
Author Topic: Firewall rule not blocking  (Read 203 times)


Offline skipchang

  • Newbie
  • *
  • Posts: 4
  • Karma: +0/-0
Firewall rule not blocking
« on: December 06, 2017, 11:34:18 pm »
I'm at my wit's end trying to troubleshoot this issue:

Attached is the firewall rule for the lab_integration interface (10.1.0.1/16)

Configuration is as follows:
1.  Multiple VLANs assigned to the physical LAN device.
2.  Each VLAN on a separate and unique subnet
3.  Single WAN interface

Attached screen shot firewall rule description:
1.  Allow ICMP to any interface
2.  Allow DNS lookup to the internal DNS servers on a different subnet.  The alias AMGT_DNS defines two different DNS servers on the 10.0.0.0/16 subnet
3.  Allow NTP sync to the internal NTP server on a different subnet.  The alias NTP_SERVER points to 10.0.1.20.
4.  Allow NFS interface to the internal NFS server on a different subnet.  The alias Internal_Servers defines two different NFS servers on the 10.0.0.0/16 subnet
5.  Allow SSH/SCP interface to the Users address (10.0.0.0/16).
6.  Block everything else.

Based on this set of rules, I would expect the firewall to not allow any traffic to the Internet.  However, when I run "curl www.google.com", I get the response back from google.  I looked at the firewall logs and nothing shows up.  However, when I look at Diagnostics --> States and filter on the machine on the 10.1.0.0/16 network (machine IP address: 10.1.200.1), I see that NAT occurred from 10.1.200.1 --> 127.0.0.1:xxxx.  I don't get this at all.

I could really use the help figuring this out.

Thanks,
Skip

Offline KOM

  • Hero Member
  • *****
  • Posts: 5412
  • Karma: +674/-19
Re: Firewall rule not blocking
« Reply #1 on: December 07, 2017, 08:16:47 am »
You don't need that last rule since there is a hidden Default Deny rule on all interfaces.

Did you reset your states after you made your firewall rule changes?  Established states will not be affected by a rule update.

Offline skipchang

  • Newbie
  • *
  • Posts: 4
  • Karma: +0/-0
Re: Firewall rule not blocking
« Reply #2 on: December 07, 2017, 09:13:58 am »
Yes.  I did reset the states after the firewall rule changes.  No changes in behavior.

I'm scheduling a reboot of the pfsense box this weekend to see if that clears it up.

Offline KOM

  • Hero Member
  • *****
  • Posts: 5412
  • Karma: +674/-19
Re: Firewall rule not blocking
« Reply #3 on: December 07, 2017, 09:57:42 am »
Those rules should block WWW traffic on that interface.  Are you sure you're on the interface and not some other VLAN?

Offline skipchang

  • Newbie
  • *
  • Posts: 4
  • Karma: +0/-0
Re: Firewall rule not blocking
« Reply #4 on: December 07, 2017, 11:05:59 am »
Yes.  I'm sure.  Just for yucks, I moved the "block all" rule to the top and it stopped the curl command.

I will be rebooting the pfsense box tonight and see if that clears things up.

In addition, from the machine on the VLAN, here's the default routes:

[root@localhost ~]# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.1.0.0        0.0.0.0         255.255.0.0     U     1      0        0 eth0
0.0.0.0         10.1.1.1        0.0.0.0         UG    0      0        0 eth0


Also, when I ran "curl www.google.com", here's the firewall log and the state log:

Firewall log:
2 Matched Firewall Log Entries. (Maximum 2000)
Action   Time   Interface   Source   Destination   Protocol
Dec 7 10:29:42   LAB_INTEGRATION   10.1.200.1:42270   10.0.1.22:53   UDP
Dec 7 10:29:08   LAB_INTEGRATION   10.1.200.1:45254   10.0.1.22:53   UDP

State Log:
States
Interface   Protocol   Source (Original Source) -> Destination (Original Destination)   State   Packets   Bytes
LAB_INTEGRATION   udp   10.1.200.1:58220 -> 10.0.1.22:53   SINGLE:MULTIPLE   2 / 2   120 B / 164 B
USERS   udp   10.1.200.1:58220 -> 10.0.1.22:53   MULTIPLE:SINGLE   2 / 2   120 B / 164 B
LAB_INTEGRATION   tcp   10.1.200.1:55985 -> 127.0.0.1:3128 (172.217.1.196:80)   FIN_WAIT_2:FIN_WAIT_2   16 / 15   1017 B / 13 KiB
LAB_INTEGRATION   tcp   10.1.200.1:813 -> 10.0.1.11:2049   ESTABLISHED:ESTABLISHED   28.851 K / 24.415 K   5.11 MiB / 5.83 MiB
USERS   tcp   10.1.200.1:813 -> 10.0.1.11:2049   ESTABLISHED:ESTABLISHED   28.851 K / 24.415 K   5.11 MiB / 5.83 MiB
USERS   tcp   10.0.4.1:52516 -> 10.1.200.1:22   ESTABLISHED:ESTABLISHED   359 / 233   26 KiB / 98 KiB
LAB_INTEGRATION   tcp   10.0.4.1:52516 -> 10.1.200.1:22   ESTABLISHED:ESTABLISHED   359 / 233   26 KiB / 98 KiB


One of my main questions is the route to 127.0.0.1 on the third line of the filtered states log.
« Last Edit: December 07, 2017, 11:33:09 am by skipchang »

Offline KOM

  • Hero Member
  • *****
  • Posts: 5412
  • Karma: +674/-19
Re: Firewall rule not blocking
« Reply #5 on: December 07, 2017, 01:01:59 pm »
That's a redirect to squid web proxy which listens on tcp/3128.
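The loopback entry KOM points at is the signature of a NAT redirect (rdr) for a transparent proxy: pf rewrites the destination before the filter rules are evaluated, and pfSense shows the pre-NAT destination in parentheses. The script below is an added example, not code from the thread or from pfSense; it parses rows in the Diagnostics > States layout shown above and flags states whose destination was rewritten to a local service. The sample rows are constructed to match that layout.

```python
import re
from ipaddress import ip_address

# Constructed sample rows in the pfSense Diagnostics > States format.
# The second row carries the pre-NAT destination "(172.217.1.196:80)".
STATES = """\
LAB_INTEGRATION   udp   10.1.200.1:58220 -> 10.0.1.22:53   SINGLE:MULTIPLE   2 / 2   120 B / 164 B
LAB_INTEGRATION   tcp   10.1.200.1:55985 -> 127.0.0.1:3128 (172.217.1.196:80)   FIN_WAIT_2:FIN_WAIT_2   16 / 15   1017 B / 13 KiB
LAB_INTEGRATION   tcp   10.1.200.1:813 -> 10.0.1.11:2049   ESTABLISHED:ESTABLISHED   28.851 K / 24.415 K   5.11 MiB / 5.83 MiB
USERS   tcp   10.0.4.1:52516 -> 10.1.200.1:22   ESTABLISHED:ESTABLISHED   359 / 233   26 KiB / 98 KiB
"""

# iface proto src:port -> dst:port [(orig_dst:port)] state ...
ROW = re.compile(
    r"^(?P<iface>\S+)\s+(?P<proto>\S+)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)"
    r"(?:\s+\((?P<odst>[\d.]+):(?P<odport>\d+)\))?\s+(?P<state>\S+)"
)


def parse_states(text):
    """Parse state rows; header lines and blanks simply do not match."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            rows.append(m.groupdict())
    return rows


def redirected_states(rows):
    """Return states whose destination differs from the one the client asked for.

    A rewrite to a loopback address means a service on the firewall itself
    (here squid on tcp/3128) answered the client, so the reply the user sees
    never went through the interface rules for the real destination."""
    hits = []
    for r in rows:
        if r["odst"] is None:
            continue  # no rdr applied; the filter saw the real destination
        hits.append({
            "iface": r["iface"],
            "src": r["src"],
            "original": f'{r["odst"]}:{r["odport"]}',
            "translated": f'{r["dst"]}:{r["dport"]}',
            "loopback": ip_address(r["dst"]).is_loopback,
        })
    return hits


if __name__ == "__main__":
    for h in redirected_states(parse_states(STATES)):
        print(h)
```

Run it against a copy of your own states page to see which sessions were captured by a local redirect rather than evaluated against the interface's block rule.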

Offline skipchang

  • Newbie
  • *
  • Posts: 4
  • Karma: +0/-0
Re: Firewall rule not blocking
« Reply #6 on: December 07, 2017, 02:07:21 pm »
KOM,

That was the key.  What I thought I was seeing was the cached page for the sites from the squid proxy.

Thanks for getting my head out of my #@$.

Skip

Offline KOM

  • Hero Member
  • *****
  • Posts: 5412
  • Karma: +674/-19
Re: Firewall rule not blocking
« Reply #7 on: December 07, 2017, 03:00:27 pm »
Glad to help.