OPNsense Forum

Archive => 19.1 Legacy Series => Topic started by: Nico on February 21, 2019, 12:04:48 pm

Title: Unclear why default deny kicks in
Post by: Nico on February 21, 2019, 12:04:48 pm

Hi,

maybe someone can enlighten me why the "default deny" rule kicks in although there are several pass rules that should match?
It's about an IPsec tunnel with a permit any/any rule on that interface that should allow any traffic to pass through it. This works in like 99% of all cases I guess but a couple of times I see a default deny rule kicking it and when I look at the details of this log entry, I cannot spot why. It's like the thing ran out of memory to hold any more custom states and just falls back to the default deny. Is this possible? I will attach screenshots of one deny and one pass for you to see yourself.

Thanks!

Title: Re: Unclear why default deny kicks in
Post by: Nico on February 21, 2019, 12:06:48 pm

These are the rules on that interface. 2 and 3 are for testing only. I added a manual default deny that should kick in before the system's default deny but it never did. So I kind of got the assumption that those packets are somewhat special for my pass rule not to kick in. So I tested a little with the advanced options, enabled any flags and changed the state to sloppy but with no effect.

Title: Re: Unclear why default deny kicks in
Post by: chemlud on February 21, 2019, 12:23:01 pm

TCP flag finish might be involved? See your first screen shot ;-)

Title: Re: Unclear why default deny kicks in
Post by: Nico on February 21, 2019, 12:25:12 pm

Quote from: chemlud on February 21, 2019, 12:23:01 pm

TCP flag finish might be involved? See your first screen shot ;-)

I'm looking and looking.. where do you see a "finish" flag? I'm unable to find it anywhere.

Title: Re: Unclear why default deny kicks in
Post by: franco on February 21, 2019, 12:27:23 pm

FPA = finish push ack

Set state tracking to none, for one reason or another state tracking thinks this is a faulty state transition.

Title: Re: Unclear why default deny kicks in
Post by: Nico on February 21, 2019, 12:29:31 pm

OK thanks, meanwhile I found this https://docs.netgate.com/pfsense/en/latest/firewall/troubleshooting-blocked-log-entries-for-legitimate-connection-packets.html which seems to address that. That helps, thanks a lot!

Title: Re: Unclear why default deny kicks in
Post by: Nico on February 21, 2019, 12:32:37 pm

Quote from: franco on February 21, 2019, 12:27:23 pm

FPA = finish push ack

Set state tracking to none, for one reason or another state tracking thinks this is a faulty state transition.

Just for clearification: I cannot simply change state tracking to none for the only "pass any" rule since this would result in blocking the replies (unless I have a permit any inbound rule on WAN), correct? So I added a 2nd identical rule with pass any/any and state = none. Is this correct from your point of view?

Title: Re: Unclear why default deny kicks in
Post by: franco on February 21, 2019, 12:36:50 pm

No, state tracking disable only disables state checking. The same rule will take care of return traffic as it normally would.

Title: Re: Unclear why default deny kicks in
Post by: Nico on February 21, 2019, 12:48:55 pm

Thanks a lot!