Topic: Firewall blocking too much?

Offline Tomasu
Firewall blocking too much?
« on: May 14, 2008, 11:30:18 pm »
I'm seeing some traffic being caught in the default "block all" rule, which I assume is coming from torrent traffic. Shouldn't such traffic be caught by the firewall's state tracker?

Also I'm seeing some odd ICMP pings coming in from outside, targeting an internal (192.168.1.x) address, which I assume is only possible if the source of the packets is specially creating the packets? To go along with that, I've had to explicitly allow ICMP traffic so he.net IPv6 tunnels work, but I've set the rule so it only allows ICMP targeted at the WAN address, and it's still allowing ICMP targeting internal addresses. I've also tried adding a specific block rule for ICMP targeting internal addresses from the outside, and the firewall log still says the ICMP allow rule is catching it, even though the block rule is above it.

Offline GruensFroeschli
Re: Firewall blocking too much?
« Reply #1 on: May 15, 2008, 06:17:34 am »
Screenshots of blocks and of firewall rules, please.

Offline Tomasu
Re: Firewall blocking too much?
« Reply #2 on: May 15, 2008, 07:40:46 am »
Screenshots of blocks and of firewall rules, please.

Firewall log: (the blocked TCP and UDP traffic _looks_ like it ought to be OK, but I can't be sure, and the allowed ICMP traffic is very strange, particularly the ones with a local dest)

WAN rules:

Offline sai
Re: Firewall blocking too much?
« Reply #3 on: May 17, 2008, 08:16:36 am »
Do you have any NAT rules set up?
Do you have private IP addresses blocked on the WAN interface?

Offline Tomasu
Re: Firewall blocking too much?
« Reply #4 on: May 17, 2008, 10:17:43 am »
Do you have any NAT rules set up?
Do you have private IP addresses blocked on the WAN interface?
Yes and yes.

The private address that's being sent ICMP packets has never existed on my LAN, and private addresses are blocked using those checkboxes labeled "block private networks" and "block bogon networks" on the WAN interface page.

Offline sai
Re: Firewall blocking too much?
« Reply #5 on: May 18, 2008, 04:00:56 am »
If you click on the green icon in the logs, it will tell you which rule is letting it through. I would guess it is the one labeled "icmp allow".

Offline Tomasu
Re: Firewall blocking too much?
« Reply #6 on: May 18, 2008, 06:03:31 am »
If you click on the green icon in the logs, it will tell you which rule is letting it through. I would guess it is the one labeled "icmp allow".
Right. That is the one that pfSense thinks is letting it through, but not only should it not be letting it through, an earlier rule should be blocking it first.

Offline sai
Re: Firewall blocking too much?
« Reply #7 on: May 19, 2008, 03:45:41 am »
The previous rule will only block packets going to LAN net. I guess your LAN net is not 192.168.1.0/24, so that is why the packets are not blocked.

Offline Tomasu
Re: Firewall blocking too much?
« Reply #8 on: May 19, 2008, 04:13:22 am »
The previous rule will only block packets going to LAN net. I guess your LAN net is not 192.168.1.0/24, so that is why the packets are not blocked.
It is indeed 192.168.1.0/24. And the rule allowing ICMP specifically only allows ICMP traffic NOT targeting LAN net, so the first rule should be blocking it, and the second shouldn't be allowing it.

Offline sai
Re: Firewall blocking too much?
« Reply #9 on: May 19, 2008, 05:15:37 am »
Can you show us your NAT rules and interfaces page?

Offline razor2000
Re: Firewall blocking too much?
« Reply #10 on: May 19, 2008, 09:26:41 am »
Tomasu, try this:

Switch the order of your two ICMP rules. Place your "logged, allow icmp rule" above your "logged, block icmp rule" and see if that does the trick. Good luck! :)

PS: do you have any virtual IPs, CARP IPs, or 1:1 NAT items set up? Let us know, because I am wondering how the allowed ICMP rule knows to go directly to your 192.168.1.102 IP address instead of just listing your normal WAN IP address. More specifically, does 192.168.1.102 have a WAN IP of something other than 68.149.45.164?

Offline Tomasu
Re: Firewall blocking too much?
« Reply #11 on: May 19, 2008, 09:55:31 am »
Tomasu, try this:

Switch the order of your two ICMP rules. Place your "logged, allow icmp rule" above your "logged, block icmp rule" and see if that does the trick. Good luck! :)
I'll get back to you on this...

PS: do you have any virtual IPs, CARP IPs, or 1:1 NAT items set up? Let us know, because I am wondering how the allowed ICMP rule knows to go directly to your 192.168.1.102 IP address instead of just listing your normal WAN IP address. More specifically, does 192.168.1.102 have a WAN IP of something other than 68.149.45.164?
192.168.1.102 does not exist, and never has as far as I know. My dynamic DHCP pool starts allocating from 199 and goes down to 100, and I'm currently only seeing 192.168.1.17x IPs so far (mainly for virtual machines with randomish MAC addresses). I also have no virtual IPs, no CARP IPs, and no 1:1 NAT items.

The ICMP just should not be getting through at all. The allow rule explicitly states only ICMP not targeting a LAN address should get through, and the explicit deny rule should further block it. The extra block rule was added after I noticed the allow rule allowing local-destination ICMP through even when told not to.

Not to mention the packets getting blocked when they could be valid BitTorrent traffic (not sure on this one; it's hard to test when pfSense lacks all the useful packet sniffing tools that I'm used to).

Offline razor2000
Re: Firewall blocking too much?
« Reply #12 on: May 19, 2008, 11:31:28 am »
Interesting... If you don't mind, could you post the WAN IP info and LAN IP info of your pfSense box? Block out the necessary items in the WAN IP as needed. Just to be sure, your WAN IP is obtained via DHCP from your ISP, correct?

Another item: are you using pfSense 1.2 or an older version?

Offline Tomasu
Re: Firewall blocking too much?
« Reply #13 on: May 19, 2008, 11:31:02 pm »
Interesting... If you don't mind, could you post the WAN IP info and LAN IP info of your pfSense box? Block out the necessary items in the WAN IP as needed. Just to be sure, your WAN IP is obtained via DHCP from your ISP, correct?

Another item: are you using pfSense 1.2 or an older version?
I'm using 1.2. And yes, I get DHCP from my ISP.

Offline razor2000
Re: Firewall blocking too much?
« Reply #14 on: May 20, 2008, 10:00:05 am »
Thanks for supplying the interfaces screenshot. Several different items and thoughts:

I would like to see the subnet mask of your WAN IP if you don't mind. I am still intrigued as to which machine on your LAN is the 192.168.1.102 computer that showed up in the logs. It could be a random machine that had that IP address at that time. The reason I asked if you had any virtual/public IPs is because normally, when items in the firewall get blocked on the WAN side, they should only be showing the WAN IP address, as they are in the other types of items being blocked. Internal IP addresses show in the logs when those internal addresses are matched up with 1:1 NAT public IPs (at least from all the setups I have performed and seen).

Another item: unless needed for the specific application you mentioned in your first post ("he.net ipv6 tunnels work"), you could delete the two ICMP rules and just use the following:

Allow - ICMP - * - WAN ADDRESS - * - *

That way, you'd be allowing ping replies to your 64.149.45.164 IP address, and all ICMP requests to your internal LAN would be blocked by default. Of course, for logging purposes, that is when you need to create the additional rules. So basically, I am saying: get rid of the rule that says ALLOW ICMP to !LAN net, and replace it with what I have mentioned above.

Could you post your latest firewall log so we could see the IPs whose ICMP packets are still making it through? I am interested in whether it is still coming from the same IP, or from somewhere else.

Thanks
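As an added example (not code from this thread or from pfSense itself), the following Python simulates the first-match evaluation pfSense applies to WAN rules, for the two rule sets discussed above: Tomasu's logged block/allow ICMP pair (replies #7 and #8) and razor2000's single "Allow ICMP to WAN address" rule (reply #14). The LAN net and WAN address are the values posted in the thread; the rule labels and the `Rule`, `matches` and `evaluate` names are hypothetical.

```python
import ipaddress
from dataclasses import dataclass

# Constructed from the thread: Tomasu's LAN net and the WAN address he posted.
LAN_NET = ipaddress.ip_network("192.168.1.0/24")
WAN_ADDR = ipaddress.ip_address("68.149.45.164")


@dataclass
class Rule:
    name: str
    action: str                 # "pass" or "block"
    proto: str                  # "icmp", "tcp", "udp" or "any"
    dst: object                 # an ip_network or a single ip_address
    negate_dst: bool = False    # the "not" checkbox, i.e. "!LAN net"


def matches(rule, proto, dst_ip):
    """Does this rule match a packet of the given protocol to dst_ip?"""
    if rule.proto != "any" and rule.proto != proto:
        return False
    if isinstance(rule.dst, ipaddress.IPv4Network):
        hit = dst_ip in rule.dst
    else:
        hit = dst_ip == rule.dst
    return hit != rule.negate_dst   # XOR: "not" flips the destination match


def evaluate(rules, proto, dst):
    """pfSense WAN rules are first-match; anything unmatched falls through
    to the implicit default block.  Returns (action, rule name)."""
    dst_ip = ipaddress.ip_address(dst)
    for r in rules:
        if matches(r, proto, dst_ip):
            return r.action, r.name
    return "block", "default block all"


# Tomasu's two logged ICMP rules, in the order he described (block first).
ORIGINAL = [
    Rule("block icmp to LAN net", "block", "icmp", LAN_NET),
    Rule("allow icmp to !LAN net", "pass", "icmp", LAN_NET, negate_dst=True),
]

# razor2000's simplified replacement: one pass rule to the WAN address only.
SIMPLIFIED = [
    Rule("allow icmp to WAN address", "pass", "icmp", WAN_ADDR),
]

if __name__ == "__main__":
    for rules in (ORIGINAL, SIMPLIFIED):
        for dst in ("192.168.1.102", str(WAN_ADDR)):
            print(dst, evaluate(rules, "icmp", dst))
```

With either rule set, ICMP to 192.168.1.102 is blocked; if the live log still attributes a pass to the allow rule for such a destination, the loaded ruleset differs from the one described, which is why sai asked to confirm the LAN net, NAT rules and interfaces page.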