Crowdsec and floating rules appear as "Default deny / state violation" in 26.1 logs. This makes it incredibly difficult to troubleshoot.
- To reproduce, enable Crowdsec plugin and defaults.
- Whitelist your local host IPs (192.168.1.0/24).
- Start docker instances that use port forwarding for a range of port connections.
- Note that the docker instances will be blocked from outgoing traffic on those ports after Crowdsec makes a decision to block.
- Note that the logs do NOT indicate this, and instead treat all Crowdsec decision floating rules as "Default deny / state violation".
Desired result: Floating rules are logged by their origin (plugin name or automatic), or if not possible, floating rules appear as "Floating Rule".
Workaround: Whitelist Docker IP subnets in Crowdsec, and add Firewall Rules (New) specific for Docker IP subnets (172.15-20.0.0/16).
Related threads:
- https://forum.opnsense.org/index.php?topic=38822.0
- https://forum.opnsense.org/index.php?topic=45838.0
Network Setup:
- OPNSense 26.1.6_2 latest on a AMD SoC, 3 Intel NICs.
- NIC 0 to Cable Modem (WAN).
- NIC 1 to 10G home network, 10G dumb switches no other routing equipment (LAN).
- No VLANs or anything yet. Still haven't graduated from basic networking.
- Debian 13 on an Intel NIC large host.
- Multiple other PCs wired in.
OPNsense Setup:
- IPV6 disabled (some of the PCs and apps have a fit and refuse to work on IPV6).
- Unbound DNS installed, enabled, and set up with overrides that match aliases.
- Aliases set up for IPV4 for Debain 13 PCs.
- ACME Client installed and configured.
- CrowdSec installed and configured with whitelist for 192.168.1.106.
- ISC DECHPv4 migrated from 25.
- NAT (New) migrated from 25, old rules removed.
Debian 13 Setup:
- Default settings for the NIC.
- Default settings for Docker install (bridge mode NAT).
- Using a docker instance to start port scanning-like activity.
Quote from: cyb_tachyon on April 29, 2026, 10:16:56 PMWorkaround: Whitelist Docker IP subnets in Crowdsec, and add Firewall Rules (New) specific for Docker IP subnets (172.15-20.0.0/16).
Debian 13 Setup:
- Default settings for Docker install (bridge mode NAT).
Why not use MACVLAN for Docker and maybe not have this issue ?!
A lot of Docker users I know use it and recommend it to pretty much everyone too! :)
Quote from: nero355 on April 29, 2026, 11:55:16 PMWorkaround: Whitelist Docker IP subnets in Crowdsec
Don't you have RFC 1918 networks whitelisted, anyway?
https://docs.crowdsec.net/u/getting_started/next_steps
QuoteBy default, CrowdSec whitelists private LAN IP addresses. You can add your own IPs or events to prevent false positives.
Quote from: Patrick M. Hausen on April 30, 2026, 09:06:03 AMQuote from: nero355 on April 29, 2026, 11:55:16 PMWorkaround: Whitelist Docker IP subnets in Crowdsec
Don't you have RFC 1918 networks whitelisted, anyway?
https://docs.crowdsec.net/u/getting_started/next_steps
QuoteBy default, CrowdSec whitelists private LAN IP addresses. You can add your own IPs or events to prevent false positives.
You quoted the wrong guy ^_^
Soo let's ask him :
Quote from: cyb_tachyon on April 29, 2026, 10:16:56 PMWorkaround: Whitelist Docker IP subnets in Crowdsec, and add Firewall Rules (New) specific for Docker IP subnets (172.15-20.0.0/16).
Don't you have RFC 1918 networks whitelisted, anyway?
https://docs.crowdsec.net/u/getting_started/next_steps
QuoteBy default, CrowdSec whitelists private LAN IP addresses. You can add your own IPs or events to prevent false positives.
:P