Started ignoring rules

Started by bazbaz, March 13, 2024, 05:19:51 PM

I have a firewall that was working until today (when I updated from 24.1.2 to 24.1.3, but maybe the problem started before the upgrade) that is now not applying rules as expected.

I can see in the log that packets are dropped because of "Default deny / state violation rule", but rules that allow that kind of packet are loaded (and they were working until yesterday).
I have this problem both with rules with SNAT (for example to connect to HTTPS) and without any NAT (for example simple "routing" from a client in one network to AD servers in another).

Tried restarting the firewall service, and also the whole appliance, but nothing :(

This is hell: can someone help me?
thanks

Please post parts of the log that show the "Default deny / state violation rule" hit and the firewall rule that should allow the traffic instead.

Complete with interfaces and IP addresses, please.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

March 13, 2024, 05:31:48 PM #2 Last Edit: March 13, 2024, 05:33:34 PM by bazbaz
for example:

F03LAN      2024-03-13T17:27:39   10.77.67.3:54052   52.20.40.101:443   tcp   Default deny / state violation rule
F03LAN      2024-03-13T17:27:15   10.77.67.3:56432   34.149.211.227:443   tcp   Default deny / state violation rule

and attached are the rules for F03LAN. The first is a bypass I added to avoid the problem (which is not working) and the last is the rule I expect to allow the flow of the blocked logs above.

The F03LAN address is 10.77.67.1/26

Can you show the TCP flags of the log entry?

Looks right to me - your rule should allow outbound access to ports 80 and 443.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

sometimes
tcpflags   RA
sometimes only A


Quote from: bazbaz on March 13, 2024, 05:41:04 PM
sometimes
tcpflags   RA
sometimes only A
Yeah, those are out-of-state packets. As long as they are not 'S' they are harmless.
See this for explanation: https://docs.netgate.com/pfsense/en/latest/troubleshooting/log-filter-blocked.html
You may want to experiment with Firewall>Settings>Firewall Optimization setting to suit your network.
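The triage rule in the reply above (a "Default deny / state violation rule" hit with only A, RA, PA etc. is a stray out-of-state packet, while one carrying S is a genuinely refused new connection that points at a rule or ordering problem) can be applied mechanically over an exported log. The script below is an added example written for this thread, not something from the original posts or from OPNsense. It assumes a whitespace-separated export in the column order shown earlier (interface, time, src, dst, proto, rule label) with the tcpflags column appended last; the sample entries are constructed for the example and are not the poster's real log.

```python
"""Triage OPNsense 'Default deny / state violation rule' hits by TCP flags.

Added example for this thread. Assumption: a whitespace-separated export whose
columns are iface, time, src, dst, proto, rule label, tcpflags (in that order).
"""
import re
from collections import Counter

# Constructed sample entries (not copied from the thread). The addresses and
# flags are made up to exercise each branch of the classifier.
SAMPLE_LOG = """\
F03LAN 2024-03-13T17:27:39 10.77.67.3:54052 52.20.40.101:443 tcp Default deny / state violation rule A
F03LAN 2024-03-13T17:27:15 10.77.67.3:56432 34.149.211.227:443 tcp Default deny / state violation rule RA
F03LAN 2024-03-13T17:28:02 10.77.67.3:56500 34.149.211.227:443 tcp Default deny / state violation rule S
F03LAN 2024-03-13T17:28:10 10.77.67.3:56501 10.77.66.10:443 tcp Default deny / state violation rule PA
F03LAN 2024-03-13T17:28:15 10.77.67.3:40000 10.77.66.10:389 udp Default deny / state violation rule -
"""

# The rule label contains spaces, so it is matched non-greedily and the flags
# column is whatever single token remains at the end of the line.
LINE_RE = re.compile(
    r"^(?P<iface>\S+)\s+(?P<time>\S+)\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+"
    r"(?P<proto>\S+)\s+(?P<label>.*?)\s+(?P<flags>\S+)$"
)


def parse_line(line):
    """Return the entry as a dict, or None if the line does not fit the layout."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def classify(entry):
    """'benign-out-of-state' for stray ACK/RST/FIN packets, else 'investigate'."""
    if entry["proto"] != "tcp":
        # No handshake flags to reason about: a non-TCP default-deny hit
        # simply means no allow rule matched, so it needs a look.
        return "investigate"
    flags = set(entry["flags"])
    if "S" in flags:
        # A SYN that lands on the default deny is a refused new connection:
        # the expected allow rule did not match (wrong interface, order, etc).
        return "investigate"
    if flags & {"A", "R", "F"}:
        # Packet for a session pf has no state for (expired, or never seen
        # here because of asymmetric routing); harmless on its own.
        return "benign-out-of-state"
    return "investigate"


def triage(text):
    """Count verdicts for the state-violation hits and list the suspicious ones."""
    counts = Counter()
    suspects = []
    for line in text.splitlines():
        entry = parse_line(line)
        if entry is None or "state violation" not in entry["label"]:
            continue
        verdict = classify(entry)
        counts[verdict] += 1
        if verdict == "investigate":
            suspects.append(
                f'{entry["src"]} -> {entry["dst"]} {entry["proto"]} flags={entry["flags"]}'
            )
    return counts, suspects


if __name__ == "__main__":
    counts, suspects = triage(SAMPLE_LOG)
    print(dict(counts))
    for s in suspects:
        print("check:", s)
```

Run against a real export, the "investigate" list is the one worth comparing against the rule set: a SYN from a client on F03LAN that still hits the default deny means the allow rule is not matching that packet at all, whereas a long list of benign-out-of-state entries only argues for loosening the Firewall Optimization setting mentioned above.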

March 21, 2024, 05:42:25 PM #6 Last Edit: March 21, 2024, 05:48:39 PM by bazbaz
Maybe it's something similar, but I can neither explain nor fix it :(
The first and the second server are in two subnets connected to this OPNsense. Direct and quick connection, no alternate route available.
Also tried to set the firewall to conservative.

Also, checking "Disable all packet filtering" does not seem to solve the problem :(

Take a look at the attached firewall log.