Seeking for help understanding Firewall Live View

Started by sbellon, November 16, 2021, 08:21:20 AM

Hi all,

From time to time I see packets blocked incoming on the LAN interface from the LAN net with the label "Default deny rule", even though LAN has the "Default allow LAN to any rule" configured.

Shouldn't the "Default deny rule" from the automatically generated floating rules be "last match" and therefore the "Default allow LAN to any rule" should match before?

And even if the destination IP were in "Malicious IPs", the label of the match shouldn't be "Default deny rule".

So, I'm really puzzled what I'm seeing there. Could anybody please explain to me how this can happen? What part of the workings of the firewall am I misunderstanding?

BTW: I noted that the LAN IPs this originates from are Fire TV and Android devices, but that could of course be a coincidence.

Thanks in advance.

Greetings,
Stefan

Hi Stefan,

The default deny rule triggers when connections create state tracking violations. In a stateful firewall rule (which is the default for UDP, TCP and ICMP) the state must be correct, and in case of faulty retransmission, network loops or asymmetric routing this state tracking can fail and the rule drops the connection, which the deny-all then catches.


Cheers,
Franco

Hi Franco,

Thanks for the explanation.

Can I somehow debug more WHY this happens (i.e. which connection the client thinks it is using, etc.)? Or is this just to be expected due to faulty TCP/IP stack implementations and shouldn't be worried about?

Greetings,
Stefan

You need to do a packet capture on said traffic to see why it drops out. Usually Wireshark will also mark out-of-sequence packets or faulty retransmissions.

I would say if the routing layout isn't broken considerably and the affected devices do not show malfunction (Android phones, for example, with stalling connections or updates or apps or whatever) you can safely ignore these issues. Should the operation of a device be affected negatively, it usually helps to add a pass rule with state tracking disabled for them specifically.


Cheers,
Franco
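As an added example (not from this thread, and not OPNsense's own code), a small Python triage of the blocked LAN packets Franco describes in both replies: it parses pf filterlog lines (the FreeBSD filterlog CSV layout; the exact field positions are an assumption) and separates mid-stream TCP segments the firewall had no state for, which is the state-tracking case, from blocked SYNs, which would point at the rule set instead. The log lines are constructed, and `igb1` stands in for the LAN interface.

```python
from collections import Counter

# Constructed sample lines in the FreeBSD/pf filterlog CSV layout. The field
# positions used below (iface=4, action=6, dir=7, ipver=8, proto=16, src=18,
# dst=19, sport=20, dport=21, tcpflags=23) are an assumption about that layout.
SAMPLE_LOG = """\
Nov 16 08:20:01 fw filterlog[123]: 11,,,0,igb1,match,block,in,4,0x0,,64,12345,0,DF,6,tcp,40,192.168.1.23,203.0.113.7,44112,443,0,A,2890456,1203,501,,
Nov 16 08:20:05 fw filterlog[123]: 11,,,0,igb1,match,block,in,4,0x0,,64,12346,0,DF,6,tcp,40,192.168.1.23,203.0.113.7,44112,443,0,FA,2890456,1203,501,,
Nov 16 08:21:10 fw filterlog[123]: 11,,,0,igb1,match,block,in,4,0x0,,64,555,0,DF,6,tcp,60,192.168.1.40,203.0.113.9,51000,22,0,S,1,0,65535,,mss
Nov 16 08:22:00 fw filterlog[123]: 11,,,0,igb1,match,block,in,4,0x0,,64,777,0,DF,17,udp,60,192.168.1.23,198.51.100.53,5353,53,40
"""

def parse_filterlog(line):
    """Return the fields of one IPv4 filterlog entry, or None for other lines."""
    if "filterlog" not in line:
        return None
    body = line.split("filterlog", 1)[1].split(":", 1)[1].strip()
    f = body.split(",")
    if len(f) < 22 or f[8] != "4":
        return None
    rec = {"iface": f[4], "action": f[6], "dir": f[7],
           "proto": f[16], "src": f[18], "dst": f[19]}
    if rec["proto"] == "tcp" and len(f) > 23:
        rec.update(sport=f[20], dport=f[21], tcp_flags=f[23])
    return rec

def classify(rec):
    """Label the likely reason a stateful filter let this packet fall to the default deny."""
    if rec["proto"] != "tcp":
        return "non-tcp"
    flags = rec.get("tcp_flags", "")
    if "S" in flags and "A" not in flags:
        return "new-connection"  # a SYN was blocked: rule policy, not state loss
    return "no-state"            # mid-stream segment (ACK/FIN/RST) with no state

def triage(log_text, iface="igb1"):
    """Count blocked inbound packets on iface by (source, likely cause)."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_filterlog(line)
        if rec and rec["action"] == "block" and rec["dir"] == "in" and rec["iface"] == iface:
            counts[(rec["src"], classify(rec))] += 1
    return counts

if __name__ == "__main__":
    for (src, cause), n in sorted(triage(SAMPLE_LOG).items()):
        print(f"{src:16} {cause:15} {n}")
```

Sources that only ever show up under "no-state" at a low rate are the benign case discussed above; a source with "new-connection" hits is worth checking against the rule set.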

Again, thanks for the very detailed explanation.

Devices work just fine without any sign of malfunction. As this is only one packet per hour on average, I'll just ignore it for now, and I know how to debug further if problems arise.

Greetings,
Stefan

Hi Stefan,

Yes, usually network stacks recover from these issues automatically and the applications don't care or bother the user.

Sounds like a plan indeed :)


Cheers,
Franco