Crowdsec & floating rules appear as Default Deny in 26.1

Started by cyb_tachyon, April 29, 2026, 10:16:56 PM

Crowdsec and floating rules appear as "Default deny / state violation" in 26.1 logs. This makes it incredibly difficult to troubleshoot.

  • To reproduce, enable Crowdsec plugin and defaults.
  • Whitelist your local host IPs (192.168.1.0/24).
  • Start docker instances that use port forwarding for a range of port connections.
  • Note that the docker instances will be blocked from outgoing traffic on those ports after Crowdsec makes a decision to block.
  • Note that the logs do NOT indicate this, and instead treat all Crowdsec decision floating rules as "Default deny / state violation".

Desired result: Floating rules are logged by their origin (plugin name or automatic), or if not possible, floating rules appear as "Floating Rule".
Workaround: Whitelist Docker IP subnets in Crowdsec, and add Firewall Rules (New) specific for Docker IP subnets (172.15-20.0.0/16).

Related threads:

Network Setup:
  • OPNsense 26.1.6_2 latest on an AMD SoC, 3 Intel NICs.
  • NIC 0 to Cable Modem (WAN).
  • NIC 1 to 10G home network, 10G dumb switches no other routing equipment (LAN).
  • No VLANs or anything yet. Still haven't graduated from basic networking.
  • Debian 13 on an Intel NIC large host.
  • Multiple other PCs wired in.

OPNsense Setup:
  • IPv6 disabled (some of the PCs and apps have a fit and refuse to work on IPv6).
  • Unbound DNS installed, enabled, and set up with overrides that match aliases.
  • Aliases set up for IPv4 for Debian 13 PCs.
  • ACME Client installed and configured.
  • CrowdSec installed and configured with whitelist for 192.168.1.106.
  • ISC DHCPv4 migrated from 25.
  • NAT (New) migrated from 25, old rules removed.

Debian 13 Setup:
  • Default settings for the NIC.
  • Default settings for Docker install (bridge mode NAT).
  • Using a docker instance to start port scanning-like activity.
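
Until the log label distinguishes these rules, one way to triage is to compare the addresses in each "Default deny / state violation" entry against the addresses currently under a CrowdSec decision. The sketch below is an added example, not part of the original post or of OPNsense/CrowdSec; the entry shape, the function names and all sample addresses are constructed assumptions, and the decision and whitelist values are assumed to have been copied out by hand.

```python
import ipaddress

AMBIGUOUS_LABEL = "Default deny / state violation"  # label quoted in the post

def _nets(values):
    # A decision or whitelist value may be a single IP or a CIDR range.
    return [ipaddress.ip_network(v, strict=False) for v in values]

def attribute_blocks(entries, decisions, whitelist):
    """Tag each ambiguous block entry with its likely origin.

    entries:   dicts with 'label', 'src', 'dst' (hypothetical shape)
    decisions: IP/CIDR strings currently under a CrowdSec decision
    whitelist: CIDR strings whitelisted in CrowdSec
    """
    dec_nets, wl_nets = _nets(decisions), _nets(whitelist)
    out = []
    for e in entries:
        if e["label"] != AMBIGUOUS_LABEL:
            continue  # already attributed to a named rule
        addr = {k: ipaddress.ip_address(e[k]) for k in ("src", "dst")}
        # Which side of the flow, if any, matches an active decision?
        hit = [k for k in ("src", "dst")
               if any(addr[k] in n for n in dec_nets)]
        out.append({
            "src": e["src"],
            "dst": e["dst"],
            "origin": "crowdsec" if hit else "other",
            "matched": hit,
            # False here means the whitelist never covered this source,
            # e.g. a Docker bridge address outside 192.168.1.0/24.
            "src_whitelisted": any(addr["src"] in n for n in wl_nets),
        })
    return out

# Constructed sample data (documentation and private ranges only).
SAMPLE_ENTRIES = [
    {"label": AMBIGUOUS_LABEL, "src": "172.17.0.2", "dst": "198.51.100.7"},
    {"label": AMBIGUOUS_LABEL, "src": "192.168.1.50", "dst": "203.0.113.9"},
    {"label": AMBIGUOUS_LABEL, "src": "192.168.1.60", "dst": "198.51.100.8"},
    {"label": "Allow LAN", "src": "192.168.1.61", "dst": "198.51.100.9"},
]
SAMPLE_DECISIONS = ["172.17.0.2", "203.0.113.0/24"]
SAMPLE_WHITELIST = ["192.168.1.0/24"]

if __name__ == "__main__":
    for row in attribute_blocks(SAMPLE_ENTRIES, SAMPLE_DECISIONS, SAMPLE_WHITELIST):
        print(row)
```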

Quote from: cyb_tachyon on April 29, 2026, 10:16:56 PM
Workaround: Whitelist Docker IP subnets in Crowdsec, and add Firewall Rules (New) specific for Docker IP subnets (172.15-20.0.0/16).

Debian 13 Setup:
  • Default settings for Docker install (bridge mode NAT).
Why not use MACVLAN for Docker and maybe not have this issue?!

A lot of Docker users I know use it and recommend it to pretty much everyone too! :)
Weird guy who likes everything Linux and *BSD on PC/Laptop/Tablet/Mobile and funny little ARM based boards :)