Out of State Packets
At least weekly, we get a question from someone who is confused by blocked packets that should not be blocked by their existing rules. It's out of state packets, of course. The question is, why are they out of state? In a lot of logs I've seen, the OoS packet is a Fin/ACK (TCP:FA). Is the state being dropped in the middle of the TCP teardown?
Without a full packet capture of an affected connection it's hard to say.
Likely the connection was being torn down and pf removed the state before the far side sent the FIN+ACK. IIRC various keep-alive techniques on servers and clients make that a bigger issue on HTTP/HTTPS.
That's what I was suspecting. The state was being dropped as soon as pfSense got the initial ACK response from Destination, instead of waiting for the full sequence to complete. I imagine that this behaviour is part of the FreeBSD TCP/IP stack and can't be easily modified, but it bugs me and causes confusion with new users.
: pfctl -st | grep tcp tcp.first 120s tcp.opening 30s tcp.established 86400s tcp.closing 900s tcp.finwait 45s tcp.closed 90s tcp.tsdiff 30s
From that, before the FIN+ACK was received it would be in the finwait state I think. If 45 seconds elapsed before the server sent back a FIN+ACK, the state would be removed.
The info here is a bit dated but still has some relevance: http://httpd.apache.org/docs/2.0/misc/fin_wait_2.html
Good stuff. Thanks a lot, Jim!