OPNsense Forum

Archive => 20.7 Legacy Series => Topic started by: Mr. Happy on August 13, 2020, 09:34:27 PM

Title: Firewall blocks one time, passes another...
Post by: Mr. Happy on August 13, 2020, 09:34:27 PM
When I looked in the live logging of the firewall I found several of the following lines...

vl70_iot Aug 13 21:23:09 192.168.70.16:49462 173.194.76.206:443 tcp Default deny rule
vl70_iot Aug 13 21:23:08 192.168.70.16:52646 34.90.171.169:80 tcp Default deny rule
vl70_iot Aug 13 21:23:06 192.168.70.16:48390 34.90.173.53:443 tcp Default deny rule
vl70_iot Aug 13 21:23:05 192.168.70.16:52646 34.90.171.169:80 tcp Default deny rule
vl70_iot Aug 13 21:23:04 192.168.70.16:49468 173.194.76.206:443 tcp vl70 allow to any rule


As you can see, at 21:23:04 the traffic is allowed, at 21:23:09 it is blocked.
I would have expected it to be allowed or disallowed, not both....
Is this a bug or is there some other log file that might explain this (erratic?) behaviour??
Title: Re: Firewall blocks one time, passes another...
Post by: chemlud on August 14, 2020, 08:17:46 AM
out-of-state traffic, maybe? ::)
Title: Re: Firewall blocks one time, passes another...
Post by: Vilhonator on September 09, 2020, 03:11:17 PM
Check your firewall rules and port forwarding rules.

You can find firewall rules under Firewall -> Rules -> WAN, LAN and the rest of the interfaces you are using. Keep in mind that in Rules the order does matter and rules are applied from top to bottom by default, so if there is any block rule for a port which is port forwarded and the port forward rule is below it, then connections are blocked. (Port forwarding is found under Firewall -> NAT, but you can see those rules in the firewall rules as well; you just can't modify them without going to the port forwarding section.)

Also, to help you recognize whether the firewall is blocking something because you have made a rule to block it, edit the rule, check the "log" box and type something in the text field next to "Description"; that way the text in the description field is shown in the live log monitor. If you leave the description text field empty, then the default description is used, which is "Default deny rule"; if you leave the "log" box unchecked, then only the default rules are shown in the live log monitor.

An example of how to set firewall rules and how they work can be found at https://docs.opnsense.org/manual/how-tos/edrop.html (and yes, they are very confusing, so better not make any firewall rules without first going through a guide and setting up a few of them first).
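An added example (not from this thread or from the OPNsense project) that parses the live-log lines quoted in the first post and groups them by 5-tuple, so a single connection that was passed and later denied (a rule-order problem) can be told apart from denies that have no matching pass in the window, which is what out-of-state packets look like in the log. Classifying by the description column is an assumption based on the "Default deny rule" / "vl70 allow to any rule" text shown; it is the reason a logged rule should carry a meaningful description.

```python
import re
from collections import defaultdict

# Constructed sample: the live-log lines from the first post, in the same
# "iface mon day time src:port dst:port proto description" layout.
SAMPLE_LOG = """\
vl70_iot Aug 13 21:23:09 192.168.70.16:49462 173.194.76.206:443 tcp Default deny rule
vl70_iot Aug 13 21:23:08 192.168.70.16:52646 34.90.171.169:80 tcp Default deny rule
vl70_iot Aug 13 21:23:06 192.168.70.16:48390 34.90.173.53:443 tcp Default deny rule
vl70_iot Aug 13 21:23:05 192.168.70.16:52646 34.90.171.169:80 tcp Default deny rule
vl70_iot Aug 13 21:23:04 192.168.70.16:49468 173.194.76.206:443 tcp vl70 allow to any rule
"""

LINE_RE = re.compile(
    r"^(?P<iface>\S+)\s+(?P<mon>\w{3})\s+(?P<day>\d{1,2})\s+(?P<time>\d\d:\d\d:\d\d)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+(?P<dst>[\d.]+):(?P<dport>\d+)\s+"
    r"(?P<proto>\w+)\s+(?P<label>.+)$"
)

def parse(text):
    """Parse live-log lines into dicts, oldest first (same-day sort); non-matching lines are skipped."""
    rows = [m.groupdict() for m in map(LINE_RE.match, text.splitlines()) if m]
    return sorted(rows, key=lambda r: r["time"])

def flow_key(r):
    # Source port is part of the key: 49462 and 49468 to the same server are
    # two different TCP connections, not one connection treated two ways.
    return (r["proto"], r["src"], r["sport"], r["dst"], r["dport"])

def classify(rows):
    """Bucket each 5-tuple by what the rule descriptions say happened to it
    (heuristic: the description text is the only verdict the live log gives)."""
    by_flow = defaultdict(list)
    for r in rows:
        by_flow[flow_key(r)].append(r["label"].lower())
    out = {"passed_then_denied": [], "deny_only": [], "pass_only": []}
    for key, labels in by_flow.items():
        denied = any("deny" in l or "block" in l for l in labels)
        passed = any("allow" in l or "pass" in l for l in labels)
        if denied and passed:
            out["passed_then_denied"].append(key)  # one connection hit two rules: review rule order
        elif denied:
            out["deny_only"].append(key)  # no pass in the window: consistent with out-of-state packets
        else:
            out["pass_only"].append(key)
    return out
```

On the quoted lines every denied flow is deny-only and the single passed flow uses a different source port, so nothing in this window shows the same connection being treated two ways.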