I have a firewall that was working until today (when I updated from 24.1.2 to 24.1.3, although maybe the problem started before the upgrade) and that now is not applying rules as expected.
I can see in the log that packets are dropped because of "Default deny / state violation rule", but rules that allow that kind of packet are loaded (and they were working until yesterday).
I have this problem both on rules with SNAT (for example to connect to HTTPS) and without any NAT (for example simple "routing" from a client in one network to AD servers in another).
Tried to restart the firewall service, and also the whole appliance, but nothing :(
This is hell: can somebody help me?
Thanks
Please post parts of the log that show the "Default deny / state violation rule" hit and the firewall rule that should allow the traffic instead.
Complete with interfaces and IP addresses, please.
For example:
F03LAN 2024-03-13T17:27:39 10.77.67.3:54052 52.20.40.101:443 tcp Default deny / state violation rule
F03LAN 2024-03-13T17:27:15 10.77.67.3:56432 34.149.211.227:443 tcp Default deny / state violation rule
And the attached rules for F03LAN. The first is a bypass I added to avoid the problem (which is not working) and the last is the rule I expect to allow the flow shown in the blocked logs above.
The F03LAN address is 10.77.67.1/26
Can you show the TCP flags of the log entry?
Looks right to me - your rule should allow outbound access to ports 80 and 443.
Sometimes
tcpflags RA
sometimes only A
Quote from: bazbaz on March 13, 2024, 05:41:04 PM
Sometimes
tcpflags RA
sometimes only A
Yeah, those are out-of-state packets. As long as they are not 'S' they are harmless.
See this for explanation: https://docs.netgate.com/pfsense/en/latest/troubleshooting/log-filter-blocked.html
You may want to experiment with Firewall>Settings>Firewall Optimization setting to suit your network.
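A small Python helper, added here as an illustration and not part of this thread or of OPNsense itself, that sorts blocked entries like the ones quoted above by their TCP flags, so the harmless out-of-state noise (A, RA, PA) can be separated from bare SYNs that a rule really refused. The log line shape and the trailing "tcpflags" field are assumptions; the sample lines are constructed.

```python
import re
from collections import Counter
# Constructed sample lines in the shape of the entries quoted above, plus a
# trailing "tcpflags X" field (an assumption about where the flags appear).
SAMPLE_LOG = """\
F03LAN 2024-03-13T17:27:39 10.77.67.3:54052 52.20.40.101:443 tcp Default deny / state violation rule tcpflags RA
F03LAN 2024-03-13T17:27:15 10.77.67.3:56432 34.149.211.227:443 tcp Default deny / state violation rule tcpflags A
F03LAN 2024-03-13T17:28:02 10.77.67.3:56500 34.149.211.227:443 tcp Default deny / state violation rule tcpflags S
F03LAN 2024-03-13T17:28:10 10.77.67.3:56501 34.149.211.227:443 tcp Default deny / state violation rule tcpflags PA
"""

LINE_RE = re.compile(
    r"^(?P<iface>\S+)\s+(?P<ts>\S+)\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)\s+(?P<proto>\w+)\s+"
    r"(?P<rule>.+?)(?:\s+tcpflags\s+(?P<flags>[A-Z]+))?$"
)

def parse_line(line):
    """Split one log line into its fields; flags is '' when absent."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    entry["flags"] = entry["flags"] or ""
    return entry

def classify(entry):
    """A bare SYN is a new connection the policy really refused; anything else
    (A, RA, PA, ...) is a flow pf has no state for, i.e. out-of-state noise."""
    if entry["proto"] != "tcp":
        return "non-tcp"
    flags = entry["flags"]
    if "S" in flags and "A" not in flags:
        return "new-connection"
    return "out-of-state"

def summarize(log_text):
    counts = Counter(classify(e) for e in map(parse_line, log_text.splitlines()) if e)
    return dict(counts)

def needs_attention(log_text):
    """Unique (src, dst, dport) of blocked SYNs: the ones to check against the rules."""
    seen = []
    for entry in map(parse_line, log_text.splitlines()):
        if entry and classify(entry) == "new-connection":
            key = (entry["src"], entry["dst"], entry["dport"])
            if key not in seen:
                seen.append(key)
    return seen
```

If every blocked line lands in "out-of-state", the rules are fine and the Firewall Optimization setting is the thing to tune; only "new-connection" entries point at a rule that is actually not matching.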
Maybe it's something similar, but I cannot explain or fix it :(
The first and the second server are in two subnets connected to this OPNSense. Direct and quick connection, no alternate route available.
Also tried to put the firewall in conservative mode.
Also, checking "Disable all packet filtering" doesn't seem to solve the problem :(
Take a look at the attached firewall log.