    WAN out blocked TCP:a TCP:PA

    Firewalling
      webroy:

      Hi Guys,

      I have a pfSense 2.1 box running.

      I have a WAN connection BRIDGED with my DMZ.

      In my firewall logs I see a lot of WAN out connections being blocked… Most of them are customers using, for example, IMAP or MySQL.

      I have allow rules on WAN and DMZ to allow traffic, but it keeps on blocking.

      Any ideas?

        phil.davis:

        TCP:A means it is an ACKnowledge packet. If the corresponding state has been closed in the firewall (one end or the other has done a FIN, or there has been no activity for a bit and the state has been timed out or…) and then the ACK comes along later, it will be blocked.
        The firewall only really uses the rules to establish states. So SYN packets are processed by the rules and if "pass" then a state is established. Later traffic that matches the state is all passed automagically.
        Any other TCP-flagged packet is always dropped if it does not match a state.
        If the users are not experiencing any problems, then bits and pieces of traffic blocked like this are "normal".

        As the Greek philosopher Isosceles used to say, "There are 3 sides to every triangle."
        If I helped you, then help someone else - buy someone a gift from the INF catalog http://secure.inf.org/gifts/usd/

          webroy:
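The mechanism phil.davis describes (rules consulted only for the SYN that opens a connection, everything afterwards matched against the state table, and any TCP packet with no state dropped) can be seen in a small simulation. The following is an added illustration, not code from pfSense or pf itself; it is a toy model with a single idle timeout and immediate state removal on FIN/RST (real pf keeps a short-lived closing state and uses several timeouts), and the addresses, ports and timings are constructed.

```python
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str   # TCP flags as letters in pfSense-log style: S, SA, A, PA, FA ...
    t: float     # arrival time in seconds (constructed)


@dataclass(frozen=True)
class Rule:
    dport: Optional[int]  # None matches any destination port
    action: str           # "pass" or "block"


class StatefulFilter:
    """Toy model of pf: rules decide only the opening SYN; later packets are
    matched by state; a TCP packet with no matching state is dropped."""

    def __init__(self, rules: List[Rule], idle_timeout: float = 60.0):
        self.rules = rules
        self.idle_timeout = idle_timeout
        self.states: Dict[frozenset, float] = {}          # state key -> last activity
        self.blocked: List[Tuple[float, str, Packet]] = []  # (time, reason, packet)

    @staticmethod
    def _key(p: Packet) -> frozenset:
        # Same key for both directions of the flow, so replies match the state.
        return frozenset({(p.src, p.sport), (p.dst, p.dport)})

    def _expire(self, now: float) -> None:
        stale = [k for k, last in self.states.items() if now - last > self.idle_timeout]
        for k in stale:
            del self.states[k]

    def _rule_for(self, p: Packet) -> Rule:
        for r in self.rules:
            if r.dport is None or r.dport == p.dport:
                return r
        return Rule(None, "block")  # default deny when no rule matches

    def process(self, p: Packet) -> str:
        self._expire(p.t)
        k = self._key(p)
        if k in self.states:
            if "F" in p.flags or "R" in p.flags:
                del self.states[k]  # FIN/RST closes the connection (simplified)
            else:
                self.states[k] = p.t  # refresh the idle timer
            return "pass:state"
        if p.flags == "S":
            r = self._rule_for(p)
            if r.action == "pass":
                self.states[k] = p.t  # the rule creates the state
                return "pass:rule"
            self.blocked.append((p.t, "rule", p))
            return "block:rule"
        # Any non-SYN TCP packet without a state: dropped regardless of rules.
        self.blocked.append((p.t, "no-state", p))
        return "block:no-state"

    def blocked_by_flags(self) -> Dict[str, int]:
        """Tally of blocked packets the way the log shows them (TCP:A, TCP:PA ...)."""
        return dict(Counter(f"TCP:{p.flags}" for _, _, p in self.blocked))


def run_scenario() -> Tuple[List[str], Dict[str, int]]:
    fw = StatefulFilter(rules=[Rule(143, "pass"), Rule(3306, "pass")], idle_timeout=60.0)
    c, s = "203.0.113.10", "198.51.100.20"  # constructed documentation addresses
    packets = [
        Packet(c, 50000, s, 143, "S", 0.0),      # IMAP opened: rule consulted, state made
        Packet(s, 143, c, 50000, "SA", 0.1),     # server reply matched by the state
        Packet(c, 50000, s, 143, "PA", 1.0),     # data, matched by the state
        Packet(c, 50000, s, 143, "A", 100.0),    # idle > 60 s: state gone, logged as TCP:A
        Packet(c, 50001, s, 3306, "S", 200.0),   # MySQL opened by rule
        Packet(c, 50001, s, 3306, "FA", 201.0),  # client closes: state removed
        Packet(s, 3306, c, 50001, "A", 202.0),   # stray ACK after close: TCP:A block
        Packet(c, 50002, s, 22, "S", 300.0),     # no pass rule for 22: blocked by rule
    ]
    decisions = [fw.process(p) for p in packets]
    return decisions, fw.blocked_by_flags()


if __name__ == "__main__":
    decisions, summary = run_scenario()
    for d in decisions:
        print(d)
    print(summary)
```

The two TCP:A entries in the tally come from packets that belonged to connections the firewall had already forgotten, one through idle timeout and one through a FIN; the pass rules for ports 143 and 3306 never get a chance to apply to them because rules are only evaluated for the opening SYN.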

          I had customers complaining. When I added a floating rule which said WAN out allow, it works better… Is that an OK rule?

            Spix:

            I have the same "problem", a lot of TCP:A in the logs. What can I do about those?

              KOM:

              Are you experiencing any problems, or are you just concerned about log spam? Blocked ACKs on an open interface are usually indicative of out-of-state traffic.

              https://doc.pfsense.org/index.php/Why_do_my_logs_show_%22blocked%22_for_traffic_from_a_legitimate_connection

              If they really bug you, you can craft rules without logging that will not report those.
