Packet received by interface but blocked before firewall

Started by Somnolus, Today at 01:54:32 AM

I'm trying to pass a very specific UDP packet from one interface to another on different networks on the same router.  I've run a packet capture on both interfaces, I can see the packet coming in on the input interface but it just disappears after that.  There are no firewall logs indicating the packet was blocked.  I've tried sending the packet through with the firewall and NAT disabled but it still doesn't get processed.  I'm convinced it's either the interface or kernel blocking the packet before the firewall can process it.

If anyone has any tips on where I can look to see why the packet is being blocked that would be great.  Any help would be appreciated here as I'm at a complete loss on where to troubleshoot next.

So should the packet even go out on the desired interface according to the routing table?
Or did you forward the traffic to a device connected to this interface?

Maybe we can get closer to the issue if you give some more details: destination IP, networks, routing table, rules.

Quote from: Somnolus on Today at 01:54:32 AM
I've run a packet capture on both interfaces, I can see the packet coming in on the input interface but it just disappears after that.
You should share your tcpdump/pcap output IMHO if you want anyone to say anything useful about it :)
Weird guy who likes everything Linux and *BSD on PC/Laptop/Tablet/Mobile and funny little ARM based boards :)

Quote from: Somnolus on Today at 01:54:32 AM
There are no firewall logs indicating the packet was blocked.

The likelihood is that it is being blocked by a firewall rule, or you don't have a rule to allow it out of the destination interface. It's difficult to suggest anything without seeing the relevant rules and if Source or Destination NAT is required.

Ensure you have enabled logging of Default block and Default pass in Firewall -> Settings -> Advanced.

In addition, if you have configured any block rules, ensure logging is enabled in them so you can spot anything amiss.

Today at 03:39:31 PM #4 Last Edit: Today at 03:43:38 PM by Monviech (Cedrik)
What kind of network device are you using (Intel NIC)?
Are VLANs involved?
How large is the UDP packet, would it need to be fragmented?
Is intrusion detection used (netmap driver)?
Is a Captive Portal configured? (ipfw enabled, can block packets before pf)
Is an IPsec policy installed that might blackhole this packet?

I know a few things that can make packets "vanish" without a trace in tcpdump, the above are some.
Hardware:
DEC740
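The replies above ask for the tcpdump output from both interfaces and whether the UDP packet would need fragmentation. The script below is an added example, not code from the thread or from OPNsense: it parses tcpdump-style UDP lines captured on the ingress and egress interfaces, reports datagrams that arrive but never leave, and marks the ones whose IP size exceeds the egress MTU. The capture lines, interface names and the 1500-byte MTU are constructed for illustration; matching is on the unchanged 5-tuple, which assumes no NAT between the two capture points (as the original poster described).

```python
"""Compare ingress and egress tcpdump captures to find UDP datagrams that enter
the router but never leave it, and note which would need fragmentation.

Added example for the thread above; the capture text is constructed, not real
output from the poster's router.
"""

import re
from collections import defaultdict

IP_HDR = 20   # IPv4 header without options
UDP_HDR = 8   # UDP header

# Matches lines of the form produced by `tcpdump -n -i <if> udp`, e.g.
# 01:54:30.100001 IP 192.168.10.50.49152 > 10.0.20.10.5060: UDP, length 512
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > "
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+): UDP, length (?P<length>\d+)"
)

# Constructed sample: three datagrams seen on the ingress interface (igb0) ...
INGRESS_CAPTURE = """\
01:54:30.100001 IP 192.168.10.50.49152 > 10.0.20.10.5060: UDP, length 512
01:54:30.200002 IP 192.168.10.50.49152 > 10.0.20.10.5060: UDP, length 1600
01:54:30.300003 IP 192.168.10.51.53000 > 10.0.20.10.161: UDP, length 80
"""

# ... but only two of them appear on the egress interface (igb1).
EGRESS_CAPTURE = """\
01:54:30.100150 IP 192.168.10.50.49152 > 10.0.20.10.5060: UDP, length 512
01:54:30.300120 IP 192.168.10.51.53000 > 10.0.20.10.161: UDP, length 80
"""


def parse_capture(text):
    """Count datagrams per (src, sport, dst, dport, payload_len) key.

    Lines that are not UDP summaries (ARP, truncated output, etc.) are skipped.
    """
    seen = defaultdict(int)
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        key = (m["src"], int(m["sport"]), m["dst"], int(m["dport"]), int(m["length"]))
        seen[key] += 1
    return seen


def find_dropped(ingress_text, egress_text, egress_mtu=1500):
    """Return datagrams seen on ingress more often than on egress.

    For each missing datagram the full IPv4 size is computed from tcpdump's
    UDP payload length, and compared with the egress MTU so that a packet
    that silently needed fragmentation stands out.
    """
    ingress = parse_capture(ingress_text)
    egress = parse_capture(egress_text)
    dropped = []
    for key, count in ingress.items():
        missing = count - egress.get(key, 0)
        if missing <= 0:
            continue
        src, sport, dst, dport, payload_len = key
        ip_total = IP_HDR + UDP_HDR + payload_len
        dropped.append({
            "flow": f"{src}:{sport} -> {dst}:{dport}",
            "payload_len": payload_len,
            "ip_total_len": ip_total,
            "missing": missing,
            "needs_fragmentation": ip_total > egress_mtu,
        })
    return dropped


if __name__ == "__main__":
    for entry in find_dropped(INGRESS_CAPTURE, EGRESS_CAPTURE):
        frag = " (exceeds egress MTU, would need fragmentation)" if entry["needs_fragmentation"] else ""
        print(f"{entry['flow']} payload={entry['payload_len']} "
              f"ip_total={entry['ip_total_len']} missing={entry['missing']}{frag}")
```

Feed it the real `tcpdump -n -i <ingress> udp` and `tcpdump -n -i <egress> udp` output (with `-s 0` if you also want the payload). A flow that is missing on egress while its IP size is within the MTU points at something between the two capture points (pf, ipfw for the captive portal, an IPsec policy, or the routing table); one that exceeds the MTU points at fragmentation handling, which is the third question in the post above.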