Some traffic blocked with explicit port forward
-
I'm trying to determine the source of some unexpected behaviour regarding port forwarding and traffic being logged as blocked by the firewall. I had set up an alias combining several ports to forward to my internal server, but I continued to see those ports show up in my firewall as being blocked by the default rule, though some connections are still being made to the internal server. I took the following steps to try to resolve the issue:
- I turned off logging of traffic blocked by the default rule after reading that some traffic listed as blocked by that rule are redundant packets
- I created a new rule to reject all traffic and placed it last in the rules list
- I deleted the rules which used the alias and explicitly forwarded each port
I'm still seeing traffic logged with my custom rule
@114 block return in log quick on em0 reply-to (em0 x.x.x.x) inet all label "USER_RULE: Default Reject Rule"
however, not all traffic is being blocked, as my server still seems to be accepting connections.
Any ideas?
-
Post the rules and then maybe we might..
-
Port forward:

| If | Proto | Src. addr | Src. ports | Dest. addr | Dest. ports | NAT IP | NAT Ports | Description |
|---|---|---|---|---|---|---|---|---|
| WAN | TCP | * | * | WAN address | 8321 | x.x.x.x | 8321 | |

Rules

WAN

| Proto | Source | Port | Destination | Port | Gateway | Queue | Schedule | Description |
|---|---|---|---|---|---|---|---|---|
| IPv4 TCP | * | * | x.x.x.x | 8321 | * | none | | NAT |
| IPv4 * | * | * | * | * | * | none | | Default Reject Rule |

Server's VLAN

| Proto | Source | Port | Destination | Port | Gateway | Queue | Schedule |
|---|---|---|---|---|---|---|---|
| IPv4* | VLAN248 net | * | ! Private_Networks | * | * | none | |

No other block rules are in place, and my server has connections established on 8321. I'm just confused as to why some packets are getting blocked and are apparently not being forwarded. It also seems like several in a row from the same source IP will be blocked, as opposed to a random selection of packets, but I have nothing in place to block any specific addresses.
edited for formatting
-
I thought there were more rules than this, so it's possible other rules are doing something; without your full rule list it's hard to say. That looks normal for a forward, yes.
And what traffic is being blocked - are they SYN packets for new connections to that port? It's quite normal to see blocked packets in a stateful firewall even to ports you're forwarding.. Depending on the STATE of the session.
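A small triage helper, added here and not part of the thread: it parses pfSense filterlog lines (the CSV layout of pfSense 2.2 and later is assumed) and separates blocked bare SYNs, which are genuinely refused new connections, from blocked ACK/FIN packets that belong to sessions the firewall no longer tracks, which is the check the reply above asks for. The log lines are constructed samples; rule 114, em0 and port 8321 are taken from the thread.

```python
import csv
from collections import Counter

# Constructed sample lines (not from the thread) in the filterlog CSV layout
# assumed here: 9 common fields, 11 IPv4 fields, then the TCP/UDP fields
# (source port, destination port, data length, TCP flags, ...).
SAMPLE_LOG = """\
114,,,1000000114,em0,match,block,in,4,0x0,,51,2001,0,DF,6,tcp,60,203.0.113.5,198.51.100.1,51234,8321,0,S,1,,65535,,mss
114,,,1000000114,em0,match,block,in,4,0x0,,51,2002,0,DF,6,tcp,52,203.0.113.5,198.51.100.1,51234,8321,0,A,2,3,65535,,
114,,,1000000114,em0,match,block,in,4,0x0,,51,2003,0,DF,6,tcp,52,203.0.113.5,198.51.100.1,51234,8321,0,FA,4,5,65535,,
114,,,1000000114,em0,match,block,in,4,0x0,,118,3001,0,none,6,tcp,60,192.0.2.9,198.51.100.1,40000,8321,0,S,6,,64240,,mss
114,,,1000000114,em0,match,block,in,4,0x0,,118,3002,0,none,17,udp,78,192.0.2.9,198.51.100.1,40001,8321,50
"""

def parse_filterlog(line):
    """Parse one IPv4 filterlog line into a dict; None if not IPv4 or too short."""
    f = next(csv.reader([line]))
    if len(f) < 20 or f[8] != "4":
        return None
    rec = {"rule": f[0], "iface": f[4], "action": f[6], "dir": f[7],
           "proto": f[16], "src": f[18], "dst": f[19]}
    if rec["proto"] in ("tcp", "udp") and len(f) > 21:
        rec["sport"], rec["dport"] = f[20], f[21]
    rec["flags"] = f[23] if rec["proto"] == "tcp" and len(f) > 23 else ""
    return rec

def classify(rec):
    """A blocked bare SYN is a refused new connection; a blocked ACK/FIN/RST
    belongs to a session pf no longer has state for (normal stateful noise)."""
    if rec["proto"] != "tcp":
        return "non-tcp"
    if "S" in rec["flags"] and "A" not in rec["flags"]:
        return "refused-syn"
    return "out-of-state"

def summarize(log_text):
    """Count blocked packets per (source, destination port, kind) for triage."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_filterlog(line)
        if rec and rec["action"] == "block":
            counts[(rec["src"], rec.get("dport", ""), classify(rec))] += 1
    return counts

if __name__ == "__main__":
    for (src, dport, kind), n in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{src:>15} -> :{dport:<5} {kind:<13} {n}")
```

Feed it the CSV portion of real filterlog entries (after the `filterlog:` prefix); a run of "out-of-state" hits from one source with none tagged "refused-syn" means the forward is working and the blocks are stale-session packets.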