OPNsense Forum

English Forums => Intrusion Detection and Prevention => Topic started by: nordsec on May 06, 2018, 10:50:11 pm

Title: How to find the specific rule that is blocking some IP's?
Post by: nordsec on May 06, 2018, 10:50:11 pm
Hi. I find it very hard to trace blocked traffic back to the rule that is actually causing the traffic or IP to be blocked.

I've attached some screenshots from the logs.

The scenario here is that I'm watching Netflix on my Panasonic smart TV and I see that Netflix loses its connection due to Netflix trying to jump from one server to another, which my firewall is blocking. It's not blocking all the traffic but some, resulting in me having to manually start the TV show again.

I see the traffic getting blocked but I can't find the exact rule that is blocking it. I am using both IDS and IPS with lots of rules enabled. I'm not going to bother listing them here, as the point is to be able to trace the blocked traffic to the exact rule that is causing the block.

But how?... I find it very strange that it's this hard. Every time I try to Google anything about OPNsense, Google is always just serving me pfSense results :(

Thanks for answers!
Title: Re: How to find the specific rule that is blocking some IP's?
Post by: dcol on May 06, 2018, 11:23:28 pm
A TCP flag of FPA is not a legitimate block, rather a failed packet that will be retried and can be ignored. The label in the live view shows which rule caused the block. If you are getting 'Default deny rule' then most likely there is no rule allowing a good packet to pass.

The only legit block was to 104.123.137.85 with TCP flag 'A', but you didn't show the firewall live view for that one.

Usually those failed packets slowly go away. I always get a ton of them when I reboot. If they don't go away, then maybe there is some other issue like faulty wiring or hardware.

I do wish there was a way to filter the tcp flags in the live view, or at least show them in the list. Having a bunch of FA, PA, RA is annoying to sort through.
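As an added example (not code from this thread or from the OPNsense project), the script below applies the point made in the post above to a filter log offline: it parses filterlog-style block records and sorts them into new-connection blocks (SYN without ACK; those are the ones worth tracing to a rule), FIN/RST teardown tails (the FPA/FA/RA entries that are retried or simply die off), and other packets that arrived with no matching state (bare ACK or PSH/ACK mid-stream, like the 'A' packet singled out above, which may point at a state timeout or an asymmetric path rather than a policy rule). The log lines, rule numbers and rule ids are constructed, and the field positions are an assumption based on the FreeBSD filterlog CSV layout that OPNsense writes to /var/log/filter.log; check them against your own log before trusting the output.

```python
"""Classify pf/OPNsense 'block' log records by TCP flags.

Added example, not from the forum thread or from OPNsense.  The sample log
lines below are constructed.  The field layout assumed here is the FreeBSD
filterlog CSV record: rulenr, subrulenr, anchor, rule id, interface, reason,
action, direction, ipversion, then for IPv4: tos, ecn, ttl, id, offset,
ipflags, protoid, protoname, length, src, dst, then for TCP/UDP: sport,
dport, datalen, and for TCP: tcpflags, seq, ack, window, urg, options.
IPv6 records use a different layout and are skipped.
"""
import csv
from collections import Counter
from typing import Dict, Optional

# Constructed sample records; rule numbers/ids and hosts are made up
# except the Netflix address quoted in the thread.
SAMPLE_LOG = """\
May  6 22:40:01 fw filterlog: 5,,,1000000103,igb1,match,block,in,4,0x0,,64,0,0,DF,6,tcp,52,192.168.1.20,104.123.137.85,50234,443,0,FPA,1,2,4096,,
May  6 22:40:02 fw filterlog: 5,,,1000000103,igb1,match,block,in,4,0x0,,64,0,0,DF,6,tcp,40,192.168.1.20,104.123.137.85,50234,443,0,A,2,3,4096,,
May  6 22:40:03 fw filterlog: 5,,,1000000103,igb1,match,block,in,4,0x0,,64,0,0,DF,6,tcp,40,192.168.1.20,104.123.137.85,50234,443,0,RA,2,3,0,,
May  6 22:40:04 fw filterlog: 73,,,1525640001,igb1,match,block,in,4,0x0,,64,0,0,DF,6,tcp,60,192.168.1.20,198.51.100.7,50240,443,0,S,1,0,65535,,mss
May  6 22:40:05 fw filterlog: 73,,,1525640001,igb1,match,block,in,4,0x0,,64,0,0,none,17,udp,63,192.168.1.20,198.51.100.53,50241,53,43
May  6 22:40:06 fw filterlog: 12,,,1525640002,igb1,match,pass,in,4,0x0,,64,0,0,DF,6,tcp,60,192.168.1.20,198.51.100.9,50242,443,0,S,1,0,65535,,mss
"""

POLICY, TEARDOWN, OUT_OF_STATE, PASS = "policy", "teardown", "out_of_state", "pass"


def parse_filterlog(line: str) -> Optional[Dict[str, str]]:
    """Return the interesting fields of one IPv4 filterlog record, or None."""
    marker = "filterlog: "
    pos = line.find(marker)
    if pos < 0:
        return None
    fields = next(csv.reader([line[pos + len(marker):].strip()]))
    if len(fields) < 20 or fields[8] != "4":
        return None  # malformed, or IPv6 (different layout, not handled)
    rec = {
        "rulenr": fields[0], "rid": fields[3], "iface": fields[4],
        "action": fields[6], "dir": fields[7], "proto": fields[16],
        "src": fields[18], "dst": fields[19],
    }
    if rec["proto"] in ("tcp", "udp") and len(fields) >= 22:
        rec["sport"], rec["dport"] = fields[20], fields[21]
    if rec["proto"] == "tcp" and len(fields) >= 24:
        rec["tcpflags"] = fields[23]
    return rec


def classify(rec: Dict[str, str]) -> str:
    """Decide whether a block is a real policy decision or state-tracking noise."""
    if rec["action"] != "block":
        return PASS
    if rec["proto"] != "tcp":
        return POLICY  # no handshake to inspect; a rule decided this one
    flags = rec.get("tcpflags", "")
    if "S" in flags and "A" not in flags:
        return POLICY  # new connection attempt: trace this to its rule
    if "F" in flags or "R" in flags:
        return TEARDOWN  # FIN/RST after the state is gone: retried or harmless
    return OUT_OF_STATE  # ACK/PSH with no state: check timeouts or routing


def summarize(log_text: str) -> Dict[str, Counter]:
    """Count blocked records per category, keyed by (rule number, dst, dport)."""
    out: Dict[str, Counter] = {POLICY: Counter(), TEARDOWN: Counter(), OUT_OF_STATE: Counter()}
    for line in log_text.splitlines():
        rec = parse_filterlog(line)
        if rec is None:
            continue
        cat = classify(rec)
        if cat == PASS:
            continue
        out[cat][(rec["rulenr"], rec["dst"], rec.get("dport", "-"))] += 1
    return out


if __name__ == "__main__":
    for cat, counts in summarize(SAMPLE_LOG).items():
        print(cat)
        for (rulenr, dst, dport), n in counts.most_common():
            print(f"  rule {rulenr:>4}  {dst}:{dport}  x{n}")
```

Run it against a copy of the firewall's filter log and look only at the "policy" group: those rule numbers are the ones to map to a label in the GUI live view. The "teardown" group is what the post above says to ignore, and the "out_of_state" group is the place to look when a stream dies mid-session without any SYN ever being blocked.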
Title: Re: How to find the specific rule that is blocking some IP's?
Post by: nordsec on May 06, 2018, 11:32:35 pm
So what you're saying is that the issue might not be the firewall? Funny how the block appears exactly when Netflix stops...
Title: Re: How to find the specific rule that is blocking some IP's?
Post by: dcol on May 06, 2018, 11:37:20 pm
Ignore the FPAs. The firewall is just reporting a failed packet. Look elsewhere for an issue. Could even be the source sending bad packets.
Title: Re: How to find the specific rule that is blocking some IP's?
Post by: nordsec on May 07, 2018, 12:05:31 am
Okay. Thank you for the quick and good replies!