Home
Help
Search
Login
Register
OPNsense Forum
»
Archive
»
21.7 Legacy Series
»
Seeking for help understanding Firewall Live View
« previous
next »
Print
Pages: [
1
]
Author
Topic: Seeking for help understanding Firewall Live View (Read 2150 times)
sbellon
Jr. Member
Posts: 94
Karma: 8
Seeking for help understanding Firewall Live View
«
on:
November 16, 2021, 08:21:20 am »
Hi all,
from time to time I see packets blocked incoming to LAN interface from the LAN net with the label "Default deny rule" even though LAN has configured the "Default allow LAN to any rule".
Shouldn't the "Default deny rule" from the automatically generated floating rules be "last match" and therefore the "Default allow LAN to any rule" should match before?
And even, if the destination IP was in "Malicious IPs", then the label of the match shouldn't be "Default deny rule".
So, I'm really puzzled what I'm seeing there. Could anybody please explain to me how this can happen? What part of the workings of the firewall am I misunderstanding?
BTW: I noted that the LAN IPs where this originates from are Fire TV and Android devices, but that can of course be coincidence.
Thanks in advance.
Greetings,
Stefan
Logged
franco
Administrator
Hero Member
Posts: 17661
Karma: 1611
Re: Seeking for help understanding Firewall Live View
«
Reply #1 on:
November 16, 2021, 09:01:55 am »
Hi Stefan,
The default deny rule triggers when connections create state tracking violations. In a stateful firewall rule (which is the default for UDP, TCP and ICMP) the state must be correct and in case of faulty retransmission or network loops or asymmetric routing this state tracking can fail and the rule drops the connection which deny all catches.
Cheers,
Franco
Logged
sbellon
Jr. Member
Posts: 94
Karma: 8
Re: Seeking for help understanding Firewall Live View
«
Reply #2 on:
November 16, 2021, 09:46:12 am »
Hi Franco,
thanks for the explanation.
Can I somehow debug more WHY this happens (i.e. which connection the client thinks to use, etc.)? Or is this just to be expected due to faulty TCP/IP stack implementations and shouldn't be worried about?
Greetings,
Stefan
Logged
franco
Administrator
Hero Member
Posts: 17661
Karma: 1611
Re: Seeking for help understanding Firewall Live View
«
Reply #3 on:
November 16, 2021, 10:59:49 am »
You need to do a packet capture on said traffic to see why it drops out. Usually wireshark will also mark out of sequence packets or faulty retransmissions.
I would say if the routing layout isn't broken considerably and the affected devices do not show malfunction (Android phones for example with stalling connections or updates or apps or whatever) you can safely ignore these issues. Should operation of a device be affected negatively usually it helps to add a pass rule with state tracking disabled for them specifically.
Cheers,
Franco
Logged
sbellon
Jr. Member
Posts: 94
Karma: 8
Re: Seeking for help understanding Firewall Live View
«
Reply #4 on:
November 16, 2021, 11:05:26 am »
Again, thanks for the very detailed explanation.
Devices work just fine without any sign of malfunction. As this is only one packet per hour in average, I'll just ignore it for now - and know how to debug further if problems arise.
Greetings,
Stefan
Logged
franco
Administrator
Hero Member
Posts: 17661
Karma: 1611
Re: Seeking for help understanding Firewall Live View
«
Reply #5 on:
November 16, 2021, 11:07:14 am »
Hi Stefan,
Yes, usually networks stacks recover from these issue automatically and the applications don't care or bother the user.
Sounds like a plan indeed
Cheers,
Franco
Logged
Print
Pages: [
1
]
« previous
next »
OPNsense Forum
»
Archive
»
21.7 Legacy Series
»
Seeking for help understanding Firewall Live View