Topic: Firewall: Some Destination IPs blocked, some not - why? (Read 192 times)
tabbit (Newbie, Posts: 1, Karma: 0)
Posted on: October 16, 2024, 04:47:21 pm
Hello Community,
maybe you can tell me more about this strange behavior, I just don't get it.
I use an OPNsense as a gateway for devices in a subnet to access other nets / internet.
What's strange:
The devices in that subnet should be allowed to access the internet, but some IPs are blocked whereas some of them are allowed by the firewall rules, although there is no special restriction configured.
Rules are similar to this:
First Match IN IPv4, Source is 192.168.99.0/24, any Port, any destination/port, std. gateway
First Match OUT IPv4, Source is 192.168.99.0/24, any Port, any destination/port, std. gateway
Now in the live view, I can see that the machines in that net are sometimes allowed to contact machines in the internet on port 443, and sometimes not, e.g.:
Tenant99 - pass - 192.168.99.x:50345 -> 198.19.2.14:443 tcp -> allow rule
Tenant99 - block - 192.168.99.x:52161 -> 95.101.111.175:443 tcp -> default deny / state violation rule
What could I miss there? Why are some connections allowed and some not?
cookiemonster (Hero Member, Posts: 1823, Karma: 95)
Reply #1 on: October 16, 2024, 05:02:18 pm
State validation failure. It's benign and normal. Connection has timed out and will re-establish.
EricPerl (Jr. Member, Posts: 88, Karma: 2)
Reply #2 on: October 16, 2024, 08:30:16 pm
I'm still new at this but here is my mental model related to similar issues.
The firewall maintains state for connections that have been vetted during the initial handshake, allowing it to bless all traffic under that connection with minimal effort.
But there are several situations when that state does not exist:
* connections established earlier (e.g. turning the firewall back on, or inserting OPNsense in filtering bridge mode, or resetting all state - there's a button for this that comes with a warning).
* idle connections dropped to preserve memory (e.g. machine on the network went to sleep?, app put to sleep or idle in the background?)
I suspect it's standard for clients to retry a bit over the same connection, but at some point, they should give up and try to restart from scratch, which will rebuild the state used by the firewall.
As a user, you can also force the client to restart (refresh, restart an app or the client altogether).
But in time, things should clear up.
Traffic on an idle connection could even come from a server (long poll on an update stream?).
The help for the button that causes the firewall to forget its current state indicates that nothing happens to state when rules are added/removed/changed. You use that button when your rules have changed significantly, and browser sessions might look hung.
No state appears to be kept for block rules. Only valid state.
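A small triage script that applies the mental model above to live-view lines, added here as an example and not code from either poster or from OPNsense: it groups events per client/server pair and separates "state violation" blocks that were followed by a fresh pass (the client re-established, benign) from pairs that only ever hit a real block rule. The line shape is assumed from the excerpt in the question, and the sample lines, the 203.0.113.x addresses and the "Block SSH out" label are constructed.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of the post's live-view excerpt; the
# 203.0.113.x addresses and the "Block SSH out" label are made up for the example.
SAMPLE = """\
Tenant99 - pass - 192.168.99.20:50345 -> 198.19.2.14:443 tcp -> allow rule
Tenant99 - block - 192.168.99.20:52161 -> 95.101.111.175:443 tcp -> default deny / state violation rule
Tenant99 - pass - 192.168.99.20:52190 -> 95.101.111.175:443 tcp -> allow rule
Tenant99 - block - 192.168.99.21:40112 -> 203.0.113.9:443 tcp -> default deny / state violation rule
Tenant99 - block - 192.168.99.22:41000 -> 203.0.113.50:22 tcp -> Block SSH out
""".splitlines()

# Assumed line shape: "<iface> - <action> - <src>:<sport> -> <dst>:<dport> <proto> -> <rule label>"
LINE_RE = re.compile(
    r"^(?P<iface>\S+) - (?P<action>pass|block) -\s*"
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"(?P<proto>\w+) -> (?P<rule>.+)$"
)

def parse_line(line):
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def triage(lines):
    """Classify each (client, server:port) pair by the order of its events.
    'last' holds the newest line index of a pass / state-violation block / other block."""
    last = defaultdict(lambda: {"pass": -1, "state_violation": -1, "other_block": -1})
    for i, line in enumerate(lines):
        ev = parse_line(line)
        if ev is None:
            continue
        key = (ev["src"], f"{ev['dst']}:{ev['dport']}")
        if ev["action"] == "pass":
            last[key]["pass"] = i
        elif "state violation" in ev["rule"]:
            last[key]["state_violation"] = i
        else:
            last[key]["other_block"] = i
    verdicts = {}
    for key, seen in last.items():
        if seen["other_block"] >= 0:
            verdicts[key] = "blocked by a rule"           # a real policy decision
        elif seen["state_violation"] > seen["pass"]:
            verdicts[key] = "state violation, not yet re-established"  # keep watching
        elif seen["state_violation"] >= 0:
            verdicts[key] = "benign state violation"      # client rebuilt the state later
        else:
            verdicts[key] = "passed"
    return verdicts
```

Run `triage(SAMPLE)` on a saved live-view export to get one verdict per pair; only the "blocked by a rule" pairs point at an actual rule, the state-violation ones are the timed-out flows the replies describe.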