Netgate Discussion Forum

    Can't forward HTTP

    NAT
    • JKnott

      There is a firewall rule, created by the NAT rule, to the local computer.  It's also the same, other than the protocol, as the ones for SSH & IMAPS.

      PfSense running on Qotom mini PC
      i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
      UniFi AC-Lite access point

      I haven't lost my mind. It's around here...somewhere...

      • JKnott

        Further on the above.  I deleted the NAT rule and verified the firewall rule was also gone.  I then copied the SSH NAT rule, which works, to create a new rule, changing only the protocol from SSH to HTTP.  I also verified the firewall rule had been created.  It still does not work.  This shows that a rule that worked for SSH, when changed to HTTP does not work, so there must be something peculiar about HTTP.

        • Derelict (LAYER 8, Netgate)

          OK, so don't post what you have done.

          Every time someone says this doesn't work I lab it and it works just fine.

          You can use Diagnostics > Test Port to check HTTP connectivity to the inside host. If that doesn't work neither will a port forward in almost all cases.

          Packet capture on the pfSense interface to see if the SYN to TCP/80 is being sent.

          ![Screen Shot 2016-09-11 at 6.48.45 PM.png](/public/imported_attachments/1/Screen Shot 2016-09-11 at 6.48.45 PM.png)

          Chattanooga, Tennessee, USA
          A comprehensive network diagram is worth 10,000 words and 15 conference calls.
          DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
          Do Not Chat For Help! NO_WAN_EGRESS(TM)

          • JKnott

            That test shows "Successful".  I also tried the port scan from www.grc.com.  It shows port 80 as "stealth", which indicates the firewall hasn't opened that port.  I verified the packets were reaching pfSense with Packet Capture.  Here's the capture for port 80:
            22:12:24.687593 IP 4.79.142.206.58395 > 174.112.12.127.80: tcp 0
            22:12:25.213150 IP 4.79.142.206.58395 > 174.112.12.127.80: tcp 0
            22:12:25.717610 IP 4.79.142.206.58395 > 174.112.12.127.80: tcp 0
            22:12:26.232136 IP 4.79.142.206.58395 > 174.112.12.127.80: tcp 0
            22:12:26.763370 IP 4.79.142.206.58395 > 174.112.12.127.80: tcp 0
            22:12:27.261501 IP 4.79.142.206.58395 > 174.112.12.127.80: tcp 0
            22:12:27.777258 IP 4.79.142.206.58395 > 174.112.12.127.80: tcp 0
            22:12:28.291087 IP 4.79.142.206.58395 > 174.112.12.127.80: tcp 0

            All the traffic is incoming, nothing going out.

            Now with port 22:
            22:20:46.507819 IP 4.79.142.206.58463 > 174.112.12.127.22: tcp 0
            22:20:46.508005 IP 174.112.12.127.22 > 4.79.142.206.58463: tcp 0
            22:20:46.591332 IP 4.79.142.206.58463 > 174.112.12.127.22: tcp 0
            22:20:47.510215 IP 174.112.12.127.22 > 4.79.142.206.58463: tcp 0
            22:20:47.591690 IP 4.79.142.206.58463 > 174.112.12.127.22: tcp 0
            22:20:49.510167 IP 174.112.12.127.22 > 4.79.142.206.58463: tcp 0
            22:20:49.597182 IP 4.79.142.206.58463 > 174.112.12.127.22: tcp 0
            22:20:53.510183 IP 174.112.12.127.22 > 4.79.142.206.58463: tcp 0
            22:20:53.592164 IP 4.79.142.206.58463 > 174.112.12.127.22: tcp 0

            There is traffic in both directions.  The port scan shows port 22 to be open.

            So, the problem now boils down to why that port isn't open, even though the firewall rule says it should be.

            • Derelict (LAYER 8, Netgate)

              No. Don't capture on WAN. Capture on LAN. Easiest thing to capture on is probably 4.79.142.206.

              Look at the states in Diagnostics > States.

              • johnpoz (LAYER 8, Global Moderator)

                Post up your rules, for gosh sake…  Maybe you have a rule in front blocking the traffic before it's allowed.  Do you have any rules in floating?  Are you using pfblocker?  Are you using snort or suricata?

                An intelligent man is sometimes forced to be drunk to spend time with his fools
                If you get confused: Listen to the Music Play
                Please don't Chat/PM me for help, unless mod related
                SG-4860 24.11 | Lab VMs 2.7.2, 24.11

                • JKnott

                  Where are those rules found, beyond the GUI?
                  What do you mean by "in floating"
                  I'm not using any of those, to my knowledge.
                  Back when my firewall was openSUSE Linux, I could forward HTTP.

                  • KOM

                    "Where are those rules found, beyond the GUI?"

                    What do you mean, "beyond the GUI"?  Rules are found under Firewall - Rules.  You can also access them from console, if that's what you mean:

                    https://doc.pfsense.org/index.php/How_can_I_see_the_full_PF_ruleset

                    "What do you mean by "in floating"?"

                    If you go to Firewall - Rules, there are several tabs visible.  The first is Floating, where the floating rules are listed.

                    "Back when my firewall was openSUSE Linux, I could forward HTTP."

                    There is no problem with pfSense and NATs/port-forwards.  You are doing something wrong.

                    https://doc.pfsense.org/index.php/How_can_I_forward_ports_with_pfSense

                    https://doc.pfsense.org/index.php/Port_Forward_Troubleshooting

                    Read both of these.  If you're still having problems, post your NAT - Port-Forwards and WAN firewall rules.

                      • johnpoz (LAYER 8, Global Moderator)

                      "I verified the packets were reaching pfSense with Packet Capture.  Here's the capture for port 80:
                      22:12:24.687593 IP 4.79.142.206.58395 > 174.112.12.127.80: tcp 0"

                      Just completely dumbstruck really..  So you figured out you needed to verify that traffic was actually getting to your WAN..  Where is the next logical step, sniffing that the traffic gets sent to your box behind pfSense, by sniffing on the pfSense interface on that network?

                      We would then have some actual info to work with, after you show your rules..  Hey, see, my rules should work.  See, I see the packets on my WAN, but nothing goes out the LAN interface..  Or what I expect you will see is packets going out your LAN interface being either to the wrong place, or no answer from the place you're forwarding to.  That is if you don't have your rules actually correct.  And not something higher up in your rules preventing the forward?

                      The links KOM provided give you everything you need to track down your issue/mistake in like 2 minutes..

                        • JKnott
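The sequence Derelict and johnpoz lay out (confirm the SYN arrives on WAN, capture on the LAN-side interface to see whether pf actually sends it to the inside host, then see whether that host answers and whether the answer makes it back out) can be turned into a mechanical check over the capture output. The script below is an added example written for this page; it is not code from the thread or from pfSense. It parses lines in the format of the captures JKnott posted. The WAN-side sample lines are quoted from those captures; the LAN-side lines, and the empty LAN capture for port 80, are constructed for the example, since no LAN capture was posted. Hostnames, addresses and verdict names beyond those quoted from the thread are assumptions.

```python
"""Locate where a pfSense port forward breaks, from packet-capture output.

Added example, not code from the thread or from pfSense. It parses lines in the
format of the captures posted above ("HH:MM:SS.ffffff IP src.port > dst.port: tcp N")
and compares what was seen on WAN against what was seen on LAN for the same test
client. WAN samples are quoted from the thread; LAN samples are CONSTRUCTED.
"""
import re

LINE_RE = re.compile(
    r"^\d{2}:\d{2}:\d{2}\.\d+ IP (\S+)\.(\d+) > (\S+)\.(\d+): (tcp|udp) \d+"
)


def parse(capture):
    """Return (src_ip, src_port, dst_ip, dst_port, proto) per parsable line."""
    out = []
    for line in capture.strip().splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            out.append((m[1], int(m[2]), m[3], int(m[4]), m[5]))
    return out


def count(flows, src=None, sport=None, dst=None, dport=None):
    """Count packets matching every field that is not None."""
    want = (src, sport, dst, dport)
    return sum(1 for f in flows if all(w is None or w == v for w, v in zip(want, f[:4])))


def diagnose(wan_capture, lan_capture, client, wan_ip, wan_port, target_ip, target_port):
    """Return a verdict code naming the first hop at which the traffic stops."""
    wan, lan = parse(wan_capture), parse(lan_capture)
    # Inbound on WAN pf captures before rdr: destination is the WAN address/port.
    # Outbound on LAN pf captures after rdr: destination is the inside host/port.
    if count(wan, src=client, dst=wan_ip, dport=wan_port) == 0:
        return "NO_SYN_ON_WAN"
    if count(lan, src=client, dst=target_ip, dport=target_port) == 0:
        return "NOT_FORWARDED"
    if count(lan, src=target_ip, sport=target_port, dst=client) == 0:
        return "NO_REPLY_FROM_TARGET"
    if count(wan, src=wan_ip, sport=wan_port, dst=client) == 0:
        return "REPLY_NOT_ON_WAN"
    return "OK"


VERDICTS = {
    "NO_SYN_ON_WAN": "nothing reached the WAN interface: look upstream (ISP, modem, test client)",
    "NOT_FORWARDED": "SYN seen on WAN but never on LAN: pf dropped it or no rdr matched; check rule order and Diagnostics > States",
    "NO_REPLY_FROM_TARGET": "SYN delivered to the inside host, no answer: host firewall or nothing listening",
    "REPLY_NOT_ON_WAN": "host answered but the reply never left WAN: wrong default gateway on the host / asymmetric routing",
    "OK": "forward works end to end",
}

# WAN-side lines quoted from the captures posted in the thread.
WAN_HTTP = """
22:12:24.687593 IP 4.79.142.206.58395 > 174.112.12.127.80: tcp 0
22:12:25.213150 IP 4.79.142.206.58395 > 174.112.12.127.80: tcp 0
"""
WAN_SSH = """
22:20:46.507819 IP 4.79.142.206.58463 > 174.112.12.127.22: tcp 0
22:20:46.508005 IP 174.112.12.127.22 > 4.79.142.206.58463: tcp 0
"""
# CONSTRUCTED LAN-side captures (post-rdr, so the destination is the inside host).
LAN_HTTP = ""  # constructed: nothing for port 80 ever shows up on the LAN interface
LAN_SSH = """
22:20:46.507900 IP 4.79.142.206.58463 > 172.16.1.10.22: tcp 0
22:20:46.507990 IP 172.16.1.10.22 > 4.79.142.206.58463: tcp 0
"""
LAN_SSH_DEAF = "22:20:46.507900 IP 4.79.142.206.58463 > 172.16.1.10.22: tcp 0"  # constructed

CLIENT, WAN_IP, TARGET = "4.79.142.206", "174.112.12.127", "172.16.1.10"

if __name__ == "__main__":
    for name, wan, lan, port in [("http", WAN_HTTP, LAN_HTTP, 80), ("ssh", WAN_SSH, LAN_SSH, 22)]:
        code = diagnose(wan, lan, CLIENT, WAN_IP, port, TARGET, port)
        print(f"{name}: {code} - {VERDICTS[code]}")
```

With the posted WAN lines and an empty LAN capture, port 80 comes out as NOT_FORWARDED, which is exactly the situation johnpoz says to go looking for in the rules; port 22 comes out OK. Each verdict points at a different place to look next, which is why capturing on both interfaces (and not only on WAN) is the step that actually narrows the problem.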

                        1. I've only been using pfSense for a few months, so I'm not that familiar with it.

                        "Where is the next logical step, sniffing that the traffic gets sent to your box behind pfSense, by sniffing on the pfSense interface on that network?"

                        I mentioned in my first post that I used Wireshark to verify that.

                        "If you go to Firewall - Rules, there are several tabs visible.  The first is Floating, where the floating rules are listed."

                        I see that and it shows no floating rules.

                        Here are the rules:

                        /root: pfctl -sa
                        TRANSLATION RULES:
                        no nat proto carp all
                        nat-anchor "natearly/*" all
                        nat-anchor "natrules/*" all
                        nat on re0 inet from 127.0.0.0/8 to any port = isakmp -> 174.112.12.127 static-port
                        nat on re0 inet from 172.16.1.0/24 to any port = isakmp -> 174.112.12.127 static-port
                        nat on re0 inet from 127.0.0.0/8 to any -> 174.112.12.127 port 1024:65535
                        nat on re0 inet from 172.16.1.0/24 to any -> 174.112.12.127 port 1024:65535
                        no rdr proto carp all
                        rdr-anchor "relayd/*" all
                        rdr-anchor "tftp-proxy/*" all
                        rdr on re0 inet proto tcp from any to 174.112.12.127 port = imaps -> 172.16.1.10
                        rdr on re0 inet proto tcp from any to 174.112.12.127 port = ssh -> 172.16.1.10
                        rdr on re0 inet proto tcp from any to 174.112.12.127 port = http -> 172.16.1.10
                        rdr on re0 inet proto tcp from any to 174.112.12.127 port = 4000 -> 172.16.1.10
                        rdr on re0 inet proto udp from any to 174.112.12.127 port = 4225 -> 172.16.1.10
                        rdr-anchor "miniupnpd" all

                        FILTER RULES:
                        scrub on re0 all fragment reassemble
                        scrub on bge0 all fragment reassemble
                        anchor "relayd/*" all
                        anchor "openvpn/*" all
                        anchor "ipsec/*" all
                        block drop in log quick inet from 169.254.0.0/16 to any label "Block IPv4 link-local"
                        block drop in log quick inet from any to 169.254.0.0/16 label "Block IPv4 link-local"
                        block drop in log inet all label "Default deny rule IPv4"
                        block drop out log inet all label "Default deny rule IPv4"
                        block drop in log inet6 all label "Default deny rule IPv6"
                        block drop out log inet6 all label "Default deny rule IPv6"
                        pass quick inet6 proto ipv6-icmp all icmp6-type unreach keep state
                        pass quick inet6 proto ipv6-icmp all icmp6-type toobig keep state
                        pass quick inet6 proto ipv6-icmp all icmp6-type neighbrsol keep state
                        pass quick inet6 proto ipv6-icmp all icmp6-type neighbradv keep state
                        pass out quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type echorep keep state
                        pass out quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type routersol keep state
                        pass out quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type routeradv keep state
                        pass out quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type neighbrsol keep state
                        pass out quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type neighbradv keep state
                        pass out quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type echorep keep state
                        pass out quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type routersol keep state
                        pass out quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type routeradv keep state
                        pass out quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type neighbrsol keep state
                        pass out quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type neighbradv keep state
                        pass in quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type echoreq keep state
                        pass in quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type routersol keep state
                        pass in quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type routeradv keep state
                        pass in quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type neighbrsol keep state
                        pass in quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type neighbradv keep state
                        pass in quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type echoreq keep state
                        pass in quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type routersol keep state
                        pass in quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type routeradv keep state
                        pass in quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type neighbrsol keep state
                        pass in quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type neighbradv keep state
                        pass in quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type echoreq keep state
                        pass in quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type routersol keep state
                        pass in quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type routeradv keep state
                        pass in quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type neighbrsol keep state
                        pass in quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type neighbradv keep state
                        block drop log quick inet proto tcp from any port = 0 to any label "Block traffic from port 0"
                        block drop log quick inet proto udp from any port = 0 to any label "Block traffic from port 0"
                        block drop log quick inet proto tcp from any to any port = 0 label "Block traffic to port 0"
                        block drop log quick inet proto udp from any to any port = 0 label "Block traffic to port 0"
                        block drop log quick inet6 proto tcp from any port = 0 to any label "Block traffic from port 0"
                        block drop log quick inet6 proto udp from any port = 0 to any label "Block traffic from port 0"
                        block drop log quick inet6 proto tcp from any to any port = 0 label "Block traffic to port 0"
                        block drop log quick inet6 proto udp from any to any port = 0 label "Block traffic to port 0"
                        block drop log quick from <snort2c> to any label "Block snort2c hosts"
                        block drop log quick from any to <snort2c> label "Block snort2c hosts"
                        block drop in log quick proto tcp from <sshlockout> to (self) port = ssh label "sshlockout"
                        block drop in log quick proto tcp from <webconfiguratorlockout> to (self) port = http label "webConfiguratorlockout"
                        block drop in log quick from <virusprot> to any label "virusprot overload table"
                        pass in quick on re0 inet6 proto udp from fe80::/10 port = dhcpv6-client to fe80::/10 port = dhcpv6-client keep state label "allow dhcpv6 client in WAN"
                        pass in quick on re0 proto udp from any port = dhcpv6-server to any port = dhcpv6-client keep state label "allow dhcpv6 client in WAN"
                        pass out quick on re0 proto udp from any port = dhcpv6-client to any port = dhcpv6-server keep state label "allow dhcpv6 client out WAN"
                        block drop in log quick on re0 from <bogons> to any label "block bogon IPv4 networks from WAN"
                        block drop in log quick on re0 from <bogonsv6> to any label "block bogon IPv6 networks from WAN"
                        block drop in log on ! re0 inet6 from 2607:f798:804:93:5026:e137:17be:8959 to any
                        block drop in log inet6 from 2607:f798:804:93:5026:e137:17be:8959 to any
                        block drop in log on re0 inet6 from fe80::214:d1ff:fe2b:edea to any
                        block drop in log on ! re0 inet from 174.112.12.0/23 to any
                        block drop in log inet from 174.112.12.127 to any
                        block drop in log quick on re0 inet from 10.0.0.0/8 to any label "Block private networks from WAN block 10/8"
                        block drop in log quick on re0 inet from 127.0.0.0/8 to any label "Block private networks from WAN block 127/8"
                        block drop in log quick on re0 inet from 172.16.0.0/12 to any label "Block private networks from WAN block 172.16/12"
                        block drop in log quick on re0 inet from 192.168.0.0/16 to any label "Block private networks from WAN block 192.168/16"
                        block drop in log quick on re0 inet6 from fc00::/7 to any label "Block ULA networks from WAN block fc00::/7"
                        pass in on re0 proto udp from any port = bootps to any port = bootpc keep state label "allow dhcp client out WAN"
                        pass out on re0 proto udp from any port = bootpc to any port = bootps keep state label "allow dhcp client out WAN"
                        block drop in log on ! bge0 inet6 from 2607:fea8:4cdf:fbe5::/64 to any
                        block drop in log inet6 from 2607:fea8:4cdf:fbe5:216:17ff:fea7:f2d3 to any
                        block drop in log on bge0 inet6 from fe80::1:1 to any
                        block drop in log on ! bge0 inet from 172.16.1.0/24 to any
                        block drop in log inet from 172.16.1.1 to any
                        pass in quick on bge0 inet proto udp from any port = bootpc to 255.255.255.255 port = bootps keep state label "allow access to DHCP server"
                        pass in quick on bge0 inet proto udp from any port = bootpc to 172.16.1.1 port = bootps keep state label "allow access to DHCP server"
                        pass out quick on bge0 inet proto udp from 172.16.1.1 port = bootps to any port = bootpc keep state label "allow access to DHCP server"
                        pass quick on bge0 inet6 proto udp from fe80::/10 to fe80::/10 port = dhcpv6-client keep state label "allow access to DHCPv6 server"
                        pass quick on bge0 inet6 proto udp from fe80::/10 to ff02::/16 port = dhcpv6-client keep state label "allow access to DHCPv6 server"
                        pass quick on bge0 inet6 proto udp from fe80::/10 to ff02::/16 port = dhcpv6-server keep state label "allow access to DHCPv6 server"
                        pass quick on bge0 inet6 proto udp from ff02::/16 to fe80::/10 port = dhcpv6-server keep state label "allow access to DHCPv6 server"
                        pass in quick on bge0 inet6 proto udp from fe80::/10 to 2607:fea8:4cdf:fbe5:216:17ff:fea7:f2d3 port = dhcpv6-client keep state label "allow access to DHCPv6 server"
                        pass out quick on bge0 inet6 proto udp from 2607:fea8:4cdf:fbe5:216:17ff:fea7:f2d3 port = dhcpv6-server to fe80::/10 keep state label "allow access to DHCPv6 server"
                        pass in on lo0 inet all flags S/SA keep state label "pass IPv4 loopback"
                        pass out on lo0 inet all flags S/SA keep state label "pass IPv4 loopback"
                        pass in on lo0 inet6 all flags S/SA keep state label "pass IPv6 loopback"
                        pass out on lo0 inet6 all flags S/SA keep state label "pass IPv6 loopback"
                        pass out inet all flags S/SA keep state allow-opts label "let out anything IPv4 from firewall host itself"
                        pass out inet6 all flags S/SA keep state allow-opts label "let out anything IPv6 from firewall host itself"
                        pass out route-to (re0 174.112.12.1) inet from 174.112.12.127 to ! 174.112.12.0/23 flags S/SA keep state allow-opts label "let out anything from firewall host itself"
                        pass out route-to (re0 fe80::217:10ff:fe91:41f) inet6 from 2607:f798:804:93:5026:e137:17be:8959 to ! 2607:f798:804:93::/64 flags S/SA keep state allow-opts label "let out anything from firewall host itself"
                        pass in quick on bge0 proto tcp from any to (bge0) port = http flags S/SA keep state label "anti-lockout rule"
                        pass in quick on bge0 proto tcp from any to (bge0) port = ssh flags S/SA keep state label "anti-lockout rule"
                        anchor "userrules/*" all
                        pass in quick on re0 reply-to (re0 fe80::217:10ff:fe91:41f) inet6 proto tcp from any to any port = 4000 flags S/SA keep state label "USER_RULE"
                        pass in quick on re0 reply-to (re0 fe80::217:10ff:fe91:41f) inet6 proto udp from any to any port = 4225 keep state label "USER_RULE"
                        block drop in quick on re0 reply-to (re0 174.112.12.1) inet proto tcp from any to any port = microsoft-ds flags S/SA label "USER_RULE"
                        block drop in quick on re0 reply-to (re0 fe80::217:10ff:fe91:41f) inet6 proto tcp from any to any port = microsoft-ds flags S/SA label "USER_RULE"
                        pass in quick on re0 reply-to (re0 174.112.12.1) inet proto tcp from any to 172.16.1.10 port = imaps flags S/SA keep state label "USER_RULE: NAT Forward IPv4 IMAPS to main computer"
                        pass in quick on re0 reply-to (re0 fe80::217:10ff:fe91:41f) inet6 proto tcp from any to any port = imaps flags S/SA keep state label "USER_RULE"
                        pass in quick on re0 reply-to (re0 174.112.12.1) inet proto icmp all keep state label "USER_RULE"
                        pass in quick on re0 reply-to (re0 fe80::217:10ff:fe91:41f) inet6 proto ipv6-icmp all keep state label "USER_RULE"
                        block drop in quick on re0 reply-to (re0 fe80::217:10ff:fe91:41f) inet6 proto tcp from any to 2607:f798:804:93:5026:e137:17be:8959 flags S/SA label "USER_RULE"
                        pass in quick on re0 reply-to (re0 174.112.12.1) inet proto tcp from any to 172.16.1.10 port = ssh flags S/SA keep state label "USER_RULE: NAT Forward IPv4 SSH to main computer"
                        pass in quick on re0 reply-to (re0 fe80::217:10ff:fe91:41f) inet6 proto tcp from any to any port = ssh flags S/SA keep state label "USER_RULE"
                        block drop in quick on re0 reply-to (re0 174.112.12.1) inet proto tcp all label "USER_RULE"
                        block drop in quick on re0 reply-to (re0 174.112.12.1) inet proto udp all label "USER_RULE"
                        block drop in quick on re0 reply-to (re0 fe80::217:10ff:fe91:41f) inet6 proto tcp all label "USER_RULE"
                        block drop in quick on re0 reply-to (re0 fe80::217:10ff:fe91:41f) inet6 proto udp all label "USER_RULE"
                        pass in quick on re0 reply-to (re0 174.112.12.1) inet proto tcp from any to 172.16.1.10 port = 4000 flags S/SA keep state label "USER_RULE: NAT "
                        pass in quick on re0 reply-to (re0 174.112.12.1) inet proto udp from any to 172.16.1.10 port = 4225 keep state label "USER_RULE: NAT "
                        pass in quick on re0 reply-to (re0 fe80::217:10ff:fe91:41f) inet6 proto tcp from any to 2607:fea8:4cdf:fbe5:76d4:35ff:fe5b:f5fa port = http flags S/SA keep state label "USER_RULE: Web site"
                        pass in quick on bge0 inet from 172.16.1.0/24 to any flags S/SA keep state label "USER_RULE: Default allow LAN to any rule"
                        pass in quick on bge0 inet6 from 2607:fea8:4cdf:fbe5::/64 to any flags S/SA keep state label "USER_RULE: Default allow LAN IPv6 to any rule"
                        pass in quick on re0 reply-to (re0 174.112.12.1) inet proto tcp from any to 172.16.1.10 port = http flags S/SA keep state label "USER_RULE: NAT "
                        anchor "tftp-proxy/*" all
                        No queue in use

                        STATES:
                        bge0 tcp 2607:f8b0:4001:c08::bc[5228] <- 2607:fea8:4cdf:fbe5:d9a9:939e:d98c:8c6d[45495]      ESTABLISHED:ESTABLISHED
                        re0 tcp 2607:fea8:4cdf:fbe5:d9a9:939e:d98c:8c6d[45495] -> 2607:f8b0:4001:c08::bc[5228]      ESTABLISHED:ESTABLISHED
                        bge0 tcp 2607:f8b0:4001:c0a::bc[5228] <- 2607:fea8:4cdf:fbe5:ac00:3d89:1121:2ccf[38368]      ESTABLISHED:ESTABLISHED
                        re0 tcp 2607:fea8:4cdf:fbe5:ac00:3d89:1121:2ccf[38368] -> 2607:f8b0:4001:c0a::bc[5228]      ESTABLISHED:ESTABLISHED
                        bge0 tcp 2607:f8b0:4009:80e::2008[443] <- 2607:fea8:4cdf:fbe5:d9a9:939e:d98c:8c6d[36337]      ESTABLISHED:ESTABLISHED
                        re0 tcp 2607:fea8:4cdf:fbe5:d9a9:939e:d98c:8c6d[36337] -> 2607:f8b0:4009:80e::2008[443]      ESTABLISHED:ESTABLISHED
                        bge0 tcp 2607:f8b0:4001:c0c::10[993] <- 2607:fea8:4cdf:fbe5:ac00:3d89:1121:2ccf[48006]      ESTABLISHED:ESTABLISHED
                        re0 tcp 2607:fea8:4cdf:fbe5:ac00:3d89:1121:2ccf[48006] -> 2607:f8b0:4001:c0c::10[993]      ESTABLISHED:ESTABLISHED
                        bge0 tcp 65.52.108.227:443 <- 172.16.1.11:50567      ESTABLISHED:ESTABLISHED
                        re0 tcp 174.112.12.127:26984 (172.16.1.11:50567) -> 65.52.108.227:443      ESTABLISHED:ESTABLISHED
                        bge0 tcp 65.52.108.74:443 <- 172.16.1.10:40509      ESTABLISHED:ESTABLISHED
                        re0 tcp 174.112.12.127:42237 (172.16.1.10:40509) -> 65.52.108.74:443      ESTABLISHED:ESTABLISHED
                        bge0 tcp 64.4.23.142:40027 <- 172.16.1.10:51933      ESTABLISHED:ESTABLISHED
                        re0 tcp 174.112.12.127:58996 (172.16.1.10:51933) -> 64.4.23.142:40027      ESTABLISHED:ESTABLISHED
                        bge0 tcp 91.190.218.54:12350 <- 172.16.1.10:40197      ESTABLISHED:ESTABLISHED
                        re0 tcp 174.112.12.127:46800 (172.16.1.10:40197) -> 91.190.218.54:12350      ESTABLISHED:ESTABLISHED
                        bge0 tcp 2607:f8b0:4001:c0c::bd[443] <- 2607:fea8:4cdf:fbe5:ac00:3d89:1121:2ccf[40858]      ESTABLISHED:ESTABLISHED
                        re0 tcp 2607:fea8:4cdf:fbe5:ac00:3d89:1121:2ccf[40858] -> 2607:f8b0:4001:c0c::bd[443]      ESTABLISHED:ESTABLISHED
                        bge0 udp 2607:f8b0:4001:c0c::bd[443] <- 2607:fea8:4cdf:fbe5:dd46:cb0:bd4f:4c34[39250]      MULTIPLE:MULTIPLE
                        re0 udp 2607:fea8:4cdf:fbe5:dd46:cb0:bd4f:4c34[39250] -> 2607:f8b0:4001:c0c::bd[443]      MULTIPLE:MULTIPLE
                        bge0 tcp 52.32.153.92:443 <- 172.16.1.10:40165      ESTABLISHED:ESTABLISHED
                        re0 tcp 174.112.12.127:58932 (172.16.1.10:40165) -> 52.32.153.92:443      ESTABLISHED:ESTABLISHED
                        bge0 tcp 52.32.153.92:443 <- 172.16.1.10:40174      ESTABLISHED:ESTABLISHED
                        re0 tcp 174.112.12.127:19244 (172.16.1.10:40174) -> 52.32.153.92:443      ESTABLISHED:ESTABLISHED
                        re0 icmp 174.112.12.127:63979 -> 174.112.12.1:63979      0:0
                        re0 ipv6-icmp fe80::214:d1ff:fe2b:edea[64362] -> fe80::217:10ff:fe91:41f[64362]      NO_TRAFFIC:NO_TRAFFIC
                        bge0 tcp 173.192.82.195:443 <- 172.16.1.10:50438      ESTABLISHED:ESTABLISHED
                        re0 tcp 174.112.12.127:7925 (172.16.1.10:50438) -> 173.192.82.195:443      ESTABLISHED:ESTABLISHED
                        bge0 tcp 52.87.141.251:443 <- 172.16.1.10:59718      ESTABLISHED:ESTABLISHED

                        INFO:
                        Status: Enabled for 3908 days 03:16:27        Debug: Urgent

                        Interface Stats for bge0              IPv4            IPv6
                          Bytes In                      1054518785      1350031969
                          Bytes Out                    7283260814      8112883488
                          Packets In
                            Passed                        8154194          7548367
                            Blocked                          10041            16625
                          Packets Out
                            Passed                        9503473        10611706
                            Blocked                            218                0

                        State Table                          Total            Rate
                          current entries                      161             
                          searches                        83139137            0.2/s
                          inserts                          4446599            0.0/s
                          removals                        4446438            0.0/s
                        Counters
                          match                            4548972            0.0/s
                          bad-offset                            0            0.0/s
                          fragment                              3            0.0/s
                          short                                26            0.0/s
                          normalize                            50            0.0/s
                          memory                                0            0.0/s
                          bad-timestamp                          0            0.0/s
                          congestion                            0            0.0/s
                          ip-option                              0            0.0/s
                          proto-cksum                            0            0.0/s
                          state-mismatch                      1483            0.0/s
                          state-insert                          0            0.0/s
                          state-limit                            0            0.0/s
                          src-limit                              0            0.0/s
                          synproxy                              0            0.0/s
                          divert                                0            0.0/s

                        LABEL COUNTERS:
                        Block IPv4 link-local 4548850 1503 134276 1503 134276 0 0 0
                        Block IPv4 link-local 619704 148 20092 148 20092 0 0 0
                        Default deny rule IPv4 619556 14062 974241 14062 974241 0 0 0
                        Default deny rule IPv4 3368800 218 20274 0 0 218 20274 0
                        Default deny rule IPv6 4547199 16615 4615401 16615 4615401 0 0 0
                        Default deny rule IPv6 3927643 0 0 0 0 0 0 0
                        Block traffic from port 0 3743328 1 40 1 40 0 0 0
                        Block traffic from port 0 3726568 1 40 1 40 0 0 0
                        Block traffic to port 0 2694501 40 1760 40 1760 0 0 0
                        Block traffic to port 0 2686633 40 1760 40 1760 0 0 0
                        Block traffic from port 0 3743287 0 0 0 0 0 0 0
                        Block traffic from port 0 3719681 0 0 0 0 0 0 0
                        Block traffic to port 0 1048826 0 0 0 0 0 0 0
                        Block traffic to port 0 1046964 0 0 0 0 0 0 0
                        Block snort2c hosts 3743287 0 0 0 0 0 0 0
                        Block snort2c hosts 3743287 0 0 0 0 0 0 0
                        sshlockout 3743287 0 0 0 0 0 0 0
                        webConfiguratorlockout 597901 0 0 0 0 0 0 0
                        virusprot overload table 1375354 0 0 0 0 0 0 0
                        allow dhcpv6 client in WAN 1375296 0 0 0 0 0 0 0
                        allow dhcpv6 client in WAN 69919 97 16147 97 16147 0 0 0
                        allow dhcpv6 client out WAN 2377000 116 17144 0 0 116 17144 0
                        block bogon IPv4 networks from WAN 2452491 4035 1322365 4035 1322365 0 0 0
                        block bogon IPv6 networks from WAN 2433293 4417 1350633 4417 1350633 0 0 0
                        Block private networks from WAN block 10/8 615099 0 0 0 0 0 0 0
                        Block private networks from WAN block 127/8 610367 0 0 0 0 0 0 0
                        Block private networks from WAN block 172.16/12 610367 0 0 0 0 0 0 0
                        Block private networks from WAN block 192.168/16 610367 0 0 0 0 0 0 0
                        Block ULA networks from WAN block fc00::/7 616003 0 0 0 0 0 0 0
                        allow dhcp client out WAN 65990 0 0 0 0 0 0 0
                        allow dhcp client out WAN 2372350 0 0 0 0 0 0 0
                        allow access to DHCP server 615592 861 286784 861 286784 0 0 1
                        allow access to DHCP server 410 819 269045 410 134887 409 134158 14
                        allow access to DHCP server 633870 0 0 0 0 0 0 0
                        allow access to DHCPv6 server 821718 0 0 0 0 0 0 0
                        allow access to DHCPv6 server 179 0 0 0 0 0 0 0
                        allow access to DHCPv6 server 0 0 0 0 0 0 0 0
                        allow access to DHCPv6 server 615188 0 0 0 0 0 0 0
                        allow access to DHCPv6 server 150961 0 0 0 0 0 0 0
                        allow access to DHCPv6 server 150961 0 0 0 0 0 0 0
                        pass IPv4 loopback 3702636 1622 173768 820 53434 802 120334 30
                        pass IPv4 loopback 1650 0 0 0 0 0 0 0
                        pass IPv6 loopback 1699 126 17958 122 17628 4 330 0
                        pass IPv6 loopback 880 0 0 0 0 0 0 0
                        let out anything IPv4 from firewall host itself 3702587 591506 126718390 295755 95976021 295751 30742369 123
                        let out anything IPv6 from firewall host itself 2367925 14231954 8934457853 8432697 7716139249 5799257 1218318604 1939
                        let out anything from firewall host itself 1461177 11306109 4654930360 5974874 4040844260 5331235 614086100 16324
                        let out anything from firewall host itself 674647 73703 17681406 36656 14134446 37047 3546960 935
                        anti-lockout rule 3702755 125917 46161121 62404 15960971 63513 30200150 9
                        anti-lockout rule 3672518 126436 46135150 62587 15971386 63849 30163764 2
                        USER_RULE 3221690 7055 3673483 3192 312072 3863 3361411 0
                        USER_RULE 904 0 0 0 0 0 0 0
                        USER_RULE 540517 0 0 0 0 0 0 0
                        USER_RULE 539952 0 0 0 0 0 0 0
                        USER_RULE: NAT Forward IPv4 IMAPS to main computer 45346 171583 57800364 82808 8958724 88775 48841640 28
                        USER_RULE 26058 69087 66280551 45507 63828298 23580 2452253 0
                        USER_RULE 63194 54411 3680485 27254 1844229 27157 1836256 111
                        USER_RULE 63082 53749 3638139 26922 1823003 26827 1815136 0
                        USER_RULE 331 0 0 0 0 0 0 0
                        USER_RULE: NAT Forward IPv4 SSH to main computer 52779 417217 68594540 211219 21665848 205998 46928692 65
                        USER_RULE 25893 22 1626 13 912 9 714 0
                        USER_RULE 26303 25702 1277559 25702 1277559 0 0 0
                        USER_RULE 26205 25506 1271145 25506 1271145 0 0 0
                        USER_RULE 26172 25473 1265895 25473 1265895 0 0 0
                        USER_RULE 26074 25473 1265895 25473 1265895 0 0 0
                        USER_RULE: NAT  23687 0 0 0 0 0 0 0
                        USER_RULE: NAT  5479 0 0 0 0 0 0 0
                        USER_RULE: Web site 720 0 0 0 0 0 0 0
                        USER_RULE: Default allow LAN to any rule 338632 3412153 1197107897 1721556 194589533 1690597 1002518364 4687
                        USER_RULE: Default allow LAN IPv6 to any rule 179897 3679104 1888087798 1594799 294337026 2084305 1593750772 5540
                        USER_RULE: NAT  1630 0 0 0 0 0 0 0

                        TIMEOUTS:
                        tcp.first                  120s
                        tcp.opening                  30s
                        tcp.established          86400s
                        tcp.closing                900s
                        tcp.finwait                  45s
                        tcp.closed                  90s
                        tcp.tsdiff                  30s
                        udp.first                    60s
                        udp.single                  30s
                        udp.multiple                60s
                        icmp.first                  20s
                        icmp.error                  10s
                        other.first                  60s
                        other.single                30s
                        other.multiple              60s
                        frag                        30s
                        interval                    10s
                        adaptive.start          185400 states
                        adaptive.end            370800 states
                        src.track                    0s

                        LIMITS:
                        states        hard limit  309000
                        src-nodes    hard limit  309000
                        frags        hard limit    5000
                        table-entries hard limit  200000

                        TABLES:
                        bogons
                        bogonsv6
                        snort2c
                        sshlockout
                        virusprot
                        webConfiguratorlockout

                        OS FINGERPRINTS:
                        710 fingerprints loaded

                        As I mentioned, the HTTP rule is identical to the SSH rule and was even created from it, changing only the ports.

                        PfSense running on Qotom mini PC
                        i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
                        UniFi AC-Lite access point

                        I haven't lost my mind. It's around here...somewhere...

                        • DerelictD
                          Derelict LAYER 8 Netgate
                          last edited by

                          anchor "userrules/*" all
                          pass in quick on re0 reply-to (re0 fe80::217:10ff:fe91:41f) inet6 proto tcp from any to any port = 4000 flags S/SA keep state label "USER_RULE"
                          pass in quick on re0 reply-to (re0 fe80::217:10ff:fe91:41f) inet6 proto udp from any to any port = 4225 keep state label "USER_RULE"
                          block drop in quick on re0 reply-to (re0 174.112.12.1) inet proto tcp from any to any port = microsoft-ds flags S/SA label "USER_RULE"
                          block drop in quick on re0 reply-to (re0 fe80::217:10ff:fe91:41f) inet6 proto tcp from any to any port = microsoft-ds flags S/SA label "USER_RULE"
                          pass in quick on re0 reply-to (re0 174.112.12.1) inet proto tcp from any to 172.16.1.10 port = imaps flags S/SA keep state label "USER_RULE: NAT Forward IPv4 IMAPS to main computer"
                          pass in quick on re0 reply-to (re0 fe80::217:10ff:fe91:41f) inet6 proto tcp from any to any port = imaps flags S/SA keep state label "USER_RULE"
                          pass in quick on re0 reply-to (re0 174.112.12.1) inet proto icmp all keep state label "USER_RULE"
                          pass in quick on re0 reply-to (re0 fe80::217:10ff:fe91:41f) inet6 proto ipv6-icmp all keep state label "USER_RULE"
                          block drop in quick on re0 reply-to (re0 fe80::217:10ff:fe91:41f) inet6 proto tcp from any to 2607:f798:804:93:5026:e137:17be:8959 flags S/SA label "USER_RULE"
                          pass in quick on re0 reply-to (re0 174.112.12.1) inet proto tcp from any to 172.16.1.10 port = ssh flags S/SA keep state label "USER_RULE: NAT Forward IPv4 SSH to main computer"
                          pass in quick on re0 reply-to (re0 fe80::217:10ff:fe91:41f) inet6 proto tcp from any to any port = ssh flags S/SA keep state label "USER_RULE"
                          block drop in quick on re0 reply-to (re0 174.112.12.1) inet proto tcp all label "USER_RULE"
                          block drop in quick on re0 reply-to (re0 174.112.12.1) inet proto udp all label "USER_RULE"
                          block drop in quick on re0 reply-to (re0 fe80::217:10ff:fe91:41f) inet6 proto tcp all label "USER_RULE"
                          block drop in quick on re0 reply-to (re0 fe80::217:10ff:fe91:41f) inet6 proto udp all label "USER_RULE"
                          pass in quick on re0 reply-to (re0 174.112.12.1) inet proto tcp from any to 172.16.1.10 port = 4000 flags S/SA keep state label "USER_RULE: NAT "
                          pass in quick on re0 reply-to (re0 174.112.12.1) inet proto udp from any to 172.16.1.10 port = 4225 keep state label "USER_RULE: NAT "
                          pass in quick on re0 reply-to (re0 fe80::217:10ff:fe91:41f) inet6 proto tcp from any to 2607:fea8:4cdf:fbe5:76d4:35ff:fe5b:f5fa port = http flags S/SA keep state label "USER_RULE: Web site"
                          pass in quick on bge0 inet from 172.16.1.0/24 to any flags S/SA keep state label "USER_RULE: Default allow LAN to any rule"
                          pass in quick on bge0 inet6 from 2607:fea8:4cdf:fbe5::/64 to any flags S/SA keep state label "USER_RULE: Default allow LAN IPv6 to any rule"
                          pass in quick on re0 reply-to (re0 174.112.12.1) inet proto tcp from any to 172.16.1.10 port = http flags S/SA keep state label "USER_RULE: NAT "

                          So if firewall rules are processed top down, first match wins, why is it that IMAPS and SSH work and HTTP doesn't?

                          @Derelict:

                          No. Check the firewall rules in addition to the NAT rules. Post what you have done.

                          @johnpoz:

                          Maybe you have a rule in front blocking the traffic before it's allowed.

                          @KOM:

                          There is no problem with pfSense and NATs/port-forwards.  You are doing something wrong.

                          Chattanooga, Tennessee, USA
                          A comprehensive network diagram is worth 10,000 words and 15 conference calls.
                          DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
                          Do Not Chat For Help! NO_WAN_EGRESS(TM)

                          • johnpozJ
                            johnpoz LAYER 8 Global Moderator
                            last edited by

                            How freaking hard is it to paste a screenshot of your rules and NATs? Really…

                            An intelligent man is sometimes forced to be drunk to spend time with his fools
                            If you get confused: Listen to the Music Play
                            Please don't Chat/PM me for help, unless mod related
                            SG-4860 24.11 | Lab VMs 2.7.2, 24.11

                            • KOMK
                              KOM
                              last edited by

                              Yes, if you have a rule that blocks all TCP just before your NAT rule, you're going to have a bad time.

                              This would have been easy to spot with a simple screenshot of the WAN rules.

                              • JKnottJ
                                JKnott
                                last edited by

                                Here they are.  The firewall rules are in 2 parts.

                                [attached screenshots: FW1.png, FW2.png, FW3.png]

                                • johnpozJ
                                  johnpoz LAYER 8 Global Moderator
                                  last edited by

                                  So anything TCP/UDP below this rule would be blocked.

                                  Rules are evaluated top down, first rule to fire wins. So here you're blocking IPv4 & IPv6 TCP/UDP, so those rules below are never going to be seen.

                                  Move your rules above that rule, or just delete that rule and let the default rule block stuff you do not allow in rules. You're not even logging on that rule. So what traffic would you see blocked on your WAN?

                                  Your rules to * dest are a bad idea on WAN, that is for sure as well!! They should be limited to the IP you're forwarding to.

                                   [Attached screenshot of the blocking rule: blocked.jpg]

                                  • JKnottJ
                                    JKnott
                                    last edited by

                                    I didn't create that rule and have no idea about why it's there.  I'll try moving that rule to the bottom and test later, when I have time.  On my way to work now.

                                    • johnpozJ
                                      johnpoz LAYER 8 Global Moderator
                                      last edited by

                                       Well, it sure is not a default, and it sure didn't create itself ;)  Are you running something like pfBlocker that can create rules?

                                      • JKnottJ
                                        JKnott
                                        last edited by

                                        No, I'm not running pfblocker.

                                         I suppose that rule won't cause any harm if left at the end of the list.  However, I assume pfSense has an implicit deny-all rule.  In other firewalls I've worked with (ipchains, iptables and Cisco), there's always an implicit deny-all, and you'd only create a specific deny-all rule if you want something more, such as logging.

                                        The only rules I've added are the ones to pass various protocols.

                                        BTW, moving that rule to the bottom cleared the problem.

                                        • KOMK
                                          KOM
                                          last edited by

                                          Yes, that hidden rule is called the Default Deny rule.  There has been debate over the years as to whether it should be hidden at all, or just unavailable but visible so you can see it but not edit or delete it.

                                          • DerelictD
                                            Derelict LAYER 8 Netgate
                                            last edited by

                                            Lots of UI issues with that. For instance the default deny rule is not at the bottom of the rule set. It is at the top without quick set. So where should it be displayed?

                                            People have a difficult enough time with this stuff already.

                                            Chattanooga, Tennessee, USA
                                            A comprehensive network diagram is worth 10,000 words and 15 conference calls.
                                            DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
                                            Do Not Chat For Help! NO_WAN_EGRESS(TM)

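The two mechanics discussed in this thread, johnpoz's "first rule to fire wins, so the rules below the block are never seen" and Derelict's note that the hidden default deny sits at the top of the rule set without `quick`, can be modelled in a few lines. The following is an added example, not code from the thread or from pfSense; the rule set, the 192.0.2.10 host and the packets are constructed to mirror what the posts describe, and the `Rule`/`Packet` classes and the `shadowed` checker are hypothetical helpers, not a pfSense API. It evaluates the rules the way pf does (last match wins unless a matching rule has `quick`), shows the HTTP SYN being caught by the stray block rule in the original order and passed after the move, and reports which rules an earlier quick rule makes unreachable.

```python
"""Added example (not from the thread): a small model of how pf, and hence
pfSense, evaluates firewall rules, to show why the stray "block tcp/udp"
rule above the port-forward pass rules broke HTTP.

pf walks the rule list in order and the LAST matching rule wins, unless a
matching rule has `quick`, which ends evaluation at that rule. pfSense
places its hidden default-deny rule at the top WITHOUT quick and adds
quick to every GUI-created rule, so GUI rules behave as first-match-wins
while anything no rule passes still falls through to the default deny.
All rules, addresses and packets below are constructed for illustration.
"""
from __future__ import annotations
from dataclasses import dataclass
from typing import Optional

ANY = "any"


@dataclass(frozen=True)
class Packet:
    proto: str   # "tcp" or "udp"
    dst: str     # destination IP (the forwarded-to host)
    dport: int   # destination port


@dataclass(frozen=True)
class Rule:
    action: str            # "pass" or "block"
    protos: frozenset      # e.g. {"tcp"}, {"tcp", "udp"}, or {ANY}
    dst: str               # destination IP or ANY ("*" in the GUI)
    dport: Optional[int]   # None = any port
    quick: bool = True     # pfSense sets quick on every GUI rule
    label: str = ""

    def matches(self, pkt: Packet) -> bool:
        return ((ANY in self.protos or pkt.proto in self.protos)
                and self.dst in (ANY, pkt.dst)
                and self.dport in (None, pkt.dport))

    def covers(self, other: Rule) -> bool:
        """True if every packet `other` would match also matches self."""
        return ((ANY in self.protos or other.protos <= self.protos)
                and self.dst in (ANY, other.dst)
                and self.dport in (None, other.dport))


def evaluate(rules: list[Rule], pkt: Packet) -> Optional[Rule]:
    """pf semantics: last match wins; a matching `quick` rule stops the walk."""
    winner = None
    for rule in rules:
        if rule.matches(pkt):
            winner = rule
            if rule.quick:
                break
    return winner


def shadowed(rules: list[Rule]) -> list[str]:
    """Labels of rules that can never win because an earlier quick rule
    already matches every packet they would match (johnpoz's point)."""
    return [r.label for i, r in enumerate(rules)
            if any(e.quick and e.covers(r) for e in rules[:i])]


def broad_pass_rules(rules: list[Rule]) -> list[str]:
    """Pass rules whose destination is '*' rather than the forwarded-to host."""
    return [r.label for r in rules if r.action == "pass" and r.dst == ANY]


# Constructed reconstruction of the WAN rule set described in the thread.
DEFAULT_DENY = Rule("block", frozenset({ANY}), ANY, None, quick=False,
                    label="default deny (hidden, top of list, no quick)")
STRAY_BLOCK = Rule("block", frozenset({"tcp", "udp"}), ANY, None,
                   label="block tcp/udp * -> *")
PASS_SSH = Rule("pass", frozenset({"tcp"}), "192.0.2.10", 22,
                label="pass tcp * -> 192.0.2.10:22")
PASS_HTTP = Rule("pass", frozenset({"tcp"}), "192.0.2.10", 80,
                 label="pass tcp * -> 192.0.2.10:80")

BROKEN_ORDER = [DEFAULT_DENY, STRAY_BLOCK, PASS_SSH, PASS_HTTP]
FIXED_ORDER = [DEFAULT_DENY, PASS_SSH, PASS_HTTP, STRAY_BLOCK]
HTTP_SYN = Packet("tcp", "192.0.2.10", 80)      # the forwarded HTTP SYN
UNRELATED = Packet("tcp", "192.0.2.10", 443)    # nothing passes this


if __name__ == "__main__":
    for name, rules in (("broken", BROKEN_ORDER), ("fixed", FIXED_ORDER)):
        winner = evaluate(rules, HTTP_SYN)
        print(f"{name}: HTTP SYN -> {winner.action} by '{winner.label}'")
        print(f"{name}: shadowed rules = {shadowed(rules)}")
    # With the stray rule gone entirely, the hidden default deny still
    # catches traffic no pass rule matches, as Derelict and KOM describe.
    print("no stray rule, port 443 ->",
          evaluate([DEFAULT_DENY, PASS_SSH, PASS_HTTP], UNRELATED).label)
```

Running it prints the stray block rule winning for the HTTP SYN in the broken order with both pass rules reported as shadowed, the HTTP pass rule winning once the block is moved to the bottom, and the hidden default deny catching port 443 when no rule passes it. `broad_pass_rules` flags pass rules with a `*` destination, the pattern johnpoz recommends tightening to the forwarded host.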
                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.