[solved] understanding 'usecase' of default deny rule

Started by ole, May 30, 2020, 08:56:35 PM

Hi,

I just reviewed the logs and saw a default deny rule active; for details see the attachment. The private IP in SRC is me, the Dst address is Dropbox (https://whois.domaintools.com/162.125.35.135), which I use. So what triggers these, since I didn't expect it (and even Dropbox still seems to work as expected)?

May 30, 2020, 09:12:00 PM #1 Last Edit: May 30, 2020, 09:14:07 PM by fabian
The default deny rule should exist on any firewall except those of the ISPs. It blocks any traffic you don't allow. The use case is simple: If you do not configure anything, no traffic can pass and therefore nothing can harm your hosts. When you allow traffic, you are expected to know what you are doing so your network is as safe as you wish.

If you have the default policy pass, you would have to block any traffic you don't want. This is almost impossible to get safe but that is what ISPs do. For example they have to block RFC1918 addresses as source addresses when there is no CGN. Also some hosts may be blocked due to malware or some ports like TR-069.

May 31, 2020, 10:33:14 AM #2 Last Edit: May 31, 2020, 10:35:35 AM by ole
Thanks for your answer. My fault, the topic is misleading.

igb1 is my LAN1 attached with (imo) allow to anywhere rule. So I don't understand why it's blocked, or even why doesn't it match my own rule?

Maybe I didn't read the block message carefully, or I'm missing something...

Maybe you have to reload the firewall configuration.

You know, I see this occasionally as well. I have a catch-all allow any to any on my LAN interface as well. And every now and then something hits the default deny rule. I have not been able to figure out why either.

I have similar issues (since new hardware), which I asked about in the German forum some days ago.
Did you have a look at the TCP flags? In my case those packets are hit by default deny because they are out of state.

But I can't figure out why there are (in my case so many) out-of-state packets.
i am not an expert... just trying to help...

June 04, 2020, 04:49:13 PM #6 Last Edit: June 04, 2020, 04:51:24 PM by ole
Quote from: tiermutter on June 03, 2020, 07:06:57 PM
I have similar issues (since new hardware), which I asked about in the German forum some days ago.
Did you have a look at the TCP flags? In my case those packets are hit by default deny because they are out of state.

Yes! Yesterday evening, reading the pfSense book, I found this: Troubleshooting Blocked Log Entries for Legitimate Connection Packets (https://docs.netgate.com/pfsense/en/latest/firewall/troubleshooting-blocked-log-entries-for-legitimate-connection-packets.html). It explains this with the TCP flags.

Quote from: tiermutter on June 03, 2020, 07:06:57 PM
But I can't figure out why there are (in my case so many) out-of-state packets.

Maybe the next chapter about asymmetric routing answers your problems.

Thank you for sharing, I already tried out and checked everything mentioned in this chapter, but nothing worked for me.

Knowing that these entries are nothing to worry about, I would just like to know why they appear massively since I changed my hardware (especially NICs)... I can live with that, it's just a little annoying...
i am not an expert... just trying to help...
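To make the "look at the TCP flags" check from this thread repeatable, here is a small Python helper I wrote for this page (it is not part of the thread or of pfSense/OPNsense) that reads filterlog-style CSV lines and sorts each default-deny hit into out-of-state TCP, a genuine new connection attempt, or an unsolicited non-TCP packet. The column positions follow the pfSense/OPNsense filterlog layout as I understand it and are an assumption to verify against your own filter log; the log lines below are constructed samples, not real captures.

```python
import csv
from collections import Counter

# Constructed sample lines, not real logs. Assumed column layout (0-based):
# 4 interface, 6 action, 7 direction, 16 protocol name, 18 src, 19 dst,
# 20 src port, 21 dst port, 22 data length, 23 TCP flags (TCP only).
# Trailing fields (seq, ack, window, ...) are omitted in the samples.
SAMPLE_LOG = """\
5,,,1000000103,igb1,match,block,in,4,0x0,,64,12345,0,DF,6,tcp,52,192.168.1.20,162.125.35.135,51234,443,0,FA
5,,,1000000103,igb1,match,block,in,4,0x0,,64,12346,0,DF,6,tcp,40,192.168.1.20,162.125.35.135,51234,443,0,A
5,,,1000000103,igb0,match,block,in,4,0x0,,51,44,0,none,6,tcp,60,203.0.113.9,198.51.100.4,40000,22,0,S
5,,,1000000103,igb0,match,block,in,4,0x0,,51,45,0,none,17,udp,78,203.0.113.9,198.51.100.4,5000,5060,50
"""

TCP_FLAGS_IDX = 23  # assumed position of the TCP flags column


def parse_filterlog(line):
    """Pick the fields needed for the flags check out of one filterlog CSV line."""
    f = next(csv.reader([line]))
    entry = {"interface": f[4], "action": f[6], "direction": f[7],
             "proto": f[16], "src": f[18], "dst": f[19], "tcp_flags": ""}
    if entry["proto"] in ("tcp", "udp"):
        entry["sport"], entry["dport"] = int(f[20]), int(f[21])
    if entry["proto"] == "tcp" and len(f) > TCP_FLAGS_IDX:
        entry["tcp_flags"] = f[TCP_FLAGS_IDX]
    return entry


def classify_block(entry):
    """Explain why a default-deny entry fired, based on protocol and TCP flags."""
    if entry["action"] != "block":
        return "not-a-block"
    if entry["proto"] != "tcp":
        return "unsolicited"        # UDP/ICMP etc. that matched no state or pass rule
    flags = entry["tcp_flags"]
    if "S" in flags and "A" not in flags:
        return "new-connection"     # a real first packet that no pass rule allowed
    # ACK/FIN/RST/PSH/SYN-ACK with no state entry: the state timed out, was
    # cleared by a reload, or the other direction took an asymmetric path.
    return "out-of-state"


def summarize(log_text):
    """Count hits per (interface, reason) so the noise pattern is visible at a glance."""
    counts = Counter()
    for line in log_text.splitlines():
        if line.strip():
            e = parse_filterlog(line)
            counts[(e["interface"], classify_block(e))] += 1
    return dict(counts)
```

On the constructed samples the two igb1 hits towards the Dropbox address are out-of-state (flags FA and A), which is the harmless case discussed above, while the igb0 SYN is a genuine blocked connection attempt worth a second look.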