Topic: How to find the specific rule that is blocking some IP's? (Read 5573 times)
nordsec (Newbie, Posts: 3, Karma: 0)
How to find the specific rule that is blocking some IP's?
« on: May 06, 2018, 10:50:11 pm »
Hi. I find it very hard to trace blocked traffic back to the rule that is actually causing the traffic or IP to be blocked.
I've attached some screenshots from the logs.
The scenario here is that I'm watching Netflix on my Panasonic smart TV and I see that Netflix loses its connection due to Netflix trying to jump from one server to another, which my firewall is blocking. It's not blocking all the traffic, but some, resulting in me having to manually start the TV show again.
I see the traffic getting blocked but I can't find the exact rule that is blocking it. I am using both IDS and IPS with lots of rules enabled. I'm not gonna bother listing them here as the point is to be able to trace the blocked traffic to the exact rule that is causing the block.
But how?... I find it very strange that it's this hard. Every time I try to Google anything about OPNsense, Google is always just serving me pfSense results.
Thanks for answers!
dcol (Hero Member, Posts: 635, Karma: 51)
Re: How to find the specific rule that is blocking some IP's?
« Reply #1 on: May 06, 2018, 11:23:28 pm »
A TCP flag of FPA is not a legitimate block, rather a failed packet that will be retried and can be ignored. The label in the live view shows which rule caused the block. If you are getting 'Default deny rule' then most likely there is no rule allowing a good packet to pass.
The only legit block was to 104.123.137.85 with TCP flag 'A', but you didn't show the firewall live view for that one.
Usually those failed packets slowly go away. I always get a ton of them when I reboot. If they don't go away, then maybe there is some other issue like faulty wiring or hardware.
I do wish there was a way to filter the TCP flags in the live view, or at least show them in the list. Having a bunch of FA, PA, RA is annoying to sort through.
« Last Edit: May 06, 2018, 11:33:44 pm by dcol »
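The reply above wishes for a way to filter firewall log entries by TCP flags. As an added example (not part of the thread and not OPNsense code), the same filtering can be done offline over raw filterlog lines. The CSV field order is assumed to be the pf filterlog layout, and the sample lines, rule numbers and all addresses except 104.123.137.85 are constructed.

```python
import csv
from collections import Counter

# Constructed sample lines (payload after the syslog prefix). Assumed field
# order: rule number, sub-rule, anchor, rule id, interface, reason, action,
# direction, IP version, then the IPv4 header fields and the TCP fields.
SAMPLE = """\
12,,,0,em0,match,block,in,4,0x0,,64,1001,0,DF,6,tcp,52,192.168.1.50,198.51.100.7,51514,443,0,FPA,111,222,229,,
12,,,0,em0,match,block,in,4,0x0,,64,1002,0,DF,6,tcp,52,192.168.1.50,198.51.100.7,51514,443,0,FPA,111,222,229,,
12,,,0,em0,match,block,in,4,0x0,,64,1003,0,DF,6,tcp,40,192.168.1.50,104.123.137.85,51620,443,0,A,333,444,229,,
57,,,0,em0,match,block,in,4,0x0,,64,1004,0,DF,6,tcp,60,192.168.1.50,203.0.113.9,51700,443,0,S,555,,65535,,mss
30,,,0,em0,match,pass,in,4,0x0,,64,1005,0,DF,6,tcp,60,192.168.1.50,198.51.100.7,51800,443,0,S,666,,65535,,mss
"""

# Indexes into the assumed layout (IPv4 + TCP entries only).
RULE, ACTION, IPVER, PROTO, DST, TCP_FLAGS = 0, 6, 8, 16, 19, 23


def parse_blocks(lines):
    """Yield (rule_number, dst_ip, tcp_flags) for every blocked IPv4 TCP entry."""
    for f in csv.reader(lines):
        if len(f) <= TCP_FLAGS:
            continue  # short or non-TCP entry: no flags field to read
        if f[ACTION] != "block" or f[IPVER] != "4" or f[PROTO] != "tcp":
            continue
        yield f[RULE], f[DST], f[TCP_FLAGS]


def summarize(lines, ignore_flags=("FPA", "FA", "PA", "RA")):
    """Count blocks per (rule, destination, flags) in two buckets.

    ignore_flags holds the flag combinations the reply treats as noise;
    every other blocked entry is counted under 'review'.
    """
    noise, review = Counter(), Counter()
    for rule, dst, flags in parse_blocks(lines):
        bucket = noise if flags in ignore_flags else review
        bucket[(rule, dst, flags)] += 1
    return noise, review


if __name__ == "__main__":
    noise, review = summarize(SAMPLE.splitlines())
    for label, bucket in (("review", review), ("noise", noise)):
        for (rule, dst, flags), n in bucket.most_common():
            print(f"{label:6} rule={rule} dst={dst} flags={flags} count={n}")
```

The rule number in the first field can be compared with the numbered rule listing printed by `pfctl -vvsr` on the firewall.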
nordsec (Newbie, Posts: 3, Karma: 0)
Re: How to find the specific rule that is blocking some IP's?
« Reply #2 on: May 06, 2018, 11:32:35 pm »
So what you’re saying is that the issue might not be the firewall? Funny how the block appears exactly when Netflix stops...
dcol (Hero Member, Posts: 635, Karma: 51)
Re: How to find the specific rule that is blocking some IP's?
« Reply #3 on: May 06, 2018, 11:37:20 pm »
Ignore the FPAs. The firewall is just reporting a failed packet. Look elsewhere for an issue. Could even be the source sending bad packets.
nordsec (Newbie, Posts: 3, Karma: 0)
Re: How to find the specific rule that is blocking some IP's?
« Reply #4 on: May 07, 2018, 12:05:31 am »
Okay. Thank you for quick and good replies!