
Author Topic: [SOLVED] Help understanding firewall rule behaviour  (Read 151 times)


Offline anarokus

[SOLVED] Help understanding firewall rule behaviour
« on: November 28, 2017, 10:01:14 am »
Hi,

I'm running two pfSense devices in HA running 2.3.5.

On our Guest wifi rule I have initially created a temporary allow any rule (allow ipv4 any any).
When I checked the firewall logs I noticed that some traffic is still being blocked by the default ipv4 block all rule.

So I created a new explicit block all rule as my last firewall rule to confirm that the traffic matches this rule and sure enough the traffic is passing the allow any rule and getting blocked by the explicit block all rule.

The pattern that I'm noticing is that all of the traffic that is matching the default block all rule is tcp port 80 and 443. The protocol is mostly TCP:PA or TCP:FA but sometimes it is TCP:PFA.

I added specific allow rules from the source net to tcp port 80 and tcp port 443, but I'm still seeing traffic missing these rules and hitting the explicit block all rule.

Under what criteria could this happen?
Is the firewall maybe not generating states and thus subsequent packets in the flow being blocked because the state doesn't exist? Or possibly some parts of the traffic flow going through one firewall and the rest through the other, preventing a complete state from being formed (asymmetric traffic flow..)?
If so, how would I go about troubleshooting this?

Thanks for the help.

Shane
« Last Edit: November 29, 2017, 09:07:23 am by anarokus »

Offline NogBadTheBad


Offline Harvy66

Re: Help understanding firewall rule behaviour
« Reply #2 on: November 28, 2017, 11:35:50 am »
Cellphones are notorious for these invalid states.

Offline johnpoz

Re: Help understanding firewall rule behaviour
« Reply #3 on: November 28, 2017, 11:38:49 am »
^ yup!!! They are horrible at them.. Especially noticed them with my son's Android. I just turned off default logging and set a rule to only log SYN.. So to remove the log spam of out of state traffic.
- An intelligent man is sometimes forced to be drunk to spend time with his fools.
- Please don't PM me for personal help
- if you want to say thanks applaud or https://www.freebsdfoundation.org/donate/
1x SG-2440 2.3.4_p1 (work)
1x SG-4860 2.4.2-RELEASE (home)

Offline anarokus

Re: [SOLVED] Help understanding firewall rule behaviour
« Reply #4 on: November 29, 2017, 09:08:16 am »
Thanks everyone! It was indeed out of state packets.
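
Added example, not part of any post in this thread: a small triage script that separates blocked entries that were genuine new connection attempts from out-of-state packets such as the TCP:PA, TCP:FA and TCP:PFA entries described above. It relies on pf's default for stateful pass rules (`flags S/SA`), which is why an "allow any" rule never matches a packet that arrives without a SYN. The log entries, addresses and function names are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample of blocked log entries: (source, destination, protocol).
# Protocol uses the "TCP:<flags>" notation quoted in the thread; the addresses
# are documentation ranges, not values from the original posts.
SAMPLE_BLOCKED = [
    ("192.0.2.21:51544", "198.51.100.10:443", "TCP:PA"),
    ("192.0.2.21:51544", "198.51.100.10:443", "TCP:FA"),
    ("192.0.2.21:51560", "198.51.100.10:80", "TCP:PFA"),
    ("192.0.2.34:40112", "198.51.100.77:443", "TCP:FA"),
    ("192.0.2.50:39000", "198.51.100.77:25", "TCP:S"),
    ("192.0.2.50:5353", "224.0.0.251:5353", "UDP"),
]

TCP_PROTO = re.compile(r"^TCP:([A-Z]+)$")


def classify(protocol):
    """Label one blocked entry by whether it could have created a state."""
    match = TCP_PROTO.match(protocol)
    if match is None:
        return "non-tcp"
    flags = set(match.group(1))
    # pf's stateful pass rules default to "flags S/SA": only a packet with
    # SYN set and ACK clear can create a state. Anything else needs an
    # existing state entry, so a block on it means the state was missing.
    if "S" in flags and "A" not in flags:
        return "new-connection"
    return "out-of-state"


def summarize(entries):
    """Count entries per class and rank hosts sending out-of-state packets."""
    by_class = Counter()
    noisy_hosts = Counter()
    for source, _dest, protocol in entries:
        kind = classify(protocol)
        by_class[kind] += 1
        if kind == "out-of-state":
            noisy_hosts[source.rsplit(":", 1)[0]] += 1
    return dict(by_class), noisy_hosts.most_common()


if __name__ == "__main__":
    classes, hosts = summarize(SAMPLE_BLOCKED)
    print(classes)
    for host, count in hosts:
        print(host, count)
```

Only the "new-connection" entries indicate traffic that the rule set itself rejected; a high out-of-state count concentrated on a few guest clients matches the behaviour described in the replies.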