Firewall rules not behaving like one would expect

Started by kryptonian, October 16, 2023, 10:38:29 PM

I'm having difficulties trying to get my IoT firewall rules working like I want them to, as the traffic does reach my KUBE_SVC addresses, e.g. 192.168.10.10, but the connection times out after the "connection established" message in the mosquitto MQTT broker, and the logs are filled with the default deny, despite my rules allowing it.

What could be the issue then?

KUBE_SVC consists of: 192.168.10.0/24,10.0.0.0/8

pfctl output:

scrub on ix0_vlan50 all 
nat on igc1 inet from (ix0_vlan50:network) to any port 500 -> (igc1:0) static-port # Automatic outbound rule
nat on igc1 inet from (ix0_vlan50:network) to any -> (igc1:0) port 1024:65535 # Automatic outbound rule
rdr on ix0_vlan50 inet proto tcp from {any} to {(igc1)} port {80} -> 10.96.69.80 port 80
rdr on ix0_vlan50 inet proto tcp from {any} to {(igc1)} port {443} -> 10.96.69.80 port 443
rdr on ix0_vlan50 inet6 proto tcp from {any} to {(igc1)} port {443} -> 2001:14ba:16fd:961d::4443 port 443
rdr on ix0_vlan50 inet6 proto tcp from {any} to {(igc1)} port {80} -> 2001:14ba:16fd:961d::4443 port 80
rdr on ix0_vlan50 inet proto {tcp udp} from {any} to {(igc1)} port $Minecraft_EDU -> 192.168.2.203 # Forward MINECRAFT_EDU to Windows workstation
rdr on ix0_vlan50 inet proto {tcp udp} from {any} to {(igc1)} port {57427} -> 192.168.2.129 port 57427 # Bittorrent
rdr on ix0_vlan50 inet from {any} to {192.168.2.149} -> 172.16.9.10
rdr on ix0_vlan50 inet proto {tcp udp} from {any} to {any} port {53} -> $DNSDIST_CONTAINER port 53
rdr on ix0_vlan50 inet proto {tcp udp} from {any} to {any} port {53} -> $DNSDIST_CONTAINER port 53
rdr on ix0_vlan50 inet proto {tcp udp} from {any} to {any} port {53} -> $DNSDIST_CONTAINER port 53
rdr on ix0_vlan50 inet proto {tcp udp} from {any} to {any} port {53} -> $DNSDIST_CONTAINER port 53
rdr on ix0_vlan50 inet proto tcp from {any} to {(igc1)} port {22} -> 192.168.2.10 port 22
antispoof log for ix0_vlan50
pass in log quick on ix0_vlan50 proto udp from {any} port {68} to {255.255.255.255} port {67} label "d6ef6bbb636f55e2bf4b8cb8b2821770" # allow access to DHCP server
pass in log quick on ix0_vlan50 proto udp from {any} port {68} to {(self)} port {67} label "a60c3f34eeab5d538dbae5c4d2739d2c" # allow access to DHCP server
pass out log quick on ix0_vlan50 proto udp from {(self)} port {67} to {any} port {68} label "3f98e393536eccd150978a13dfac1ddc" # allow access to DHCP server
# block in log quick on ix0_vlan50 inet from {<bogons>} to {any} label "4120869b63ab77fc66406403f3b23276" # Block bogon IPv4 networks from IoT
# block in log quick on ix0_vlan50 inet6 from {<bogonsv6>} to {any} label "0fe01e65ee63392ccfebb9490aac5248" # Block bogon IPv6 networks from IoT
# block in log quick on ix0_vlan50 inet from {10.0.0.0/8,127.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16} to {any} label "91b8c1a83111e17e6b7d955011b00bec" # Block private networks from IoT
# block in log quick on ix0_vlan50 inet6 from {fc00::/7} to {any} label "abd2aa4001768db1d10fb20842787d0d" # Block private networks from IoT
pass in log quick on ix0_vlan50 inet proto {tcp udp} from {any} to $KUBE_SVC keep state label "4d0f06412a2ca86ab6ce3bcf7bb481fb"
pass in quick on ix0_vlan50 inet proto tcp from $brother_printer to $NAS port $TCP_SMB keep state label "d9d31a41a5a9015c0d79e531c34cfc83"
pass in quick on ix0_vlan50 inet proto udp from $brother_printer to $NAS port $UDP_SMB keep state label "285c71e330ded34b6217d0cb4442a020"
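The situation in the post, a pass rule that covers the destination while the log still fills with default-deny hits, is easiest to reason about with a small model of how pf evaluates packets: state table lookup first, then the ruleset (last match wins unless a rule says quick), and the detail that a stateful TCP pass rule carries the implicit `flags S/SA`, so it only matches a SYN without ACK and never a packet from the middle of a connection. The Python below is an added example written for this thread, not code from the post or from OPNsense; it reuses the KUBE_SVC alias and the pass rule label from the dump, but the IoT subnet 192.168.50.0/24, the client address, and the use of 1883 (MQTT's default port) are assumptions. It deliberately ignores sequence-window tracking, interface binding, NAT and state timeouts.

```python
"""Toy model of pf evaluation: last-match with 'quick', a state table, and
the default 'flags S/SA' of stateful TCP pass rules. Added example; it is
not pf and ignores sequence windows, if-bound states, NAT and timeouts."""
import ipaddress
from dataclasses import dataclass

# KUBE_SVC is quoted from the post. IOT_NET is an assumption: the post does
# not say which subnet lives on ix0_vlan50.
ALIASES = {
    "KUBE_SVC": ["192.168.10.0/24", "10.0.0.0/8"],
    "IOT_NET": ["192.168.50.0/24"],
}

@dataclass(frozen=True)
class Packet:
    direction: str   # "in" or "out" relative to the firewall
    proto: str       # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    flags: str = ""  # TCP flags set on the packet, e.g. "S", "SA", "A"

@dataclass(frozen=True)
class Rule:
    action: str          # "pass" or "block"
    direction: str       # "in" or "out"
    protos: frozenset    # empty = any protocol
    src: str             # alias name or "any"
    dst: str
    dports: frozenset    # empty = any port
    quick: bool = False
    keep_state: bool = False
    flags: str = "S/SA"  # pf's default for rules that create TCP state
    label: str = ""

def in_alias(addr, alias):
    if alias == "any":
        return True
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(n) for n in ALIASES[alias])

def tcp_flags_ok(rule, pkt):
    """pf 'flags a/b': of the flags listed in b, exactly those in a are set."""
    if pkt.proto != "tcp" or rule.flags == "any":
        return True
    want, mask = rule.flags.split("/")
    return {f for f in pkt.flags if f in mask} == set(want)

def matches(rule, pkt):
    return (rule.direction == pkt.direction
            and (not rule.protos or pkt.proto in rule.protos)
            and in_alias(pkt.src, rule.src)
            and in_alias(pkt.dst, rule.dst)
            and (not rule.dports or pkt.dport in rule.dports)
            and tcp_flags_ok(rule, pkt))

class Firewall:
    def __init__(self, rules):
        self.rules = rules
        self.states = set()  # (proto, src, sport, dst, dport) of the first packet

    def filter(self, pkt):
        """Return (verdict, reason). Existing state wins before any rule is
        consulted; otherwise the last matching rule decides, unless 'quick'."""
        fwd = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        rev = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if fwd in self.states or rev in self.states:
            return ("pass", "state")
        winner = None
        for rule in self.rules:
            if matches(rule, pkt):
                winner = rule
                if rule.quick:
                    break
        if winner is None or winner.action == "block":
            return ("block", winner.label if winner else "implicit block")
        if winner.keep_state:
            self.states.add(fwd)
        return ("pass", winner.label)

# Reduced ruleset: the post's KUBE_SVC pass rule, then a catch-all default
# deny (non-quick, no flag restriction) of the kind OPNsense appends.
RULES = [
    Rule("pass", "in", frozenset({"tcp", "udp"}), "any", "KUBE_SVC", frozenset(),
         quick=True, keep_state=True, label="4d0f06412a2ca86ab6ce3bcf7bb481fb"),
    Rule("block", "in", frozenset(), "any", "any", frozenset(),
         flags="any", label="Default deny"),
]

IOT_CLIENT = "192.168.50.23"    # assumption: a device on the IoT VLAN
MQTT = ("192.168.10.10", 1883)  # KUBE_SVC address from the post; 1883 = MQTT default

def symmetric_flow():
    """SYN in creates state; SYN-ACK out and the client's ACK ride on it."""
    fw = Firewall(RULES)
    pkts = [Packet("in", "tcp", IOT_CLIENT, 40000, *MQTT, flags="S"),
            Packet("out", "tcp", MQTT[0], MQTT[1], IOT_CLIENT, 40000, flags="SA"),
            Packet("in", "tcp", IOT_CLIENT, 40000, *MQTT, flags="A")]
    return [fw.filter(p) for p in pkts]

def mid_stream_without_state():
    """Same client ACK, but no state exists (expired, or the SYN never went
    through pf): flags S/SA stops the pass rule from matching, so the packet
    drops to the default deny although KUBE_SVC 'allows' the destination."""
    fw = Firewall(RULES)
    return fw.filter(Packet("in", "tcp", IOT_CLIENT, 40000, *MQTT, flags="A"))
```

Run `symmetric_flow()` and `mid_stream_without_state()` side by side: the first packet of both is identical in address and port, and only the presence of state separates "pass" from "Default deny". On a real box the equivalent check is to see whether the logged blocks carry SYN or only ACK/PSH/FIN flags and whether `pfctl -ss` shows a state for the flow before the block appears; a block on non-SYN packets with no state present points at the state table, not at the pass rule.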