Strange log entries - left arrow and/or lo0 in source port

  • I have a 2-minute burst of log entries that look strange; I can't make sense of them. The If column shows a left arrow followed by "lo0". Here is the first one in clog format (the first half of the burst all comes from lo0):

    Mar  4 12:27:58 pfsense pf: 00:51:51.507531 rule 6/0(match): block out on lo0: (tos 0x0, ttl 63, id 65008, offset 0, flags [DF], proto TCP (6), length 89)
    Mar  4 12:27:58 pfsense pf:     192.168.1.101.54202 > 74.125.193.84.443: Flags [P.], cksum 0xde64 (correct), ack 3009453081, win 237, options [nop,nop,TS val 39273655 ecr 612224437], length 37

    192.168.1.101 is my own personal laptop running Lubuntu, and that dest address is one of the Google servers (sometimes it is a Citrix server). Not sure why this was dropped. A few of the log entries come from another LAN computer running XP.

    The last half of the burst comes from interface WAN instead of lo0, but again with that left arrow. Here is the last in the burst:

    Mar  4 12:29:40 pfsense pf: 00:00:00.615988 rule 6/0(match): block out on em0: (tos 0x0, ttl 63, id 65218, offset 0, flags [DF], proto TCP (6), length 116)
    Mar  4 12:29:40 pfsense pf:     192.168.0.3.14686 > 74.125.193.84.443: Flags [FP.], cksum 0x5086 (correct), seq 2148938274:2148938338, ack 3009453081, win 237, options [nop,nop,TS val 39299217 ecr 612224437], length 64

    Maybe if I knew what that left arrow was about, it would help. Haven't been able to dig up that info anywhere yet.

    Common items: always TCP/IP:FPA or PA; always rule 6; always a left arrow in the interface. Rule 6 is:

    @6 block drop out log inet all label "Default deny rule IPv4"
      [ Evaluations: 7426      Packets: 131       Bytes: 14965       States: 0     ]
      [ Inserted: uid 0 pid 35217 ]

  • Rebel Alliance Developer Netgate

    The left arrow indicates, as the logs show, it's blocked in the outbound direction.

    That's probably out-of-state traffic. Traffic that was part of a connection but then the state was removed.

    https://doc.pfsense.org/index.php/Why_do_my_logs_show_%22blocked%22_for_traffic_from_a_legitimate_connection
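A small parser for the two-line pf log format quoted in the question, added here as an example; it is not part of the thread or of pfSense's own tooling. It assumes the clog/tcpdump-style layout shown in the quoted entries. The first two sample pairs reproduce the shape of the quoted lines; the third pair is constructed (203.0.113.10 is a documentation address) to show an outbound SYN denied by the same default-deny rule for contrast. The parser expands tcpdump's flag letters ("P." is PSH+ACK, "FP." is FIN+PSH+ACK), records the interface so lo0 and em0 entries can be counted separately, and labels entries the way the reply reads them: an outbound block on the default-deny rule of a TCP segment carrying ACK but no SYN is the signature of a segment that arrived after its state entry was removed.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample input. The first two entries reproduce the shape of the
# log lines quoted in the thread; the third pair is made up (203.0.113.10 is a
# documentation address) to show an outbound SYN denied by the same rule.
SAMPLE_LOG = """\
Mar  4 12:27:58 pfsense pf: 00:51:51.507531 rule 6/0(match): block out on lo0: (tos 0x0, ttl 63, id 65008, offset 0, flags [DF], proto TCP (6), length 89)
Mar  4 12:27:58 pfsense pf:     192.168.1.101.54202 > 74.125.193.84.443: Flags [P.], cksum 0xde64 (correct), ack 3009453081, win 237, options [nop,nop,TS val 39273655 ecr 612224437], length 37
Mar  4 12:29:40 pfsense pf: 00:00:00.615988 rule 6/0(match): block out on em0: (tos 0x0, ttl 63, id 65218, offset 0, flags [DF], proto TCP (6), length 116)
Mar  4 12:29:40 pfsense pf:     192.168.0.3.14686 > 74.125.193.84.443: Flags [FP.], cksum 0x5086 (correct), seq 2148938274:2148938338, ack 3009453081, win 237, options [nop,nop,TS val 39299217 ecr 612224437], length 64
Mar  4 12:30:01 pfsense pf: 00:00:20.000000 rule 6/0(match): block out on em0: (tos 0x0, ttl 64, id 1, offset 0, flags [DF], proto TCP (6), length 60)
Mar  4 12:30:01 pfsense pf:     192.168.1.55.40000 > 203.0.113.10.22: Flags [S], cksum 0x0000 (correct), seq 1, win 29200, options [mss 1460], length 0
"""

# First line of each entry: rule number, verdict, direction and interface.
HEADER_RE = re.compile(
    r"rule (?P<rule>\d+)/\d+\(\w+\): (?P<action>block|pass) (?P<direction>in|out) "
    r"on (?P<iface>\w+):.*proto (?P<proto>\w+) \(\d+\)"
)
# Second line: tcpdump-style endpoints and TCP flag letters.
PACKET_RE = re.compile(
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)
# tcpdump prints one letter per flag; "." is ACK, so "P." means PSH+ACK.
FLAG_NAMES = {"S": "SYN", "F": "FIN", "P": "PSH", "R": "RST", ".": "ACK",
              "U": "URG", "E": "ECE", "W": "CWR"}


@dataclass
class PfEntry:
    timestamp: str
    rule: int
    action: str
    direction: str
    iface: str
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    flags: List[str]

    def classify(self) -> str:
        """Label the entry the way the reply in the thread reads the log.

        With pfSense's default "flags S/SA" pass rules, a TCP segment that does
        not carry SYN can only pass through an existing state entry; if it
        reaches the default-deny rule instead, the state was already gone.
        """
        if self.proto != "TCP":
            return "non-tcp"
        if "SYN" in self.flags and "ACK" not in self.flags:
            return "new-connection-denied"
        if "ACK" in self.flags:
            return "likely-out-of-state"
        return "other"

    def describe(self) -> str:
        # The thread's left arrow marks the outbound direction; mirror it here.
        arrow = "<-" if self.direction == "out" else "->"
        return (f"{self.timestamp} rule {self.rule} {self.action} {arrow} {self.iface} "
                f"{self.src}:{self.sport} > {self.dst}:{self.dport} "
                f"[{','.join(self.flags)}] {self.classify()}")


def parse_pf_log(text: str) -> List[PfEntry]:
    """Pair each rule/interface header line with the packet line that follows it."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    entries: List[PfEntry] = []
    i = 0
    while i + 1 < len(lines):
        head = HEADER_RE.search(lines[i])
        pkt = PACKET_RE.search(lines[i + 1])
        if not (head and pkt):
            i += 1  # skip anything that is not a well-formed two-line entry
            continue
        entries.append(PfEntry(
            timestamp=" ".join(lines[i].split()[:3]),
            rule=int(head["rule"]),
            action=head["action"],
            direction=head["direction"],
            iface=head["iface"],
            proto=head["proto"],
            src=pkt["src"], sport=int(pkt["sport"]),
            dst=pkt["dst"], dport=int(pkt["dport"]),
            flags=[FLAG_NAMES.get(c, c) for c in pkt["flags"]],
        ))
        i += 2
    return entries


def summarize(entries: List[PfEntry]) -> Dict[str, int]:
    """Count entries per interface and classification, e.g. for a burst like the one in the thread."""
    counts: Dict[str, int] = {}
    for e in entries:
        key = f"{e.iface}/{e.classify()}"
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    parsed = parse_pf_log(SAMPLE_LOG)
    for entry in parsed:
        print(entry.describe())
    print(summarize(parsed))
```

Feed it the raw clog output (`clog /var/log/filter.log`) and look at the summary: a burst where nearly every entry is `likely-out-of-state` on the same rule, with FIN/PSH/ACK segments and no SYNs, is a batch of leftovers from connections whose states were already torn down, not new connection attempts being denied.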
