Firewall rule is ignored ?!
-
Hi all,
I'm completely baffled.. I have a rule that allows X to a list of 7 IPs for a list of ports.
This rule works for some IPs in the list, but one is still blocked. I see in the log (attached) that it's the last rule (block all) that matches and blocks this traffic...
My rule is :
Allow From "HOST X" Port * To "ListIP" Port "ListPort"
Of course I checked my IP list and my port list several times and everything looks OK!
Have you ever seen this ?
In the log you can see: 195.48.52.131 allowed, 195.48.52.130 blocked ... (ports 8443 and 7787)
-
@thibaut-frantz said in Firewall rule is ignored ?!:
Allow From "HOST X" Port * To "ListIP" Port "ListPort"
Show the rule.
From what you've written here, it seems that the source device, HOST X, also indicates a source port.
That's a fail, most of the time, as source ports are mostly random.
The result will be: the rule doesn't match, or, as you call it, ignored (as you don't want it to match).
-
@thibaut-frantz said in Firewall rule is ignored ?!:
Of course I check several time my IP List and my Port List and everything looks OK !
So you looked in your table and the IPs and ports are listed?
Example: normally you can just pop up the rule to list what's in a table. Diagnostics doesn't show port lists, only IP tables.
What is your full list of rules? It's possible a different rule is preventing that IP/port combo.
If you set your firewall settings to show the rule that was used, it's easier to spot.
What is your full ruleset? Do you have rules on the floating tab?
-
Hi,
Yes, the IP is listed:
And the port too:
I don't have any rules before it that can match.
And I see in the log that it is the last rule that matches, with the block (on my log screenshot).
-
@thibaut-frantz
Proceed with these steps:
When you remove the destination port list, and select 'any', does it pass?
When you remove the destination IP list, thus using 'any', does it pass?
I tried putting "any" in the destination and keeping the port list. It works.
Afterwards, I rolled back and replaced any with my IP list alias, and now ... it works again.
So my problem is now SOLVED, but I haven't changed anything ...
Thanks all for your help !!
Have a nice day !
-
@thibaut-frantz Possibly there was an error loading the ruleset? Next time see https://docs.netgate.com/pfsense/en/latest/troubleshooting/firewall.html#new-rules-are-not-applied
"Second, the ruleset may not be reloading properly. Check Status > Filter Reload to see if an error is displayed. Click the Reload Filter button on that page to force a new filter reload."
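As an added example (not part of the thread, and not Netgate's or pfSense's own tooling), the same three checks the replies above ask for can be done from the pfSense shell instead of the GUI: is the IP really a member of the loaded pf table that the alias became, did the port alias expand into the loaded ruleset, and does any loaded rule reference the table at all. It assumes the alias names ListIP and ListPort from the original rule, that pfctl is available as on pfSense/FreeBSD, and it falls back to a constructed sample of pfctl output when run off the firewall.

```shell
#!/bin/sh
# Added example, not from the thread: sanity-check an alias-based pfSense rule
# against what pf actually has loaded, rather than what the GUI shows.
# Assumptions: alias names ListIP (host alias -> pf table) and ListPort (port
# alias -> expanded inline into the rules), pfctl present as on pfSense.

# Is IP a literal member of a table listing (output of "pfctl -t NAME -T show")?
# CIDR members are not expanded here; on the box, "pfctl -t NAME -T test IP"
# gives the authoritative answer including network entries.
ip_in_table() {  # $1 = table listing, $2 = IP
    printf '%s\n' "$1" | sed 's/^[[:space:]]*//' | grep -qxF "$2"
}

# Print the loaded rules (output of "pfctl -sr") carrying this destination port.
# pf turns a port list into one rule per port, so a port alias that loaded
# correctly appears as separate "port = N" lines.
rules_for_port() {  # $1 = rule listing, $2 = port
    printf '%s\n' "$1" | grep -E "port = $2( |$)"
}

# How many loaded rules reference the table at all (zero means the alias never
# made it into the ruleset, e.g. a failed filter reload).
rules_for_table() {  # $1 = rule listing, $2 = table name
    printf '%s\n' "$1" | grep -c "<$2>"
}

if command -v pfctl >/dev/null 2>&1; then
    # Live checks on the firewall itself.
    TABLE_LISTING=$(pfctl -t ListIP -T show)
    RULE_LISTING=$(pfctl -sr)
else
    # Constructed sample of pfctl output, so the checks can be tried off the box.
    TABLE_LISTING='   195.48.52.131
   195.48.52.130'
    RULE_LISTING='pass in quick on em0 inet proto tcp from 10.0.0.5 to <ListIP> port = 8443 flags S/SA keep state
pass in quick on em0 inet proto tcp from 10.0.0.5 to <ListIP> port = 7787 flags S/SA keep state
block drop in log all label "Default deny rule IPv4"'
fi

for ip in 195.48.52.131 195.48.52.130; do
    if ip_in_table "$TABLE_LISTING" "$ip"; then
        echo "ok: $ip is in <ListIP>"
    else
        echo "MISSING: $ip is not in <ListIP> (alias edited but ruleset not reloaded?)"
    fi
done
for port in 8443 7787; do
    if rules_for_port "$RULE_LISTING" "$port" >/dev/null; then
        echo "ok: a loaded rule allows destination port $port"
    else
        echo "MISSING: no loaded rule for destination port $port"
    fi
done
echo "loaded rules referencing <ListIP>: $(rules_for_table "$RULE_LISTING" ListIP)"
```

If the table is missing a member or the port count is short while the GUI shows the alias as correct, the loaded ruleset and the configured one have diverged, which is exactly the "ruleset not reloading" case in the quoted doc; forcing a reload from Status > Filter Reload and re-running the checks tells you whether that was it.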