
Question regarding HTTP and PF rules

Hi All

I am viewing multiple blocks on my firewall regarding HTTP/HTTPS traffic. I am using the HTTPS proxy and my understanding is that once a packet is in the system it will be dealt with by only one function (for example, either pf or proxy). I am trying to understand why my client 192.168.2.11 has so many blocks on the pf when the host is using the HTTPS proxy (transparent mode).

Log of the pf

2009:12:16-18:39:39 stuffman ulogd[3355]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60002" seq="0" initf="eth1" outitf="eth2" dstmac="00:b0:c2:02:e4:4f" srcmac="00:b0:c2:02:e3:c7" srcip="192.168.2.11" dstip="85.115.22.3" proto="6" length="40" tos="0x00" prec="0x00" ttl="127" srcport="49193" dstport="80" tcpflags="ACK FIN" 

2009:12:16-18:39:39 stuffman ulogd[3355]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60002" seq="0" initf="eth1" outitf="eth2" dstmac="00:b0:c2:02:e4:4f" srcmac="00:b0:c2:02:e3:c7" srcip="192.168.2.11" dstip="66.102.13.133" proto="6" length="40" tos="0x00" prec="0x00" ttl="127" srcport="49195" dstport="80" tcpflags="ACK FIN" 
2009:12:16-18:39:39 stuffman ulogd[3355]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60002" seq="0" initf="eth1" outitf="eth2" dstmac="00:b0:c2:02:e4:4f" srcmac="00:b0:c2:02:e3:c7" srcip="192.168.2.11" dstip="66.240.206.90" proto="6" length="40" tos="0x00" prec="0x00" ttl="127" srcport="49191" dstport="443" tcpflags="ACK FIN" 
2009:12:16-18:39:39 stuffman ulogd[3355]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60002" seq="0" initf="eth1" outitf="eth2" dstmac="00:b0:c2:02:e4:4f" srcmac="00:b0:c2:02:e3:c7" srcip="192.168.2.11" dstip="213.144.15.19" proto="6" length="40" tos="0x00" prec="0x00" ttl="127" srcport="49189" dstport="443" tcpflags="ACK FIN" 
2009:12:16-18:39:39 stuffman ulogd[3355]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60002" seq="0" initf="eth1" outitf="eth2" dstmac="00:b0:c2:02:e4:4f" srcmac="00:b0:c2:02:e3:c7" srcip="192.168.2.11" dstip="95.154.193.105" proto="6" length="40" tos="0x00" prec="0x00" ttl="127" srcport="49187" dstport="80" tcpflags="ACK FIN" 
2009:12:16-18:39:39 stuffman ulogd[3355]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60002" seq="0" initf="eth1" outitf="eth2" dstmac="00:b0:c2:02:e4:4f" srcmac="00:b0:c2:02:e3:c7" srcip="192.168.2.11" dstip="66.102.13.118" proto="6" length="40" tos="0x00" prec="0x00" ttl="127" srcport="49197" dstport="80" tcpflags="ACK FIN" 
2009:12:16-18:39:39 stuffman ulogd[3355]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60002" seq="0" initf="eth1" outitf="eth2" dstmac="00:b0:c2:02:e4:4f" srcmac="00:b0:c2:02:e3:c7" srcip="192.168.2.11" dstip="213.144.15.19" proto="6" length="40" tos="0x00" prec="0x00" ttl="127" srcport="49189" dstport="443" tcpflags="ACK FIN" 
2009:12:16-18:39:39 stuffman ulogd[3355]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60002" seq="0" initf="eth1" outitf="eth2" dstmac="00:b0:c2:02:e4:4f" srcmac="00:b0:c2:02:e3:c7" srcip="192.168.2.11" dstip="66.102.13.133" proto="6" length="40" tos="0x00" prec="0x00" ttl="127" srcport="49195" dstport="80" tcpflags="ACK FIN" 
2009:12:16-18:39:39 stuffman ulogd[3355]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60002" seq="0" initf="eth1" outitf="eth2" dstmac="00:b0:c2:02:e4:4f" srcmac="00:b0:c2:02:e3:c7" srcip="192.168.2.11" dstip="66.240.206.90" proto="6" length="40" tos="0x00" prec="0x00" ttl="127" srcport="49191" dstport="443" tcpflags="ACK FIN" 
2009:12:16-18:39:39 stuffman ulogd[3355]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60002" seq="0" initf="eth1" outitf="eth2" dstmac="00:b0:c2:02:e4:4f" srcmac="00:b0:c2:02:e3:c7" srcip="192.168.2.11" dstip="85.115.22.3" proto="6" length="40" tos="0x00" prec="0x00" ttl="127" srcport="49193" dstport="80" tcpflags="ACK FIN" 
2009:12:16-18:39:39 stuffman ulogd[3355]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60002" seq="0" initf="eth1" outitf="eth2" dstmac="00:b0:c2:02:e4:4f" srcmac="00:b0:c2:02:e3:c7" srcip="192.168.2.11" dstip="95.154.193.105" proto="6" length="40" tos="0x00" prec="0x00" ttl="127" srcport="49187" dstport="80" tcpflags="ACK FIN" 
2009:12:16-18:39:39 stuffman ulogd[3355]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60002" seq="0" initf="eth1" outitf="eth2" dstmac="00:b0:c2:02:e4:4f" srcmac="00:b0:c2:02:e3:c7" srcip="192.168.2.11" dstip="66.102.13.118" proto="6" length="40" tos="0x00" prec="0x00" ttl="127" srcport="49197" dstport="80" tcpflags="ACK FIN" 
2009:12:16-18:39:39 stuffman ulogd[3355]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60002" seq="0" initf="eth1" outitf="eth2" dstmac="00:b0:c2:02:e4:4f" srcmac="00:b0:c2:02:e3:c7" srcip="192.168.2.11" dstip="213.144.15.19" proto="6" length="40" tos="0x00" prec="0x00" ttl="127" srcport="49189" dstport="443" tcpflags="ACK FIN" 
2009:12:16-18:39:39 stuffman ulogd[3355]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60002" seq="0" initf="eth1" outitf="eth2" dstmac="00:b0:c2:02:e4:4f" srcmac="00:b0:c2:02:e3:c7" srcip="192.168.2.11" dstip="85.115.22.3" proto="6" length="40" tos="0x00" prec="0x00" ttl="127" srcport="49193" dstport="80" tcpflags="ACK FIN" 
2009:12:16-18:39:39 stuffman ulogd[3355]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60002" seq="0" initf="eth1" outitf="eth2" dstmac="00:b0:c2:02:e4:4f" srcmac="00:b0:c2:02:e3:c7" srcip="192.168.2.11" dstip="66.102.13.133" proto="6" length="40" tos="0x00" prec="0x00" ttl="127" srcport="49195" dstport="80" tcpflags="ACK FIN" 
2009:12:16-18:39:40 stuffman ulogd[3355]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60002" seq="0" initf="eth1" outitf="eth2" dstmac="00:b0:c2:02:e4:4f" srcmac="00:b0:c2:02:e3:c7" srcip="192.168.2.11" dstip="66.240.206.90" proto="6" length="40" tos="0x00" prec="0x00" ttl="127" srcport="49191" dstport="443" tcpflags="ACK FIN" 
2009:12:16-18:39:40 stuffman ulogd[3355]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60002" seq="0" initf="eth1" outitf="eth2" dstmac="00:b0:c2:02:e4:4f" srcmac="00:b0:c2:02:e3:c7" srcip="192.168.2.11" dstip="95.154.193.105" proto="6" length="40" tos="0x00" prec="0x00" ttl="127" srcport="49187" dstport="80" tcpflags="ACK FIN" 
2009:12:16-18:39:41 stuffman ulogd[3355]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60002" seq="0" initf="eth1" outitf="eth2" dstmac="00:b0:c2:02:e4:4f" srcmac="00:b0:c2:02:e3:c7" srcip="192.168.2.11" dstip="66.102.13.118" proto="6" length="40" tos="0x00" prec="0x00" ttl="127" srcport="49197" dstport="80" tcpflags="ACK FIN" 
2009:12:16-18:39:41 stuffman ulogd[3355]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60002" seq="0" initf="eth1" outitf="eth2" dstmac="00:b0:c2:02:e4:4f" srcmac="00:b0:c2:02:e3:c7" srcip="192.168.2.11" dstip="213.144.15.19" proto="6" length="40" tos="0x00" prec="0x00" ttl="127" srcport="49189" dstport="443" tcpflags="ACK FIN" 



Among the destinations are: Google, Astaro etc. (Most of these drops are from websites I have RSS defined for on the Outlook client.)

From the logs it seems that the handshake is wrong and therefore Astaro pf blocks it. However, on my executive reports I am getting port 80 and 443 as the top on the blocked services.


Any help will be much appreciated
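A way to read the log above, as an added example that is not part of the original post: it groups the dropped packets by flow so that repeated entries for one connection can be told apart from separate connections, and counts how many carried SYN. The sample is six entries from the log above, rebuilt from a template with only the fields the script reads; the function names are hypothetical.

```python
import re
from collections import Counter

# Six entries from the log above, rebuilt with only the fields used here.
_TEMPLATE = ('2009:12:16-18:39:{t} stuffman ulogd[3355]: id="2001" '
             'sub="packetfilter" action="drop" fwrule="60002" '
             'srcip="192.168.2.11" dstip="{d}" proto="6" '
             'srcport="{sp}" dstport="{dp}" tcpflags="ACK FIN"')
SAMPLE_LOG = "\n".join(
    _TEMPLATE.format(t=t, d=d, sp=sp, dp=dp) for t, d, sp, dp in [
        ("39", "85.115.22.3", "49193", "80"),
        ("39", "66.240.206.90", "49191", "443"),
        ("39", "213.144.15.19", "49189", "443"),
        ("39", "213.144.15.19", "49189", "443"),
        ("39", "85.115.22.3", "49193", "80"),
        ("41", "213.144.15.19", "49189", "443"),
    ])

KV = re.compile(r'(\w+)="([^"]*)"')  # key="value" pairs in a ulogd line


def dropped_packets(text):
    """Yield the fields of each packetfilter drop entry as a dict."""
    for line in text.splitlines():
        fields = dict(KV.findall(line))
        if fields.get("sub") == "packetfilter" and fields.get("action") == "drop":
            yield fields


def summarize(text):
    """Count drops per flow and per destination port, and drops carrying SYN."""
    flows = Counter()
    for f in dropped_packets(text):
        flows[(f["srcip"], f["srcport"], f["dstip"], f["dstport"],
               f.get("tcpflags", ""))] += 1
    packets_by_port, flows_by_port, syn_packets = Counter(), Counter(), 0
    for (_, _, _, dport, flags), count in flows.items():
        packets_by_port[dport] += count   # what a "top blocked services" tally sees
        flows_by_port[dport] += 1         # distinct connections behind that tally
        if "SYN" in flags.split():        # SYN marks a new connection attempt
            syn_packets += count
    return {"flows": flows, "packets_by_port": dict(packets_by_port),
            "flows_by_port": dict(flows_by_port), "syn_packets": syn_packets}


if __name__ == "__main__":
    result = summarize(SAMPLE_LOG)
    for flow, count in result["flows"].most_common():
        print(count, *flow)
    print(result["packets_by_port"], result["flows_by_port"], result["syn_packets"])
```

On the sample, the six drops collapse into three flows and none carries SYN, so the per-port totals count repeated closing segments of a few connections rather than blocked new connections.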


  • You are right. That's what's happening! I am guessing that setting ostats.mozilla.com on the skiplist will resolve the issue.

    However, I am trying to reduce the number of hosts on the transparent skiplist. Any other ideas of how to resolve it? I've set the Mozilla cooperation on the skiplist because that's the only way I can update Firefox/Thunderbird/download addons etc.