I have a network that's supposed to have unrestricted IPv4 internet access. The rule set has worked fine for years. Today, I was made aware that some Apple iCloud service seems to be broken. Sure enough, with global logging on, I saw that connections to 17.145.16.2:443 were blocked by the default rule. While scratching my head trying to find out what went wrong, I saw that the pass rule kicked in again without any intervention.
The screenshot shows 2 source devices, but the pass rule doesn't care about the source address. No one else had access to the firewall.
What could possibly be the reason for this behaviour?
System is OPNsense 26.4_14-amd64
The rules
Best to start by looking at the detailed information in the log (https://docs.opnsense.org/manual/logging_firewall.html#live-view), which is at the end of the line.
Click on the information icon. In the window which opens, scroll down to the end and look for the tcpflags line. You may see flags of F or R in the logs for the blocked connections, as they all relate to the connection which logged a pass at 14:45:23 - which should show a flag of S.
It may have been that the connection was closed but the client belatedly sent flags to close the connection - judging by the time stamps.
Did you check the Apple System Status page at that time?
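The tcpflags check suggested in the reply, written out as an added example (not part of the thread and not OPNsense code): it labels each blocked TCP entry as a late teardown packet of a connection whose opening SYN was passed earlier, a genuinely blocked new connection, or an out-of-state packet with no opener in the log window. The `Entry` record layout is a simplified, hypothetical stand-in for the fields shown in the live view detail window, and the sample source addresses, ports and block timestamps are constructed.

```python
from collections import namedtuple

# Hypothetical, simplified record: only the fields needed for the check.
Entry = namedtuple("Entry", "time action src sport dst dport flags")

# Constructed sample entries in chronological order (not taken from the
# screenshot); only the destination 17.145.16.2:443 and the 14:45:23 pass
# come from the thread.
SAMPLE = [
    Entry("14:45:23", "pass",  "192.168.1.20", 51514, "17.145.16.2", 443, "S"),
    Entry("14:47:02", "block", "192.168.1.20", 51514, "17.145.16.2", 443, "FA"),
    Entry("14:47:03", "block", "192.168.1.20", 51514, "17.145.16.2", 443, "R"),
    Entry("14:47:10", "block", "192.168.1.21", 51600, "17.145.16.2", 443, "S"),
    Entry("14:47:15", "block", "192.168.1.22", 40000, "17.145.16.2", 443, "FPA"),
]


def classify_blocks(entries):
    """Return (time, flags, label) for every blocked entry.

    late-teardown  : non-SYN packet on a flow whose SYN was passed earlier,
                     i.e. the state was already gone when the packet arrived
    new-connection : a bare SYN was blocked, so the pass rule really did
                     not match and the rule set needs a closer look
    out-of-state   : non-SYN packet with no passed SYN in this log window
    """
    opened = set()  # flows for which a passed SYN has been seen
    results = []
    for e in entries:
        flow = (e.src, e.sport, e.dst, e.dport)
        # A connection attempt carries SYN without ACK.
        syn_only = "S" in e.flags and "A" not in e.flags
        if e.action == "pass" and syn_only:
            opened.add(flow)
        elif e.action == "block":
            if syn_only:
                label = "new-connection"
            elif flow in opened:
                label = "late-teardown"
            else:
                label = "out-of-state"
            results.append((e.time, e.flags, label))
    return results


if __name__ == "__main__":
    for time, flags, label in classify_blocks(SAMPLE):
        print(f"{time}  flags={flags:<3}  {label}")
```

Only entries labelled `new-connection` indicate that the pass rule failed to match; the other two labels are consistent with stateful filtering dropping packets that arrive after the state has expired.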