    Firewall Blocking TCP:S

      webroy last edited by

      Hi Guys,

      I have a pfSense 2.1.

      I have a WAN interface bridged with my DMZ interface.

      My firewall rules are in the WAN interface (DMZ is allow all).

      In the firewall rules I allow port 80, but I am getting a lot of these blocks in the logs:

      TCP:S and TCP:FA

      In system advanced firewall I added this rule: Bypass firewall rules for traffic on the same interface

      In the firewall rules TCP flags I enabled and disabled any flags to see if it made a difference…

      Can anyone help me out here?

        GruensFroeschli last edited by

        https://forum.pfsense.org/index.php/topic,60660.msg326700.html#msg326700

        https://doc.pfsense.org/index.php/Logs_show_%22blocked%22_for_traffic_from_a_legitimate_connection,_why%3F

        We do what we must, because we can.

        Asking questions the smart way: http://www.catb.org/esr/faqs/smart-questions.html

          webroy last edited by

          Hi, yes, I read those posts and wanted to check out the docs, but:

          There is currently no text in this page. You can search for this page title in other pages, or search the related logs.

          When you have an allow rule and in advanced checked the TCP flags, it should allow them, right?

            johnpoz LAYER 8 Global Moderator last edited by

            Those would explain FA blocks. What do you mean there is no text in this page? Those above links work fine for me.

            If you're blocking S packets, you don't have a rule to allow the traffic, would be my guess. You say you have a bridge between WAN and DMZ. So is the traffic hitting the bridge interface or your WAN interface?

            What rules do you have on your bridge?

            An intelligent man is sometimes forced to be drunk to spend time with his fools
            If you get confused: Listen to the Music Play
            Please don't Chat/PM me for help, unless mod related
            2440 2.4.5p1 | 2x 3100 2.4.4p3 | 2x 3100 22.01 | 4860 22.05

              webroy last edited by

              jimp refers to a doc in the forum topic:

              That is part of a connection teardown. It's not blocking any user data.
              http://doc.pfsense.org/index.php/Logs_show_%22blocked%22_for_traffic_from_a_legitimate_connection,_why%3F <– this link does work

              My traffic is hitting the WAN section, where my rules are.

              I will check it out by disabling some rules.

              Thanks

                johnpoz LAYER 8 Global Moderator last edited by

                This link works fine:
                https://doc.pfsense.org/index.php/Logs_show_%22blocked%22_for_traffic_from_a_legitimate_connection,_why%3F

                So FAs, yeah, normally mean an out-of-state issue. But SYN should be allowed if your firewall rules/forwards allow for it.

                So post up your rules and/or forwards and let's take a look-see.

                1 Reply Last reply Reply Quote 0
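The distinction drawn in the thread (a blocked TCP:FA is an out-of-state teardown packet, a blocked TCP:S means no pass rule matched the new connection) can be reproduced with a small model. This is an added example, not code from the thread or from pfSense; the `Packet` and `evaluate` names, the single idle timeout and the sample traffic are assumptions made for illustration.

```python
# Added illustration: a simplified stateful-filter model, not pf's own code.
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    t: float      # arrival time, seconds
    src: str
    sport: int
    dst: str
    dport: int
    flags: str    # TCP flags as logged: "S", "SA", "A", "FA", ...

def evaluate(packets, allowed_dports, state_timeout):
    """Return one (verdict, reason) tuple per packet, in order."""
    states = {}   # connection key -> time the state last saw a packet
    results = []
    for p in packets:
        # Same key for both directions of one connection.
        key = frozenset({(p.src, p.sport), (p.dst, p.dport)})
        last = states.get(key)
        if last is not None and p.t - last > state_timeout:
            del states[key]          # idle state has expired
            last = None
        syn_only = "S" in p.flags and "A" not in p.flags
        if last is not None:
            states[key] = p.t
            results.append(("pass", "existing state"))
        elif syn_only and p.dport in allowed_dports:
            states[key] = p.t        # only an initial SYN may create state
            results.append(("pass", "pass rule, state created"))
        elif syn_only:
            results.append(("block", "TCP:S no pass rule matched"))
        else:
            results.append(("block", f"TCP:{p.flags} no state"))
    return results

# Constructed sample traffic (documentation addresses, not from the thread).
C, S = "203.0.113.10", "192.0.2.80"
SAMPLE = [
    Packet(0.0, C, 40000, S, 80, "S"),
    Packet(0.1, S, 80, C, 40000, "SA"),
    Packet(0.2, C, 40000, S, 80, "A"),
    Packet(0.3, C, 40000, S, 80, "FA"),
    Packet(1.0, C, 40001, S, 8080, "S"),     # port with no pass rule
    Packet(200.0, S, 80, C, 40000, "FA"),    # late FIN/ACK after expiry
]

if __name__ == "__main__":
    for pkt, res in zip(SAMPLE, evaluate(SAMPLE, {80}, 90)):
        print(pkt.t, pkt.flags, *res)
```

In this model the late FIN/ACK is dropped only because its state is gone, so no user data is lost, while the blocked SYN points at the rule set on the interface where the packet arrives.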