Topic: Help me understand why this firewall rule is being invoked? (Read 1453 times)

yolocoffee (Newbie, Posts: 6, Karma: 0)
on: January 31, 2022, 10:58:16 am
I installed OPNsense in a KVM, passed through two Realtek NICs for LAN and WAN. LAN has 4 VLANs. I have not configured any firewall rules for any other VLANs. LAN has the default generated rules. All devices on LAN have WAN access without issue.
Now this particular device (a MacBook) on LAN has blocked packets arriving on the firewall. See image Blocked.jpg. All other devices (iMacs, iPhones) are not seeing the same "default deny rule" being invoked.
What is triggering this rule only for this particular device?

yolocoffee (Newbie, Posts: 6, Karma: 0)
Reply #1 on: January 31, 2022, 12:27:55 pm
So every single device on this LAN is now showing the same issue.
From a reverse lookup, this looks like the IP address of Apple push servers.
I am not sure why they would be blocked. This was not happening 2-3 days ago and I have not made any significant changes to firewall rules. At least, I don't remember any.

franco (Administrator, Hero Member, Posts: 17668, Karma: 1611)
Reply #2 on: January 31, 2022, 12:31:17 pm
You are looking at a rejected end of connection packet (TCP flags FIN+ACK). The connection was likely already closed. This is how stateful firewall rules work.
What is the issue you are having operationally?
Cheers,
Franco

yolocoffee (Newbie, Posts: 6, Karma: 0)
Reply #3 on: January 31, 2022, 12:42:03 pm
Okay. I am just trying to understand why these are now showing up in the firewall logs and not in the 2-3 days before?
For context, I am very new to firewalls and still learning.
FWIW, these devices have jumped routers in the last 2-3 days.
So is it correct to say that the original connections were established via the different router and OPNsense has no context about the previous connections and thus this firewall rule is being matched?
Operationally, everything seems to be working fine so far.

chemlud (Hero Member, Posts: 2486, Karma: 112)
Reply #4 on: January 31, 2022, 01:05:46 pm
@franco: Isn't there an easy way to print something like "out-of-state traffic, this is normal" to the logs? The question comes up once a week at least...
@OP Have a look in your settings, if "log default deny rule" is enabled. Dunno if the default has changed or is not imported with your config...
kind regards
chemlud
____
"The price of reliability is the pursuit of the utmost simplicity."
C.A.R. Hoare
Felix Eichhorn's premium cat food with the extra portion of energy
A router is not a switch - A router is not a switch - A router is not a switch - A rou....
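
An added example, not code from any poster or from OPNsense: a Python heuristic that labels blocked TCP log entries as out-of-state when the packet is anything other than an initial SYN, which is the case franco describes for FIN+ACK. The comma-separated field order is assumed to follow pf filterlog output for IPv4 TCP; the sample lines, addresses, ports and interface names are constructed.

```python
import csv
from collections import Counter

# Constructed sample entries. Assumed field order (IPv4 + TCP):
# rule,subrule,anchor,rid,iface,reason,action,dir,ipver,tos,ecn,ttl,id,offset,
# ipflags,protonum,proto,length,src,dst,sport,dport,datalen,tcpflags,seq,ack,win,urg,opts
SAMPLE_LOG = """\
12,,,0,re0,match,block,in,4,0x0,,64,0,0,DF,6,tcp,52,192.168.1.23,192.0.2.10,50412,5223,0,FA,1,2,2048,,
12,,,0,re0,match,block,in,4,0x0,,64,0,0,DF,6,tcp,40,192.168.1.23,192.0.2.10,50412,5223,0,R,1,,0,,
12,,,0,re1,match,block,in,4,0x0,,52,0,0,DF,6,tcp,60,198.51.100.7,203.0.113.5,40000,22,0,S,1,,64240,,
12,,,0,re0,match,pass,in,4,0x0,,64,0,0,DF,6,tcp,60,192.168.1.23,192.0.2.10,50999,443,0,S,1,,65535,,
"""

# Indexes into the assumed field order above.
ACTION, IPVER, PROTO, SRC, DST, DPORT, TCPFLAGS = 6, 8, 16, 18, 19, 21, 23


def classify(line):
    """Return a verdict dict for a blocked IPv4 TCP entry, else None."""
    fields = next(csv.reader([line]), [])
    if len(fields) <= TCPFLAGS:
        return None  # truncated or non-TCP record
    if (fields[ACTION], fields[IPVER], fields[PROTO]) != ("block", "4", "tcp"):
        return None
    flags = fields[TCPFLAGS]
    # A bare SYN opens a connection, so a block on it is a rule decision.
    # Any other flag set (FA, R, A, SA ...) only passes if a state entry exists.
    if "S" in flags and "A" not in flags:
        verdict = "new-connection"
    else:
        verdict = "out-of-state"
    return {"src": fields[SRC], "dst": fields[DST], "dport": fields[DPORT],
            "flags": flags, "verdict": verdict}


def summarize(log_text):
    """Count verdicts over all blocked IPv4 TCP entries in a log."""
    results = (classify(l) for l in log_text.splitlines() if l.strip())
    return Counter(r["verdict"] for r in results if r)


if __name__ == "__main__":
    for line in SAMPLE_LOG.splitlines():
        r = classify(line)
        if r:
            print(f'{r["src"]} -> {r["dst"]}:{r["dport"]} [{r["flags"]}] {r["verdict"]}')
    print(dict(summarize(SAMPLE_LOG)))
```

Entries tagged out-of-state are the expected result of closed or never-seen connections; entries tagged new-connection are the ones worth checking against the rule set.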