On Wed, Dec 22, 2010 at 5:41 PM, Jan Stary <hans@stare.cz> wrote:

quoted text
> Speculation: this looks to me like an end of a valid http session:
> an internal clients reads a web page, and probably a few images,
> everything goes through, but the last FIN does not. The first SYN
> creates state that lets the subsequent packets through. Doesn't the
> last FIN belong to the same state? Also, this is an outgoing packet,
> which I explicitly allow.
>
> What can possibly be blocking these FIN packets?
>
>
Jan,

I have run into a similiar situation where I had packets getting blocked
through my OpenBSD fw and could not figure out why.

The couple pieces of code I tend to use to debug such a thing:

1. The 'log' and 'log (all)' statements in pf.conf. Take your pick of the
two and throw them on all your block statements.

2. Following that, I run 'tcpdump -n -ttt -e -i pflog0'. This shows me not
only the packets being logged, but also the pf rules blocking them. Example:
Dec 22 19:24:13.564109 rule 8/(match) block in on vr0: 115.178.83.69.6000 >
96.21.64.23.2967: S 449708032:449708032(0) win 16384 [tos 0x20]

I see this is rule 8. I then run 'pfctl -s rules -vv' which among other
things, outputs

@8 block return in log all label "block_all"
  [ Evaluations: 1196726   Packets: 5786      Bytes: 352780      States:
0     ]
  [ Inserted: uid 0 pid 2220 State Creations: 0     ]

"@8" corresponding to a particular PF rule.

I find that by combining these two debugging tools, I am able to pin
point the rule that might be blocking a specific set of connections.

Hope that helps.

Cheers,
Jeffrey