
problem with port 443 traffic



I am having some problems with my rulesets for an email server. The server is not behind a firewall but I have pf enabled on the server. Here is my ruleset.

###############################################################################
#----------------------------------------------------------
# Variable Section
#----------------------------------------------------------
int_if="fxp0"
nonroute="{ 192.168.1.0/24, 172.16.0.0/12, 127.0.0.0/8, 10.0.0.0/8, 0.0.0.0/8 }"
approved_mgmt_net="{ x.x.x.x }"
server_ip="{ x.x.x.x }"
#************************************************************************
#************************************************************************
# Firewall Rulebase Begin
#************************************************************************
#************************************************************************
#
#----------------------------------------------------------
# Packet Normalization (reassemble fragments, normalize TCP)
#----------------------------------------------------------
scrub in all
#----------------------------------------------------------
# Default Deny
#----------------------------------------------------------
block in log all
#----------------------------------------------------------
# Allow Loopback Packets
pass in quick on lo0 all
pass out quick on lo0 all
#----------------------------------------------------------
# Drop Spoofed Packets
#----------------------------------------------------------
block in log quick on $int_if from $nonroute to any
block out log quick on $int_if from any to $nonroute
#----------------------------------------------------------
# Drop wrong TCP Flags
#----------------------------------------------------------
block in quick on $int_if inet proto tcp from any to any flags FUP/FUP
#----------------------------------------------------------
#----------------------------------------------------------
# Firewall RULES
#----------------------------------------------------------
# Management SSH: passed without state here; the "pass out ... keep state" rule
# below creates the state entry when the server answers.
pass in quick on $int_if inet proto tcp from $approved_mgmt_net to $server_ip port ssh
# Public services: state is created on the initial SYN only (flags S/SA);
# later packets of a connection are matched against the state table, not these rules.
pass in quick on $int_if inet proto tcp from any to $server_ip port https flags S/SA modulate state
pass in quick on $int_if inet proto tcp from any to $server_ip port { smtp } flags S/SA modulate state
#----------------------------------------------------------
# Allow Return Traffic and Connection From Firewall
#----------------------------------------------------------
pass out on $int_if inet proto { tcp, udp, icmp } all keep state


Here is a snippet from my pflog file using tcpdump -n -e -ttt.

Mar 07 10:58:10.177507 rule 1/0(match): block in on fxp0: user.ip.address.1501 > my.ip.address.443: F 71818460:71818460(0) ack 3194040235 win 5549 (DF)
Mar 07 10:58:10.183314 rule 1/0(match): block in on fxp0: user.ip.address.1502 > my.ip.address.443: F 71819657:71819657(0) ack 963312026 win 5549 (DF)
Mar 07 11:52:59.986506 rule 1/0(match): block in on fxp0: user.ip.address.1586 > my.ip.address.443: R 75169994:75169994(0) win 0 (DF)
Mar 07 11:52:59.990614 rule 1/0(match): block in on fxp0: user.ip.address.1585 > my.ip.address.443: R 75170656:75170656(0) win 0 (DF)


I'm curious as to why the above traffic is being blocked on port 443.

Thanks for your help. Any other suggestions concerning my ruleset would be greatly appreciated.


-- Sid Keller
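As an added example, not part of the post above and not pf's own tooling: a small parser for the tcpdump pflog format shown in the post that sorts blocked packets into new connection attempts (a bare SYN, which the pass rules should have accepted) and stray FIN, RST or ACK-only packets for which pf holds no state. With `flags S/SA modulate state`, pf creates a state entry only for the initial SYN; every later packet of that connection is matched against the state table rather than the rules, and once the entry is gone (the connection closed and the entry timed out, the state table was flushed, or the connection predates the ruleset) a late FIN or RST falls through to `block in log all`. The four logged lines in the post carry only F or R, never S, which is what that case looks like. The sample log text, the extra SYN line and the anonymised host names are constructed for the example.

```python
import re
from collections import Counter

# Constructed sample in the layout "tcpdump -n -e -ttt -r /var/log/pflog" prints.
# The four FIN/RST lines mirror the ones in the post (addresses anonymised there as
# "user.ip.address" / "my.ip.address"); the final SYN line is invented so the
# "new connection refused" case is exercised too.
SAMPLE_PFLOG = """\
Mar 07 10:58:10.177507 rule 1/0(match): block in on fxp0: user.ip.address.1501 > my.ip.address.443: F 71818460:71818460(0) ack 3194040235 win 5549 (DF)
Mar 07 10:58:10.183314 rule 1/0(match): block in on fxp0: user.ip.address.1502 > my.ip.address.443: F 71819657:71819657(0) ack 963312026 win 5549 (DF)
Mar 07 11:52:59.986506 rule 1/0(match): block in on fxp0: user.ip.address.1586 > my.ip.address.443: R 75169994:75169994(0) win 0 (DF)
Mar 07 11:52:59.990614 rule 1/0(match): block in on fxp0: user.ip.address.1585 > my.ip.address.443: R 75170656:75170656(0) win 0 (DF)
Mar 07 12:01:03.000001 rule 1/0(match): block in on fxp0: user.ip.address.1600 > my.ip.address.443: S 80000000:80000000(0) win 5840 <mss 1460> (DF)
"""

# One TCP pflog line: timestamp, "rule N/M(match):", action, direction, interface,
# "src.sport > dst.dport:", then tcpdump's flag letters (S, F, R, P, or "." for none).
# UDP and ICMP lines do not have a flag field at that position and are skipped.
LINE_RE = re.compile(
    r"^(?P<ts>.+?) rule (?P<rule>\d+)/\d+\(\w+\): "
    r"(?P<action>block|pass) (?P<dir>in|out) on (?P<ifname>\S+): "
    r"(?P<src>\S+) > (?P<dst>\S+): (?P<flags>[SFRP.WE]+) (?P<rest>.*)$"
)


def split_port(endpoint):
    """tcpdump glues the port onto the address with a dot: '10.0.0.1.443' -> ('10.0.0.1', 443)."""
    host, _, port = endpoint.rpartition(".")
    return host, int(port)


def classify(flags, rest):
    """Say what kind of packet hit the block rule.

    'syn-new'   : a bare SYN, i.e. a genuine connection attempt the pass rules
                  did not accept; this is the case that needs a rule fix.
    'stray-rst' : reset for a connection pf has no state entry for.
    'stray-fin' : FIN for a connection pf has no state entry for.
    'stray-data': ACK/PSH only, a mid-stream packet whose state entry is gone.
    """
    has_ack = re.search(r"\back\b", rest) is not None
    if "S" in flags and not has_ack:
        return "syn-new"
    if "R" in flags:
        return "stray-rst"
    if "F" in flags:
        return "stray-fin"
    return "stray-data"


def parse_pflog(text):
    """Parse tcpdump's pflog output into dicts, one per TCP record."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        src, sport = split_port(m["src"])
        dst, dport = split_port(m["dst"])
        records.append({
            "ts": m["ts"], "rule": int(m["rule"]), "action": m["action"],
            "dir": m["dir"], "ifname": m["ifname"],
            "src": src, "sport": sport, "dst": dst, "dport": dport,
            "flags": m["flags"], "kind": classify(m["flags"], m["rest"]),
        })
    return records


def summarize(records, dport):
    """Count the kinds of blocked packets aimed at one destination port."""
    return dict(Counter(r["kind"] for r in records
                        if r["action"] == "block" and r["dport"] == dport))


if __name__ == "__main__":
    recs = parse_pflog(SAMPLE_PFLOG)
    for r in recs:
        print(f'{r["ts"]} {r["src"]}:{r["sport"]} -> :{r["dport"]} flags={r["flags"]:<3} {r["kind"]}')
    print("port 443:", summarize(recs, 443))
```

Run against a real pflog, a port whose count is dominated by `stray-fin` and `stray-rst` is behaving as the ruleset intends and the lines are log noise; `syn-new` entries on a port that has a pass rule are the ones worth investigating.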