Firewall Assistance - Pass sometimes, not always

Started by finish06, March 08, 2019, 03:22:42 PM

What would cause the below issue?  Ports on the firewall are set to '*'.

Thanks!


Asymmetric routing or faulty switching. The default deny rule will block connections that don't have a correct TCP state so it doesn't see all packets belonging to the connection.

There are a number of threads in this forum about it, look for "default deny" and "state tracking disable".


Cheers,
Franco

Thank you for the prompt reply!  I struggled to search for anything meaningful.  I think it is asymmetrical routing.  While I am not sure what that is exactly, changing the state type to none fixed the issue.  I found the information on this forum:
https://forum.opnsense.org/index.php?topic=9136.msg40997#msg40997

It would mean packets (usually one direction, sometimes more fuzzy than this) find another way to the OPNsense than the assigned network port where they are supposed to appear and "confuse" the state tracking, causing it to invalidate the connection because the TCP is not well-formed.

From an end user perspective this doesn't matter, from a network design and security standpoint that can pose problems. Sometimes it can be a switch that is flooding due to full MAC tables.


Cheers,
Franco
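As an added illustration (not part of the thread and not OPNsense or pf code), the toy stateful firewall below follows only the TCP three-way handshake and shows why the default deny drops the rest of a connection when the reply packets take another path past the firewall, and why "state type: none" lets the same packets through again. The addresses are constructed from the RFC 5737 documentation ranges; real pf also checks sequence numbers, windows and timeouts, which this model leaves out.

```python
# Toy model of stateful tracking vs. asymmetric routing (added example, not
# pf's real state machine: no sequence numbers, windows or timeouts here).
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str    # "ip:port"
    dst: str
    flags: str  # "SYN", "SYN-ACK", "ACK", "PSH-ACK"

class StatefulFirewall:
    def __init__(self, state_type="keep"):
        self.state_type = state_type  # "keep" (default) or "none"
        self.states = {}              # flow key -> handshake stage
        self.log = []                 # what the default deny rule would log

    def handle(self, p):
        if self.state_type == "none":
            return "pass"             # rule matches, no state consulted
        key = frozenset((p.src, p.dst))   # same key for both directions
        stage = self.states.get(key)
        if stage is None and p.flags == "SYN":
            self.states[key] = "SYN_SENT"
        elif stage == "SYN_SENT" and p.flags == "SYN-ACK":
            self.states[key] = "SYN_RCVD"
        elif stage == "SYN_RCVD" and p.flags == "ACK":
            self.states[key] = "ESTABLISHED"
        elif stage == "ESTABLISHED":
            pass                      # further segments belong to the flow
        else:
            # Packet does not fit the tracked state: default deny drops it.
            self.log.append(f"default deny {p.flags} {p.src}->{p.dst}")
            return "block"
        return "pass"

def run(packets, state_type="keep"):
    fw = StatefulFirewall(state_type)
    return [fw.handle(p) for p in packets], fw.log

# Constructed flow between RFC 5737 documentation addresses.
C, S = "192.0.2.10:51000", "198.51.100.5:443"
symmetric = [Packet(C, S, "SYN"), Packet(S, C, "SYN-ACK"),
             Packet(C, S, "ACK"), Packet(C, S, "PSH-ACK")]
# Asymmetric: the server's SYN-ACK reached the client by another path, so
# the firewall never saw it and the client's ACK has no matching state.
asymmetric = [Packet(C, S, "SYN"), Packet(C, S, "ACK"), Packet(C, S, "PSH-ACK")]

if __name__ == "__main__":
    print(run(symmetric))            # all pass
    print(run(asymmetric))           # SYN passes, ACK and data are blocked
    print(run(asymmetric, "none"))   # everything passes, nothing tracked
```

The intermittent "pass sometimes, not always" pattern appears when only some flows take the alternate path: those are the connections whose later packets show up in the default deny log.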