Unclear why default deny kicks in

Started by Nico, February 21, 2019, 12:04:48 PM

Previous topic - Next topic
Print
Go Down Pages1
User actions
February 21, 2019, 12:04:48 PM
Hi,

maybe someone can enlighten me why the "default deny" rule kicks in although there are several pass rules that should match?
It's about an IPsec tunnel with a permit any/any rule on that interface that should allow any traffic to pass through it. This works in like 99% of all cases I guess but a couple of times I see a default deny rule kicking it and when I look at the details of this log entry, I cannot spot why. It's like the thing ran out of memory to hold any more custom states and just falls back to the default deny. Is this possible? I will attach screenshots of one deny and one pass for you to see yourself.

Thanks!
February 21, 2019, 12:06:48 PM #1
These are the rules on that interface. 2 and 3 are for testing only. I added a manual default deny that should kick in before the system's default deny but it never did. So I kind of got the assumption that those packets are somewhat special for my pass rule not to kick in. So I tested a little with the advanced options, enabled any flags and changed the state to sloppy but with no effect.
February 21, 2019, 12:23:01 PM #2
TCP flag finish might be involved? See your first screen shot ;-)
kind regards
chemlud
____
"The price of reliability is the pursuit of the utmost simplicity."
C.A.R. Hoare

felix eichhorns premium katzenfutter mit der extraportion energie

A router is not a switch - A router is not a switch - A router is not a switch - A rou....
February 21, 2019, 12:25:12 PM #3
Quote from: chemlud on February 21, 2019, 12:23:01 PM
TCP flag finish might be involved? See your first screen shot ;-)

I'm looking and looking.. where do you see a "finish" flag? I'm unable to find it anywhere.
February 21, 2019, 12:27:23 PM #4
FPA = finish push ack

Set state tracking to none, for one reason or another state tracking thinks this is a faulty state transition.
February 21, 2019, 12:29:31 PM #5
OK thanks, meanwhile I found this https://docs.netgate.com/pfsense/en/latest/firewall/troubleshooting-blocked-log-entries-for-legitimate-connection-packets.html which seems to address that. That helps, thanks a lot!
February 21, 2019, 12:32:37 PM #6
Quote from: franco on February 21, 2019, 12:27:23 PM
FPA = finish push ack

Set state tracking to none, for one reason or another state tracking thinks this is a faulty state transition.

Just for clearification: I cannot simply change state tracking to none for the only "pass any" rule since this would result in blocking the replies (unless I have a permit any inbound rule on WAN), correct? So I added a 2nd identical rule with pass any/any and state = none. Is this correct from your point of view?
February 21, 2019, 12:36:50 PM #7
No, state tracking disable only disables state checking. The same rule will take care of return traffic as it normally would.
February 21, 2019, 12:48:55 PM #8
Thanks a lot!
Print
Go Up Pages1
User actions