Messages

1

21.1 Legacy Series / Re: host being blocked after session is established?

« on: April 05, 2021, 06:48:47 pm »

I have two problems and I'm probably causing confusing trying to do both. Let's just work on this one.

I nuked all the rules I made from WAN, LAN, and NAT except for allowing incoming ICMP, since that one works.

I ssh from inside my network to the jump box, and in 21 seconds the default deny rule kicks on and locks up all traffic for the session.

LAN      Apr 5 11:46:33   192.168.10.99:56083   108.161.128.28:22   tcp   Default deny rule   
LAN      Apr 5 11:46:33   192.168.10.99:56083   108.161.128.28:22   tcp   Default deny rule   
WAN      Apr 5 11:46:13   108.161.128.28   23.126.222.155   icmp   Allow ping from Muppets   
WAN      Apr 5 11:46:02   192.168.10.99:56083   108.161.128.28:22   tcp   let out anything from firewall host itself


I'm having this problem with almost any host in the LAN. Trying to send an email at the moment through gmail that's 2M and it's hanging ... thousands of denys in the logs on the default rule. I change my default route to my old router and it sends right away.

2

21.1 Legacy Series / Re: host being blocked after session is established?

« on: April 05, 2021, 06:26:34 pm »

I enabled logging on the WAN rule - still no entries created.

The connection is not being closed by the jump host. When the default deny rule is being thrown in the logs, the session hangs and it stops any traffic mid-typing. It's not a timeout being hit, the default drop fw rule is suddenly being enforced on the active session after 25-40 seconds of being connected. I'm confused as to how that's being applied when it should allow any from LAN -> WAN

3

21.1 Legacy Series / Re: host being blocked after session is established?

« on: April 05, 2021, 05:54:54 pm »

logging is enabled for the nat rule, nothing is being logged. I will try to recreate.

So the session being closed will happen even if I don't attempt anything.

SSH from inside network -> jump box. Mess around on the box for 40 seconds -> default deny rule hits.

4

21.1 Legacy Series / Re: host being blocked after session is established?

« on: April 05, 2021, 05:34:43 pm »

Shouldn't the port forward rule do this?

The rules are not showing it - but if I ssh user@23.126.222.155 -p 10022 from the jump host nothing shows in the logs.....

And why would a failure to connect here cause the initial session to the jump box to be closed? That's not a normal expected behavior. I would expect to see the connection blocked and error out immediately?

5

21.1 Legacy Series / Re: host being blocked after session is established?

« on: April 05, 2021, 04:53:37 pm »

I'm boggled why the default deny rule would be hit after a successful connection is allowed.

I've added all rules I put in to the gphotos link - https://photos.app.goo.gl/mMsxEaKDM49akHxS6

6

21.1 Legacy Series / host being blocked after session is established?

« on: April 05, 2021, 04:49:27 am »

so I have a fresh install of 21.4. Very basic setup, WAN & LAN only.

default rules on LAN side. Trying to enable a port forward from a jump server to hit the firewall on port 10022 and have it forwarded to a local server on port 22.

I have an incoming WAN icmp rule from the jump server that works fine, however the port forward rule does not. While trying to figure that out ....

I can ssh to the jump server and it will let me stay connected for about 30-60 seconds, and then the firewall decides to block traffic for the same session I just established??

I have IDS enabled, but set only to alert.

I cannot find the 'default rule' that seems to be blocking the session. (Is this a bug - when I click in to the info on the rule and click on the hyperlink to bring up the rule that is blocking it, it opens a window that is immediately closed in chrome & firefox. Bringing it up it looks like https://opnsense/firewall_rule_lookup.php is not returning anything? Is the script broken?)

Apparently I can't upload attachments to this forum either. here's the log file :

https://photos.app.goo.gl/mMsxEaKDM49akHxS6

I'm seeing a ton of LAN -> Internet traffic that is getting blocked by this default rule for other hosts as well.