Topic: FW Rule not working due to TCP flag? (Read 1126 times)
gege29
Newbie
Posts: 10
Karma: 2
FW Rule not working due to TCP flag?
« on: March 21, 2022, 04:08:11 pm »
Hello,
I have a jump host sharing a public addressing subnet with my OPNsense firewall.
For the sake of discussion, let's assume the following:
- Jump host's IP: 2.2.2.2/24
- FW's IP: 1.1.1.1/24
- ISP GW: 3.3.3.3/24
At the beginning I was routing all traffic from my jump host straight to the ISP GW. That worked fine for SSH connections, but I would like to filter the traffic. I've been checking the firewall live logs; when I try to connect to the jump host via SSH, an entry appears as follows:
3000_EXTRANET IN-> 2022-03-21T15:52:30 2.2.2.2:22 193.3.19.178:64001 tcp
Despite having an IN(gress) rule accepting (pass) TCP connections from source IP 2.2.2.2 on port 22, it still blocked my connection. Checking the log entries further, I've seen the rule was not being evaluated because of the TCP flag, so I've edited the pass rule to check for the relevant handshake TCP flags. Now it does evaluate and shows in my logs as the pass rule (green color).
Unfortunately, the SSH connection still doesn't go through. On top of that, I'm getting some notices on my dashboard which I don't fully understand; they seem related to the fact that I'm using that rule with TCP flags.
03-21-22 15:11:06 [ There were error(s) loading the rules: /tmp/rules.debug:191: flags always false - The line in question reads [191]: pass in log quick on lagg0_vlan3000 reply-to ( lagg0_vlan3000 3.3.3.3 ) inet proto tcp from $bastion_iGent port {22} to {any} flags SA/FRPUEW keep state label 4a08b298dba26c3767c59faba4eaa586 # : Allow SSH ]
Another thing that confuses me is the fact that the firewall log shows the traffic as IN for a TCP packet that is a SYN/ACK from an SSH connection request from outside. I would have expected this to be OUT (egress)?
I hope somebody can shed some light on this matter, because I'm pretty lost at this point. I will be glad to provide more data if needed.
Thanks in advance!
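As an added illustration (not OPNsense or pf code), the following models pf's `flags a/b` matching: a packet matches when `(tcp_flags & b) == a`, and pf's parser reports "flags always false" when the "set" part `a` contains a flag that is not in the "out of" mask `b`. Run against the rule quoted in the error above, `SA/FRPUEW` asks for S and A while only inspecting F, R, P, U, E and W, so no packet can satisfy it; the packet flag strings used below are constructed for the example.

```python
# Model of pf "flags a/b" TCP flag matching (added example, not pf code).
TCP_FLAGS = {"F": 0x01, "S": 0x02, "R": 0x04, "P": 0x08,
             "A": 0x10, "U": 0x20, "E": 0x40, "W": 0x80}


def flags_to_bits(letters):
    """Turn a flag string such as 'SA' into a bitmask."""
    bits = 0
    for ch in letters:
        bits |= TCP_FLAGS[ch]
    return bits


def parse_flag_spec(spec):
    """Parse 'a/b' into (set_bits, mask_bits), or None for 'any'.

    Raises ValueError with pf's wording when no packet could ever match,
    i.e. when a flag required in 'a' is not part of the inspected mask 'b'.
    """
    if spec == "any":
        return None
    set_part, _, mask_part = spec.partition("/")
    set_bits = flags_to_bits(set_part)
    mask_bits = flags_to_bits(mask_part)
    if set_bits & ~mask_bits:
        raise ValueError("flags always false")
    return set_bits, mask_bits


def rule_can_match(spec):
    """True if the spec is accepted by the parser, False if always false."""
    try:
        parse_flag_spec(spec)
        return True
    except ValueError:
        return False


def matches(spec, packet_flags):
    """Does a packet carrying packet_flags (e.g. 'SA') match the rule spec?"""
    parsed = parse_flag_spec(spec)
    if parsed is None:
        return True
    set_bits, mask_bits = parsed
    return (flags_to_bits(packet_flags) & mask_bits) == set_bits


if __name__ == "__main__":
    # Constructed packets: a client SYN and the jump host's SYN/ACK reply.
    for spec in ("S/SA", "SA/SA", "any", "SA/FRPUEW"):
        if not rule_can_match(spec):
            print(spec, "-> rejected by parser: flags always false")
            continue
        print(spec, "SYN:", matches(spec, "S"), "SYN/ACK:", matches(spec, "SA"))
```

The default `S/SA` used for new TCP states matches only the initial SYN, which is why a lone SYN/ACK arriving on an interface without an existing state is not accepted by such a rule.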