Author Topic: Default deny rule IPv4  (Read 601 times)

CLOUDFACILE
Default deny rule IPv4
« on: February 09, 2018, 03:17:22 pm »
Hello everyone, I have a pfSense Community Edition 2.4.2-RELEASE-p1 firewall.
Today, suddenly, the firewall has begun to block traffic to one of our webservers.
On pfSense I installed a reverse proxy to manage the addressing to different webservers.
In the firewall logs I find this line: Default deny rule IPv4 (1000000103) or Default deny rule IPv4 (1000000104) for the TCP: R protocol.
I cannot understand why this happened suddenly; until this morning everything worked, and for months everything has worked perfectly.
Has anyone encountered this problem and can help me solve it?
Thank you and good job to everybody.
Luke

slim2016
Re: Default deny rule IPv4
« Reply #1 on: February 09, 2018, 03:30:10 pm »
https://forum.pfsense.org/index.php?topic=17029.msg88467#msg88467

Just out of curiosity, have you tried rebooting everything?

CLOUDFACILE
Re: Default deny rule IPv4
« Reply #2 on: February 09, 2018, 04:44:41 pm »
Hi, I have already read this post, but my problem persists.
I have already restarted everything, but nothing changes, the firewall continues to block the TCP: R without any reason and prevents the resource from working.
Thanks.

johnpoz
Re: Default deny rule IPv4
« Reply #3 on: February 09, 2018, 07:35:02 pm »
"TCP: R"

So a RST (reset)..  Yeah that is going to be blocked if there is no state.. And if there was a state that normally tears it down the FAST way... Normally tcp sessions are ended all nice and proper with a fin, fin,ack and everyone is done talking and the firewall sees this and removes the state..  Do you understand what a state is and how a tcp session is created and torn down?

A RST, in a nutshell, is in TCP a "shut the F up" sort of way of tearing down the session.

What exactly is not working?  And we can move forward in fixing your problem...  But your default rule blocking out of state traffic is normal..
https://doc.pfsense.org/index.php/Why_do_my_logs_show_%22blocked%22_for_traffic_from_a_legitimate_connection
- An intelligent man is sometimes forced to be drunk to spend time with his fools.
- Please don't PM me for personal help
- if you want to say thanks applaud or https://www.freebsdfoundation.org/donate/
1x SG-2440 2.4.3-RELEASE (work)
1x SG-3100 2.4.3-RELEASE (work)
1x SG-4860 2.4.3-RELEASE-p1 (home)
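
The state behaviour described in the reply above, as an added example that is not part of the original thread and is not pfSense's own code: a toy state table showing why a SYN opens a state while an RST with no matching state falls through to the default deny. The pass rule, addresses and the immediate removal of state on RST are assumptions made for illustration.

```python
from dataclasses import dataclass

PASS_PORTS = {80, 443}  # assumed WAN pass rule: new TCP connections to web ports


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str  # tcpdump-style letters: S, SA, A, PA, FA, R, RA


class StatefulFilter:
    """Toy model: a state table, one pass rule, and a default deny."""

    def __init__(self):
        self.states = set()

    def handle(self, p):
        # One state entry covers both directions of the connection.
        key = frozenset({(p.src, p.sport), (p.dst, p.dport)})
        if key in self.states:
            if "R" in p.flags:
                # Simplification: the state is dropped at once on RST.
                self.states.discard(key)
            return "pass (state)"
        # No state: only a bare SYN matching the pass rule may create one.
        if p.flags == "S" and p.dport in PASS_PORTS:
            self.states.add(key)
            return "pass (rule, state created)"
        return "block (default deny)"


def replay(packets):
    fw = StatefulFilter()
    return [fw.handle(p) for p in packets]


def pkt(a, b, flags):
    return Packet(a[0], a[1], b[0], b[1], flags)


# Constructed sample traffic using documentation addresses, not from the thread.
CLIENT, WAN = ("198.51.100.7", 51000), ("203.0.113.10", 443)
SAMPLE = [pkt(CLIENT, WAN, "R"), pkt(CLIENT, WAN, "S"), pkt(WAN, CLIENT, "SA"),
          pkt(CLIENT, WAN, "A"), pkt(CLIENT, WAN, "R"), pkt(CLIENT, WAN, "R")]

if __name__ == "__main__":
    for p, verdict in zip(SAMPLE, replay(SAMPLE)):
        print(f"{p.src}:{p.sport} -> {p.dst}:{p.dport} [{p.flags}] {verdict}")
```

The first and last packets are the "TCP: R" entries from the log: an RST arriving before any state exists, and a repeated RST arriving after the state is gone.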

CLOUDFACILE
Re: Default deny rule IPv4
« Reply #4 on: February 10, 2018, 11:32:10 am »
Hello,
I thank you for the answer and I attach 3 pages with screenshots and my comments to better explain the configuration of pfsense and the problem.

johnpoz
Re: Default deny rule IPv4
« Reply #5 on: February 10, 2018, 03:37:17 pm »
And sorry but a R sent to your wan IP yes would be blocked.. Only a SYN would be allowed and open a state...

Vs looking at what is just in your firewall rules, why don't you do a packet capture and watch the traffic...  Be more than happy to send traffic to your domain/IP so you can sniff and see what happens, etc.

CLOUDFACILE
Re: Default deny rule IPv4
« Reply #6 on: February 10, 2018, 04:16:31 pm »
I solved the problem, I reinstalled pfsense, then I restored the backup and everything works perfectly.
Thanks anyway for your help.

johnpoz
Re: Default deny rule IPv4
« Reply #7 on: February 11, 2018, 05:34:12 am »
I am glad you're not seeing the issue you were having.. But such a solution is not really a solution.... Since you have no idea what was the root.. Blocking RST to the wan is what should happen.. If there was no state or was after a state was closed..

A sniff would have been very, very informative as to what the problem actually was.