Netgate Discussion Forum

Log shows TCP:FA, TCP:FPA blocked from LAN

General pfSense Questions
10 Posts 4 Posters 105.6k Views
sprior
last edited by Aug 16, 2011, 2:40 AM

My pfSense 2.0 RC3 logs are showing a fair number of connections blocked from the LAN to the Internet with TCP:FA and TCP:FPA as the protocol.
Are these the things that are discussed in the Definitive Guide section 6.10.4, "Why do I sometimes see blocked log entries for legitimate connections?", or are they likely something else? If they are to be ignored, is there a way to prevent them from being logged?

Thanks
jimp Rebel Alliance Developer Netgate
last edited by Aug 18, 2011, 3:14 PM

Those are exactly what are discussed there.

It's out-of-state traffic, either from expired states or from asymmetric routing.

You can't disable logging of that specific kind of traffic without disabling logging for the default deny rule.

If the traffic is going to/from a locally routed subnet, you could check the box under System > Advanced on the Firewall/NAT tab to skip firewall rules for directly connected networks.

Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

Need help fast? Netgate Global Support!

Do not Chat/PM for help!
sprior
last edited by Aug 19, 2011, 4:21 AM

Thanks for the confirmation.
warp
last edited by Oct 28, 2011, 7:13 PM

Hi jimp,

@jimp:

You can't disable logging of that specific kind of traffic without disabling logging for the default deny rule.

If the traffic is going to/from a locally routed subnet, you could check the box under System > Advanced on the Firewall/NAT tab to skip firewall rules for directly connected networks.

I'm not sure I get how to disable that kind of logging.
Do you mean to check that box:

Bypass firewall rules for traffic on the same interface

If I'm wrong, please help.

Thx
warp
jimp Rebel Alliance Developer Netgate
last edited by Oct 28, 2011, 7:19 PM

That's the box.
warp
last edited by Oct 30, 2011, 7:16 PM

@jimp:

That's the box.

Thanks jimp,

Hm, I have changed that setting a few days ago but I still see a lot of them in the firewall log:

    block   Oct 30 18:37:01   LAN   192.168.1.254:3128   192.168.1.225:49377   TCP:FPA
    block   Oct 30 18:36:26   LAN   192.168.1.254:3128   192.168.1.225:49372   TCP:FPA
    block   Oct 30 18:25:51   LAN   192.168.1.79:61485   192.168.1.254:3128    TCP:RA
    block   Oct 30 18:25:51   LAN   192.168.1.79:61484   192.168.1.254:3128    TCP:RA

I admit, I'm confused now ???

Did I forget some other settings?

warp
katmai
last edited by Sep 1, 2012, 6:26 PM

Sorry to bump this topic, but I too am having this issue.

I have 2 front-end servers, and a pfSense box that has an nginx server as load balancer.

I see a lot of these connections dropped myself.

    WAN   my_wan_ip:80   71.104.x.x:50741   TCP:FA
    WAN   my_wan_ip:80   71.104.x.x:50734   TCP:FA
    WAN   my_wan_ip:80   71.104.x.x:50732   TCP:FA
    WAN   my_wan_ip:80   85.138.x.x:50089   TCP:FA
    WAN   my_wan_ip:80   80.82.x.x:9220     TCP:FA

I added a rule to pass all the traffic from my WAN IP to any external, but this doesn't seem to fix anything. I also tried ticking that box - bypass rules for traffic on the same interface - but the issue is still there.

I am not sure if it has any impact on the traffic, because the sites are all working okay.

Any insight would be awesome.
jimp Rebel Alliance Developer Netgate
last edited by Sep 4, 2012, 5:43 PM

Re-read the whole thread again; those are harmless, and the reason has been explained.

The doc wiki post referred to in the OP of the thread is here:
http://doc.pfsense.org/index.php/Logs_show_%22blocked%22_for_traffic_from_a_legitimate_connection,_why%3F
katmai
last edited by Sep 4, 2012, 6:10 PM

Thanks a bunch. Now I know not to worry about them.

Is it possible to disable those firewall messages then? Just to see the normal blocked connections?
jimp Rebel Alliance Developer Netgate
last edited by Sep 4, 2012, 6:12 PM

Not easily, no.

If you craft a rule and edit the advanced options and set just the right TCP flags, maybe, but I'm not certain that would really help or if it might hurt.
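As an added example (not from the thread and not pfSense's own code): a small Python triage script that parses firewall-log rows in the layout warp pasted above and separates the no-SYN entries jimp describes as harmless out-of-state traffic (expired states or asymmetric routing) from blocks of genuine connection attempts, which gives the "just the normal blocked connections" view katmai asked for on the log side, without touching firewall rules. The row regex and the two extra sample rows (TEST-NET addresses) are assumptions constructed for the example.

```python
import re

# One pfSense GUI firewall-log row, as pasted in the thread (assumed layout):
# action, timestamp, interface, src:port, dst:port, proto[:TCP flags]
LINE_RE = re.compile(
    r"^(?P<action>\w+)\s+\w{3}\s+\d{1,2}\s+\d\d:\d\d:\d\d\s+(?P<iface>\w+)\s+"
    r"(?P<src>\S+:\d+)\s+(?P<dst>\S+:\d+)\s+(?P<proto>[A-Z0-9]+)(?::(?P<flags>[A-Z]+))?\s*$")

def parse_line(line):
    """Return the row's fields as a dict, or None if the row is not in this layout."""
    m = LINE_RE.match(line.strip())
    return dict(m.groupdict(), flags=m["flags"] or "") if m else None

def classify(row):
    """TCP rows without SYN (FA, FPA, RA ...) are packets that no longer match a
    state (expired state or asymmetric route) and fall through to the default deny:
    the harmless case from the thread. A bare SYN is a genuinely refused connection
    attempt. UDP/ICMP rows and odd flag mixes are 'other' and deserve a look."""
    if row["proto"] != "TCP":
        return "other"
    flags = set(row["flags"])              # pfSense letters: S A F P R U E W
    if flags == {"S"}:
        return "new-connection"
    if "S" not in flags and flags & {"A", "F", "R"}:
        return "stale-state"
    return "other"

def triage(log_text):
    """Group parsed rows by category so the blocks that matter stand out."""
    groups = {"stale-state": [], "new-connection": [], "other": []}
    for line in log_text.splitlines():
        row = parse_line(line)
        if row:
            groups[classify(row)].append(row)
    return groups

# Constructed sample: the first four rows are quoted from the thread, the last two
# are made up (TEST-NET address) to show a real SYN block and a UDP row.
SAMPLE_LOG = (
    "block\tOct 30 18:37:01 \tLAN \t192.168.1.254:3128 \t192.168.1.225:49377 \tTCP:FPA\n"
    "block\tOct 30 18:36:26 \tLAN \t192.168.1.254:3128 \t192.168.1.225:49372 \tTCP:FPA\n"
    "block\tOct 30 18:25:51 \tLAN \t192.168.1.79:61485 \t192.168.1.254:3128 \tTCP:RA\n"
    "block\tOct 30 18:25:51 \tLAN \t192.168.1.79:61484 \t192.168.1.254:3128 \tTCP:RA\n"
    "block\tOct 30 18:40:12 \tLAN \t192.168.1.88:51000 \t203.0.113.9:23 \tTCP:S\n"
    "block\tOct 30 18:41:03 \tLAN \t192.168.1.88:40000 \t203.0.113.9:161 \tUDP\n")

if __name__ == "__main__":
    for cat, rows in triage(SAMPLE_LOG).items():
        for r in rows:
            print(f'{cat:15} {r["iface"]} {r["src"]} -> {r["dst"]} {r["proto"]}:{r["flags"]}')
```

Paste rows copied from Status > System Logs > Firewall into SAMPLE_LOG (or read them from a file) and only the "new-connection" and "other" groups need attention; the "stale-state" group is the TCP:FA/FPA/RA noise discussed in this thread.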
                      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.