General Discussion / Self Misconfig or unexpected firewall: diagnostics: sessions behavior.
« on: July 22, 2023, 10:38:25 pm »
Hello!
Just joined the community after installing opnsense and it’s humming along so far. Excited to be onboard. This is my first software firewall, so I'm still settling in.
An interesting thing happened that is either a potential firewall misconfiguration on my part or just unexpected behavior that is quite normal.
I was following the docs (https://docs.opnsense.org/manual/how-tos/ipsec-s2s.html) to configure an IPsec tunnel with a friend, and when configuring and applying the attached WAN firewall rules, I was looking around the interface for IPsec logging and found that the session diagnostic appeared to switch all established connections. In my screenshot, most if not all of the various LAN (DHCP-leased) sourced traffic was considered to be 'hitting' the new WAN rules, even though the new rules were not applicable based on the rule criteria.
After digging into it, I learned that pftop (https://man.freebsd.org/cgi/man.cgi?query=pftop) is used for this, and may not be fully accurate after firewall rule changes. I'm not clear if the state table is what the firewall:diag:sessions screen pulls from. It appears to be at least partially related.
"The state table tries to connect states to rules, but since these are referred to by rule number (sequence) in pf(4) these aren’t always accurate after changes to the rules."
After seeing this behavior, I disabled the rules, and the sessions went back to what I consider normal, hitting the default rules for the applicable traffic (Default allow LAN to any rule, etc.).
This is also when I learned that the rules I created based on the documentation may be auto generated, because the tunnel still came online with my WAN rules disabled and they’re showing up in the auto gen’d folder.
Type: opnsense
Version: 23.1.11
Architecture: amd64
Commit: f1305748e
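The behaviour the post describes (states "jumping" to the newly added WAN rules after a reload) follows from what the quoted docs sentence says: a pf(4) state stores the sequence number of the rule that created it, and the diagnostics page looks that number up in the current ruleset. The model below is an added illustration, not OPNsense or pf code; rule labels, addresses and the first-match evaluation are constructed assumptions. It creates a state under a LAN rule, inserts two WAN rules ahead of it so that every rule is renumbered, and then resolves the same state both by sequence number (what the sessions page effectively does) and by a stable label (what you would need to attribute it correctly).

```python
"""Why pf states appear to 'hit' the wrong rule after a ruleset change.

Added example, not code from OPNsense or FreeBSD pf. Rules and states are
constructed and simplified; real pf states carry many more fields.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    label: str    # stable identity (assumed; OPNsense tags its rules with a label)
    iface: str
    action: str   # "pass" or "block"
    src: str      # CIDR or "any"
    dst: str      # CIDR or "any"


@dataclass
class State:
    src: str
    dst: str
    rule_seq: int      # what pf(4) records: the rule's sequence number at creation time
    rule_label: str    # stable reference kept alongside for comparison only


def _matches(cidr: str, addr: str) -> bool:
    return cidr == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(cidr)


def create_state(ruleset, src, dst):
    """Evaluate first-match (assumption, as with 'quick' rules) and record the
    sequence number of the matching pass rule in the new state entry."""
    for seq, rule in enumerate(ruleset):
        if _matches(rule.src, src) and _matches(rule.dst, dst):
            return State(src, dst, seq, rule.label) if rule.action == "pass" else None
    return None


def rule_by_seq(ruleset, state):
    """Resolve a state the way a sequence-number lookup does: by position in the
    *current* ruleset, without re-evaluating whether the rule actually matches."""
    return ruleset[state.rule_seq].label if state.rule_seq < len(ruleset) else None


def rule_by_label(ruleset, state):
    """Resolve a state by a stable identifier, which survives renumbering."""
    return next((r.label for r in ruleset if r.label == state.rule_label), None)


# Constructed baseline: one LAN pass rule and a default WAN block.
BASE_RULES = [
    Rule("lan_allow", "lan", "pass", "192.168.1.0/24", "any"),
    Rule("wan_default_block", "wan", "block", "any", "any"),
]

# Constructed WAN rules for the IPsec peer (203.0.113.10 is a documentation address).
IPSEC_WAN_RULES = [
    Rule("ipsec_isakmp", "wan", "pass", "any", "203.0.113.10/32"),
    Rule("ipsec_esp", "wan", "pass", "any", "203.0.113.10/32"),
]


def demo():
    """Return (rule before reload, rule by seq after reload, rule by label after reload)."""
    ruleset = list(BASE_RULES)
    state = create_state(ruleset, "192.168.1.50", "198.51.100.7")   # a LAN client flow
    before = rule_by_seq(ruleset, state)

    # Apply the new WAN rules ahead of the existing ones: pf renumbers the whole set,
    # but the existing state still carries rule_seq == 0.
    ruleset = IPSEC_WAN_RULES + BASE_RULES
    after_by_seq = rule_by_seq(ruleset, state)
    after_by_label = rule_by_label(ruleset, state)
    return before, after_by_seq, after_by_label


if __name__ == "__main__":
    b, s, l = demo()
    print(f"created under: {b}; after reload by seq: {s}; by label: {l}")
```

The LAN state was created under `lan_allow` (sequence 0), but once the two WAN rules are inserted, sequence 0 is `ipsec_isakmp`, so a sequence-number lookup attributes a LAN flow to a WAN rule that could never have matched it. Nothing about the flow or its filtering changed; only the label shown is stale. Resolving by a stable identifier gives the right answer, which is why the disabled-rules test in the post (states going back to the default LAN rule) is the better way to confirm the rules themselves are behaving.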