    Arrow in firewall log, why?

    • O
      Operations
      last edited by Operations

      Why is the arrow (direction out) there? I have not seen this before. That is probably my bad.

      1000217003.jpg

      172 is a vlan and 192 is my default LAN.

      I want to keep a forum clean and easy to search. So for this new question I created a new topic. (This is for johnpoz)

      • D
        darcey @Operations
        last edited by

        @Operations I am guessing it's a floating rule and, judging by the src IP, possibly leaked docker packets?

        • O
          Operations @darcey
          last edited by Operations

          @darcey said in Arrow in firewall log, why?:

          @Operations I am guessing it's a floating rule and, judging by the src IP, possibly leaked docker packets?

          You could be right. 172.16.20.245 is my docker server.

          And I do have floating rules for ICMP:

          1000217010.jpg

          What are leaked packets and why would docker ping (icmp) my synology (192.168.222.90)?

          • D
            darcey @Operations
            last edited by darcey

            @Operations By docker leaked IPs, I was referring to a docker container IP rather than docker host. I was guessing you had a docker server running on a LAN host. These packets are not supposed to leave the docker host. It may not be that but, if it is, this is the issue.
            I do not know why a docker (host or container) is pinging your NAS. Perhaps some monitoring app in a container? Then again it could be something altogether different. It's not clear how the other VLAN that you mention is involved.

            • O
              Operations @darcey
              last edited by

              @darcey said in Arrow in firewall log, why?:

              @Operations By docker leaked IPs, I was referring to a docker container IP rather than docker host. I was guessing you had a docker server running on a LAN host. These packets are not supposed to leave the docker host. It may not be that but, if it is, this is the issue.
              I do not know why a docker (host or container) is pinging your NAS. Perhaps some monitoring app in a container? Then again it could be something altogether different. It's not clear how the other VLAN that you mention is involved.

              Should I not have my float rules like this?

              • D
                darcey @Operations
                last edited by

                @Operations The rule is not the issue. It's what's generating packets with a src IP 172.x.x.x on a 192.168.x.x network. You should determine why. You may have a misconfigured host on that network or, more likely IME, a docker server leaking unmasqueraded packets.
                Docker is supposed to NAT the traffic leaving containers but it seems some packets slip through. If it is coming from a docker machine/vm, see the link I posted.

                • O
                  Operations @darcey
                  last edited by

                  @darcey said in Arrow in firewall log, why?:

                  @Operations The rule is not the issue. It's what's generating packets with a src IP 172.x.x.x on a 192.168.x.x network. You should determine why. You may have a misconfigured host on that network or, more likely IME, a docker server leaking unmasqueraded packets.
                  Docker is supposed to NAT the traffic leaving containers but it seems some packets slip through. If it is coming from a docker machine/vm, see the link I posted.

                  I checked that link. It seems to be a 4 year old problem. Still without a solution?

                  So if that is my problem, what should I do? Just leave it?

                  I get the rules are not the problem, it was more a separate question 😀

                  • D
                    darcey @Operations
                    last edited by

                    @Operations If this is the problem, and you may be jumping the gun here, you can drop the packets on the docker host.

                    • O
                      Operations @darcey
                      last edited by

                      @darcey said in Arrow in firewall log, why?:

                      @Operations If this is the problem, and you may be jumping the gun here, you can drop the packets on the docker host.

                      How do I do that? Dropping the packets on the docker host? Maybe jumping the gun, I get that, but not sure how to go from here.

                        • D
                          darcey @Operations
                          last edited by darcey

                          @Operations Sorry, I am leading you down the wrong path here. The firewall log is matching on 'out', which is traffic going on to the LAN. Therefore the src IP is not indicative of anything problematic.
                          Apologies. I think the only question remaining for you is, why docker is pinging your NAS.

                          • O
                            Operations @darcey
                            last edited by

                            @darcey said in Arrow in firewall log, why?:

                            @Operations Sorry, I am leading you down the wrong path here. The firewall log is matching on 'out', which is traffic going on to the LAN. Therefore the src IP is not indicative of anything problematic.
                            Apologies. I think the only question remaining for you is, why docker is pinging your NAS.

                            I created a whole reply while you deleted your post so I couldn't submit it hahaha

                            So basically the arrow in the log is because it is a floating rule? So no issues there and normal behaviour?

                            Docker server is pinging my synology because of Kuma Uptime docker.

                            • D
                              darcey @Operations
                              last edited by darcey

                              @Operations said in Arrow in firewall log, why?:

                              I created a whole reply while you deleted your post so I couldn't submit it hahaha

                              So basically the arrow in the log is because it is a floating rule? So no issues there and normal behaviour?

                              Docker server is pinging my synology because of Kuma Uptime docker.

                              Sorry about that. I missed the crux of your question and got triggered!
                              Yes, the arrow is indicating your floating permit rule matched in the out direction, i.e. traffic leaving the firewall on the 'LAN' interface, and that seems to be in line with your rule definition.
                              If your monitoring app is on a different network segment to the target, then you of course need rule(s), somewhere, that will permit that traffic. Whether a floating rule is the appropriate location for that is a matter of personal preference.
                              Regarding explicit echo reply permission in rules, I have found it unnecessary. The pf firewall seems to permit the reply back in without it. But that might not be the case with two-way floating rules.

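The point the thread ends on (a source address from another subnet is normal on an 'out' match but not on an 'in' match) can be checked mechanically over firewall log lines. This is an added example, not part of the thread: it assumes the pfSense raw filterlog CSV field order, and the interface names, /24 masks and log lines are constructed for illustration.

```python
import ipaddress

# Assumed interface-to-subnet map; interface names and /24 masks are hypothetical.
IFACE_NETS = {
    "igb1": ipaddress.ip_network("192.168.222.0/24"),    # default LAN
    "igb1.20": ipaddress.ip_network("172.16.20.0/24"),   # VLAN with the docker server
}

# Constructed sample entries in the assumed raw filterlog CSV layout (IPv4, ICMP).
SAMPLE_LOG = [
    # floating pass rule matched 'out' on LAN: routed ping towards the NAS
    "5,,,1000000101,igb1,match,pass,out,4,0x0,,63,4242,0,DF,1,icmp,84,172.16.20.245,192.168.222.90,request,7,1",
    # the same ping as it entered the firewall on the VLAN interface
    "5,,,1000000101,igb1.20,match,pass,in,4,0x0,,64,4242,0,DF,1,icmp,84,172.16.20.245,192.168.222.90,request,7,1",
    # a container-range source arriving from the LAN segment itself
    "9,,,1000000102,igb1,match,block,in,4,0x0,,64,4243,0,DF,1,icmp,84,172.17.0.2,192.168.222.90,request,8,1",
]

def parse(line):
    """Extract the fields needed for the direction check from one IPv4 entry."""
    f = line.split(",")
    if len(f) < 20 or f[8] != "4":
        raise ValueError("not an IPv4 filterlog entry")
    return {
        "iface": f[4], "action": f[6], "direction": f[7],
        "src": ipaddress.ip_address(f[18]),
        "dst": ipaddress.ip_address(f[19]),
    }

def classify(entry, nets=IFACE_NETS):
    """Decide whether the source address is plausible for the logged direction."""
    net = nets[entry["iface"]]
    if entry["direction"] == "out":
        # Leaving the firewall onto this segment: the source may be any routed
        # network; only the destination is expected to be local.
        return "routed-out" if entry["dst"] in net else "out-dst-offnet"
    # Arriving from this segment: the source should belong to it.
    return "local-in" if entry["src"] in net else "foreign-src-in"

def review(lines):
    """Return (interface, direction, source, verdict) for each log line."""
    out = []
    for line in lines:
        e = parse(line)
        out.append((e["iface"], e["direction"], str(e["src"]), classify(e)))
    return out

if __name__ == "__main__":
    for row in review(SAMPLE_LOG):
        print(*row)
```

Only the `foreign-src-in` verdict corresponds to the leaked or misconfigured-host case raised early in the thread; the logged LAN 'out' entry is ordinary routed traffic.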