20.1 Legacy Series / Firewall Rules Not Executing In Order
« on: July 23, 2020, 05:16:28 pm »
Hi All,
I'm setting up OPNsense for the first time and created a couple of test rules in my test VM to see how everything works, but I'm having an issue with the rule firing order. I have 4 basic rules for testing the firewall and I was expecting the "first match" to apply to my traffic, but it looks like it's applying the "last match" even though I have all rules set to "quick".
LAN Rules:
Description                           | Action | Quick | Interface | Direction | TCP/IP Version | Protocol | Source  | Source Port | Destination         | Destination Port
Allow Gateway Access                  | Pass   | Yes   | LAN       | IN        | IPv4           | ANY      | LAN net | ANY         | LAN address         | ANY
Allow Subnet Access                   | Pass   | Yes   | LAN       | IN        | IPv4           | ANY      | LAN net | ANY         | LAN net             | ANY
Block Access To All Internal Networks | Block  | Yes   | LAN       | IN        | IPv4           | ANY      | LAN net | ANY         | N_Internal_Networks | ANY
Block Access To All External Networks | Block  | Yes   | LAN       | IN        | IPv4           | ANY      | LAN net | ANY         | ANY                 | ANY
Firewall: Log Files: Live View:
__timestamp__ Jul 23 10:56:46
ack 3701013923
action [block]
anchorname
datalen 1460
dir [in]
dst 192.168.10.10
dstport 25793
ecn
id 0
interface em0
interface_name lan
ipflags DF
label Block Access To All Internal Networks
length 1500
offset 0
proto 6
protoname tcp
reason match
rid 310440840809ac6ac297342b87a2292f
ridentifier 0
rulenr 342
seq 2133222556:2133224016
src 192.168.10.251
srcport 443
subrulenr
tcpflags A
tcpopts
tos 0x0
ttl 63
urp 65535
version 4
Firewall: Log Files: Plain View
filterlog[2196]: 342,,,0,em0,match,block,in,4,0x0,,63,0,0,DF,6,tcp,355,192.168.10.251,192.168.10.10,443,1533,315,PA,257669456:257669771,2691555010,65535,,
filterlog[2196]: 342,,,0,em0,match,block,in,4,0x0,,63,0,0,DF,6,tcp,52,192.168.10.251,192.168.10.10,443,1533,0,A,,2691555010,65535,,nop;nop;sack
filterlog[2196]: 342,,,0,em0,match,block,in,4,0x0,,63,0,0,DF,6,tcp,40,192.168.10.251,192.168.10.10,443,1533,0,A,,2691555010,65031,,
filterlog[2196]: 342,,,0,em0,match,block,in,4,0x0,,63,0,0,DF,6,tcp,52,192.168.10.251,192.168.10.10,443,1533,0,A,,2691554341,65535,,nop;nop;sack
NOTE: 192.168.10.251 is my test OPNsense VM and 192.168.10.10 is my laptop connecting to the web GUI.
I was expecting rule "Allow Subnet Access" to be applied, not rule "Block Access To All Internal Networks".
Thoughts/ideas?
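An added example, not part of the original post or of OPNsense itself: the script below parses the Plain View lines quoted above using the filterlog field layout (the same field names the Live View shows), then replays the four LAN rules against each logged packet with pf's evaluation order (a matching "quick" rule ends the search; without "quick", the last matching rule wins). It also models the "flags S/SA" check that pf applies to TCP pass rules by default, which the rule table does not show. The LAN prefix (192.168.10.0/24) and the contents of the N_Internal_Networks alias are assumptions, since the post does not give them.

```python
import ipaddress

# Field layout of an OPNsense filterlog record for an IPv4 TCP packet:
# generic header, then the IPv4 block, then the TCP block.
FILTERLOG_FIELDS = (
    "rulenr", "subrulenr", "anchorname", "ridentifier", "interface",
    "reason", "action", "dir", "version",
    "tos", "ecn", "ttl", "id", "offset", "ipflags", "proto", "protoname", "length",
    "src", "dst",
    "srcport", "dstport", "datalen", "tcpflags", "seq", "ack", "window", "urg", "options",
)

# The four Plain View lines quoted in the post.
SAMPLE_LINES = [
    "filterlog[2196]: 342,,,0,em0,match,block,in,4,0x0,,63,0,0,DF,6,tcp,355,192.168.10.251,192.168.10.10,443,1533,315,PA,257669456:257669771,2691555010,65535,,",
    "filterlog[2196]: 342,,,0,em0,match,block,in,4,0x0,,63,0,0,DF,6,tcp,52,192.168.10.251,192.168.10.10,443,1533,0,A,,2691555010,65535,,nop;nop;sack",
    "filterlog[2196]: 342,,,0,em0,match,block,in,4,0x0,,63,0,0,DF,6,tcp,40,192.168.10.251,192.168.10.10,443,1533,0,A,,2691555010,65031,,",
    "filterlog[2196]: 342,,,0,em0,match,block,in,4,0x0,,63,0,0,DF,6,tcp,52,192.168.10.251,192.168.10.10,443,1533,0,A,,2691554341,65535,,nop;nop;sack",
]


def parse_filterlog(line):
    """Turn one 'filterlog[pid]: ...' line into a dict keyed like the Live View fields."""
    _, _, payload = line.partition(": ")
    values = payload.split(",")
    if len(values) < len(FILTERLOG_FIELDS) or values[8] != "4" or values[16] != "tcp":
        raise ValueError("this example only handles IPv4/TCP records")
    return dict(zip(FILTERLOG_FIELDS, values))


# Assumed topology: the post names the two hosts but not the prefix or the alias contents.
ALIASES = {
    "ANY": [ipaddress.ip_network("0.0.0.0/0")],
    "LAN net": [ipaddress.ip_network("192.168.10.0/24")],        # assumed /24
    "LAN address": [ipaddress.ip_network("192.168.10.251/32")],  # the OPNsense VM
    "N_Internal_Networks": [ipaddress.ip_network("192.168.10.0/24"),
                            ipaddress.ip_network("192.168.20.0/24")],  # assumed alias contents
}

# (description, action, quick, source, destination) taken from the post's LAN rule table.
RULES = [
    ("Allow Gateway Access", "pass", True, "LAN net", "LAN address"),
    ("Allow Subnet Access", "pass", True, "LAN net", "LAN net"),
    ("Block Access To All Internal Networks", "block", True, "LAN net", "N_Internal_Networks"),
    ("Block Access To All External Networks", "block", True, "LAN net", "ANY"),
]


def in_alias(name, addr):
    addr = ipaddress.ip_address(addr)
    return any(addr in net for net in ALIASES[name])


def rule_matches(rule, pkt, tcp_syn_check):
    _, action, _, src, dst = rule
    if not (in_alias(src, pkt["src"]) and in_alias(dst, pkt["dst"])):
        return False
    if tcp_syn_check and action == "pass" and pkt.get("protoname", "tcp") == "tcp":
        # pf's default for TCP pass rules is "flags S/SA": the rule only matches a packet
        # with SYN set and ACK clear, i.e. the first packet of a new connection.
        flags = pkt.get("tcpflags", "")
        return "S" in flags and "A" not in flags
    return True


def evaluate(rules, pkt, tcp_syn_check=False):
    """pf rule evaluation: walk the ruleset top to bottom; a matching rule marked
    'quick' ends the search, otherwise the last matching rule wins."""
    winner = None
    for rule in rules:
        if rule_matches(rule, pkt, tcp_syn_check):
            winner = rule
            if rule[2]:
                break
    return winner[0] if winner else None


def without_quick(rules):
    """The same rules with 'quick' cleared, to show pf's default last-match behaviour."""
    return [(d, a, False, s, t) for d, a, _, s, t in rules]


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        pkt = parse_filterlog(line)
        print(f"logged: rule {pkt['rulenr']} {pkt['action']} {pkt['src']}:{pkt['srcport']} -> "
              f"{pkt['dst']}:{pkt['dstport']} flags={pkt['tcpflags']}")
        print("  first match, addresses only :", evaluate(RULES, pkt))
        print("  first match, with flags S/SA:", evaluate(RULES, pkt, tcp_syn_check=True))
        print("  last match (no quick)       :", evaluate(without_quick(RULES), pkt))
```

Run it and compare the three modelled results for each packet with the label in the log. Every logged packet carries only A or PA flags, so whether the pass rules can match at all depends on the TCP flags check, not just on the order of the rules; that is worth confirming in the rule's TCP flags setting before concluding that ordering is wrong.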