Netgate Discussion Forum
    Firewall defaulting to "Default deny rule"

    Firewalling
    4 Posts 2 Posters 1.5k Views
    collisterm

      Hi,

      Something randomly occurred today. Running 1.23. Everything was working fine, I hadn't logged into the web interface for more than a week.

      Now the firewall is blocking all traffic from one IP (111.65.225.105.25), others are working fine. It's hitting the "Default deny rule" for all traffic:

      032665 rule 158/0(match): block in on em1: 111.65.225.105.25 > 208.75.123.193.39626: [|tcp]
      056940 rule 158/0(match): block in on em1: 111.65.225.105.80 > 85.118.193.145.4994: [|tcp]
      054671 rule 158/0(match): block in on em1: 111.65.225.105.80 > 85.118.193.145.48485: [|tcp]
      007487 rule 158/0(match): block in on em1: 111.65.225.105.80 > 132.234.107.59.4862: [|tcp]
      034468 rule 158/0(match): block in on em1: 111.65.225.105.80 > 203.97.101.10.50310: [|tcp]
      023962 rule 158/0(match): block in on em1: 111.65.225.105.80 > 203.97.101.10.50311: [|tcp]
      134041 rule 158/0(match): block in on em1: 111.65.225.105.80 > 75.61.119.45.62501: [|tcp]
      200011 rule 158/0(match): block in on em1: 111.65.225.105.80 > 203.79.97.58.50405: [|tcp]
      199965 rule 158/0(match): block in on em1: 111.65.225.105.80 > 111.65.227.47.53948: [|tcp]

      But for other IPs I have in that public subnet, traffic is flowing as usual. I've added an allow-everything rule, but it doesn't seem to make any difference. I've had to disable the "Default deny rule"s in the meantime.

      Any ideas?

      Thanks

      -Mark

    cmb

        That's almost certainly reply traffic since the source ports are a flip of common destination ports, probably SYN ACKs for which the firewall doesn't see the SYN. If the SYN doesn't traverse any firewall, the SYN ACK will be blocked because it's not legit traffic to a stateful firewall. How or why the SYN wouldn't be seen by the firewall is hard to say from the info there, would need more details on your setup. Generally it's because the server in question has a default gateway other than the firewall that takes the egress traffic some different route.

    collisterm
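The reasoning in the reply above (service port as source, ephemeral port as destination, therefore probably SYN-ACKs whose SYN the firewall never saw) can be turned into a check over the log. The following is an added example, not code from the thread or from pfSense: it parses pf filter-log lines in the format quoted in the first post, groups blocked flows by interface and source host, and flags hosts whose blocked traffic is almost entirely reply-shaped. The service-port list, the 80% threshold and the third, WAN-side sample line (a TEST-NET-2 address) are constructed assumptions; the first two sample lines are taken from the post.

```python
"""Classify pf "Default deny" log lines as probable reply traffic.

Added example, not code from the forum thread or from pfSense: it parses the
pf filter-log lines quoted in the post and flags entries whose source port is
a well-known service port while the destination port is ephemeral. Inbound
packets of that shape hitting a stateful firewall's default deny are usually
SYN-ACKs for connections whose SYN never crossed the firewall (asymmetric
routing), not attacks. Service-port list and threshold are assumptions.
"""
import re
from collections import Counter

# Matches the log format quoted in the thread:
#   <id> rule <n>/0(match): block in on <if>: <src>.<sport> > <dst>.<dport>: [|tcp]
LOG_RE = re.compile(
    r"^\s*(?P<id>\d+) rule (?P<rule>\d+)/\d+\(match\): "
    r"(?P<action>\w+) (?P<dir>in|out) on (?P<iface>\w+): "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):"
)

# Ports a server typically listens on (assumed list). A packet *from* one of
# these to an ephemeral port is most likely a response, not a client request.
SERVICE_PORTS = {22, 25, 53, 80, 110, 143, 443, 465, 587, 993, 995, 3389}
EPHEMERAL_MIN = 1024


def parse_line(line):
    """Return a dict of fields for one pf log line, or None if it doesn't match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    for k in ("id", "rule", "sport", "dport"):
        d[k] = int(d[k])
    return d


def looks_like_reply(entry):
    """Service port as source, ephemeral port as destination: reply-shaped."""
    return entry["sport"] in SERVICE_PORTS and entry["dport"] >= EPHEMERAL_MIN


def summarize(lines, reply_threshold=0.8):
    """Group blocked flows by (interface, source IP) and give each a verdict.

    A host whose blocked traffic is overwhelmingly reply-shaped is a suspect
    for asymmetric routing: its replies reach the firewall on a path the
    corresponding SYN never took. The interface in the key shows which side
    of the firewall those replies are arriving on.
    """
    per_host = {}
    for line in lines:
        e = parse_line(line)
        if e is None or e["action"] != "block":
            continue
        s = per_host.setdefault((e["iface"], e["src"]),
                                {"total": 0, "reply": 0, "sports": Counter()})
        s["total"] += 1
        s["sports"][e["sport"]] += 1
        if looks_like_reply(e):
            s["reply"] += 1

    findings = {}
    for key, s in per_host.items():
        ratio = s["reply"] / s["total"]
        findings[key] = {
            "total": s["total"],
            "reply_like": s["reply"],
            "source_ports": sorted(s["sports"]),
            "asymmetric_routing_suspect": ratio >= reply_threshold,
        }
    return findings


# Constructed sample: two of the lines from the post plus one ordinary inbound
# probe on the WAN interface (TEST-NET-2 source address) for contrast.
SAMPLE_LOG = """\
032665 rule 158/0(match): block in on em1: 111.65.225.105.25 > 208.75.123.193.39626: [|tcp]
056940 rule 158/0(match): block in on em1: 111.65.225.105.80 > 85.118.193.145.4994: [|tcp]
000001 rule 158/0(match): block in on em0: 198.51.100.7.51234 > 111.65.225.101.22: [|tcp]
"""

if __name__ == "__main__":
    for (iface, src), f in sorted(summarize(SAMPLE_LOG.splitlines()).items()):
        tag = "SUSPECT" if f["asymmetric_routing_suspect"] else "ok"
        print(f"{iface} {src}: {f['reply_like']}/{f['total']} reply-shaped, "
              f"source ports {f['source_ports']} -> {tag}")
```

The interface in the grouping key matters as much as the port pattern: replies from a server's port 80 showing up as inbound blocks on the LAN-side interface, addressed to public clients, mean the server is forwarding its responses to the firewall's LAN address while the requests entered some other way, which is exactly the default-gateway mismatch the reply describes. A genuine inbound probe on the WAN interface (high source port, service destination port) is scored as an ordinary default-deny block.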

          Thanks for the reply, my networking/tcpip isn't all that good but I think I follow. That traffic is indeed going out a default gateway which isn't the pfsense server.

          I was a bit suspicious about the fact that interface em1 is on the local network 192.168.6.1, and my WAN interface is em0 (111.65.225.101). The pfSense server is running on VMware ESXi, each interface on a virtual switch.

          Could the fact that the traffic isn't coming in on em0 (111.65.225.101) be causing the block to occur?

    collisterm

            Hi

            There was a routing misconfiguration on the server which was being blocked: it had 2 default routes set and for some reason today it decided to start sending traffic down the default route bound to the LAN interface, as far as I can tell. Anyway, there is now one correct default gw and I'm looking good.

            Thanks again

            -Mark

            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.