Topic: WAN out blocked TCP:a TCP:PA

webroy
WAN out blocked TCP:a TCP:PA
« on: February 06, 2014, 09:08:37 am »
Hi guys,

I have a pfSense 2.1 box running.

I have a WAN connection bridged with my DMZ.

In my firewall logs I see a lot of WAN out connections being blocked... Most of them are customers using, for example, IMAP or MySQL.

I have allow rules in WAN and DMZ to allow traffic, but it keeps on blocking...

Any ideas?

phil.davis
Re: WAN out blocked TCP:a TCP:PA
« Reply #1 on: February 07, 2014, 03:06:22 am »
TCP:A means it is an ACKnowledge packet. If the corresponding state has been closed in the firewall (one end or the other has done a FIN, or there has been no activity for a bit and the state has been timed out or...) and then the ACK comes along later, it will be blocked.
The firewall only really uses the rules to establish states. So SYN packets are processed by the rules and if "pass" then a state is established. Later traffic that matches the state is all passed automagically.
Any other TCP-flagged packet is always dropped if it does not match a state.
If the users are not experiencing any problems, then bits and pieces of traffic blocked like this is "normal".
As the Greek philosopher Isosceles used to say, "There are 3 sides to every triangle."
If I helped you, then help someone else - buy someone a gift from the INF catalog http://secure.inf.org/gifts/usd/
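
The state-matching behaviour described in the reply above, as an added example that is not part of the forum thread: a small Python model in which rules are consulted only for a SYN, later packets are matched by state, and any other TCP packet with no state is dropped and reported with its flags, the way the log shows TCP:A or TCP:PA. The packet list, the ports, the 5-second idle timeout and the single-FIN close are constructed for illustration and are simplified compared with real pf state handling.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    t: float          # seconds since start of the (constructed) capture
    src: str
    sport: int
    dst: str
    dport: int
    flags: str        # pfSense-style letters: S, SA, A, PA, FA, R

class StatefulFirewall:
    # Simplified model (assumption, not pf's real code): rules only see a SYN.
    def __init__(self, pass_ports, state_timeout=5.0):
        self.pass_ports = set(pass_ports)  # dst ports a "pass" rule covers
        self.timeout = state_timeout       # idle seconds before a state expires
        self.states = {}                   # flow key -> last activity time

    def _key(self, p):
        # Direction-independent key so replies match the same state
        return tuple(sorted([(p.src, p.sport), (p.dst, p.dport)]))

    def handle(self, p):
        k = self._key(p)
        if k in self.states and p.t - self.states[k] > self.timeout:
            del self.states[k]             # idle state has timed out
        if k in self.states:
            self.states[k] = p.t
            if "F" in p.flags or "R" in p.flags:
                del self.states[k]         # FIN/RST closes the state (simplified)
            return "pass:state"
        if p.flags == "S":                 # only a SYN is evaluated against rules
            if p.dport in self.pass_ports:
                self.states[k] = p.t
                return "pass:rule"
            return "block:rule TCP:S"
        return f"block:no-state TCP:{p.flags}"  # logged as TCP:A, TCP:PA, ...

# Constructed sample flow: an IMAP session that closes, then a late ACK,
# and a MySQL session that idles past the state timeout.
SAMPLE = [
    Packet(0.0, "10.0.0.5", 40000, "203.0.113.7", 143, "S"),
    Packet(0.1, "203.0.113.7", 143, "10.0.0.5", 40000, "SA"),
    Packet(0.2, "10.0.0.5", 40000, "203.0.113.7", 143, "A"),
    Packet(1.1, "203.0.113.7", 143, "10.0.0.5", 40000, "FA"),
    Packet(1.3, "10.0.0.5", 40000, "203.0.113.7", 143, "A"),
    Packet(2.0, "10.0.0.6", 40001, "203.0.113.7", 3306, "S"),
    Packet(9.0, "10.0.0.6", 40001, "203.0.113.7", 3306, "PA"),
]
```

Running `[StatefulFirewall([143, 3306]).handle(p) for p in SAMPLE]` shows the late ACK and the post-timeout PSH/ACK as the only blocked packets, even though allow rules exist for both ports.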

webroy
Re: WAN out blocked TCP:a TCP:PA
« Reply #2 on: February 07, 2014, 04:15:23 am »
I had customers complaining. When I added a rule in floating which said WAN out allow, it works better... is that an okay rule?

Spix
Re: WAN out blocked TCP:a TCP:PA
« Reply #3 on: December 08, 2017, 03:44:43 am »
I have the same "problem", a lot of TCP:A in the logs. What can I do about those?

KOM
Re: WAN out blocked TCP:a TCP:PA
« Reply #4 on: December 08, 2017, 11:17:11 am »
Are you experiencing any problems, or are you just concerned about log spam? Blocked ACKs on an open interface are usually indicative of out-of-state traffic.

https://doc.pfsense.org/index.php/Why_do_my_logs_show_%22blocked%22_for_traffic_from_a_legitimate_connection

If they really bug you, you can craft rules without logging that will not report those.