Hi guys,
Any advice why my rule cannot block ICMP? I have tried everything and the result is still the same. I am using
OPNsense version 22.7.4 on VMware ESXi 7. After rebooting, or shutting down and then powering on the OPNsense again, the rule works perfectly; it's like the rule is not applied properly. Any idea how to fix this?
I found the solution: clearing states fixes this problem, but why are states not cleared automatically? Do we need to clear states every time we create rules? Please advise, this confuses me.
Thanks
Your rule only stops pings to the firewall itself. Is that what you are testing?
If so, enable logging for default pass rules to see which rule applies before your block rule.
e.g. ICMPv6 is enabled by default in the floating section.
Quote from: bartjsmit on September 22, 2022, 07:24:08 AM
Your rule only stops pings to the firewall itself. Is that what you are testing?
Yes, because our firewall is directly on the public side. It works now, but we need to clear states. Why does this happen? Can we just create rules without clearing states from Diagnostics?
If we create a pass rule it is applied directly just fine; when we create a block rule, this rule will only work if we clear states from Diagnostics. Can you help, what's going on?
Quote from: tiermutter on September 22, 2022, 08:38:51 AM
If so, enable logging for default pass rules to see which rule applies before your block rule.
e.g. ICMPv6 is enabled by default in the floating section.
It works if we clear states first from Diagnostics. Why does this happen?
Any idea why I should reset states for it to work?
If a connection is already established due to the ruleset, a new block rule will not apply until the connection is closed. Then the new block rule applies and a new connection can't be established.
Resetting states forces all connections to close.
Resetting states for pass rules is not necessary, because a connection cannot be established before, so there is no state "overriding" the new rule.
See also https://docs.opnsense.org/manual/firewall.html
Quote
Note
When changing rules, sometimes it's necessary to reset states to assure the new policies are used for existing traffic. You can do this in Firewall ‣ Diagnostics ‣ States.
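A small model of the behaviour described above, added here as an illustration and not code from OPNsense or from this thread: it imitates a stateful filter that checks its state table before the ruleset, so the two scenario functions reproduce why a newly added block rule needs a state reset while a newly added pass rule does not. First-match rule order and the sample addresses are assumptions.

```python
from dataclasses import dataclass, field

@dataclass
class Rule:
    action: str  # "pass" or "block"
    proto: str   # "any" matches every protocol

@dataclass
class StatefulFilter:
    rules: list = field(default_factory=list)
    states: set = field(default_factory=set)  # established flows: (src, dst, proto)

    def filter(self, flow: tuple) -> str:
        """flow is (src, dst, proto); returns the verdict for one packet of it."""
        # State table first: an existing state passes the packet without
        # evaluating any rule, so a newly added block rule is never reached.
        if flow in self.states:
            return "pass (state)"
        # No state: first matching rule wins (OPNsense rules are "quick" by default).
        for rule in self.rules:
            if rule.proto in ("any", flow[2]):
                if rule.action == "pass":
                    self.states.add(flow)  # only pass rules create state
                return rule.action
        return "block (default deny)"

    def reset_states(self) -> None:
        self.states.clear()  # same effect as Firewall > Diagnostics > States > reset

PING = ("203.0.113.5", "198.51.100.1", "icmp")  # constructed sample flow

def block_rule_scenario() -> list:
    """Pass rule in place, block rule added while the ping flow is established."""
    fw = StatefulFilter(rules=[Rule("pass", "any")])
    verdicts = [fw.filter(PING)]               # passes and creates a state
    fw.rules.insert(0, Rule("block", "icmp"))  # new block rule in front
    verdicts.append(fw.filter(PING))           # still passes: the state wins
    fw.reset_states()
    verdicts.append(fw.filter(PING))           # now the block rule applies
    return verdicts

def pass_rule_scenario() -> list:
    """Block rule in place, pass rule added: no state exists, so it applies at once."""
    fw = StatefulFilter(rules=[Rule("block", "icmp")])
    verdicts = [fw.filter(PING)]               # blocked, no state created
    fw.rules.insert(0, Rule("pass", "icmp"))
    verdicts.append(fw.filter(PING))           # passes immediately, no reset needed
    return verdicts
```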
Quote from: tiermutter on September 23, 2022, 12:31:36 PM
If a connection is already established due to the ruleset, a new block rule will not apply until the connection is closed. Then the new block rule applies and a new connection can't be established.
Resetting states forces all connections to close.
Resetting states for pass rules is not necessary, because a connection cannot be established before, so there is no state "overriding" the new rule.
See also https://docs.opnsense.org/manual/firewall.html
Quote
Note
When changing rules, sometimes it's necessary to reset states to assure the new policies are used for existing traffic. You can do this in Firewall ‣ Diagnostics ‣ States.
So if the target is already in an established connection, then we should clear states so we can block the target again, am I right?
Quote from: tiermutter on September 23, 2022, 12:31:36 PM
If a connection is already established due to the ruleset, a new block rule will not apply until the connection is closed. Then the new block rule applies and a new connection can't be established.
Resetting states forces all connections to close.
Resetting states for pass rules is not necessary, because a connection cannot be established before, so there is no state "overriding" the new rule.
See also https://docs.opnsense.org/manual/firewall.html
Quote
Note
When changing rules, sometimes it's necessary to reset states to assure the new policies are used for existing traffic. You can do this in Firewall ‣ Diagnostics ‣ States.
@tiermutter
Thanks for the help anyway, now I understand.