Blocked packets even if rules allow traffic?
  • Hi all,
    my pfSense box performs port forwarding on a network card in order to redirect traffic on the SMTP and POP ports to a mail server behind it. Moreover, some ports related to e-mail are forwarded to an anti-spam machine, so my rules are:

    
    rdr on re2 inet proto tcp from any to any port = ftp -> 127.0.0.1 port 8023
    rdr on re2 inet proto tcp from any to XX.XX.XX.138 port = http -> XX.XX.XX.140
    rdr on re2 inet proto tcp from any to XX.XX.XX.138 port = ssh -> XX.XX.XX.140
    rdr on re2 inet proto tcp from any to XX.XX.XX.138 port = pop3 -> XX.XX.XX.140
    rdr on re2 inet proto tcp from any to XX.XX.XX.138 port = 2525 -> XX.XX.XX.140
    rdr on re2 inet proto tcp from any to XX.XX.XX.138 port = 8080 -> XX.XX.XX.139
    rdr on re2 inet proto tcp from any to XX.XX.XX.138 port = smtp -> XX.XX.XX.139

    Moreover, I've set a simple rule that allows traffic from the subnet to the external world, and to allow POP3 and SMTP to my machines:

    
    pass in quick on re2 inet proto tcp from any to XX.XX.XX.136/29 port = pop3 flags S/SA keep state label "USER_RULE: POP Ingresso"
    pass in quick on re2 inet proto udp from any to XX.XX.XX.136/29 port = pop3 keep state label "USER_RULE: POP Ingresso"
    pass in quick on re2 inet proto tcp from any to XX.XX.XX.136/29 port = smtp flags S/SA keep state label "USER_RULE: SMTP Ingresso"
    pass in quick on re2 inet proto udp from any to XX.XX.XX.136/29 port = smtp keep state label "USER_RULE: SMTP Ingresso"
    pass in log quick on re2 inet from XX.XX.XX.136/29 to any flags S/SA keep state label "USER_RULE: Traffico in uscita"
    pass in quick on re2 proto tcp from any to <mailserver> port = http flags S/SA keep state label "USER_RULE: NAT Redirection per WebMail"
    pass in quick on re2 proto tcp from any to <mailserver> port = ssh flags S/SA keep state label "USER_RULE: NAT Accesso SSH verso il mailserver"
    pass in quick on re2 proto tcp from any to <mailserver> port = pop3 flags S/SA keep state label "USER_RULE: NAT Servizio per scaricare la posta (POP)"
    pass in quick on re2 proto tcp from any to <mailserver> port = 2525 flags S/SA keep state label "USER_RULE: NAT Invio di posta autenticato"
    pass in quick on re2 proto tcp from any to <antispam> port = 8080 flags S/SA keep state label "USER_RULE: NAT Accesso Web (Tomcat) al server antispam"
    pass in quick on re2 proto tcp from any to <antispam> port = smtp flags S/SA keep state label "USER_RULE: Posta consegnata tramite SMTP"
    

    However, sometimes in the logs I find packets dropped with the following log row:

    
    Jun 7 14:06:23  WANTEL  XX.XX.XX.139:36875  YY.123.184.5:25  TCP:R
    Jun 7 14:06:22  WANTEL  XX.XX.XX.139:35925  YY.129.90.46:25  TCP:R
    Jun 7 14:06:22  WANTEL  XX.XX.XX.139:42402  YY.115.64.5:25   TCP:A

    The reason for dropping these packets is the default deny rule, but I cannot understand why the firewall is dropping those packets, since I have a kind of pass-all rule from my network to anything on port 25. Maybe I'm missing something in the SMTP protocol.
    Any clue?
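As an added illustration (not from the thread or from pfSense itself), a small Python model of why a `pass ... flags S/SA keep state` rule does not cover every packet of a connection. The addresses, ports and packet sequence are constructed to mirror the first logged row above, and the model is deliberately simplified: states are torn down only on RST, with no timeouts or the real pf TCP state machine.

```python
from collections import namedtuple
Packet = namedtuple("Packet", "src sport dst dport flags")  # flags: pf letters as in the log, e.g. "S", "SA", "A", "R"

def flags_s_sa(flags: str) -> bool:
    """pf 'flags S/SA': of the flags S and A only S may be set, i.e. the initial SYN."""
    return "S" in flags and "A" not in flags

def in_slash29(addr: str, net: str) -> bool:
    """Same /29 as net; only the last octet is compared so the masked XX.XX.XX.* addresses work."""
    (ap, ao), (npfx, no) = addr.rsplit(".", 1), net.rsplit(".", 1)
    return ap == npfx and int(ao) // 8 == int(no) // 8

class PfModel:
    """Simplified stateful filter: the state table is checked before the ruleset, a
    'pass ... flags S/SA keep state' rule only ever matches the SYN, and a packet
    matching neither hits the implicit default deny and is logged."""
    def __init__(self):
        self.states, self.block_log = set(), []

    @staticmethod
    def _key(p):  # direction-independent state key
        return frozenset({(p.src, p.sport), (p.dst, p.dport)})

    def _rule_passes(self, p):
        # The post's outbound rule: from XX.XX.XX.136/29 to any flags S/SA keep state
        return in_slash29(p.src, "XX.XX.XX.136") and flags_s_sa(p.flags)

    def filter(self, p) -> str:
        k = self._key(p)
        if k in self.states:
            if "R" in p.flags:  # simplification: the state is dropped as soon as a RST is seen
                self.states.discard(k)
            return "pass:state"
        if self._rule_passes(p):
            self.states.add(k)
            return "pass:rule"
        self.block_log.append(f"{p.src}:{p.sport} {p.dst}:{p.dport} TCP:{p.flags}")
        return "block:default-deny"

def run_scenario():
    """Constructed exchange shaped like the first logged row in the post."""
    fw, me, relay = PfModel(), ("XX.XX.XX.139", 36875), ("YY.123.184.5", 25)
    pkts = [
        Packet(*me, *relay, "S"),   # SYN: matches the rule, state created
        Packet(*relay, *me, "SA"),  # SYN-ACK: matched by the state
        Packet(*me, *relay, "A"),   # ACK: matched by the state
        Packet(*relay, *me, "R"),   # relay resets: passes, but the state is removed
        Packet(*me, *relay, "R"),   # late RST on the same 4-tuple: no state, not a SYN
    ]
    return [fw.filter(p) for p in pkts], fw.block_log
```

The last packet ends up in `block_log` in the same shape as the TCP:R rows above: it arrives after the state is gone and, not being a SYN, cannot match the S/SA rule, so only the default deny is left to handle it.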
  • Thanks for the explanation.
    Could raising the state size reduce this noise, or does it not matter?
Locked