Blocked packet even if rules allow traffic?
-
Hi all,
my pfsense box performs port forwarding on a network card in order to redirect traffic on SMTP and POP ports to a mailserver behind it. Moreover, some ports related to e-mail are forwarded to an anti-spam machine, so that my rules are:

rdr on re2 inet proto tcp from any to any port = ftp -> 127.0.0.1 port 8023
rdr on re2 inet proto tcp from any to XX.XX.XX.138 port = http -> XX.XX.XX.140
rdr on re2 inet proto tcp from any to XX.XX.XX.138 port = ssh -> XX.XX.XX.140
rdr on re2 inet proto tcp from any to XX.XX.XX.138 port = pop3 -> XX.XX.XX.140
rdr on re2 inet proto tcp from any to XX.XX.XX.138 port = 2525 -> XX.XX.XX.140
rdr on re2 inet proto tcp from any to XX.XX.XX.138 port = 8080 -> XX.XX.XX.139
rdr on re2 inet proto tcp from any to XX.XX.XX.138 port = smtp -> XX.XX.XX.139
Moreover, I've set a simple rule that allows traffic from the subnet to the external world, and rules to allow POP3 and SMTP to my machines:
pass in quick on re2 inet proto tcp from any to XX.XX.XX.136/29 port = pop3 flags S/SA keep state label "USER_RULE: POP Ingresso"
pass in quick on re2 inet proto udp from any to XX.XX.XX.136/29 port = pop3 keep state label "USER_RULE: POP Ingresso"
pass in quick on re2 inet proto tcp from any to XX.XX.XX.136/29 port = smtp flags S/SA keep state label "USER_RULE: SMTP Ingresso"
pass in quick on re2 inet proto udp from any to XX.XX.XX.136/29 port = smtp keep state label "USER_RULE: SMTP Ingresso"
pass in log quick on re2 inet from XX.XX.XX.136/29 to any flags S/SA keep state label "USER_RULE: Traffico in uscita"
pass in quick on re2 proto tcp from any to <mailserver> port = http flags S/SA keep state label "USER_RULE: NAT Redirection per WebMail"
pass in quick on re2 proto tcp from any to <mailserver> port = ssh flags S/SA keep state label "USER_RULE: NAT Accesso SSH verso il mailserver"
pass in quick on re2 proto tcp from any to <mailserver> port = pop3 flags S/SA keep state label "USER_RULE: NAT Servizio per scaricare la posta (POP)"
pass in quick on re2 proto tcp from any to <mailserver> port = 2525 flags S/SA keep state label "USER_RULE: NAT Invio di posta autenticato"
pass in quick on re2 proto tcp from any to <antispam> port = 8080 flags S/SA keep state label "USER_RULE: NAT Accesso Web (Tomcat) al server antispam"
pass in quick on re2 proto tcp from any to <antispam> port = smtp flags S/SA keep state label "USER_RULE: Posta consegnata tramite SMTP"
However, sometimes in the logs I find packets dropped with the following log rows:
Jun 7 14:06:23 WANTEL XX.XX.XX.139:36875 YY.123.184.5:25 TCP:R
Jun 7 14:06:22 WANTEL XX.XX.XX.139:35925 YY.129.90.46:25 TCP:R
Jun 7 14:06:22 WANTEL XX.XX.XX.139:42402 YY.115.64.5:25 TCP:A
The reason for dropping these packets is the default deny rule, but I cannot understand why the firewall is dropping those packets, since I have a kind of pass-all rule from my network to anything on port 25. Maybe I'm missing something in the SMTP protocol.
Any clue?
-
Probably this:
http://doc.pfsense.org/index.php/Logs_show_%22blocked%22_for_traffic_from_a_legitimate_connection,_why%3F
-
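As an added illustration (not code from the thread or from pfSense), here is a small triage script for the log format shown in the first post. It separates blocked SYN packets, which the ruleset genuinely refused, from blocked ACK/RST packets that had no matching state, which is the kind of noise the linked doc describes: the outbound pass rule uses `flags S/SA keep state`, so a stray ACK or RST arriving after its state entry is gone falls through to the default deny. The sample log lines and addresses are constructed, not taken from the thread.

```python
"""Classify pfSense 'block' log entries by TCP flags.

Expected line shape (as in the thread):
    Jun 7 14:06:23 WANTEL XX.XX.XX.139:36875 YY.123.184.5:25 TCP:R
A blocked packet carrying SYN is a new-connection attempt the rules
refused. A blocked ACK/RST/FIN without SYN is usually a packet that
arrived after its state entry expired or the connection was already
torn down, so the stateful pass rule no longer matches it.
"""
import re
from collections import Counter

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<iface>\S+) "
    r"(?P<src>\S+):(?P<sport>\d+) (?P<dst>\S+):(?P<dport>\d+) "
    r"(?P<proto>\w+)(?::(?P<flags>\w+))?$"
)

# Constructed sample (RFC 5737 addresses), mirroring the three entries
# from the thread plus one real SYN deny and one UDP drop.
SAMPLE_LOG = [
    "Jun 7 14:06:23 WANTEL 192.0.2.139:36875 198.51.100.5:25 TCP:R",
    "Jun 7 14:06:22 WANTEL 192.0.2.139:35925 198.51.100.46:25 TCP:R",
    "Jun 7 14:06:22 WANTEL 192.0.2.139:42402 198.51.100.64:25 TCP:A",
    "Jun 7 14:07:01 WANTEL 203.0.113.9:51000 192.0.2.138:23 TCP:S",
    "Jun 7 14:07:05 WANTEL 203.0.113.9:51001 192.0.2.138:161 UDP",
]

def parse_line(line):
    """Return a dict of fields, or None if the line is not a log entry."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    entry["sport"] = int(entry["sport"])
    entry["dport"] = int(entry["dport"])
    entry["flags"] = entry["flags"] or ""
    return entry

def classify(entry):
    """SYN present -> real deny; no SYN -> out-of-state noise."""
    if entry["proto"] != "TCP":
        return "non-tcp"
    return "new-connection-denied" if "S" in entry["flags"] else "out-of-state"

def triage(lines):
    """Count entries per category so the real denies stand out."""
    counts = Counter()
    for line in lines:
        entry = parse_line(line)
        counts["unparsed" if entry is None else classify(entry)] += 1
    return counts
```

Only the `new-connection-denied` bucket deserves a look at the ruleset; the `out-of-state` bucket is the behaviour the linked doc explains.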
Thanks for the explanation.
Could raising the state size reduce this noise, or does it not matter?