API calls blocked by pfsense 2.2.1
-
I went into the log and searched for the IPs of a couple of the APIs.
Attached is our rule info and what the log looks like. I do not understand why this traffic is being blocked.
-
Click on the red X and find out what blocked it.
-
Ok. Here is what it told me:
_JavaScript: The rule that triggered this action is:
@5(1000000103) block drop in log inet all label "Default deny rule IPv4"_
I have searched for this and found a couple of things that said to turn on "bypass firewall rules for traffic on the same interface". Unfortunately that did not work either.
Any other ideas?
-
This is a bridge? You are filtering on the bridge, or on the interfaces? Try an allow all rule with log and watch how the traffic flows…
-
Yes it is a transparent bridge (followed the documentation for setup). The filtering rules are on the WAN rule tab. The OPT1 tab has a pass all rule. Adding a pass all rule to the WAN does not resolve the issue.
-
> Ok. Here is what it told me:
> _JavaScript: The rule that triggered this action is:
> @5(1000000103) block drop in log inet all label "Default deny rule IPv4"_
> Any other ideas?

No, not really, looks mostly like out-of-state traffic anyway. Do some traffic capture of the Java-produced garbage, perhaps…
-
Here are the non WAN rules and the stuff I changed for the bridge. Does this look correct?
-
pfil_bridge should be 0, pfil_member 1. Assuming bridge0 isn't assigned, which it didn't appear to be.
-
I changed pfil_bridge to 0.
pfil_member was already on 1.
I saved the change and re-enabled pf.
It did not solve the issue.
-
You didn't show the WAN rules. You put a pass any any any there and it didn't fix the issue? If so, put a floating any any any in and log that.
-
I added a floating rule to pass any as you suggested. I re-enabled packet filtering and tested the APIs. They worked. I hit my IP range with nmap and it shows that pfSense has only the correct ports open, so it appears this solved the issue.
First of all, thank you very much for the suggestion.
Second, can someone explain why I needed this floating pass-all rule to make the APIs work?
Does having this floating any rule open up any security risks?
Thanks
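As an added diagnostic, not code from the thread or from the pfSense project: a short POSIX shell script that packages the two checks the replies above suggest. The first verifies the sysctl values given as the bridge setting (pfil_bridge 0, pfil_member 1) from `sysctl net.link.bridge` output; the second tallies pflog entries by rule number, action, direction and interface, which is the "log it and watch how the traffic flows" step made countable. The interface column matters for the last question in the thread: a rule on the WAN or OPT1 tab only applies to packets pf sees on that interface, while a floating rule carries no interface restriction, so a block logged by rule @5 (the "Default deny rule IPv4", id 1000000103) on an interface that has no tab of its own can only be answered by a floating rule. The sysctl lines and pflog lines in the script are constructed samples, not captures from the poster's firewall, and the pflog line layout (`rule N/0(match): block in on IFACE:`) is the `tcpdump -n -e -ttt -i pflog0` format as I know it, which is an assumption about your tcpdump version.

```shell
#!/bin/sh
# Added example for the thread above; not code from the poster or from pfSense.
# Two checks for a transparent-bridge pfSense box, each reading from stdin so
# they can be fed real command output on the firewall or constructed text here.
#
# Real usage on the firewall (FreeBSD sysctl and pflog formats assumed):
#   sysctl net.link.bridge | check_bridge_pfil
#   tcpdump -n -e -ttt -i pflog0 -c 200 | summarize_pflog

# Check 1: the sysctl values the thread settles on (pfil_bridge=0, pfil_member=1),
# i.e. filter on the member interfaces (WAN/OPT1) rather than on bridge0.
# Prints a verdict; exit status 0 when both values are as expected, 1 otherwise.
check_bridge_pfil() {
  awk -F': *' '
    $1 == "net.link.bridge.pfil_bridge" { bridge = $2 }
    $1 == "net.link.bridge.pfil_member" { member = $2 }
    END {
      ok = 1
      if (bridge != "0") { print "pfil_bridge=" bridge ", expected 0"; ok = 0 }
      if (member != "1") { print "pfil_member=" member ", expected 1"; ok = 0 }
      if (ok) print "bridge pfil sysctls OK (pfil_bridge=0, pfil_member=1)"
      exit (ok ? 0 : 1)
    }'
}

# Check 2: tally pflog lines as "<count> <rule#> <action> <dir> <iface>",
# most frequent first. The interface column is the point: a rule on the WAN
# tab can only match packets pf sees on the WAN interface, so a block logged
# "on bridge0" cannot be answered by a WAN or OPT1 rule, only by a floating one.
summarize_pflog() {
  awk '
    $2 == "rule" {
      split($3, r, "/")                 # "5/0(match):" -> rule number 5
      iface = $7; sub(/:$/, "", iface)  # "em0:" -> em0
      n[r[1] " " $4 " " $5 " " iface]++
    }
    END { for (k in n) print n[k], k }' | sort -rn
}

# Constructed sample inputs (not captured from the poster's firewall).
SAMPLE_SYSCTL_GOOD='net.link.bridge.pfil_bridge: 0
net.link.bridge.pfil_member: 1'
SAMPLE_SYSCTL_BAD='net.link.bridge.pfil_bridge: 1
net.link.bridge.pfil_member: 1'
# Rule 5 is the "Default deny rule IPv4" from the thread; rule 2 stands in for
# a logged floating pass-any rule. Addresses are from documentation ranges.
SAMPLE_PFLOG='00:00:00.000000 rule 5/0(match): block in on em0: 203.0.113.10.443 > 192.0.2.20.51234: Flags [.], ack 1, win 500, length 0
00:00:00.000120 rule 5/0(match): block in on em0: 203.0.113.10.443 > 192.0.2.20.51234: Flags [P.], seq 1:200, ack 1, win 500, length 199
00:00:00.000300 rule 5/0(match): block in on em0: 203.0.113.11.443 > 192.0.2.20.51240: Flags [.], ack 1, win 500, length 0
00:00:00.000410 rule 2/0(match): pass in on em1: 192.0.2.20.51250 > 203.0.113.10.443: Flags [S], seq 10, win 65535, length 0
00:00:00.000550 rule 2/0(match): pass in on em1: 192.0.2.20.51251 > 203.0.113.11.443: Flags [S], seq 11, win 65535, length 0
00:00:00.000700 rule 5/0(match): block in on bridge0: 203.0.113.12.443 > 192.0.2.20.51260: Flags [S.], seq 0, ack 1, win 500, length 0'
```

Run against the constructed samples, `check_bridge_pfil` accepts the first sysctl set and rejects the second, and `summarize_pflog` reports three rule-5 blocks on em0, two rule-2 passes on em1 and one rule-5 block on bridge0. On a real box the tally is worth re-running after narrowing the floating pass-any rule (direction, interface and the quick flag it was created with all change what it matches) to confirm the API traffic is still being passed by the rule you intend and nothing else is.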