OPNsense Forum

Archive => 21.7 Legacy Series => Topic started by: allebone on October 15, 2021, 09:59:12 pm

Title: A rule that should not block on the firewall blocked something temporarily.
Post by: allebone on October 15, 2021, 09:59:12 pm
Hi there,

I had a strange occurrence. I have rules that block certain IPs on my home network and an allow rule above this block rule that allows certain IPs that I don't want captured in the block.

Last night a Netflix CDN IP was blocked. I noticed today (the next day) when reviewing the logs. However, this IP was already in the allow rule. The effect this had was that momentarily Netflix would not work; I refreshed a few times and thought nothing of it. However, I noticed today that the IP was blocked, and so I went to add it to the list of allowed IPs and discovered it was already in the list.

This means that temporarily the rules did not function as expected last night. However, there were no changes to the firewall, and in fact I was not logged onto it at all either at that time or around that time (due to watching Netflix).

Why would the firewall temporarily ignore a firewall rule? The problem seems to have resolved itself with no intervention. I have not added this IP later on into the alias of allowed IPs. I can confirm it was already in there and did not require a change to the firewall.

Kind regards
Pete
Title: Re: A rule that should not block on the firewall blocked something temporarily.
Post by: Napsterbater on October 16, 2021, 12:06:34 am
The rule allows TCP/UDP port 53; the connection blocked was on port 443, i.e. HTTPS or DoH.

Actually nevermind, its hard to tell with that picture.
Title: Re: A rule that should not block on the firewall blocked something temporarily.
Post by: allebone on October 16, 2021, 02:50:02 am
No issue. The top rule allows out port 443 and the block rule below blocks any port (i.e. all ports, *).
Title: Re: A rule that should not block on the firewall blocked something temporarily.
Post by: Fright on October 16, 2021, 07:18:58 am
Hi,
What TCP flags did these packets have? Maybe the state was no longer there for some reason.
Title: Re: A rule that should not block on the firewall blocked something temporarily.
Post by: allebone on October 17, 2021, 03:39:48 am
Actually I don't know the answer, but I like this answer. It is an answer that makes sense to me. I'm not sure how to interpret what flags would indicate this, but here are a few of the packets. Do the flags indicate what you suggest?
It is an answer that would make sense to me. I included one packet that was legitimately blocked to compare. Its flag is S, which is different.

P
Title: Re: A rule that should not block on the firewall blocked something temporarily.
Post by: Fright on October 17, 2021, 06:46:01 am
Quote
Do the flags indicate what you suggest?
yep
https://forum.opnsense.org/index.php?topic=20219.msg93687#msg93687
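To make the mechanism Fright is pointing at concrete, here is an added example (not code from the thread or from OPNsense) that models pf-style stateful filtering in Python. The model keeps a state table, applies the pf default of `flags S/SA` to a stateful pass rule (the rule only matches the SYN that opens a connection), and evaluates the ruleset first-match. The addresses, rule names, the 300-second idle timeout and the packet sequence are all constructed for the demo; the model does not explain why a state disappears, only what happens to the next mid-stream packet once it has. A PA (PSH/ACK) packet to a host that is in the allow alias is logged as blocked by the rule below, while a fresh SYN to the same host passes again:

```python
"""Simplified model of pf-style stateful filtering (added example, not OPNsense code).

Shows how a mid-stream TCP packet falls through an allow rule to the block rule
beneath it once its state entry is gone, even though its destination is allowed.
"""
from dataclasses import dataclass
from typing import Optional

STATE_IDLE_TIMEOUT = 300.0  # seconds; an assumption made short for the demo, not pf's real timer


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    flags: str  # TCP flags the way the firewall log prints them: "S", "PA", "A", "FA", ...
    t: float    # arrival time in seconds


@dataclass(frozen=True)
class Rule:
    action: str             # "pass" or "block"
    name: str
    dsts: frozenset         # destination alias; empty set means any host
    dport: Optional[int]    # None means any port
    syn_only: bool          # pf's default "flags S/SA" on a stateful pass rule

    def matches(self, pkt: Packet) -> bool:
        if self.dsts and pkt.dst not in self.dsts:
            return False
        if self.dport is not None and pkt.dport != self.dport:
            return False
        # flags S/SA: SYN set and ACK clear. A PA, A or FA packet never matches this rule.
        if self.syn_only and not ("S" in pkt.flags and "A" not in pkt.flags):
            return False
        return True


class Firewall:
    def __init__(self, rules):
        self.rules = rules
        self.states = {}  # (src, dst, dport) -> time of the last packet that matched the state

    def filter(self, pkt: Packet):
        key = (pkt.src, pkt.dst, pkt.dport)
        # Drop idle states before looking anything up.
        for k, last in list(self.states.items()):
            if pkt.t - last > STATE_IDLE_TIMEOUT:
                del self.states[k]
        # An existing state wins before the ruleset is consulted at all.
        if key in self.states:
            self.states[key] = pkt.t
            return ("pass", "state")
        # No state: first matching rule decides (OPNsense rules are "quick").
        for rule in self.rules:
            if rule.matches(pkt):
                if rule.action == "pass":
                    self.states[key] = pkt.t  # a passing SYN creates the state
                return (rule.action, rule.name)
        return ("block", "default-deny")


def run_scenario():
    """Replay a constructed packet sequence; returns (time, flags, verdict, rule) per packet."""
    cdn_ip = "198.51.100.10"   # constructed stand-in for the CDN address in the allow alias
    other_ip = "203.0.113.7"   # constructed address that is only in the block alias
    client = "192.168.1.20"    # constructed LAN client
    rules = [
        Rule("pass", "allow-443-to-alias", frozenset({cdn_ip}), 443, syn_only=True),
        Rule("block", "block-alias-any-port", frozenset({cdn_ip, other_ip}), None, syn_only=False),
    ]
    fw = Firewall(rules)
    packets = [
        Packet(client, cdn_ip, 443, "S", 0.0),      # handshake: allow rule matches, state created
        Packet(client, cdn_ip, 443, "PA", 5.0),     # data: matched by state, rules not consulted
        Packet(client, cdn_ip, 443, "PA", 400.0),   # data after the state is gone: no SYN, allow skipped
        Packet(client, cdn_ip, 443, "S", 401.0),    # client reconnects (the "refresh"): new state
        Packet(client, cdn_ip, 443, "PA", 402.0),   # back to normal
        Packet(client, other_ip, 443, "S", 600.0),  # host only in the block alias: blocked on the SYN
    ]
    return [(p.t, p.flags, *fw.filter(p)) for p in packets]


if __name__ == "__main__":
    for row in run_scenario():
        print(row)
```

The third row is the log entry from the original post: the block rule's name with flags PA against an address that is in the allow alias. The last row is the comparison packet, blocked on a SYN because its destination is only in the block alias. Whatever removed the state (timeout, a reset, a ruleset reload, an interface event) is outside this model; the rules themselves never changed.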
Title: Re: A rule that should not block on the firewall blocked something temporarily.
Post by: allebone on October 17, 2021, 04:22:02 pm
Ok thanks.