Reusing TCP ports



  • Hi,
    setup:
    Cisco ---> LAN pfs1 1.2.3 WAN ----> OPTx pfs2 1.2 OPTy ----->
    For some reason, sometimes the Cisco (not managed by me) sends SYN packets with a source:destination IP/port combination already present in the pf active connections table (there is a state for this combination).
    pfs1 passes these packets through; pfs2 drops them without any notification in the logs.
    Question please:

    1. What would be the correct behavior?
    2. How can I make pfs2 pass these packets without upgrading to 1.2.3?
    3. Is it 100% certain that the upgrade will fix this?

    Thanks,
    Evgeny.


  • Rebel Alliance Developer Netgate

    A SYN packet should create a new state, it shouldn't be blocked as long as it matches a pass rule, regardless of whether or not a state currently exists.

    You could try adjusting the firewall optimization settings on the 1.2.3 box to be more aggressive in the removal of states, and/or adjust the 1.2 box to be conservative.



  • @jimp:

    A SYN packet should create a new state, it shouldn't be blocked as long as it matches a pass rule, regardless of whether or not a state currently exists.

    How do you see it? If the state exists, how do you create a new one with the same IPs/ports? Two exactly identical states in the state table?


  • Rebel Alliance Developer Netgate

    It should re-use the existing state when there is one, or create a new one if one doesn't exist.

    I was talking about on the second firewall, you said it was being dropped there. A packet with TCP SYN wouldn't be dropped. A state would be created for it in that case, as long as it hit a pass rule and not a block rule. Either way it should be logged if the rule is set to log.

    Have you checked with tcpdump to see if that traffic is actually making it to the second firewall?



  • Yes, the weird thing is I saw the packets coming in to pfSense and not coming out of the other interface. It was happening only to these particular SYN packets with duplicated (already existing) states.
    I'll try to double-check, but it seems the remote side has fixed the issue.
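To make the tcpdump check concrete, here is an added helper (not code from the thread or from pfSense) that compares SYN captures taken on the ingress and egress interfaces of the second firewall and reports the 4-tuples that arrive but never leave, plus any 4-tuple that sends more than one SYN (the reused source port described above). The capture lines, interface names and addresses are constructed for illustration; it assumes no NAT between the two interfaces, otherwise compare post-NAT tuples.

```python
import re
from collections import Counter

# Matches IPv4 TCP lines as printed by:
#   tcpdump -n -i <if> 'tcp[tcpflags] & tcp-syn != 0'
# (assumed invocation; run one capture per interface and paste the output)
SYN_RE = re.compile(
    r"IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+): Flags \[([^\]]*)\]"
)

def syn_tuples(capture_text):
    """Count pure SYN packets per (src, sport, dst, dport); 'S.' (SYN-ACK) is skipped."""
    counts = Counter()
    for line in capture_text.splitlines():
        m = SYN_RE.search(line)
        if not m:
            continue
        src, sport, dst, dport, flags = m.groups()
        if flags != "S":
            continue
        counts[(src, int(sport), dst, int(dport))] += 1
    return counts

def missing_on_egress(ingress_text, egress_text):
    """4-tuples whose SYNs were seen entering the box more often than leaving it."""
    ing, eg = syn_tuples(ingress_text), syn_tuples(egress_text)
    return {k: n - eg.get(k, 0) for k, n in ing.items() if n > eg.get(k, 0)}

def repeated_syns(capture_text):
    """4-tuples that sent more than one SYN, i.e. a source port reused while a state exists."""
    return {k: n for k, n in syn_tuples(capture_text).items() if n > 1}

# Constructed sample captures: WAN-side ingress and OPT-side egress of pfs2.
INGRESS = """\
12:00:01.000100 IP 10.1.0.5.40001 > 10.2.0.9.443: Flags [S], seq 1000, win 65535, length 0
12:00:01.000900 IP 10.2.0.9.443 > 10.1.0.5.40001: Flags [S.], seq 500, ack 1001, win 65535, length 0
12:00:02.000100 IP 10.1.0.7.40002 > 10.2.0.9.22: Flags [S], seq 2000, win 65535, length 0
12:00:09.000100 IP 10.1.0.5.40001 > 10.2.0.9.443: Flags [S], seq 3000, win 65535, length 0
"""
EGRESS = """\
12:00:01.000300 IP 10.1.0.5.40001 > 10.2.0.9.443: Flags [S], seq 1000, win 65535, length 0
12:00:02.000300 IP 10.1.0.7.40002 > 10.2.0.9.22: Flags [S], seq 2000, win 65535, length 0
"""

if __name__ == "__main__":
    print("dropped:", missing_on_egress(INGRESS, EGRESS))
    print("repeated:", repeated_syns(INGRESS))
```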

