26.1.6_2 - All traffic blocked due to "Default deny / state violation rule"

Started by thormir84, Today at 12:14:12 AM

This morning I installed the update in question, and I noticed that I can no longer access the Docker services I use, neither from inside nor from outside, due to the rule "Default deny / state violation rule".
I checked among the rules, but I didn't notice any changes in the existing ones (both in the automatically created ones and in mine), so I really can't understand what the problem is.

Did it happen only to me?

I am attaching some screenshots


Please attach screenshots.

Links are not attachments.

My reasons for the request are thread longevity and user security.

By the way, from which version were you upgrading?
Deciso DEC697

That's a very odd pair of rules. They may be outside of my experience, as I don't use any static NAT. As is, they do not appear to match the marked flows in your logs (source and destination ports and destination address do not match). For more info (e.g. "reason"), hit the "i" to the right of the log entries.

Quote from: pfry on Today at 03:15:49 AM
That's a very odd pair of rules. They may be outside of my experience, as I don't use any static NAT. As is, they do not appear to match the marked flows in your logs (source and destination ports and destination address do not match). For more info (e.g. "reason"), hit the "i" to the right of the log entries.

The rules have been created to route traffic coming from the outside targeting ports 80 and 443 to NPM (Nginx Proxy Manager). NPM, in turn, handles forwarding the request to the required Docker container, based on the custom domain that has been pointed (for example: https://bitwarden.my_domain.xxx or https://paperless.my_domain.xxx).

The IP 192.168.84.2 is the IP of the WAN port. The router's IP is 192.168.84.1, and it is set to expose the firewall without filters (so that the traffic management is entirely handled by it).

The local network is 172.22.8.0/24. The IP of the LXC with Docker is 172.22.8.4.

In fact, the rules route all traffic on ports 80 and 443 arriving at 192.168.84.2 to 172.22.8.4 on ports 8443 and 8484. These 2 ports, within NPM, are translated into:
8443 -> 443
8484 -> 80

Schematically:

http://service.my_domain.xxx = public IP -> router -> WAN -> rules -> LAN -> NPM -> Docker
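The check pfry suggests (does a blocked flow's destination address and port actually match one of the two forward rules?) can be made mechanically. The following is an added example, not code from the thread or from OPNsense: it models the two port-forward rules as thormir84 describes them and classifies constructed flow records against them. The protocol (TCP) and the simplified CSV "log" format are assumptions; the addresses and ports are the ones stated in the thread.

```python
# Added example: model the two forward rules from the thread
# (WAN 192.168.84.2:80 -> 172.22.8.4:8484, WAN 192.168.84.2:443 -> 172.22.8.4:8443)
# and check flows against them. Protocol and log format are assumptions.
from dataclasses import dataclass
from typing import List, Optional, Tuple

WAN_IP = "192.168.84.2"   # WAN address stated in the thread
NPM_IP = "172.22.8.4"     # Docker/LXC host running NPM, stated in the thread


@dataclass(frozen=True)
class ForwardRule:
    dst_addr: str        # original destination address (the WAN address)
    dst_port: int        # original destination port
    redirect_addr: str   # where the rule redirects the traffic
    redirect_port: int
    proto: str = "tcp"   # assumed; the thread does not state the protocol


# The two rules as described (assumed TCP).
RULES = [
    ForwardRule(WAN_IP, 80, NPM_IP, 8484),
    ForwardRule(WAN_IP, 443, NPM_IP, 8443),
]


@dataclass(frozen=True)
class Flow:
    proto: str
    src_addr: str
    src_port: int
    dst_addr: str
    dst_port: int


def matching_rule(flow: Flow, rules=RULES) -> Optional[ForwardRule]:
    """Return the first forward rule whose protocol, destination address and
    destination port match the flow, or None when nothing matches (the
    situation pfry points out for the marked log entries)."""
    for r in rules:
        if (flow.proto == r.proto
                and flow.dst_addr == r.dst_addr
                and flow.dst_port == r.dst_port):
            return r
    return None


def explain(flow: Flow, rules=RULES) -> str:
    """Human-readable verdict for one flow."""
    r = matching_rule(flow, rules)
    if r is None:
        return (f"{flow.dst_addr}:{flow.dst_port}/{flow.proto} "
                f"matches no forward rule")
    return (f"{flow.dst_addr}:{flow.dst_port}/{flow.proto} -> "
            f"{r.redirect_addr}:{r.redirect_port}")


# Constructed sample records (proto,src,sport,dst,dport); NOT real OPNsense
# log output. 203.0.113.0/24 is documentation address space.
SAMPLE_LOG = """\
tcp,203.0.113.7,51522,192.168.84.2,443
tcp,203.0.113.7,51523,192.168.84.2,80
tcp,172.22.8.10,40000,172.22.8.4,8443
udp,203.0.113.9,5000,192.168.84.2,443
"""


def parse_log(text: str) -> List[Flow]:
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        proto, sa, sp, da, dp = line.split(",")
        flows.append(Flow(proto, sa, int(sp), da, int(dp)))
    return flows


def classify_log(text: str, rules=RULES) -> List[Tuple[Flow, bool]]:
    """Pair each parsed flow with whether some forward rule matches it."""
    return [(f, matching_rule(f, rules) is not None) for f in parse_log(text)]


if __name__ == "__main__":
    for flow, _ in classify_log(SAMPLE_LOG):
        print(explain(flow))
```

The third constructed record (a LAN client talking to 172.22.8.4:8443 directly) matches no rule because it never arrives at the WAN address; the fourth fails only on protocol. Running the same comparison over the real entries behind the "i" button in the firewall log shows at a glance whether a blocked flow should have been handled by one of the forwards at all.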

Quote from: passeri on Today at 12:38:30 AM
Please attach screenshots.

Links are not attachments.

My reasons for the request are thread longevity and user security.

By the way, from which version were you upgrading?

I apologize, I corrected it; I was trying to exceed the limit of 256 KB.

The update was carried out starting from the immediately previous version, 26.1.6; 26.1.6_2 is a hotfix released on 23-04.

EDIT:

Since the firewall is a VM on Proxmox, I performed a restore of it using a previous backup (specifically, the backup dates back to the night of 25-04, before I installed the hotfix). Once it restarted, everything started working again as before.
At this point, I have the impression that the problem is in the hotfix.


EDIT 2:

After several tests, I discovered that the problem arises the moment I perform the migration from the old ISC DHCP (now legacy) to Kea DHCP.
There's probably some configuration problem, I don't know.