Why would "Default deny" rule block these (while similar traffic is passed)
-
Hi,
I noticed something strange in my logs. 10.0.0.20 (my smartphone) was being blocked from accessing a resource on my LAN at 10.0.0.40. The resource is a media player that I interact with all day long, and also now as I write, and I have pinged it successfully from my smartphone. I don't know what the blocked traffic was, but that it was blocked perplexes me, as well as that only some traffic between 10.0.0.20 and 10.0.0.40 was blocked?
Around the same time I noticed my smartphone was also being blocked from accessing an external IMAP server. But when I try to fetch mail, I receive new mail from that server to my smartphone.
Again, perplexed!
(apparently 10.0.0.200 on my LAN as well as some third external site at 52.85.....)
FWIW, I recently bridged LAN and OPT1 (which is a wireless AP for my smartphone), but I have not "made the bridge into the new LAN".
I don't know enough about pfsense to cry "bug!", but what could be going on here?
-
@pastic those are out of state, see the FPA and FA
-
@johnpoz
Thanks.
So, if I understand correctly, they are kind of left-overs from delayed communications, without detrimental effect because most likely new attempts were made and succeeded, so the out-of-state packages became just "noise"? Is that a fair rendering of the situation?
-
@pastic yeah phones can be horrible at it. They can also point to asymmetrical traffic - but I don't see any SA (syn,ack) which would point more to asymmetrical.
If you see a lot of them, and it bugs you to see them in the logs, you can always set up a rule to only log SYN blocks, and not log the out-of-state stuff, by disabling the default logging and then creating a block rule that logs, but only if it's SYN and blocked.
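-
Added example, not part of the thread and not pfSense code: a small triage script that sorts blocked TCP entries by their flags the way the replies above read them (FA/FPA as out-of-state noise, a bare SYN as a real rule block, SYN+ACK as a hint of asymmetric routing). The `(source, destination, flags)` tuples are constructed sample data in a simplified form, not the raw filter log format, and 203.0.113.25 is a placeholder for the external IMAP server.

```python
from collections import Counter

# Constructed sample entries: (source, destination, TCP flags as the log shows
# them, e.g. "TCP:FPA" -> "FPA"). Simplified on purpose; not the raw log format.
SAMPLE_BLOCKS = [
    ("10.0.0.20", "10.0.0.40", "FPA"),
    ("10.0.0.20", "10.0.0.40", "FA"),
    ("10.0.0.20", "203.0.113.25", "FA"),  # placeholder external address
    ("10.0.0.20", "10.0.0.40", "S"),
    ("10.0.0.40", "10.0.0.20", "SA"),
    ("10.0.0.20", "10.0.0.200", "R"),
]


def classify(flags):
    """Map the flags of a blocked TCP packet to the likely reason for the block."""
    f = set(flags.upper())
    if "S" in f and "A" not in f:
        return "new-connection"       # bare SYN: a rule denied a new connection
    if "S" in f and "A" in f:
        return "possible-asymmetric"  # SYN+ACK without state: the SYN went another way
    return "out-of-state"             # FA, FPA, A, R: the state was already gone


def summarize(entries):
    """Count blocked packets per (source, destination, reason)."""
    counts = Counter()
    for src, dst, flags in entries:
        counts[(src, dst, classify(flags))] += 1
    return counts


def worth_investigating(entries):
    """Host pairs with at least one block that is not plain out-of-state noise."""
    return sorted({(s, d) for s, d, fl in entries if classify(fl) != "out-of-state"})


if __name__ == "__main__":
    for (src, dst, reason), n in sorted(summarize(SAMPLE_BLOCKS).items()):
        print(f"{src} -> {dst}: {reason} x{n}")
    print("look closer at:", worth_investigating(SAMPLE_BLOCKS))
```
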