,1000000103,lagg0.1,match,block,in,4,0x0,,128,10395,0,DF,6,tcp,40,192.168.1.107,34.192.34.151,53520,443,0,FA,3627494868,1394828315,254,, Apr 19 10:48:28 pf01 filterlog: 5,,,1000000103,lagg0.1,match,block,in,4,0x0,,128,10396,0,DF,6,tcp,40,192.168.1.107,34.192.34.151,53520,443,0,FA,3627494868,1394828315,254,, Apr 19 10:48:37 pf01 filterlog: 5,,,1000000103,lagg0.1,match,block,in,4,0x0,,128,10397,0,DF,6,tcp,40,192.168.1.107,34.192.34.151,53520,443,0,RA,3627494869,1394828315,0,, Apr 19 10:54:07 pf01 filterlog: 5,,,1000000103,lagg0.1,match,block,in,4,0x0,,128,3881,0,DF,6,tcp,40,192.168.1.145,162.125.33.7,18790,443,0,RA,2993563747,2310357220,0,, Apr 19 11:02:59 pf01 filterlog: 5,,,1000000103,lagg0.1,match,block,in,4,0x0,,64,47416,0,DF,6,tcp,40,192.168.1.108,52.94.229.76,32797,443,0,RA,2326041478,1002070612,1597,, Apr 19 11:04:53 pf01 filterlog: 5,,,1000000103,lagg0.99,match,block,in,4,0x0,,64,60994,0,DF,6,tcp,71,192.168.99.10,184.27.220.38,54540,443,31,PA,2099522859:2099522890,2558016647,234,, Apr 19 11:04:53 pf01 filterlog: 5,,,1000000103,lagg0.99,match,block,in,4,0x0,,64,60995,0,DF,6,tcp,40,192.168.99.10,184.27.220.38,54540,443,0,RA,2099522890,2558016647,234,, Apr 19 11:06:25 pf01 filterlog: 5,,,1000000103,lagg0.1,match,block,in,4,0x0,,64,43909,0,DF,6,tcp,93,192.168.1.112,52.46.156.47,34150,443,53,PA,243620888:243620941,2380431208,1552,, Apr 19 11:06:25 pf01 filterlog: 5,,,1000000103,lagg0.1,match,block,in,4,0x0,,64,43910,0,DF,6,tcp,40,192.168.1.112,52.46.156.47,34150,443,0,FA,243620941,2380431208,1552,, Apr 19 11:06:25 pf01 filterlog: 5,,,1000000103,lagg0.1,match,block,in,4,0x0,,64,43911,0,DF,6,tcp,40,192.168.1.112,52.46.156.47,34150,443,0,FA,243620941,2380431208,1552,, Apr 19 11:06:25 pf01 filterlog: 5,,,1000000103,lagg0.1,match,block,in,4,0x0,,64,43912,0,DF,6,tcp,93,192.168.1.112,52.46.156.47,34150,443,53,FPA,243620888:243620941,2380431208,1552,, Apr 19 11:06:26 pf01 filterlog: 5,,,1000000103,lagg0.1,match,block,in,4,0x0,,64,43913,0,DF,6,tcp,93,192.168.1.112,52.46.156.47,34150,443,53,FPA,243620888:243620941,2380431208,1552,, Apr 19 11:06:27 pf01 filterlog: 5,,,1000000103,lagg0.1,match,block,in,4,0x0,,64,43914,0,DF,6,tcp,93,192.168.1.112,52.46.156.47,34150,443,53,FPA,243620888:243620941,2380431208,1552,, Apr 19 11:06:29 pf01 filterlog: 5,,,1000000103,lagg0.1,match,block,in,4,0x0,,64,43915,0,DF,6,tcp,93,192.168.1.112,52.46.156.47,34150,443,53,FPA,243620888:243620941,2380431208,1552,, Apr 19 11:06:33 pf01 filterlog: 5,,,1000000103,lagg0.1,match,block,in,4,0x0,,64,43916,0,DF,6,tcp,93,192.168.1.112,52.46.156.47,34150,443,53,FPA,243620888:243620941,2380431208,1552,, Apr 19 11:06:41 pf01 filterlog: 5,,,1000000103,lagg0.1,match,block,in,4,0x0,,64,43917,0,DF,6,tcp,93,192.168.1.112,52.46.156.47,34150,443,53,FPA,243620888:243620941,2380431208,1552,, Apr 19 11:06:55 pf01 filterlog: 5,,,1000000103,lagg0.1,match,block,in,4,0x0,,128,13235,0,DF,6,tcp,40,192.168.1.107,162.125.3.3,53498,443,0,RA,471382548,898156486,0,, Apr 19 11:06:56 pf01 filterlog: 5,,,1000000103,lagg0.1,match,block,in,4,0x0,,64,43918,0,DF,6,tcp,93,192.168.1.112,52.46.156.47,34150,443,53,FPA,243620888:243620941,2380431208,1552,, Apr 19 11:07:27 pf01 filterlog: 5,,,1000000103,lagg0.1,match,block,in,4,0x0,,64,43919,0,DF,6,tcp,93,192.168.1.112,52.46.156.47,34150,443,53,FPA,243620888:243620941,2380431208,1552,, Apr 19 11:11:40 pf01 filterlog: 5,,,1000000103,lagg0.1,match,block,in,4,0x0,,64,17614,0,DF,6,tcp,52,192.168.1.105,52.20.100.104,49892,443,0,RA,987888288,1718967918,843,,nop;nop;TS Apr 19 11:11:40 pf01 filterlog: 5,,,1000000103,lagg0.1,match,block,in,4,0x0,,64,7829,0,DF,6,tcp,52,192.168.1.105,13.249.142.94,57838,443,0,RA,625460532,3650676301,843,,nop;nop;TS Apr 19 11:12:27 pf01 filterlog: 5,,,1000000103,lagg0.1,match,block,in,4,0x0,,64,43499,0,DF,6,tcp,75,192.168.1.105,172.217.4.42,38958,443,23,PA,380412386:380412409,2033415441,840,,nop;nop;TS Apr 19 11:12:27 pf01 filterlog: 5,,,1000000103,lagg0.1,match,block,in,4,0x0,,64,24432,0,DF,6,tcp,75,192.168.1.105,172.217.4.202,42524,443,23,PA,2286843029:2286843052,1141848893,702,,nop;nop;TS Apr 19 11:12:27 pf01 filterlog: 5,,,1000000103,lagg0.1,match,block,in,4,0x0,,64,24433,0,DF,6,tcp,52,192.168.1.105,172.217.4.202,42524,443,0,FA,2286843052,1141848893,702,,nop;nop;TS Apr 19 11:12:27 pf01 filterlog: 5,,,1000000103,lagg0.1,match,block,in,4,0x0,,64,24434,0,DF,6,tcp,75,192.168.1.105,172.217.4.202,42524,443,23,FPA,2286843029:2286843052,1141848893,702,,nop;nop;TS Apr 19 11:12:27 pf01 filterlog: 5,,,1000000103,lagg0.1,match,block,in,4,0x0,,64,43500,0,DF,6,tcp,75,192.168.1.105,172.217.4.42,38958,443,23,PA,380412386:380412409,2033415441,840,,nop;nop;TS Apr 19 11:12:27 pf01 filterlog: 5,,,1000000103,lagg0.1,match,block,in,4,0x0,,64,19633,0,DF,6,tcp,75,192.168.1.105,172.217.0.10,38202,443,23,PA,599470979:599471002,3588342700,796,,nop;nop;TS Apr 19 11:12:27 pf01 filterlog: 5,,,1000000103,lagg0.1,match,block,in,4,0x0,,64,19634,0,DF,6,tcp,52,192.168.1.105,172.217.0.10,38202,443,0,FA,599471002,3588342700,796,,nop;nop;TS Apr 19 11:12:27 pf01 filterlog: 5,,,1000000103,lagg0.1,match,block,in,4,0x0,,64,24435,0,DF,6,tcp,75,192.168.1.105,172.217.4.202,42524,443,23,FPA,2286843029:2286843052,1141848893,702,,nop;nop;TS Apr 19 11:12:27 pf01 filterlog: 5,,,1000000103,lagg0.1,match,block,in,4,0x0,,64,43501,0,DF,6,tcp,75,192.168.1.105,172.217.4.42,38958,443,23,PA,380412386:380412409,2033415441,840,,nop;nop;TS Apr 19 11:12:28 pf01 filterlog: 5,,,1000000103,lagg0.1,match,block,in,4,0x0,,64,19635,0,DF,6,tcp,75,192.168.1.105,172.217.0.10,38202,443,23,FPA,599470979:599471002,3588342700,796,,nop;nop;TS Apr 19 11:12:28 pf01 filterlog: 5,,,1000000103,lagg0.1,match,block,in,4,0x0,,64,19636,0,DF,6,tcp,75,192.168.1.105,172.217.0.10,38202,443,23,FPA,599470979:599471002,3588342700,796,,nop;nop;TS Apr 19 11:12:28 pf01 filterlog: 5,,,1000000103,lagg0.1,match,block,in,4,0x0,,64,24436,0,DF,6,tcp,75,192.168.1.105,172.217.4.202,42524,443,23,FPA,2286843029:2286843052,1141848893,702,,nop;nop;TS Apr 19 11:12:28 pf01 filterlog: 5,,,1000000103,lagg0.1,match,block,in,4,0x0,,64,43502,0,DF,6,tcp,75,192.168.1.105,172.217.4.42,38958,443,23,PA,380412386:380412409,2033415441,840,,nop;nop;TS Apr 19 11:12:29 pf01 filterlog: 5,,,1000000103,lagg0.1,match,block,in,4,0x0,,64,19637,0,DF,6,tcp,75,192.168.1.105,172.217.0.10,38202,443,23,FPA,599470979:599471002,3588342700,796,,nop;nop;TS Apr 19 11:12:30 pf01 filterlog: 5,,,1000000103,lagg0.1,match,block,in,4,0x0,,64,24437,0,DF,6,tcp,75,192.168.1.105,172.217.4.202,42524,443,23,FPA,2286843029:2286843052,1141848893,702,,nop;nop;TS Apr 19 11:12:30 pf01 filterlog: 5,,,1000000103,lagg0.1,match,block,in,4,0x0,,64,43503,0,DF,6,tcp,75,192.168.1.105,172.217.4.42,38958,443,23,PA,380412386:380412409,2033415441,840,,nop;nop;TS Apr 19 11:12:31 pf01 filterlog: 5,,,1000000103,lagg0.1,match,block,in,4,0x0,,64,19638,0,DF,6,tcp,75,192.168.1.105,172.217.0.10,38202,443,23,FPA,599470979:599471002,3588342700,796,,nop;nop;TS Apr 19 11:12:33 pf01 filterlog: 5,,,1000000103,lagg0.1,match,block,in,4,0x0,,64,24438,0,DF,6,tcp,75,192.168.1.105,172.217.4.202,42524,443,23,FPA,2286843029:2286843052,1141848893,702,,nop;nop;TS Apr 19 11:12:34 pf01 filterlog: 5,,,1000000103,lagg0.1,match,block,in,4,0x0,,64,43504,0,DF,6,tcp,75,192.168.1.105,172.217.4.42,38958,443,23,PA,380412386:380412409,2033415441,840,,nop;nop;TS Apr 19 11:12:34 pf01 filterlog: 5,,,1000000103,lagg0.1,match,block,in,4,0x0,,64,19639,0,DF,6,tcp,75,192.168.1.105,172.217.0.10,38202,443,23,FPA,599470979:599471002,3588342700,796,,nop;nop;TS Apr 19 11:12:40 pf01 filterlog: 5,,,1000000103,lagg0.1,match,block,in,4,0x0,,64,24439,0,DF,6,tcp,75,192.168.1.105,172.217.4.202,42524,443,23,FPA,2286843029:2286843052,1141848893,702,,nop;nop;TS Apr 19 11:14:26 pf01 filterlog: 5,,,1000000103,lagg0.1,match,block,in,4,0x0,,64,43505,0,DF,6,tcp,75,192.168.1.105,172.217.4.42,38958,443,23,PA,380412386:380412409,2033415441,840,,nop;nop;TS Apr 19 11:14:27 pf01 filterlog: 5,,,1000000103,lagg0.1,match,block,in,4,0x0,,64,19640,0,DF,6,tcp,75,192.168.1.105,172.217.0.10,38202,443,23,FPA,599470979:599471002,3588342700,796,,nop;nop;TS Apr 19 11:14:41 pf01 filterlog: 5,,,1000000103,lagg0.1,match,block,in,4,0x0,,64,24440,0,DF,6,tcp,75,192.168.1.105,172.217.4.202,42524,443,23,FPA,2286843029:2286843052,1141848893,702,,nop;nop;TS Apr 19 11:14:42 pf01 filterlog: 5,,,1000000103,lagg0.1,match,block,in,4,0x0,,64,43506,0,DF,6,tcp,75,192.168.1.105,172.217.4.42,38958,443,23,PA,380412386:380412409,2033415441,840,,nop;nop;TS Apr 19 11:14:42 pf01 filterlog: 5,,,1000000103,lagg0.1,match,block,in,4,0x0,,64,19641,0,DF,6,tcp,75,192.168.1.105,172.217.0.10,38202,443,23,FPA,599470979:599471002,3588342700,796,,nop;nop;TS Apr 19 11:15:08 pf01 filterlog: 5,,,1000000103,lagg0.1,match,block,in,4,0x0,,64,24441,0,DF,6,tcp,75,192.168.1.105,172.217.4.202,42524,443,23,FPA,2286843029:2286843052,1141848893,702,,nop;nop;TS Apr 19 11:15:10 pf01 filterlog: 5,,,1000000103,lagg0.1,match,block,in,4,0x0,,64,43507,0,DF,6,tcp,75,192.168.1.105,172.217.4.42,38958,443,23,PA,380412386:380412409,2033415441,840,,nop;nop;TS Apr 19 11:15:11 pf01 filterlog: 5,,,1000000103,lagg0.1,match,block,in,4,0x0,,64,19642,0,DF,6,tcp,75,192.168.1.105,172.217.0.10,38202,443,23,FPA,599470979:599471002,3588342700,796,,nop;nop;TS
-
Apologies, the TCP flags appear to be FA, RA, or FPA. I called out the IPv4 flags above.
Here's a breakdown I did of one of the log entries:
Apr 19 08:53:19 pf01 filterlog: 5,,,1000000103,lagg0.1,match,block,in,4,0x0,,64,36185,0,DF,6,tcp,75,192.168.1.105,172.217.6.10,51924,443,23,FPA,1660390495:1660390518,319963016,702,,nop;nop;TS # Common fields rule number: 5 sub rule number: anchor: tracker: 1000000103 real interface: lagg0.1 reason for entry: match action taken: block direction: in ip version: 4 # IPv4 fields tos: 0x0 ecn: ttl: 64 di: 36185 offset: 0 flags: DF protocol id: 6 protocol text: tcp # IPv4 or IPv6 length: 75 source ip: 192.168.1.105 destination ip: 172.217.6.10 # For TCP and UDP on IPv4 or IPv6 source port: 51924 destination port: 443 data length: 23 # TCP Only tcp flags: FPA sequence number: 1660390495:1660390518 ack: 319963016 window: 702 urg: options: nop;nop;TS
FPA would be FIN+PSH+ACK. From what I gather, it looks like either out-of-state traffic or asymmetric routing but this is all traffic going out from LAN to WAN, there's only a single route out, and even after either clearing my states table or leaving it going for days and rebooting the client device or pfSense, the logs keep coming in.
-
Yes, that is all traffic blocked because the state has closed. The internal client is replying to a FIN or RESET but after the firewall has closed the state.
Those are not causing an issue but you could try increasing the state timeout lengths to prevent it. First try setting the 'Firewall Optimization Options' to Conservative in System > Advanced > Firewall&NAT.If that is some odd application running on the internal client it may just be behaving oddly, replying waaay outside the accepted norms for timing. If so it might be more harmful to increase the timeouts sufficiently to pass those.
You could also add a pass rule with sloppy states and the relevant TCP flags set if it is that concerning.It is probably just a cosmetic issue.
Steve
-
@stephenw10 Thanks, it's more just to suppress the noise in the firewall logs, as I didn't believe it was anything of security concern. As it's happening on multiple clients ranging from Windows 10 computers and Android phones to Google Chromecast devices, I think it's not bound to an application behaving oddly. I've changed the firewall setting as recommended and will give it some time to reflect the change and see how things are from there. Failing that, I'll consider adding a firewall rules to effectively suppress the noise.
-
Out of curiosity why are you blocking bogon on your internal interfaces? In what scenario would there be bogon on your own networks... And even if there was how would they ever be allowed since default is deny, and your rules should be set to only allow the "net" or downstream networks that use that interface.
Lots of such blocks can also be a sign of duplicated traffic.. I would sniff on pfsense interface where your seeing such blocks to see if your seeing lots of duplication..
If client sends say close more than once, and the firewall closes the state on the first copy, then the 2nd would be blocked because the state has been closed.
If you notice lot of those look to be duplicate
Apr 19 09:20:36 pf01 filterlog: 5,,,1000000103,lagg0.1,match,block,in,4,0x0,,128,6,0,DF,6,tcp,40,192.168.1.145,54.156.212.69,18617,443,0,FA,712943747,3052209911,252,, Apr 19 09:20:36 pf01 filterlog: 5,,,1000000103,lagg0.1,match,block,in,4,0x0,,128,7,0,DF,6,tcp,40,192.168.1.145,54.156.212.69,18617,443,0,FA,712943747,3052209911,252,, Apr 19 09:20:37 pf01 filterlog: 5,,,1000000103,lagg0.1,match,block,in,4,0x0,,128,8,0,DF,6,tcp,40,192.168.1.145,54.156.212.69,18617,443,0,FA,712943747,3052209911,252,, Apr 19 09:20:40 pf01 filterlog: 5,,,1000000103,lagg0.1,match,block,in,4,0x0,,128,9,0,DF,6,tcp,40,192.168.1.145,54.156.212.69,18617,443,0,FA,712943747,3052209911,252,, Apr 19 09:20:44 pf01 filterlog: 5,,,1000000103,lagg0.1,match,block,in,4,0x0,,128,10,0,DF,6,tcp,40,192.168.1.145,54.156.212.69,18617,443,0,FA,712943747,3052209911,252,,
Those are all same IP and source and dest ports..
So clients sends FA, no response.. Retran, Retran - nothing, So he finally sends R
Apr 19 09:20:54 pf01 filterlog: 5,,,1000000103,lagg0.1,match,block,in,4,0x0,,128,11,0,DF,6,tcp,40,192.168.1.145,54.156.212.69,18617,443,0,RA,712943748,3052209911,0,,
You would really need to be sniffing at client and server here to understand what is going... Why did the client never see the answer? Did the server send it? Did it not get to the client lost in transit somewhere, etc.
To be honest if your seeing loads of these, I wouldn't just blow it off and not log it - but look deeper to WHY... it could be pointing to a flaw somewhere in your connectivity.. These are always to outside IPs? Is your pfsense behind a NAT to the internet? etc. etc..
In a normal close you would see this..
Might help if you could track specific connections while you sniffing and watching your state table on pfsense to see how the states move through their "states" fin_wait, fin_wait2
Also is there anything that could be resetting your states on pfsense - this could cause floods of such traffic!!
-
Out of curiosity why are you blocking bogon on your internal interfaces?
You make an excellent point. I have always operated with the "if someone plugs a device in and tries to manually set their IP address to something they shouldn't be using" mindset, but my firewall rules are tight enough that it's a non-issue. I've addressed this.
Regarding my initial issue -- So a (not) funny thing happened today, and I still can't explain the end result. I had originally installed pfSense on a Sandisk Cruzer Fit USB drive, which ran fine for the past month. Coming home, I found pfSense in a loop trying to write data (errors along the lines of CAM status: Auto-Sense Retrieval Failed populating the screen); in short, the drive was toast. I always make it a habit to back up the configuration file after pfSense is pretty much squared away, so restoring wasn't terribly difficult. This time, to an SSD. After the installation finished and I imported the backed-up configuration file and got everything back the way it was, I'm now seeing a drastic reduction in FIN/ACK and RST/ACK packets; the issue is virtually nonexistent.
Here's an updated screenshot with a couple quality of life modifications: (CSS blurred WAN IP/hostname, TCP flags next to block/pass icon, 50 line limit instead of 20, reversed order of filter log):
What remains seems to come in short bursts, exactly like you mentioned. Here's another example of one of those bursts where there's several sequential FIN/ACK blocks:
You would really need to be sniffing at client and server here to understand what is going...
I may run a packet trace to see if I can isolate the problem on one of our Android phones, but doing that from the client side will prove all but impossible for some of the devices (namely an Echo Dot and a Roku stick, both of which don't have any ability to run a packet capture themselves). I did noticed though that the connections that are being logged all seem to be to Amazon (from the Echo Dot) or Dropbox (from the Roku stick); this makes me wonder if there's just some weirdness in one of their internal apps. As stephenw10 mentioned,
If that is some odd application running on the internal client it may just be behaving oddly, replying waaay outside the accepted norms for timing.
I appreciate your pointers and the advice you've given. As such, I think it's safe to considered this resolved. I'll tackle the remainder on the sidelines, now that it's (for an unknown reason) a much more manageable volume to deal with.
Thank you both for your help.
-
Well you don't actually have to sniff on the client... Sniffing on lan side and wan side should help you find the problem... You really want to capture a few full stream or conversations.
So you see the syn and syn,ack of the start all the data moving ack, ack ack, etc.. Then the close with fin,ack from both sides and acks..
its quite possible the echo send fin,ack - but amazon never sends back ack to that - so it causes a burst of noise like.. I don't log default block rule.. Unless I am troubleshooting something... I have 3 echo devices.. So I could turn on logging to see if notice any such burst of FA and RA being logged.
Do you have pfsense set to reset states on loss of wan? That could cause lots of bursts of this on little blip on your wan connection..
system, advanced, misc