Impossible block microsoft or akamai packet tcp:s

goofydxp

impossible to block this packet, there isn't the rule name that log this packet in system log.
The destination is windows domain always. Microsoft jump rule filter?
Can anybody give me information about this ? my version is 1.2.3
The first rule is passs from lan to any port 80-443 and log is enabled
second rule block from lan to any, but in one day i always find log as this.

Jun 17 05:27:45 LAN 10.10.20.57:1754 77.67.22.170:52525 TCP:S
  Jun 17 05:27:42 LAN 10.10.20.57:1753 77.67.22.170:50702 TCP:S
  Jun 17 05:27:38 LAN 10.10.20.57:1752 77.67.22.170:65118 TCP:S
  Jun 17 05:27:34 LAN 10.10.20.57:1751 77.67.22.170:63357 TCP:S
  Jun 17 05:27:29 LAN 10.10.20.57:1750 77.67.22.170:61751 TCP:S
  Jun 17 05:27:26 LAN 10.10.20.57:1749 77.67.22.170:60322 TCP:S

goofydxp

i insert also raw mode log, can anybody help me to undestand this raw mode?

Jun 17 13:42:38 pf: 965697 rule 77.543.287.0/0(match): pass in on vr0: (tos 0x0, ttl 128, id 16076, offset 0, flags [DF], proto TCP (6), length 48) 10.10.21.64.1877 > 77.67.22.171.58539: S, cksum 0xe322 (correct), 1361764249:1361764249(0) win 65535 <mss 1460,nop,nop,sackok="">Jun 17 13:42:37 pf: 746127 rule 77.543.287.0/0(match): pass in on vr0: (tos 0x0, ttl 128, id 30089, offset 0, flags [DF], proto TCP (6), length 48) 10.10.21.64.1876 > 77.67.22.171.57563: S, cksum 0x7f23 (correct), 2850877095:2850877095(0) win 65535 <mss 1460,nop,nop,sackok="">Jun 17 13:42:36 pf: 763344 rule 77.543.287.0/0(match): pass in on vr0: (tos 0x0, ttl 128, id 728, offset 0, flags [DF], proto TCP (6), length 48) 10.10.21.64.1875 > 77.67.22.171.56639: S, cksum 0x5284 (correct), 960532368:960532368(0) win 65535 <mss 1460,nop,nop,sackok="">Act Time If Source Destination Proto
  Jun 17 13:42:38 LAN 10.10.21.64:1877 77.67.22.171:58539 TCP:S
  Jun 17 13:42:37 LAN 10.10.21.64:1876 77.67.22.171:57563 TCP:S
  Jun 17 13:42:36 LAN 10.10.21.64:1875 77.67.22.171:56639 TCP:S
  Jun 17 13:42:35 LAN 10.10.21.64:1874 77.67.22.171:55934 TCP:S
  Jun 17 13:42:35 LAN 10.10.21.64:1873 77.67.22.171:55224 TCP:S</mss></mss></mss>

jimp

Those may actually be from the FTP proxy.

goofydxp

if you intend
Disable the userland FTP-Proxy application
now i check this option in lan and in opt1, tomorrow i will see the log and i will notify if this is the solution. Thanks.

goofydxp

with FTP Helper Checked in lan and in opt1 (3th NIC)

always try to contact microsoft site but this time is blocked :)

now the log is changed, can you explain this message?

Blocked Jun 17 18:18:29 LAN 10.10.21.64:4679 207.46.16.233:80 TCP:S

the rule that triggered this action is:

@178 pass in quick on vr0 inet proto tcp from any to 127.0.0.1 port = ftp flags S/SA keep state label "FTP PROXY: Allow traffic to localhost"

THANKS

goofydxp

ok as the previouse post i confirm that now the packet microsoft are stopped, seem that the packet use ftp helper to bypass rule block ftp and other port.
So now with ftp helper disable the packer are in sytem log as blocked, before with ftp helper unchecked (enabled) the packet pass all list of block rule. May be a bug?
Now the situation is i can block microsoft packet, with ftp helper checked (disabled), but i can not use now filezilla in lan client !!!!!! :-[
I'm waiting for solution in specified new post!

jimp

You seem to have misunderstood my last message, though it was a bit brief so I should have explained it better:

The packets you are trying to block are legitimate connections required for FTP to work. These connections are allowed by the FTP proxy so that active FTP can work for external FTP sites.

Nothing is being bypassed, it is being allowed on purpose so that FTP functions. The IPs in question are the FTP servers you are connecting to.

goofydxp

HELP MEEEEEE :)

i've not ftp proxy in my lan, i've only client with filezilla client, i create rule to pass from lan (alias ip lan list) to any ftp site (alias port destination) , i create second rule to stop all from any to any in lan interface (vr0).
Ftp helper is unchecked in lan and wan (enabled) without i can read list folder with ftp client filezilla and other.
But now i read in system log this, and if i click in icon act i read in message box no rule name! Why no rule name? why packet microsoft pass block any to any rule and not logged with rule name?

The rule that triggered this action is:

pass  Jun 22 08:42:46 LAN 10.10.21.64:2842 77.67.22.170:59702 TCP:S
pass  Jun 22 08:42:45 LAN 10.10.21.64:2841 77.67.22.170:58522 TCP:S
pass  Jun 22 08:42:44 LAN 10.10.21.64:2840 77.67.22.170:57589 TCP:S

raw mode

Jun 22 08:42:46 pf: 1. 033757 rule 77.545.108.0/0(match): pass in on vr0: (tos 0x0, ttl 128, id 3035, offset 0, flags [DF], proto TCP (6), length 48) 10.10.21.64.2842 > 77.67.22.170.59702: S, cksum 0xfae9 (correct), 463140115:463140115(0) win 65535 <mss 1460,nop,nop,sackok="">Jun 22 08:42:45 pf: 979078 rule 77.545.108.0/0(match): pass in on vr0: (tos 0x0, ttl 128, id 10477, offset 0, flags [DF], proto TCP (6), length 48) 10.10.21.64.2841 > 77.67.22.170.58522: S, cksum 0x1144 (correct), 3449237849:3449237849(0) win 65535 <mss 1460,nop,nop,sackok="">Jun 22 08:42:44 pf: 871623 rule 77.545.108.0/0(match): pass in on vr0: (tos 0x0, ttl 128, id 17824, offset 0, flags [DF], proto TCP (6), length 48) 10.10.21.64.2840 > 77.67.22.170.57589: S, cksum 0xe526 (correct), 2448202951:2448202951(0) win 65535</mss></mss>

jimp

Those are still dynamically added rules. Do you have UPnP enabled? Sure you don't have the FTP proxy enabled on any interface? What packages are you using?

If you can catch one as it happens, go to Diagnostics > Command and run:
pfctl -vvsr

and

pfctl -vvsT

goofydxp

yes it happens again, akamay microsoft packet found and no rule name.

Jun 22 16:00:57 pf: 936200 rule 77.545.131.0/0(match): pass in on vr0: (tos 0x0, ttl 128, id 30083, offset 0, flags [DF], proto TCP (6), length 48) 10.10.21.10.3730 > 77.67.22.171.55274: S, cksum 0x8bb4 (correct), 1338457637:1338457637(0) win 65535 <mss 1460,nop,nop,sackok="">Jun 22 16:00:57 pf: 1. 027930 rule 77.545.131.0/0(match): pass in on vr0: (tos 0x0, ttl 128, id 5574, offset 0, flags [DF], proto TCP (6), length 48) 10.10.21.10.3729 > 77.67.22.171.54494: S, cksum 0x3902 (correct), 693418583:693418583(0) win 65535 <mss 1460,nop,nop,sackok="">command executed and now? what i need to check ? after my last block all rule, the other automatic rule has 0 packet and 0 byte

@179 block drop in log quick on vr0 from localsubnet:1to any label "USER_RULE: 200 localsubnet blocco lo sconosciuto e lo loggo"
  [ Evaluations: 0        Packets: 0        Bytes: 0          States: 0    ]
  [ Inserted: uid 0 pid 15987 ]
@180 pass in quick on vr0 inet proto tcp from any to 127.0.0.1 port = ftp-proxy flags S/SA keep state label "FTP PROXY: Allow traffic to localhost"
  [ Evaluations: 0        Packets: 0        Bytes: 0          States: 0    ]
  [ Inserted: uid 0 pid 15987 ]
@181 pass in quick on vr0 inet proto tcp from any to 127.0.0.1 port = ftp flags S/SA keep state label "FTP PROXY: Allow traffic to localhost"
  [ Evaluations: 0        Packets: 0        Bytes: 0          States: 0    ]
  [ Inserted: uid 0 pid 15987 ]
@182 pass in quick on dc0 inet proto tcp from any port = ftp-data to (dc0:1) port > 49000 flags S/SA keep state label "FTP PROXY: PASV mode data connection"
  [ Evaluations: 0        Packets: 0        Bytes: 0          States: 0    ]
  [ Inserted: uid 0 pid 15987 ]
@183 pass in quick on msk0 inet proto tcp from any to 127.0.0.1 port = 8022 flags S/SA keep state label "FTP PROXY: Allow traffic to localhost"
  [ Evaluations: 0        Packets: 0        Bytes: 0          States: 0    ]
  [ Inserted: uid 0 pid 15987 ]
@184 pass in quick on msk0 inet proto tcp from any to 127.0.0.1 port = ftp flags S/SA keep state label "FTP PROXY: Allow traffic to localhost"
  [ Evaluations: 0        Packets: 0        Bytes: 0          States: 0    ]
  [ Inserted: uid 0 pid 15987 ]
@185 anchor "imspector" all
  [ Evaluations: 0        Packets: 0        Bytes: 0          States: 0    ]
  [ Inserted: uid 0 pid 15987 ]
@186 anchor "miniupnpd" all
  [ Evaluations: 0        Packets: 0        Bytes: 0          States: 0    ]
  [ Inserted: uid 0 pid 15987 ]
@187 block drop in log quick all label "Default deny rule"
  [ Evaluations: 0        Packets: 0        Bytes: 0          States: 0    ]
  [ Inserted: uid 0 pid 15987 ]
@188 block drop out log quick all label "Default deny rule"
  [ Evaluations: 0        Packets: 0        Bytes: 0          States: 0    ]
  [ Inserted: uid 0 pid 15987 ]</localsubnet:1></mss></mss>

jimp

Before you chase anything else, the other questions still need answering:

Do you have UPnP enabled?

Is the FTP Proxy enabled on any other interface? (Such as WAN)

What other packages and services do you have enabled?

goofydxp

uPnp disabled, on windows machine work on different port that we have seen in log

ftp helper is enabled only in lan because without i can't use filezilla client

i'have not FTP Proxy server in my lan and in pfsense firewall

standard package normal installalation, There are no packages currently installed.

thanks jimp for your support

jimp

FTP helper is the FTP proxy. They are the same thing. That is what is allowing those packets.

goofydxp

and my rule block any to any is first of all !!!

I tried to disable ftp helper,create specific rule to open  destination port only to specific client, but is impossible to read list of folder ftp server !

So is possible enable ftp helper only to an alias (ip list of client that can use ftp) ?

:(