Automatic Rules killed my connection

Started by j0xter, Today at 12:04:42 AM

Today my ISP had an issue, everything was down.
After they fixed it I noticed that I couldn't reach some sites, like Steam, bredbandskollen,
tv4.. list goes on.
Ping worked, DNS no issues.
So I looked at Wireshark..
Concluded that the firewall didn't let the remote sites talk back.

To confirm I brought out my old OpenBSD firewall/router.
No issues. Everything worked.

So what happened?
Today there was an automatic rule created,
an "any to any" deny rule.

Searching to find a way to reset that table.

TLDR
Remove the rules created today.
It has worked perfectly until my ISP had a
mishap.

Today at 05:22:14 AM #1 Last Edit: Today at 05:35:15 AM by hharry
Some more info would be helpful..

Are you referring to the Default deny / state violation rule? Or some other rule?

I've tested the scenario (many times) in both LAB and production, where the ISP goes down, then comes back up, and haven't had any issues... OPNsense recovered the WAN interface and L2 and L3 topology automatically, gateway monitor also always recovers automatically as expected, and I haven't observed any automatic rule changes...

If you restart OPNsense, or make a F/W rule change, there is a known issue where the F/W state table rules can get out of sync, necessitating a F/W state table reset... in Firewall: Diagnostics: States -> Actions 'Reset state table'
OPNsense 25.7.1_1-amd64 running on ESXi 6.7 U2 VM, 4Gbytes RAM, 2 x vCPU
frr, IDS, AdGuard Home, sftp-backup plugins

Quote from: hharry on Today at 05:22:14 AM
Some more info would be helpful..

Are you referring to the Default deny / state violation rule? Or some other rule?

I've tested the scenario (many times) in both LAB and production, where the ISP goes down, then comes back up, and haven't had any issues... OPNsense recovered the WAN interface and L2 and L3 topology automatically, gateway monitor also always recovers automatically as expected, and I haven't observed any automatic rule changes...

If you restart OPNsense, or make a F/W rule change, there is a known issue where the F/W state table rules can get out of sync, necessitating a F/W state table reset... in Firewall: Diagnostics: States -> Actions 'Reset state table'

Thank you for the suggestion to perform a reset of the state tables,

but that didn't help, I am afraid.

Are we saying that this deny rule has existed since I configured the FW?

It sure goes to work when I reload a page like bredbandskollen.se :)

It has worked fantastic for over a year. 4 months ago I added a WireGuard connection,

that's the only special thing about my firewall.


Quote from: j0xter on Today at 07:30:11 AM
Are we saying that this deny rule has existed since I configured the FW?

Yes. Like any firewall the default policy is "deny anything which is not explicitly allowed". This is achieved by this default rule which matches last.

You might want to check your allow rules - it seems they do for some reason not match connecting to the site you mentioned with your browser. Do you have Geo IP in your allow rules?
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)
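To make the two points above concrete (hharry's: return traffic is accepted because of a state entry, and a state table that is out of sync or freshly reset means the replies have nothing to match; Patrick's: the default deny rule is always present and only wins when no allow rule matches), here is a small added model of pf-style evaluation as OPNsense uses it. It is example code written for this thread, not OPNsense or pf code. It assumes a non-quick "Default deny / state violation rule" placed before the user's quick pass rules, states looked up before the ruleset, and constructed addresses (192.168.1.0/24 as LAN, 203.0.113.5 and 198.51.100.7 as remote servers); TCP flag handling is omitted.

```python
"""Toy model of pf/OPNsense rule evaluation: states first, then rules where the
last matching rule wins unless a matching rule is 'quick'. Constructed example."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    direction: str  # "in" or "out" relative to the firewall
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


@dataclass
class Rule:
    action: str            # "pass" or "block"
    direction: str         # "in", "out" or "any"
    label: str
    quick: bool = False    # OPNsense GUI rules are quick; the default deny is not
    src_nets: tuple = ()   # empty tuple means "any"
    dst_nets: tuple = ()   # e.g. a GeoIP alias would narrow this
    dports: tuple = ()

    def matches(self, pkt: Packet) -> bool:
        if self.direction not in ("any", pkt.direction):
            return False
        if self.src_nets and not any(ip_address(pkt.src) in ip_network(n) for n in self.src_nets):
            return False
        if self.dst_nets and not any(ip_address(pkt.dst) in ip_network(n) for n in self.dst_nets):
            return False
        if self.dports and pkt.dport not in self.dports:
            return False
        return True


class Firewall:
    def __init__(self, rules):
        self.rules = rules
        self.states = set()  # 5-tuples of flows that a pass rule created state for

    @staticmethod
    def _key(pkt: Packet, reverse: bool = False):
        if reverse:  # the reply direction of the same flow
            return (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        return (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)

    def evaluate(self, pkt: Packet):
        # 1. An existing state (either direction) short-circuits the ruleset.
        if self._key(pkt) in self.states or self._key(pkt, True) in self.states:
            return "pass", "state"
        # 2. Otherwise walk the rules: last match wins, a quick match stops the walk.
        winner = None
        for rule in self.rules:
            if rule.matches(pkt):
                winner = rule
                if rule.quick:
                    break
        if winner is None:
            return "pass", "implicit"  # bare pf passes by default; OPNsense never ships such a ruleset
        if winner.action == "pass":
            self.states.add(self._key(pkt))  # pass rules create state for the flow
        return winner.action, winner.label

    def reset_state_table(self):
        """What 'Reset state table' does; also what a state/ruleset desync looks like."""
        self.states.clear()


def build_ruleset(allowed_dst=()):
    return [
        Rule("block", "in", "Default deny / state violation rule"),  # non-quick, so any later quick pass beats it
        Rule("pass", "in", "LAN to any", quick=True, src_nets=("192.168.1.0/24",), dst_nets=allowed_dst),
    ]


def run_state_scenario():
    """Reply traffic passes on state, and the same reply hits the default deny once state is gone."""
    fw = Firewall(build_ruleset())
    client = Packet("in", "tcp", "192.168.1.10", 51000, "203.0.113.5", 443)  # constructed LAN client -> server
    reply = Packet("in", "tcp", "203.0.113.5", 443, "192.168.1.10", 51000)   # constructed server -> LAN client
    first = fw.evaluate(client)      # pass via the LAN rule, state created
    ok_reply = fw.evaluate(reply)    # pass via state
    fw.reset_state_table()
    lost_reply = fw.evaluate(reply)  # no state, no allow rule matches a remote source: default deny
    return first, ok_reply, lost_reply


def run_narrow_allow_scenario():
    """An allow rule narrowed by destination (as a GeoIP alias would do) lets the default deny win."""
    fw = Firewall(build_ruleset(allowed_dst=("198.51.100.0/24",)))
    outside = fw.evaluate(Packet("in", "tcp", "192.168.1.10", 51001, "203.0.113.5", 443))
    inside = fw.evaluate(Packet("in", "tcp", "192.168.1.10", 51002, "198.51.100.7", 443))
    return outside, inside


if __name__ == "__main__":
    print(run_state_scenario())
    print(run_narrow_allow_scenario())
```

The model is why the log shows the default deny on packets coming back from Steam or bredbandskollen: those packets never match a LAN allow rule by themselves and only get through on state. On a real OPNsense box the live ruleset and state table are what `pfctl -sr` and `pfctl -ss` print from a shell, which is the quickest way to confirm which rule a blocked reply actually fell through to.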

Quote from: Patrick M. Hausen on Today at 09:55:31 AM
Quote from: j0xter on Today at 07:30:11 AM
Are we saying that this deny rule has existed since I configured the FW?

Yes. Like any firewall the default policy is "deny anything which is not explicitly allowed". This is achieved by this default rule which matches last.

You might want to check your allow rules - it seems they do for some reason not match connecting to the site you mentioned with your browser. Do you have Geo IP in your allow rules?

What is the best way to list the rules in terminal?

So we might get a productive thing going


I haven't touched anything like that.
The only rule change I've made is to allow WireGuard,

and that was 4 months ago.