WAN out blocked TCP:a TCP:PA

  • Hi Guys,

    I have a pfsense box 2.1 running.

    I have a WAN connection BRIDGED with my DMZ.

    In my firewall logs i see a lot of WAN out connections being blocked… Most of them are customers using for example IMAP or MYSQL

    I have allow rules in WAN and DMZ to allow trafic but he keeps on blocking..

    any ideas?

  • TCP:A means it is an ACKnowledge packet. If the corresponding state has been closed in the firewall (one end or the other has done a FIN, or there has been no activity for a bit and the state has been timed out or…) and then the ACK comes along later, it will be blocked.
    The firewall only really uses the rules to establish states. So SYN packets are processed by the rules and if "pass" then a state is established. Later traffic that matches the state is all passed automagically.
    Any other TCP-flagged packet is always dropped if it does not match a state.
    If the users are not experiencing any problems, then bits and pieces of traffic blocked like this is "normal".

  • I had customers complaining. When i added a rule in floating which said WAN out allow it works better… is that a oke rule?

  • I have the same "problem", a lot of TCP:A in the logs. What can I do about those?

  • Are you experiencing any problems, or are you just concerned about log spam?  Blocked ACKs on an open interface are usually indicative of out of state traffic.


    If they really bug you, you can craft rules without logging that will not report those.