Can't understand Default deny / state violation rule

Started by Kelar, May 25, 2025, 02:12:01 PM

Hi, I'm new to OPNsense and trying to figure out how it works. I'm testing remote access to my domain controllers and I started noticing strange log entries in the FW. First of all, that's my testing lab:
[attachment not available]
And this is the firewall log:
[attachment not available]
Inside the log entry I can see this:
[attachment not available]
Firewall rules, for testing purposes: accept all in from interface AD and from the OpenVPN interface group (using modern instances without an assigned interface). On the domain controllers I have static routes to the VPN clients through 10.20.20.210 as a non-default gateway.
So the problem is only the logs; everything is working, I can ping all VPN clients from the domain controllers and vice versa. All functions like authorisation, copying files through SMB, applying GPOs etc. work fine. I just can't understand what OPNsense means by these logs. As I read before, TCP flags like A and RA mean an asymmetric route, but in my case I can't see any of this. Maybe someone can clarify the situation with these logs? Thank you.

Port 445 is associated with AD file sharing, so it appears to be replies from a server back to a client.

Assuming asymmetric routing is not an issue (i.e. it works), then the state that allowed the connection (client initiated over VPN) was lost.
Apart from manual operations on the state table (which I hope you would have mentioned), this can also happen if the connection was idle for too long.

Some of these may end up being transparent to the end users because new connections get re-established...

It's harder to tell for the rest, but the same logic applies.

Quote from: EricPerl on May 25, 2025, 10:46:00 PM
Port 445 is associated with AD file sharing, so it appears to be replies from a server back to a client.

Assuming asymmetric routing is not an issue (i.e. it works), then the state that allowed the connection (client initiated over VPN) was lost.
Apart from manual operations on the state table (which I hope you would have mentioned), this can also happen if the connection was idle for too long.

Some of these may end up being transparent to the end users because new connections get re-established...

It's harder to tell for the rest, but the same logic applies.
Thank you for the reply. I found one post on Reddit with the same problem, and one person wrote this:

"Denied packets with RA, FA & FPA flags are just 'finishing' packets trying to close a connection when the firewall already killed the state due to timeouts (out-of-state packets). Smartphones are prone to causing this.
It could be a symptom of asymmetric routing if they are excessive but generally you can safely ignore them.
You can try to use conservative firewall optimization setting for longer timeouts if it's really bothering you."

I tried to use conservative firewall optimization and this helped, no blocking logs at all. This doesn't bother me as long as everything works, but I needed to understand what was causing this.

With ~10 packets every other second (20 secs total), there was probably more to it than TCP connection teardown in that specific case.
The server might have timed out on its side too and could be trying to either check if the client is still around or notify it.
Plenty of possibilities entirely depending on the actual high-level scenario. No point in conjecturing too much.

Conservative FW optimization just increases the idle timeouts on the FW, at the cost of memory (more state) and CPU (to deal with the extra state).
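As an added example (not code from this thread or from OPNsense), a small Python triage script that applies the reasoning above: it classifies blocked packets by their pf TCP flag letters (a SYN means a rule actually refused a new connection; RA/FA/FPA or a bare ACK means an out-of-state packet after the state expired or on an asymmetric path) and flags a flow that keeps producing such packets within a short window, like the ~10 packets over 20 seconds case. The log records are a constructed, simplified format, not OPNsense's real filterlog line.

```python
"""Triage 'Default deny / state violation' blocks by TCP flags (added example).
Records are a constructed, simplified format, not real filterlog CSV:
"<seconds> <src:port> <dst:port> <tcpflags>", pf letters S A F R P."""
from collections import Counter, defaultdict

# Constructed sample: an SMB (445) server keeps answering a client whose state
# already expired (RA/FPA every other second), plus one SYN a rule refused.
SAMPLE_LOG = """\
0 10.20.20.50:445 10.8.0.6:51234 RA
2 10.20.20.50:445 10.8.0.6:51234 RA
4 10.20.20.50:445 10.8.0.6:51234 FPA
6 10.20.20.50:445 10.8.0.6:51234 RA
8 10.20.20.50:445 10.8.0.6:51234 RA
10 10.20.20.50:445 10.8.0.6:51234 RA
1 10.8.0.9:60000 10.20.20.50:445 S
"""

def classify(flags: str) -> str:
    # Map the pf flag letters of one blocked packet to a triage class.
    if "S" in flags:
        return "new-connection-denied"   # policy deny: a rule refused the SYN
    if "R" in flags or "F" in flags:
        return "teardown-out-of-state"   # RA/FA/FPA closing a flow whose state expired
    if "A" in flags:
        return "midstream-out-of-state"  # ACK/PA with no state: idle timeout or asymmetric route
    return "other"

def parse(log: str):
    # Yield (seconds, src, dst, flags) from the simplified records.
    for line in log.splitlines():
        if line.strip():
            t, src, dst, flags = line.split()
            yield int(t), src, dst, flags

def triage(log: str, burst: int = 5, window: int = 30) -> dict:
    # Group blocks per (src, dst); a lone RA/FA is normal teardown noise, but
    # many within a short window mean the peer still thinks the session is up.
    flows = defaultdict(list)
    for t, src, dst, flags in parse(log):
        flows[(src, dst)].append((t, flags))
    report = {}
    for flow, pkts in flows.items():
        kinds = Counter(classify(f) for _, f in pkts)
        times = [t for t, _ in pkts]
        out_of_state = sum(n for k, n in kinds.items() if k.endswith("out-of-state"))
        report[flow] = {
            "count": len(pkts), "span_s": max(times) - min(times), "kinds": dict(kinds),
            "burst": out_of_state >= burst and max(times) - min(times) <= window,
        }
    return report
```

A flow reported with `burst` set is the case the reply above describes: repeated out-of-state packets rather than a single FIN/RST, so worth checking for idle timeouts or an asymmetric path instead of ignoring.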