Menu

Show posts

This section allows you to view all posts made by this member. Note that you can only see posts made in areas you currently have access to.

Show posts Menu

Messages - Kelar

Pages1
#1
Tutorials and FAQs / Re: Cant understand Default deny / state violation rule
May 26, 2025, 12:16:30 AM
Quote from: EricPerl on May 25, 2025, 10:46:00 PMPort 445 is associated with AD file sharing, so it appears to be replies from a server back to a client.

Assuming asymmetric routing is not an issue (i.e. it works), then the state that allowed the connection (client initiated over VPN) was lost.
Apart from manual operations on the state table (which I hope you would have mentioned), this can also happen if the connection was idle for too long.

Some of these may end up being transparent to the end users because new connections get re-established...

It's harder to tell for the rest, but the same logic applies.
Thank you for reply. I found one post on reddit with same problem and one person wrote this:

"Denied packets with RA, FA & FPA flags are just 'finishing' packets trying to close a connection when the firewall already killed the state due to timeouts (out-of-state packets). Smartphones are prone to causing this.
It could be a symptom of asymmetric routing if they are excessive but generally you can safely ignore them.
You can try to use conservative firewall optimization setting for longer timeouts if it's really bothering you."

I tried to use conservative firewall optimization and this helped, no blocking logs at all. This dont bother me as long as everything works, but i needed to understand what was causing this.
#2
Tutorials and FAQs / Cant understand Default deny / state violation rule
May 25, 2025, 02:12:01 PM
Hi, i'm new to Opensense and trying to figure out how it working. I'm testing remote access to my domain controllers and i started noticing strange log entries in FW. First of all thats my testing lab:
You cannot view this attachment.
And this is firewall logs:
You cannot view this attachment.
Inside log entrie i can see this:
You cannot view this attachment.
Firewall rules for testing purpose - accept all in from interface AD and from Openvpn interface group(using modern instances without assigned interface). On Domain controllers i have static routes to vpn clients through 10.20.20.210 as non default gateway.
So the problem - is only logs, everything working, i can ping from Domain Controllers all VPN clients and vice versa. All functions like authorisation, copy files through SMB, applying GPO and etc. is working fine. I just cant undterstand what Opensense meaning under this logs ? As i read before, tcpflags like A and RA meaning asymetric route - but in my case i cant see any of this. Maybe someone can clarify the situation with this logs ? Thank you.
Pages1