How do I find the cause & fix a rule that's blocking legit traffic?

Started by Aart.Jansen, May 06, 2022, 04:59:28 AM

My firewall is the commercial OVA one, if that's important.
Anyway when I go to Firewall:Logfiles:Live View, I have made a filter to view blocked traffic.

I can see the traffic source IP, and that is coming in on port 25 (it's legit email)
But I can't see why it's blocked, it's got no label (most blocks say "Default deny Rule")

Given that its email, I turned off clamAV
IP still gets blocked.

I then turned off Intrusion Detection
IP still gets blocked.


the Source IP is 116.50.58.190
I have checked they are not on a blacklist with mxtoolbox

EDIT: I made a firewall WAN rule (top of the chain) to allow traffic from the IP. It is still being blocked in the live view!

Hi, regarding your problem there are some questions:
Do you mean by "block" the rejection of the tcp package or of the mail?
Is the target mailserver hosted on the opn box itself?
You should enable logging on all rules in question, so your fwlog will be more verbose and eloquent.
If you can see the packages from the IP in question get blocked by "Default deny Rule" you can assume there is no matching allow rule.
If the match is a "Default deny / state violation rule" it might be a client misbehavior
...

Hi, Thanks for your response.
I mean the rejection of the tcp package/connection
the target mail server is Exchange 2010, a separate VM.

In the plain log I get...

2022-05-06T19:26:21   filterlog[13067]   76,,,5c7ccd2452149d4b919716ce981cd2c8,pppoe0,match,block,in,4,0x0,,56,8672,0,DF,6,tcp,125,116.50.58.190,192.168.16.3,48694,25,85,PA,2421699908:2421699993,2465203256,235,,

Which makes little sense to me.

can you please provide the NAT rule here and the brief network setup (wan + lan/dmz IP of the opn box and the exchange network config)?
btw: you can make the plain log lines a little bit better readable by piping them to
awk 'BEGIN { FS = "," } ; {print "iface:"$5" action:"$7" dir:"$8" proto:"$17" src:"$19" dst:"$20" sport:"$21" dport:"$22}'

do you have a rule on the WAN iface allowing traffic to the public IP in charge on port 25?
something like
allow proto: IPv4 TCP    src:*    sport:*    dest:exchangeDMZ_IP    port:25 (SMTP)
from the log I assume this is missing or not correct ...
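To read the raw line without remembering the column positions, here is a small Python parser I wrote for this reply (it is not code from the thread or from OPNsense); it handles the IPv4 layout of the line quoted above and tells a blocked SYN apart from a blocked mid-stream packet. The function and class names are my own.

```python
from dataclasses import dataclass

# Constructed sample: the line quoted above, including the timestamp and
# process prefix that the log view prints in front of the CSV part.
SAMPLE_LINE = (
    "2022-05-06T19:26:21   filterlog[13067]   "
    "76,,,5c7ccd2452149d4b919716ce981cd2c8,pppoe0,match,block,in,4,0x0,,56,"
    "8672,0,DF,6,tcp,125,116.50.58.190,192.168.16.3,48694,25,85,PA,"
    "2421699908:2421699993,2465203256,235,,"
)

@dataclass
class FilterEvent:
    rule_label: str   # field 4: the label hash the Live View maps to a rule name
    iface: str
    action: str
    direction: str
    proto: str
    src: str
    dst: str
    sport: int
    dport: int
    tcp_flags: str    # e.g. "S" (SYN) or "PA" (PSH+ACK); "" for non-TCP

def parse_filterlog(line: str) -> FilterEvent:
    """Split one IPv4 filterlog line into the fields the awk one-liner prints."""
    csv = line.split("filterlog[", 1)[-1].split("]", 1)[-1].strip()
    f = csv.split(",")
    if f[8] != "4":
        raise ValueError("only the IPv4 field layout is handled here")
    proto = f[16]
    flags = f[23] if proto == "tcp" else ""
    return FilterEvent(f[3], f[4], f[6], f[7], proto, f[18], f[19],
                       int(f[20]), int(f[21]), flags)

def explain_block(ev: FilterEvent) -> str:
    """Distinguish a blocked new connection from a blocked out-of-state packet."""
    if ev.action != "block":
        return "not a block"
    if ev.proto == "tcp" and "S" in ev.tcp_flags and "A" not in ev.tcp_flags:
        return "new connection attempt blocked: look for a matching allow rule"
    if ev.proto == "tcp":
        # A packet with no SYN and no existing state is a state violation; the
        # usual allow rule only matches the SYN, so it does not cover this case.
        return "mid-stream packet blocked (flags %s, no SYN): state violation" % ev.tcp_flags
    return "blocked non-TCP packet"

if __name__ == "__main__":
    ev = parse_filterlog(SAMPLE_LINE)
    print(ev)
    print(explain_block(ev))
```

Running it on the quoted line reports a PSH+ACK packet with no SYN, which points at the "state violation" case rather than a missing allow rule.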

Yes, that's the default mail rule. Except exchangeDMZ_IP is labelled WAN address, as dest:

All other email is being delivered ok, and often mail from that sender does go through, but sometimes the IP comes up as blocked.
I have added a new rule to allow that known IP above the GEOIP blocking rule, so far it seems to be OK, but it's outside of office hours now.

It doesn't make any sense (to me) that it would occasionally block the IP and allow it other times.

I do not know your geoip setup and I do not use such methods (as I think people who like to do some harmful things are able to bypass geoip filters).
But a dynamic alias could explain the behavior of doing different things at different times ...
So an allowlist should always precede the blocklist ...

oh I agree there's definitely a way around the geoip stuff. But it's a good deterrent for low effort attempts/bots. Same reason I lock my car, a car thief would easily get past the lock. The delinquent down the road will go find an easier target.

I do wonder if the ports of the sender, which seem random and never 25 (only the destination is 25), have something to do with the block?

the src port will always be random unprivileged ...
maybe it would be an option to enable logging on your geoip blocking rule and evaluate the logs for a few days ...