Traffic is not correctly blocked?

Started by cyb, April 07, 2023, 06:45:17 PM

April 07, 2023, 06:45:17 PM Last Edit: April 07, 2023, 06:48:05 PM by cyb
Hi there,

I am just starting to try out OPNsense although I am familiar with firewalls from Fortinet and Mikrotik.

I have one physical LAN interface combining several VLANs. In OPNsense I have defined multiple OPT-interfaces, one interface for each VLAN (all with the same physical interface as parent).

I then have created one first rule for one OPT-interface, very simple: just allow ICMP traffic to "this firewall". After creating and enabling the rule, I can ping the corresponding firewall interface without problems (I was not able to ping it before).

Now the strange thing: When disabling the rule or even when deleting the rule, I am still able to ping the interface. I am still receiving echo replies!

When rebooting the OPNsense machine, the ping is not replied anymore, as I expected.

I can permanently reproduce the behaviour.

Is this a bug or am I misunderstanding something?

Best regards,
cyb

Hint: stateful firewall. With an ongoing ping the old permission is still active until there is no traffic for a certain timeout value - which I don't know from the top of my head.

You can clear the state table instead of rebooting. This is not done automatically each time you change rules, because it would interrupt active and perfectly permitted connections. Not good in a production environment.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

Thanks for your very fast reply.

Yeah, I thought of that and because of that I stopped the ping, closed the terminal, waited some seconds, opened a new terminal and restarted the ping. I thought the session would be terminated because of that but I seem to be wrong.

I have a different (in my opinion) strange behavior, which I currently cannot understand. I don't want to start a new thread because of the question, so I continue in this one.

I am starting with very simple firewall rules in one VLAN, one allow-rule for a single source ip to internal destinations (_PrivateNetworks) and one allow-rule for that same ip to external destinations: See attached image rule.png

When I try to access an SMB share on an internal destination (192.168.10.12) from that source ip, the access seems not to be directly working, but after about 10 seconds the share can be accessed.

When checking the live view, it can be seen that the access is first denied because of the global deny-rule in that vlan and then allowed because of the explicit rule mentioned above: See attached image log.png

This behaviour is reproducible: sometimes the rule seems to hit the traffic, sometimes not.

Can anybody explain that behavior?

Best regards,
cyb

I really don't understand why the firewall behaves differently for the same incoming requests.

Is there any way to get more logging to find the reason for this?

Is it possible that opnsense just allows new sessions?

It seems that when I have access to the destination and I am then changing something in opnsense and apply the settings the access gets lost. The detail view of the packages in live view shows that the accepted packages are SYN-messages while the blocked ones are acknowledges.
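As an added illustration (not code from this thread or from OPNsense itself), a small Python model of pf-style stateful filtering covering both puzzles above: the state table is consulted before the rules, so a deleted ICMP rule keeps passing an active ping until the state idles out, and a mid-session ACK that finds no state falls through to the default deny while a fresh SYN is allowed by the rule. The timeout value, the addresses and the assumption that the apply emptied the state table are constructed for the model, not OPNsense defaults.

```python
from dataclasses import dataclass, field

STATE_TIMEOUT = 10  # assumed idle timeout for this model, not a pf default
@dataclass
class Firewall:
    rules: list               # (action, proto, src, dst); "any" is a wildcard
    states: dict = field(default_factory=dict)  # flow key -> last-seen time

    def filter(self, pkt, now):
        """Return 'pass' or 'block'. The state table is consulted before the
        rules, so an established flow keeps passing after its rule is gone."""
        key = (pkt["proto"], pkt["src"], pkt["dst"], pkt.get("ident"))
        last = self.states.get(key)
        if last is not None and now - last <= STATE_TIMEOUT:
            self.states[key] = now  # refresh idle timer
            return "pass"
        self.states.pop(key, None)  # expired or never existed
        for action, proto, src, dst in self.rules:  # first match wins (quick)
            if any(want not in ("any", got) for want, got in
                   ((proto, pkt["proto"]), (src, pkt["src"]), (dst, pkt["dst"]))):
                continue
            if action == "pass":
                # a TCP pass rule creates state only on the initial SYN (pf's
                # default "flags S/SA"); a stray ACK does not match the rule
                if pkt["proto"] == "tcp" and pkt.get("flags") != "S":
                    continue
                self.states[key] = now
            return action
        return "block"  # implicit default deny

def ping_after_rule_removal():
    # ICMP echo to the firewall interface; the allow rule is deleted mid-ping
    fw = Firewall([("pass", "icmp", "10.0.1.5", "10.0.1.1")])
    echo = {"proto": "icmp", "src": "10.0.1.5", "dst": "10.0.1.1", "ident": 4242}
    first = fw.filter(echo, 0)  # rule matches, state created
    fw.rules.clear()            # rule disabled or deleted
    still = fw.filter(echo, 5)  # state matches, rules never consulted
    later = fw.filter(echo, 5 + STATE_TIMEOUT + 1)  # state expired: default deny
    return first, still, later

def ack_after_state_flush():
    # SMB session from the allowed host; state table emptied mid-session
    fw = Firewall([("pass", "tcp", "10.0.1.5", "192.168.10.12")])
    syn = {"proto": "tcp", "src": "10.0.1.5", "dst": "192.168.10.12",
           "ident": 50001, "flags": "S"}
    ack = dict(syn, flags="A")
    a, b = fw.filter(syn, 0), fw.filter(ack, 1)  # handshake passes, keeps state
    fw.states.clear()                            # assumed effect of the apply
    c = fw.filter(ack, 2)  # mid-session ACK: no state, not a SYN, default deny
    d = fw.filter(syn, 3)  # a fresh SYN is allowed again
    return a, b, c, d
```

On a real OPNsense box the equivalent observation is the state table contents before and after the rule change, which is what the reply above suggests clearing instead of rebooting.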