26.1.6_2 - All traffic blocked due to "Default deny / state violation rule"

Started by thormir84, April 26, 2026, 12:14:12 AM

This morning I installed the update in question, and I noticed that I can no longer access the Docker services I use, neither from inside nor from outside, due to the rule "Default deny / state violation rule".
I checked among the rules, but I didn't notice any changes in the existing ones (both in the automatically created ones and in mine), so I really can't understand what the problem is.

Did it happen only to me?

I am attaching some screenshots.


Please attach screenshots.

Links are not attachments.

My reasons for the request are thread longevity and user security.

By the way, from which version were you upgrading?
Deciso DEC697

That's a very odd pair of rules. They may be outside of my experience, as I don't use any static NAT. As is, they do not appear to match the marked flows in your logs (source and destination ports and destination address do not match). For more info (e.g. "reason"), hit the "i" to the right of the log entries.

Quote from: pfry on April 26, 2026, 03:15:49 AM
That's a very odd pair of rules. They may be outside of my experience, as I don't use any static NAT. As is, they do not appear to match the marked flows in your logs (source and destination ports and destination address do not match). For more info (e.g. "reason"), hit the "i" to the right of the log entries.

The rules have been created to route traffic coming from the outside targeting ports 80 and 443 to NPM (Nginx Proxy Manager). NPM, in turn, handles forwarding the request to the required Docker container, based on the custom domain that has been pointed (for example: https://bitwarden.my_domain.xxx or https://paperless.my_domain.xxx).

The IP 192.168.84.2 is the IP of the WAN port. The router's IP is 192.168.84.1, and it is set to expose the firewall without filters (so that the traffic management is entirely handled by it).

The local network is 172.22.8.0/24. The IP of the LXC with Docker is 172.22.8.4.

In fact, the rules route all traffic on ports 80 and 443 arriving at 192.168.84.2 to 172.22.8.4 on ports 8443 and 8484. These two ports, within NPM, are translated into:
8443 -> 443
8484 -> 80

Schematically:

http://service.my_domain.xxx = public IP -> router -> WAN -> rules -> LAN -> NPM -> Docker
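As an added example (not code from any of the posters, nor from OPNsense), the following Python script models the two port-forward rules described above and checks constructed flows against them. It reproduces pfry's point that a logged flow only matches a forward rule when interface, protocol, destination address and destination port all agree, and separates that from the other reading of "state violation": a TCP packet arriving without SYN and without an existing state falls through to the default deny whatever the forward rules say. The Forward and Flow fields, the sample flows and the SYN heuristic are assumptions made for this example; 203.0.113.0/24 is documentation address space.

```python
# Added example, not code from the thread or from OPNsense. It models the two
# port-forward rules the original poster describes and checks constructed
# flows against them. Rule fields, Flow fields and the SYN heuristic are
# assumptions made for the example.
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Forward:
    """One port-forward (rdr) rule: traffic to dst:dport on iface goes to target:target_port."""
    iface: str
    proto: str
    dst: str
    dport: int
    target: str
    target_port: int


@dataclass(frozen=True)
class Flow:
    """One packet as it would appear in the firewall log (constructed, simplified)."""
    iface: str
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    tcp_flags: str = ""   # e.g. "S" for SYN, "A" for ACK, "PA" for PSH+ACK


# The two rules from the thread: WAN address 192.168.84.2, NPM host 172.22.8.4,
# 80 -> 8484 and 443 -> 8443.
RULES = [
    Forward("wan", "tcp", "192.168.84.2", 80, "172.22.8.4", 8484),
    Forward("wan", "tcp", "192.168.84.2", 443, "172.22.8.4", 8443),
]


def match_forward(flow, rules):
    """Return the first rule whose interface, protocol, destination address and
    destination port all equal the flow's, or None. Source fields do not take
    part in the match because the thread's rules do not restrict the source."""
    for rule in rules:
        if (rule.iface == flow.iface
                and rule.proto == flow.proto
                and ipaddress.ip_address(rule.dst) == ipaddress.ip_address(flow.dst)
                and rule.dport == flow.dport):
            return rule
    return None


def classify(flow, rules):
    """Classify a flow seen in the log.

    'state_violation': a TCP packet without SYN for which no state exists; the
        stateful pass rule behind a forward only creates state on the SYN, so
        such a packet hits the default deny whatever the forward rules say
        (heuristic assumed for this example).
    'forwarded':  the packet matches a forward rule and would be translated.
    'no_rule':    nothing matches; the rule set, not state, is the problem.
    """
    if flow.proto == "tcp" and "S" not in flow.tcp_flags.upper():
        return "state_violation", None
    rule = match_forward(flow, rules)
    if rule is not None:
        return "forwarded", rule
    return "no_rule", None


def translated_destination(flow, rules):
    """Return the (target, target_port) the flow would be sent to, or None."""
    verdict, rule = classify(flow, rules)
    if verdict != "forwarded":
        return None
    return rule.target, rule.target_port


if __name__ == "__main__":
    # Constructed sample flows. The last one is a LAN client aiming at the WAN
    # address: it does not match a WAN-only rule unless NAT reflection is set up.
    samples = [
        Flow("wan", "tcp", "203.0.113.5", 51000, "192.168.84.2", 443, "S"),
        Flow("wan", "tcp", "203.0.113.5", 51001, "192.168.84.2", 8080, "S"),
        Flow("wan", "tcp", "203.0.113.5", 51002, "192.168.84.2", 443, "A"),
        Flow("lan", "tcp", "172.22.8.20", 51003, "192.168.84.2", 443, "S"),
    ]
    for f in samples:
        verdict, rule = classify(f, RULES)
        where = f"-> {rule.target}:{rule.target_port}" if rule else ""
        print(f"{f.iface} {f.proto} {f.src}:{f.sport} -> {f.dst}:{f.dport} "
              f"flags={f.tcp_flags or '-'}: {verdict} {where}")
```

Running the script prints a verdict per sample flow; when comparing against real log entries, take the interface, addresses, ports and TCP flags from the "i" detail view pfry mentions, since a mismatch in any one of them is enough for the forward rule not to apply.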

Quote from: passeri on April 26, 2026, 12:38:30 AM
Please attach screenshots.

Links are not attachments.

My reasons for the request are thread longevity and user security.

By the way, from which version were you upgrading?

I apologize, I corrected it; I was trying to exceed the limit of 256 KB.

The update was carried out starting from the immediately previous version, 26.1.6; 26.1.6_2 is a hotfix released on 23-04.

EDIT:

Since the firewall is a VM on Proxmox, I performed a restore of it using a previous backup (specifically, the backup dates back to the night of 25-04, before I installed the hotfix). Once it restarted, everything started working again as before.
At this point, I have the impression that the problem is in the hotfix.


EDIT 2:

After several tests, I discovered that the problem arises the moment I perform the migration from the old ISC DHCP (now legacy) to Kea DHCP.
There's probably some configuration problem, I don't know.

I'm also having this problem. Seems I cannot remove the legacy rules, which preclude the new Rules from taking effect.

I did further tests and took a look at the configuration options of Kea DHCP, and I confirm that the crash occurs when I activate the service. I saw that there is a section related to DDNS, but in my case everything is managed via Docker with Nginx Proxy Manager; even on ISC DHCP there is an option related to DDNS, but I have never enabled it.

Quote from: thormir84 on Today at 04:18:34 PM
I did further tests and took a look at the configuration options of Kea DHCP, and I confirm that the crash occurs when I activate the service.

What kind of crash?!

This topic started with a Firewall Rule issue and now there is something crashing?!

Quote:
I saw that there is a section related to DDNS, but in my case everything is managed via Docker with Nginx Proxy Manager;
even on ISC DHCP there is an option related to DDNS, but I have never enabled it.

KEA DDNS is meant for Hostname DNS Registration in combination with Unbound as the DNS Server because initially it only worked for a Static DHCP IP Address Mapping based on the MAC Address and not for a regular Dynamic DHCP IP Address.

Is there any chance that some of your Docker stuff got upgraded too within the same timeframe and is causing issues now?
Reason I am asking: a lot of people let something like WatchTower update/upgrade their Docker Containers completely automatically.
Weird guy who likes everything Linux and *BSD on PC/Laptop/Tablet/Mobile and funny little ARM based boards :)