Out of State Packets

  • At least weekly, we get a question from someone who is confused by blocked packets that should not be blocked by their existing rules.  It's out of state packets, of course.  The question is, why are they out of state?  In a lot of logs I've seen, the OoS packet is a Fin/ACK (TCP:FA).  Is the state being dropped in the middle of the TCP teardown?

  • Rebel Alliance Developer Netgate

    Without a full packet capture of an affected connection it's hard to say.

    Likely the connection was being torn down and pf removed the state before the far side sent the FIN+ACK. IIRC various keep-alive techniques on servers and clients make that a bigger issue on HTTP/HTTPS.

  • That's what I was suspecting.  The state was being dropped as soon as pfSense got the initial ACK response from Destination, instead of waiting for the full sequence to complete.  I imagine that this behaviour is part of the FreeBSD TCP/IP stack and can't be easily modified, but it bugs me and causes confusion with new users.

  • Rebel Alliance Developer Netgate

    : pfctl -st | grep tcp
    tcp.first                   120s
    tcp.opening                  30s
    tcp.established           86400s
    tcp.closing                 900s
    tcp.finwait                  45s
    tcp.closed                   90s
    tcp.tsdiff                   30s

    From that, before the FIN+ACK was received it would be in the finwait state I think. If 45 seconds elapsed before the server sent back a FIN+ACK, the state would be removed.

    The info here is a bit dated but still has some relevance: http://httpd.apache.org/docs/2.0/misc/fin_wait_2.html

  • Good stuff.  Thanks a lot, Jim!

Log in to reply