    TCP:FA & TCP:RA Blocks from VPN Provider address

      4o4rh
      last edited by 4o4rh

      My log is full of blocks from the internal address of my VPN provider (expressvpn) per the two samples below.

      10.118.x.x:8090 10.118.x.x:10735 TCP:FA
      10.118.x.x:8090 10.118.x.x:25582 TCP:RA
      10.118.x.x:8090 10.118.0.238:11544 TCP:A

      Do these need to pass? If so, how do I get them to pass?

        4o4rh
        last edited by

        No one knows what this is?

          MoonKnight @4o4rh
          last edited by

          @gwaitsi said in TCP:FA & TCP:RA Blocks from VPN Provider address:

          no one knows what this is?

          They represent the TCP flags, indeed. RFC 793, 3.1:

          Control Bits: 6 bits (from left to right):
          
              URG: Urgent Pointer field significant
              ACK: Acknowledgment field significant
              PSH: Push Function
              RST: Reset the connection
              SYN: Synchronize sequence numbers
              FIN: No more data from sender
          

          And additions:

          NS: ECN-nonce - concealment protection. RFC 3540
          CWR: Congestion window reduced. RFC 3168
          ECE: ECN-Echo. RFC 3168
          

          From this we can deduce:

          TCP:RA = RST, ACK
          TCP:FA = FIN, ACK
          TCP:PA = PSH, ACK
          TCP:S = SYN
          TCP:SEC = SYN, ECE, CWR
          

          --- 24.11 ---
          Intel(R) Xeon(R) CPU D-1518 @ 2.20GHz
          Kingston DDR4 2666MHz 16GB ECC
          2 x HyperX Fury SSD 120GB (ZFS-mirror)
          2 x Intel i210 (ports)
          4 x Intel i350 (ports)

            kiokoman LAYER 8
            last edited by kiokoman

            If reply traffic such as TCP:A, TCP:SA, or TCP:RA is shown as blocked in the logs, the problem could be asymmetric routing, or they are packets arriving after the firewall has removed the connection state.
            https://docs.netgate.com/pfsense/en/latest/troubleshooting/log-filter-blocked.html#troubleshooting-blocked-log-entries-for-legitimate-connection-packets

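As an added example (not code from this thread, from pfSense or from Netgate), a small Python helper that expands the flag letters explained above into their RFC names and applies the rule of thumb from this reply: a blocked packet carrying ACK but no SYN belongs to a connection the firewall no longer has a state for. The log entries are constructed in the same "src:port dst:port TCP:flags" shape as the original post; addresses are placeholders.

```python
import re

# Flag letters as pfSense prints them, mapped to the RFC 793 / 3168 / 3540 names.
FLAG_LETTERS = {
    "F": "FIN", "S": "SYN", "R": "RST", "P": "PSH",
    "A": "ACK", "U": "URG", "E": "ECE", "C": "CWR", "N": "NS",
}

# Constructed sample entries (placeholder addresses, not taken from any real log).
SAMPLE_ENTRIES = [
    "10.118.0.1:8090 10.118.0.238:10735 TCP:FA",
    "10.118.0.1:8090 10.118.0.238:25582 TCP:RA",
    "10.118.0.1:8090 10.118.0.238:11544 TCP:A",
    "203.0.113.7:51234 10.118.0.238:443 TCP:S",
]

ENTRY_RE = re.compile(r"^(\S+):(\d+)\s+(\S+):(\d+)\s+TCP:([A-Z]+)$")


def expand_flags(abbrev):
    """Expand an abbreviation such as 'FA' into ['FIN', 'ACK']."""
    names = []
    for letter in abbrev:
        if letter not in FLAG_LETTERS:
            raise ValueError(f"unknown TCP flag letter {letter!r} in {abbrev!r}")
        names.append(FLAG_LETTERS[letter])
    return names


def classify(flags):
    """A bare SYN is a new connection attempt; anything with ACK (A, FA, RA, SA)
    is reply traffic for a connection whose state the firewall no longer holds."""
    if "SYN" in flags and "ACK" not in flags:
        return "new-connection"
    if "ACK" in flags:
        return "reply-no-state"
    return "other"


def parse_entries(lines):
    """Parse log lines into dicts with expanded flags and a classification."""
    results = []
    for line in lines:
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue  # skip lines that are not in the expected shape
        src, sport, dst, dport, abbrev = m.groups()
        flags = expand_flags(abbrev)
        results.append({"src": src, "dst": dst, "dport": int(dport),
                        "flags": flags, "kind": classify(flags)})
    return results
```

Entries classified as reply-no-state are the ones the linked Netgate article describes; they are not a sign that a pass rule is missing.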

              bingo600 @kiokoman
              last edited by bingo600

              @kiokoman said in TCP:FA & TCP:RA Blocks from VPN Provider address:

              If reply traffic such as TCP:A, TCP:SA, or TCP:RA is shown as blocked in the logs, the problem could be asymmetric routing, or they are packets arriving after the firewall has removed the connection state.
              https://docs.netgate.com/pfsense/en/latest/troubleshooting/log-filter-blocked.html#troubleshooting-blocked-log-entries-for-legitimate-connection-packets

              +1 for "removed connection states"

              I see lots of, i.e., TCP-443 RA or FA (to misc. web addresses) on my pfSense. They happen when I open the lid on my laptop and wake it up.
              All the Amazon-AWS & Google sh.. stuff tries to resume, but the states have timed out on the pfSense a loooong time ago.

              /Bingo


              pfSense+ 23.05.1 (ZFS)

              QOTOM-Q355G4 Quad Lan.
              CPU  : Core i5 5250U, Ram : 8GB Kingston DDR3LV 1600
              LAN  : 4 x Intel 211, Disk  : 240G SAMSUNG MZ7L3240HCHQ SSD
