[solved] understanding 'usecase' of default deny rule

[ole]

Hi,

just I revised the logs and saw a default deny rule active, details see attachement. The private IP from SRC it's me, the Dst adress is Dropbox (https://whois.domaintools.com/162.125.35.135) which I use. So what triggers these, since I don't expected it (and even dropbox seems still to work as expected).

[fabian]

The default deny rule should exist on any firewall except those of the ISPs. It blocks any traffic you don't allow. The use case is simple: If you do not configure anything, no traffic can pass and therefore nothing can harm your hosts. When you allow traffic, you are expected to know what you are doing so your network is as safe as you wish.

If you have the default policy pass, you would have to block any traffic you don't want. This is almost impossible to get safe but that is what ISPs do. For example they have to block RFC1918 addresses as source addresses when there is no CGN. Also some hosts may be blocked due to malware or some ports like TR-069.

[ole]

thanks for your answer. My fault, the topic is missleading.

igb1 is my LAN1 attached with (imo) allow to anywhere rule. So I don't understand why it's blocked, or even why doesn't it match my own rule?

Maybe I didn't read the block message carefully or I miss something....

[fabian]

Maybe you have to reload the firewall configuration.

[Steve28]

You know, I see this occasionally as well.  I have a catch-all allow any to any on my LAN interface as well.  And every now and then something hits the the default deny rule.  I have not been able to figure out why either.

[tiermutter]

I have similar issues (since new hardware) , questioned in german forum some days ago.
Did you have a look at the tcp flags? In my case those packets are hit by default deny because they are out of state.

But can`t figure out why there are (in my case so much) out of state packets.

[ole]

I have similar issues (since new hardware) , questioned in german forum some days ago.
Did you have a look at the tcp flags? In my case those packets are hit by default deny because they are out of state.

Yes! Yesterday in the evening I found by reading the pfsense book this: Troubleshooting Blocked Log Entries for Legitimate Connection Packets (https://docs.netgate.com/pfsense/en/latest/firewall/troubleshooting-blocked-log-entries-for-legitimate-connection-packets.html). This explains this with the TCP flags.

But can`t figure out why there are (in my case so much) out of state packets.

Maybe the next chapter about asymtric routing answers your problems.

[tiermutter]

Thank you for sharing, I already tried out and checked everything mentioned in this chapter, but nothing worked for me.

Knowing that these entries are nothing to worry about I would just like to know why they massively appear since I changed my hardware (espacially NICs)... I can live with that, its just a little annoying...