Traffic is not correctly blocked?

[cyb]

Hi there,

I am just starting to try out OPNsense although I am familiar with firewalls from Fortinet and Mikrotik.

I have one physical LAN interface combining several VLANs. In OPNsense I have defined multiple OPT-interfaces, one interface for each VLAN (all with the same physical interface as parent).

I then have created one first rule for one OPT-interface, very simple: just allow ICMP traffic to "this firewall". After creating and enabling the rule, I can ping the corresponding firewall interface without problems (I was not able to ping it before).

Now the strange thing: When disabling the rule or even when deleting the rule, I am still able to ping the interface. I am still receiving echo replies!

When rebooting the OPNsense machine, the ping is not replied aynmore, as I expected.

I can permanently reproduce the behaviour.

Is this a bug or am I misunderstanding something?

Best regards,
cyb

[Patrick M. Hausen]

Hint: stateful firewall. With an ongoing ping the old permission is still active until there is no traffic for a certain timeout value - which I don't know from the top of my head.

You can clear the state table instead of rebooting. This is not done automatically each time you change rules, because it woukd interrupt active and perfectly permitted connections. Not good in a production environment.

[cyb]

Thanks for your very fast reply.

Yeah, I thought of that and because of that I stopped the ping, closed the terminal, waited some seconds, opened a new terminal and restarted the ping. I thought the session would be terminated because of that but I seem to be wrong.

[cyb]

I have a different (in my opinion) strange behavior, which I currently cannot understand. I don't want to start a new thread because of the question, so I continue in this one.

I am starting with very simple firewall rules in one VLAN, one allow-rule for a single source ip to internal destinations (_PrivateNetworks) and one allow-rule for that same ip to external destinations: See attached image rule.png

When I try to access a SMB share on an internal destination (192.168.10.12) from that source ip, the access seems not to be directly working, but after about 10 seconds the share can be accessed.

When checking the live view, it can be seen that the access is first denied because of the global deny-rule in that vlan and then allowed because of the explicit rule mentioned above: See attached image log.png

This behaviour is reproducable: sometimes the rule seems to hit the traffic, sometimes not.

Can anybody explain that behavior?

Best regards,
cyb

[cyb]

I really don't understand why the firewall behaves differently for the same incoming requests.

Is there any way to get more logging to find the reason for this?

[cyb]

Is it possible that opnsense just allows new sessions?

It seems that when I have access to the destination and I am then changing something in opnsense and apply the settings the access gets lost. The detail view of the packages in live view shows that the accepted packages are SYN-messages while the blocked ones are acknowledges.

[cyb]

Nobody any hints for me?