Home
Help
Search
Login
Register
OPNsense Forum
»
Archive
»
23.1 Legacy Series
»
Traffic is not correctly blocked?
« previous
next »
Print
Pages: [
1
]
Author
Topic: Traffic is not correctly blocked? (Read 1265 times)
cyb
Newbie
Posts: 6
Karma: 0
Traffic is not correctly blocked?
«
on:
April 07, 2023, 06:45:17 pm »
Hi there,
I am just starting to try out OPNsense although I am familiar with firewalls from Fortinet and Mikrotik.
I have one physical LAN interface combining several VLANs. In OPNsense I have defined multiple OPT-interfaces, one interface for each VLAN (all with the same physical interface as parent).
I then have created one first rule for one OPT-interface, very simple: just allow ICMP traffic to "this firewall". After creating and enabling the rule, I can ping the corresponding firewall interface without problems (I was not able to ping it before).
Now the strange thing: When disabling the rule or even when deleting the rule, I am still able to ping the interface. I am still receiving echo replies!
When rebooting the OPNsense machine, the ping is not replied aynmore, as I expected.
I can permanently reproduce the behaviour.
Is this a bug or am I misunderstanding something?
Best regards,
cyb
«
Last Edit: April 07, 2023, 06:48:05 pm by cyb
»
Logged
Patrick M. Hausen
Hero Member
Posts: 6836
Karma: 574
Re: Traffic is not correctly blocked?
«
Reply #1 on:
April 07, 2023, 06:48:23 pm »
Hint: stateful firewall. With an ongoing ping the old permission is still active until there is no traffic for a certain timeout value - which I don't know from the top of my head.
You can clear the state table instead of rebooting. This is not done automatically each time you change rules, because it woukd interrupt active and perfectly permitted connections. Not good in a production environment.
Logged
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do.
(Isaac Asimov)
cyb
Newbie
Posts: 6
Karma: 0
Re: Traffic is not correctly blocked?
«
Reply #2 on:
April 07, 2023, 06:57:49 pm »
Thanks for your very fast reply.
Yeah, I thought of that and because of that I stopped the ping, closed the terminal, waited some seconds, opened a new terminal and restarted the ping. I thought the session would be terminated because of that but I seem to be wrong.
Logged
cyb
Newbie
Posts: 6
Karma: 0
Re: Traffic is not correctly blocked?
«
Reply #3 on:
April 11, 2023, 08:54:39 pm »
I have a different (in my opinion) strange behavior, which I currently cannot understand. I don't want to start a new thread because of the question, so I continue in this one.
I am starting with very simple firewall rules in one VLAN, one allow-rule for a single source ip to internal destinations (_PrivateNetworks) and one allow-rule for that same ip to external destinations: See attached image rule.png
When I try to access a SMB share on an internal destination (192.168.10.12) from that source ip, the access seems not to be directly working, but after about 10 seconds the share can be accessed.
When checking the live view, it can be seen that the access is first denied because of the global deny-rule in that vlan and then allowed because of the explicit rule mentioned above: See attached image log.png
This behaviour is reproducable: sometimes the rule seems to hit the traffic, sometimes not.
Can anybody explain that behavior?
Best regards,
cyb
Logged
cyb
Newbie
Posts: 6
Karma: 0
Re: Traffic is not correctly blocked?
«
Reply #4 on:
April 13, 2023, 07:12:43 pm »
I really don't understand why the firewall behaves differently for the same incoming requests.
Is there any way to get more logging to find the reason for this?
Logged
cyb
Newbie
Posts: 6
Karma: 0
Re: Traffic is not correctly blocked?
«
Reply #5 on:
April 13, 2023, 07:26:00 pm »
Is it possible that opnsense just allows new sessions?
It seems that when I have access to the destination and I am then changing something in opnsense and apply the settings the access gets lost. The detail view of the packages in live view shows that the accepted packages are SYN-messages while the blocked ones are acknowledges.
Logged
cyb
Newbie
Posts: 6
Karma: 0
Re: Traffic is not correctly blocked?
«
Reply #6 on:
April 14, 2023, 07:23:08 pm »
Nobody any hints for me?
Logged
Print
Pages: [
1
]
« previous
next »
OPNsense Forum
»
Archive
»
23.1 Legacy Series
»
Traffic is not correctly blocked?