Netgate Discussion Forum

    Always getting big red X on connections that are in passlist

    • battles

      I am not sure what is going on with this.  As you can see in the 2nd pic, there is what seems to be a block of the two addresses.  In the 1st pic, you can see that both those addresses are in a passlist.  Why is the red X alongside the IPs that are in the passlist?  (Snort also is pointing to the passlist.)

      pic2.png
      pic1.png

      pfSense 2.3.4-RELEASE-p1 (i386)
      FreeBSD 10.3-RELEASE-p19
      pfBlockerNG 2.1.2_1
      Snort Security 3.2.9.5_3
      Intel(R) Atom(TM) CPU N270 @ 1.60GHz

      • johnpoz LAYER 8 Global Moderator

        So was that a SYN that was blocked or out of state?  You're not showing your full log, nor are you showing your WAN rules?  You have a port forward to 49339?  And 9689??

        9689 EMC2 (Legato) Networker or Sun Solstice Backup (Official)

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.7.2, 24.11

        • battles

          Not real knowledgeable about what is needed here.

          pic4.png
          pic3.png

          • KOM

            https://doc.pfsense.org/index.php/Why_do_my_logs_show_%22blocked%22_for_traffic_from_a_legitimate_connection

            • battles

              Thanks KOM.  That has to be the answer and it is nicely explained.  As it said, my connections were going through, so I couldn't understand the X block indicator.  The connections are going to 2 of my own servers and they both do send FIN packets.

              • johnpoz LAYER 8 Global Moderator

                If pfSense closes the session seeing a FIN from your server to the remote client, then sure the response FIN,ACK could be blocked and logged.

                One way to get rid of such noise would be to just log SYN packets.  I turn off default logging and enable a block rule that only blocks SYN packets for my log.  So I log attempts to ports that are not open; for example, say something hits 3389, then sure that is logged.  But other sorts of noise like FA packets are not logged.

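The distinction discussed in the thread (a blocked SYN is a connection attempt, a blocked FA is leftover traffic from a session the firewall has already closed) can also be applied to an existing log after the fact. The following is an added example, not code from the thread or from pfSense: a Python triage of blocked TCP entries by flags. It assumes the comma-separated raw filterlog payload for IPv4/TCP (syslog prefix already stripped) with the field positions noted in the comments; the sample lines are constructed and use documentation addresses.

```python
from collections import Counter

# Constructed sample: raw filterlog CSV payloads (IPv4), documentation addresses.
# Ports 49339, 9689 and 3389 are the ones mentioned in the thread.
SAMPLE_LOG = """\
5,,,1000000103,em0,match,block,in,4,0x0,,52,1201,0,DF,6,tcp,52,198.51.100.7,203.0.113.10,51514,49339,0,FA,3141592,2718281,229,,
5,,,1000000103,em0,match,block,in,4,0x0,,52,1202,0,DF,6,tcp,52,198.51.100.7,203.0.113.10,51514,49339,0,FA,3141592,2718281,229,,
5,,,1000000103,em0,match,block,in,4,0x0,,116,4410,0,DF,6,tcp,60,192.0.2.44,203.0.113.10,40022,3389,0,S,99887766,,29200,,mss;sackOK
5,,,1000000103,em0,match,block,in,4,0x0,,52,1300,0,DF,6,tcp,40,198.51.100.9,203.0.113.10,52011,9689,0,RA,555,556,0,,
5,,,1000000103,em0,match,block,in,4,0x0,,64,0,0,DF,17,udp,78,192.0.2.50,203.0.113.10,5353,5353,58
"""

def parse_blocked_tcp(line):
    """Return the fields of a blocked IPv4 TCP entry, or None for anything else."""
    f = line.strip().split(",")
    # Assumed layout: 6=action, 8=IP version, 16=protocol, 18/19=src/dst,
    # 20/21=ports, 23=TCP flags.
    if len(f) < 24 or f[6] != "block" or f[8] != "4" or f[16] != "tcp":
        return None
    return {"src": f[18], "dst": f[19], "dport": int(f[21]), "flags": f[23]}

def is_new_connection(flags):
    """SYN set and ACK clear: the first packet of a handshake."""
    return "S" in flags and "A" not in flags

def triage(log_text):
    """Split blocked TCP entries into connection attempts and stateless leftovers."""
    attempts, leftovers = [], Counter()
    for line in log_text.splitlines():
        entry = parse_blocked_tcp(line)
        if entry is None:
            continue
        if is_new_connection(entry["flags"]):
            attempts.append((entry["src"], entry["dport"]))
        else:
            leftovers[(entry["src"], entry["dport"], entry["flags"])] += 1
    return attempts, leftovers

if __name__ == "__main__":
    attempts, leftovers = triage(SAMPLE_LOG)
    for src, dport in attempts:
        print(f"attempt  {src} -> port {dport}")
    for (src, dport, flags), n in leftovers.most_common():
        print(f"leftover {src} -> port {dport} [{flags}] x{n}")
```

Entries in the leftover group that repeat for a source already served by a pass rule match the FIN,ACK pattern described above; the attempt group is what a SYN-only block rule would keep in the log.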