State type setting in firewall rule doesn't work?
-
Hi
I'm interested in allowing a specific rule to pass through partial TCP traffic (for example a lonely TCP:SA packet) instead of blocking it with the default deny rule.
In other words, I want the rule in pfsense to ignore the state of the TCP connections and just pass through the data, no matter which TCP flags are set.
As far as I can tell, this should be possible by setting "State Type=none" in the rule, but it doesn't work… have I misunderstood how this functionality is supposed to work?
With the State Type set to none, I still receive the following message in the logs:
@1 scrub in on em2 all fragment reassemble @1 block drop in all label "Default deny rule"
The same rule does allow the correctly established TCP connections between the same source/destination host.
-
By default, all packets are dropped. If you want to pass that kind of traffic, you are going to have to create a rule to do so. If you look at the advanced options, there is a TCP flags section. You can pass based on what flags are set or not set.
This seems like it would create a giant hole in security, why are you wanting to pass that type of traffic?
-
pass out rules will keep state as well, you'll also need no state floating pass out quick rule if you really want to do that.
-
Thank you for this useful tip cmb !
We had a similar problem: our WAN interface is on the same subnet as our public network, where some servers lie. While trying to configure pfSense, we were able to reach them from our private networks, but not from the outside world. In fact, we were facing asymmetric routing, with our ISP router placed in the same subnet as our public subnet. So the packets coming from outside were routed by our ISP router directly to our servers (thanks to layer 2) without being processed by pfSense. Then, when the server replied, pfSense dropped the packets because it didn't see the initiation of the connection.
We applied your tip and it seems to fit all our needs. I just didn't check the "Quick" box.
Are there any security considerations to keep in mind with this configuration? I tried to be a bit restrictive when writing the rule, allowing only one subnet to pass through it.
Thanks.
-
Blakkheim.GW, perhaps a routed solution would work better for that situation. Otherwise, you are going to have to go to a NATed solution or a bridge setup so as to prevent unwanted connections to the servers you mentioned. Inbound traffic is going to bypass the firewall completely. How is the firewall getting any returning traffic? Do you have the pfSense firewall as the default gateway on the servers?
-
Thanks for your answer.
Yes, pfSense will be the default gateway of all our servers. If we want them to access our private networks, we have no choice about that.
The incoming connections to our public servers you are talking about are not really an issue as our campus ISP is filtering a little bit (in the current situation, we have no filter at all on these servers, except the campus ISP minimum one).
I actually don't see any other solution for my problem than the floating rule one. I will continue to test it, but it seems some communication errors appear when it's enabled.
-
Just in case it can help someone facing asymmetric routing problems like we do, I'll share our experience.
The tip given by "cmb" was the good one. We applied it but we didn't check the "Quick" checkbox, and it worked fine in our test platform some months ago. But when we went to production, a week ago, we were facing a lot of problems with unstable TCP sessions; for example, we couldn't send emails with attachments but simple emails were OK.
After days of struggling, checking the Quick box solved all these problems. But due to the security hole it implies, if we want to have more restrictive rules for the concerned interface, we have to put them in the floating rules tab too and place them before the "anti-asymmetric routing" rule.
Hope it can help someone ;)
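The following pf.conf fragment is an added illustration of cmb's tip and of the "quick" plus rule-ordering point made in the post above; it is not configuration from the thread or from the pfSense project. The interface name em1 and the subnet 203.0.113.0/24 are assumptions, and the pfSense GUI writes the equivalent of these lines itself (the "State Type = none" setting maps to pf's "no state").

```pf
# Added example, not from the thread. Assumed layout: em1 is the interface that
# shares a subnet with the public servers (203.0.113.0/24, assumed) and is also
# the servers' default gateway, so pfSense sees only their replies, which enter
# on em1 and leave again on em1.
public_net = "203.0.113.0/24"

# 1. What an ordinary stateful pfSense rule compiles to. For TCP it matches only
#    the initial SYN (flags S/SA) and creates state. A server's SYN/ACK reply to
#    a connection pfSense never saw has ACK set, so it matches neither this rule
#    nor any state entry and falls through to the default deny, which is the
#    'block drop in all label "Default deny rule"' line quoted in the thread.
pass in on em1 proto tcp from $public_net to any flags S/SA keep state

# 2. pf normally applies the LAST matching rule; "quick" makes the FIRST match
#    final. Once the stateless pass below is quick, any restriction for the same
#    traffic must be quick as well and must be listed before it, otherwise it is
#    never reached. Illustrative restriction (host address is assumed):
block in quick on em1 proto tcp from 203.0.113.9 to any

# 3. cmb's tip as rules: stateless pass in BOTH directions, quick, limited to
#    the one subnet that needs it, and not pinned to any TCP flag combination
#    ("flags any") so that lone SYN/ACK or ACK segments are accepted.
pass in  quick on em1 proto tcp from $public_net to any flags any no state
pass out quick on em1 proto tcp from $public_net to any flags any no state
```

On a pf host the fragment can be syntax-checked with `pfctl -nf <file>` before loading it; in pfSense the same settings are entered in the Floating Rules tab rather than in pf.conf.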
-
Can I set the NAT "state type" to "none"? Would this affect "disable your SPI" for whichever VoIP providers have pfSense NAT/rules?