OPNsense Forum » Archive » 19.1 Legacy Series » Unclear why default deny kicks in
Author Topic: Unclear why default deny kicks in  (Read 5893 times)

Nico
Unclear why default deny kicks in
« on: February 21, 2019, 12:04:48 pm »
Hi,

maybe someone can enlighten me why the "default deny" rule kicks in although there are several pass rules that should match?
It's about an IPsec tunnel with a permit any/any rule on that interface that should allow any traffic to pass through it. This works in like 99% of all cases I guess, but a couple of times I see a default deny rule kicking in and when I look at the details of this log entry, I cannot spot why. It's like the thing ran out of memory to hold any more custom states and just falls back to the default deny. Is this possible? I will attach screenshots of one deny and one pass for you to see yourself.

Thanks!

Nico
Re: Unclear why default deny kicks in
« Reply #1 on: February 21, 2019, 12:06:48 pm »
These are the rules on that interface. 2 and 3 are for testing only. I added a manual default deny that should kick in before the system's default deny but it never did. So I kind of got the assumption that those packets are somewhat special for my pass rule not to kick in. So I tested a little with the advanced options, enabled any flags and changed the state to sloppy but with no effect.

chemlud
Re: Unclear why default deny kicks in
« Reply #2 on: February 21, 2019, 12:23:01 pm »
TCP flag finish might be involved? See your first screen shot ;-)
kind regards
chemlud
____
"The price of reliability is the pursuit of the utmost simplicity."
C.A.R. Hoare

felix eichhorn's premium cat food with the extra portion of energy

A router is not a switch - A router is not a switch - A router is not a switch - A rou....

Nico
Re: Unclear why default deny kicks in
« Reply #3 on: February 21, 2019, 12:25:12 pm »
Quote from: chemlud on February 21, 2019, 12:23:01 pm
TCP flag finish might be involved? See your first screen shot ;-)

I'm looking and looking... where do you see a "finish" flag? I'm unable to find it anywhere.

franco (Administrator)
Re: Unclear why default deny kicks in
« Reply #4 on: February 21, 2019, 12:27:23 pm »
FPA = finish push ack

Set state tracking to none; for one reason or another, state tracking thinks this is a faulty state transition.
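The flag abbreviation franco decodes above ("FPA" = FIN, PSH, ACK) is the clue a defender wants to read automatically when triaging default-deny hits. The following Python script is an added example and is not code from this thread or from the OPNsense project: it expands pf-style flag letters, parses a deliberately simplified, constructed log line format (not OPNsense's real filterlog format) and classifies each blocked packet as a genuine new connection attempt (bare SYN), a reset, or a FIN/ACK-bearing straggler that no longer has a state and therefore can only hit the default deny. The sample lines, the line format and the category names are all assumptions made for the example.

```python
import re
from collections import Counter

# pf / OPNsense log flag letters (same convention as tcpdump).
FLAG_NAMES = {"S": "SYN", "A": "ACK", "F": "FIN", "P": "PSH",
              "R": "RST", "U": "URG", "E": "ECE", "W": "CWR"}


def decode_flags(abbrev):
    """Expand a flag abbreviation such as 'FPA' to ['FIN', 'PSH', 'ACK']."""
    try:
        return [FLAG_NAMES[ch] for ch in abbrev]
    except KeyError as exc:
        raise ValueError(f"unknown TCP flag letter {exc.args[0]!r}") from None


# Constructed, simplified line format used only by this example:
#   <iface> <action> <proto> <src> -> <dst> [flags]
LINE_RE = re.compile(
    r"^(?P<iface>\S+)\s+(?P<action>pass|block)\s+(?P<proto>\w+)\s+"
    r"(?P<src>\S+)\s*->\s*(?P<dst>\S+)(?:\s+(?P<flags>[SAFPRUEW]+))?$"
)


def parse_line(line):
    """Parse one constructed log line into a dict; flags default to ''."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable line: {line!r}")
    entry = m.groupdict()
    entry["flags"] = entry["flags"] or ""
    return entry


def classify(entry):
    """Explain why a blocked packet may have matched no stateful pass rule."""
    if entry["action"] != "block":
        return "passed"
    if entry["proto"] != "tcp":
        return "non-tcp"
    flags = set(entry["flags"])
    if "S" in flags and "A" not in flags:
        # Bare SYN: a real connection attempt. If a pass rule should cover
        # it, check that rule's interface and direction, not state handling.
        return "new-connection"
    if "R" in flags:
        return "reset-without-state"
    if "F" in flags or "A" in flags:
        # FIN/ACK-bearing packet (e.g. FPA) with no matching state: typically
        # a straggler from a session whose state already closed or expired.
        # Only the default deny can log it, since stateful pass rules need
        # either an existing state or a state-creating packet.
        return "late-packet-no-state"
    return "other"


def summarize(lines):
    """Count classifications over an iterable of log lines."""
    return Counter(classify(parse_line(line)) for line in lines)


# Constructed sample log lines; not taken from the thread's screenshots.
SAMPLE_LINES = [
    "ipsec pass tcp 10.0.0.5:51234 -> 10.1.0.7:443 S",
    "ipsec block tcp 10.1.0.7:443 -> 10.0.0.5:51234 FPA",
    "ipsec block tcp 10.1.0.7:443 -> 10.0.0.5:51234 A",
    "ipsec block udp 10.0.0.5:500 -> 10.1.0.7:500",
    "ipsec block tcp 10.0.0.9:40000 -> 10.1.0.7:22 S",
    "ipsec block tcp 10.1.0.7:443 -> 10.0.0.5:51234 R",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        e = parse_line(line)
        print(f"{e['flags']:>4} {str(decode_flags(e['flags'])):<22} {classify(e)}")
    print(dict(summarize(SAMPLE_LINES)))
```

Running the script over the constructed sample lists two "late-packet-no-state" hits (the FPA and the bare ACK) next to one genuine SYN block, which is the distinction to make before touching state tracking on a rule: only the straggler category is explained by the state-machine behaviour discussed in this thread, a blocked bare SYN still means no pass rule matched it.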

Nico
Re: Unclear why default deny kicks in
« Reply #5 on: February 21, 2019, 12:29:31 pm »
OK thanks, meanwhile I found this https://docs.netgate.com/pfsense/en/latest/firewall/troubleshooting-blocked-log-entries-for-legitimate-connection-packets.html which seems to address that. That helps, thanks a lot!

Nico
Re: Unclear why default deny kicks in
« Reply #6 on: February 21, 2019, 12:32:37 pm »
Quote from: franco on February 21, 2019, 12:27:23 pm
FPA = finish push ack

Set state tracking to none, for one reason or another state tracking thinks this is a faulty state transition.

Just for clarification: I cannot simply change state tracking to none for the only "pass any" rule since this would result in blocking the replies (unless I have a permit any inbound rule on WAN), correct? So I added a 2nd identical rule with pass any/any and state = none. Is this correct from your point of view?

franco (Administrator)
Re: Unclear why default deny kicks in
« Reply #7 on: February 21, 2019, 12:36:50 pm »
No, state tracking disable only disables state checking. The same rule will take care of return traffic as it normally would.

Nico
Re: Unclear why default deny kicks in
« Reply #8 on: February 21, 2019, 12:48:55 pm »
Thanks a lot!