Symptoms:
Firewall rules are defined in the DFW that match traffic by source IP, destination IP and service (TCP port). For example: Source 1.1.#.#, Destination 2.2.#.#, Service: TCP ports 13000 to 14000.
With logging enabled on that rule, /var/log/dfwpktlogs.log shows some of the traffic hitting the default rule instead of the rule that defines the service.
Cause:
When a SYN segment arrives at the dvfilter, rule X (the service rule) matches it, creates a flow for the session and places the flow in the flow table.
Every subsequent TCP segment of that session is matched against the flow and passed or dropped accordingly. Once the session has been idle for longer than the timer for its current state (defaults below), the flow is removed from the flow table.
If a segment of that existing session arrives after the flow has expired and it is not a SYN, rule X does not match it, because a service rule only creates a new flow on a SYN. The segment continues down the rule list until something matches, which in this case is the default rule: it matches on source and destination IP only and does not consider TCP session state.
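The following Python model replays the behaviour described above. It is an added illustration, not NSX code: the rule IDs, addresses, flow key and the small state machine are assumptions for the demo, while the timer values are the defaults listed on this page. It shows a session idling past TCP_ESTABLISHED, its next data segment falling through to the IP-only rule, and a fresh SYN still matching the service rule.

```python
from dataclasses import dataclass
from typing import Optional

# Default DFW TCP timers from this page (seconds)
TCP_OPENING = 30
TCP_ESTABLISHED = 43200
TCP_CLOSING = 900
TCP_CLOSED = 20

STATE_TIMEOUT = {
    "OPENING": TCP_OPENING,
    "ESTABLISHED": TCP_ESTABLISHED,
    "CLOSING": TCP_CLOSING,
    "CLOSED": TCP_CLOSED,
}


@dataclass
class Rule:
    rule_id: int            # hypothetical rule numbers
    src: str                # address prefix, stands in for the masked 1.1.#.# / 2.2.#.#
    dst: str
    ports: Optional[range]  # None = "any" service, i.e. an IP-only rule


# Order matters: the service rule is evaluated before the IP-only default.
RULES = [
    Rule(1001, "1.1.", "2.2.", range(13000, 14001)),
    Rule(1003, "1.1.", "2.2.", None),   # plays the role of the default rule
]


def next_state(state: str, flags: str) -> str:
    """Advance a flow's state from the TCP flags of the latest segment."""
    if "R" in flags:
        return "CLOSED"
    if "F" in flags:
        return "CLOSING"
    if state == "OPENING" and "A" in flags and "S" not in flags:
        return "ESTABLISHED"   # final ACK of the handshake
    return state


class FlowTable:
    def __init__(self) -> None:
        self.flows: dict = {}   # (src, sport, dst, dport) -> [rule_id, state, expires_at]

    def expire(self, now: float) -> None:
        """Purge idle flows, as the periodic INTERVAL sweep would."""
        for key in [k for k, f in self.flows.items() if f[2] <= now]:
            del self.flows[key]

    def process(self, now, src, sport, dst, dport, flags):
        """Return (rule_id, 'flow' | 'rule') for one TCP segment, or (None, None) if nothing matched."""
        self.expire(now)
        fwd = (src, sport, dst, dport)
        rev = (dst, dport, src, sport)
        for key in (fwd, rev):              # flows are matched in both directions
            flow = self.flows.get(key)
            if flow is not None:
                flow[1] = next_state(flow[1], flags)
                flow[2] = now + STATE_TIMEOUT[flow[1]]
                return flow[0], "flow"
        # No live flow: walk the rules top-down.
        for rule in RULES:
            if not (src.startswith(rule.src) and dst.startswith(rule.dst)):
                continue
            if rule.ports is None:
                return rule.rule_id, "rule"     # IP-only rule matches regardless of flags
            if dport in rule.ports and "S" in flags and "A" not in flags:
                self.flows[fwd] = [rule.rule_id, "OPENING", now + TCP_OPENING]
                return rule.rule_id, "rule"     # SYN opened a new flow
        return None, None


def scenario():
    """Replay the symptom: the session idles for longer than TCP_ESTABLISHED."""
    ft = FlowTable()
    c, s = ("1.1.10.10", 56248), ("2.2.20.20", 13063)
    hits = [
        ft.process(0, *c, *s, "S"),                        # SYN: service rule, flow created
        ft.process(1, *s, *c, "SA"),                       # SYN-ACK: matched by the flow
        ft.process(2, *c, *s, "A"),                        # handshake done: ESTABLISHED
        ft.process(100, *c, *s, "PA"),                     # data: still the flow
        ft.process(100 + TCP_ESTABLISHED + 1, *c, *s, "PA"),  # idle too long: default rule
        ft.process(100 + TCP_ESTABLISHED + 2, *c, *s, "S"),   # new SYN: service rule again
    ]
    return hits


if __name__ == "__main__":
    for t, hit in zip(("S", "SA", "A", "PA", "late PA", "new S"), scenario()):
        print(f"{t:>8}: rule {hit[0]} via {hit[1]}")
```

The fifth result is the page's symptom: the same 5-tuple that rule 1001 passed at time 100 is logged against rule 1003 once the established-state timer has elapsed, even though nothing in the policy changed.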
Timers:
Default values (in seconds)
Timer               Default   Meaning
----------------------------------------------
TCP_FIRST_PACKET    120       First TCP packet
TCP_OPENING         30        No response yet
TCP_ESTABLISHED     43200     Established
TCP_CLOSING         900       Half closed
TCP_FIN_W
TCP_CLOSED          20        Got a RST
UDP_FIRST_PACKET    60        First UDP packet
UDP_SINGLE          30        Unidirectional
UDP_MULTIPLE        60        Bidirectional
ICMP_FIRST_PACKET   20        First ICMP packet
ICMP_ERROR_REPLY    10        Got error response
OTHER_FIRST_PACKET  60        First packet
OTHER_SINGLE        30        Unidirectional
OTHER_MULTIPLE      60        Bidirectional
FRAG                30        Fragment expire
INTERVAL            10        Expire interval
TS_DIFF             30        Allowed TS diff
In /var/log/dfwpktlogs.log, the TCP flags at the end of each entry tell you what kind of segment hit the rule, for example:
PASS in—c-19062/1123 OUT 52 TCP 10.20.#.# -192.8/56248010 -207 . 192 -9/13063 RA
RA means RST+ACK: a segment from an existing session, not a SYN, so it cannot open a new flow and falls through to the default rule.
TCP flags, as shown in dfwpktlogs.log:
Not logged? - NS - ECN-nonce concealment protection
W - CWR - Congestion Window Reduced
E - ECE - ECN-Echo has a dual role, depending on the value of the SYN flag. It indicates:
U - URG - Indicates that Urgent pointer field is significant.
A - ACK - indicates that the Acknowledgment field is significant. All packets after the initial SYN packet sent by the client should have this flag set.
P - PSH - Push function. Asks to push the buffered data to the receiving application.
R - RST - Reset the connection
S - SYN - Synchronize sequence numbers. Only the first packet sent from each end should have this flag set. Some other flags and fields change meaning based on this flag, and some are only valid for when it is set, and others when it is clear.
F - FIN - Last packet from sender.
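A quick triage over the packet log, as an added example rather than NSX tooling: the field order and the sample lines are constructed to resemble the masked entry above, and the default rule ID is hypothetical. It separates default-rule hits that carry no SYN on a port the service rule covers (the timer symptom) from SYNs that hit the default rule (a genuine gap in the policy).

```python
import re
from collections import Counter

# Assumed field order, modelled on the masked log entry in the article.
LINE_RE = re.compile(
    r"(?P<action>PASS|DROP)\s+(?P<rule>\S+)\s+(?P<dir>IN|OUT)\s+(?P<len>\d+)\s+"
    r"(?P<proto>\S+)\s+(?P<src>[\d.]+)/(?P<sport>\d+)\s*->\s*(?P<dst>[\d.]+)/(?P<dport>\d+)"
    r"(?:\s+(?P<flags>[A-Z]+))?\s*$"
)

DEFAULT_RULE = "domain-c7/1003"   # hypothetical: the ID the default rule logs as

# Constructed sample lines: a handshake passed by the service rule, then two
# idled-out sessions and a real policy miss all logged against the default rule.
SAMPLE_LOG = """\
2016-03-29T03:17:46.000Z INET match PASS domain-c7/1001 OUT 60 TCP 10.20.1.10/56248->10.30.1.20/13063 S
2016-03-29T03:17:46.010Z INET match PASS domain-c7/1001 IN 60 TCP 10.30.1.20/13063->10.20.1.10/56248 SA
2016-03-29T15:18:00.000Z INET match PASS domain-c7/1003 OUT 52 TCP 10.20.1.10/56248->10.30.1.20/13063 RA
2016-03-29T15:18:05.000Z INET match PASS domain-c7/1003 OUT 52 TCP 10.20.1.10/56249->10.30.1.20/13500 PA
2016-03-29T15:19:00.000Z INET match PASS domain-c7/1003 OUT 60 TCP 10.20.1.10/40000->10.30.1.20/8080 S
2016-03-29T15:19:30.000Z INET match PASS domain-c7/1003 OUT 78 UDP 10.20.1.10/5000->10.30.1.20/514
"""


def parse(line):
    """Return the named fields of one log line, or None if the line does not match."""
    m = LINE_RE.search(line)
    return m.groupdict() if m else None


def default_rule_flag_counts(log, default_rule):
    """Histogram of TCP flag strings seen on default-rule hits (UDP/ICMP count as '')."""
    counts = Counter()
    for line in log.splitlines():
        rec = parse(line)
        if rec and rec["rule"] == default_rule:
            counts[rec["flags"] or ""] += 1
    return counts


def stale_session_hits(log, default_rule, service_ports):
    """Default-rule hits that look like an idled-out session rather than a policy gap:
    TCP, no SYN flag, and a destination port the service rule should have covered."""
    out = []
    for line in log.splitlines():
        rec = parse(line)
        if rec is None or rec["rule"] != default_rule or rec["proto"] != "TCP":
            continue
        flags = rec["flags"] or ""
        if "S" in flags:
            continue   # a SYN reaching the default rule is a real miss, not a timer artefact
        if int(rec["dport"]) in service_ports:
            out.append((rec["src"], rec["sport"], rec["dst"], rec["dport"], flags))
    return out


if __name__ == "__main__":
    print("flags on default-rule hits:", dict(default_rule_flag_counts(SAMPLE_LOG, DEFAULT_RULE)))
    for hit in stale_session_hits(SAMPLE_LOG, DEFAULT_RULE, range(13000, 14001)):
        print("idled-out session on service port:", hit)
```

If most default-rule hits in the flag histogram are non-SYN (RA, PA, FA, A) on ports your service rules already cover, the timers are the cause; a SYN against the default rule points to a rule that really is missing.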
These timers can be changed starting with NSX version 6.3.0.