Firewall rules ignored or overridden?
-
Disclaimer:
I have no floating rules or rule groups before someone suggests a rule precedence issue. Also, I am running the current version of pfsense (2.3.2-RELEASE-p1). All of the following rules are applied on the LAN interface.
Issue:
LAN Interface has the rule:
Pass IPv4+6* LAN net * * * * none
Firewall System Logs show:
Block [timestamp] LAN [Device on my LAN] [mail server]:993 TCP:[various flags]
How is it possible for this traffic to get blocked? Clearly these packets should be allowed by the above rule. The more specific rule below appears to have no effect on passing this traffic.
Pass IPv4+6 TCP LAN net * * 993(IMAP/S) * none
My workstation has both IPv4 and IPv6 addresses, and packets for both addresses get blocked. Similarly, I am contacting several different mail servers and all of them show up in the logs with blocked packets. Note that email works, so some packets are getting through. My question is not how do I get IMAP working. The question is why are these explicitly allowed packets being blocked since they are whitelisted? TCP flags of the blocked packets include FPA, PA, RPA, RA, A. Similarly, I see the reply traffic for these packets also being blocked in the logs, such as below.
Block [timestamp] WAN [mail server]:993 [Device on my LAN] TCP:[various flags]
-
Looks like I posted prematurely. After playing around with the advanced rule settings I managed to resolve the issue by setting "statetype" = "sloppy state".
-
If that is required you probably have an asymmetric routing issue.
-
If you have an any/any rule and you're seeing blocks to some specific IP with anything other than SYN as your flag, then yeah, you either have out-of-state traffic from something like a cell phone or wifi device that was in standby mode for a long time, or, as mentioned, an asymmetrical routing issue.
Why don't you draw up your network so we can take a look-see? You for sure should not have to set sloppy state on your rules.
-
"statetype" = "sloppy state" did not resolve the issue. I guess I didn't wait long enough for the error to recur last night. I am still having the same problem with 993 packets showing up as blocked in the log.
Network diagram couldn't be simpler.
ISP -> Modem -> Pfsense -> Workstation
-
Since the service is email, which gets polled periodically, perhaps the sessions go stale between polls for new emails. If I set the rule with a really high state timeout, does anyone think that will solve the issue?
In System -> Advanced -> Firewall & NAT -> Firewall Optimization Options = Normal. Perhaps this is causing sessions to be closed too early.
-
No. The default settings should be fine. What are the "various flags" you're seeing on TCP?
If it's not just plain S, you are likely seeing out-of-state traffic, which should be harmless. Is anything actually not working, or are you just looking at the logs?
https://doc.pfsense.org/index.php/Why_do_my_logs_show_%22blocked%22_for_traffic_from_a_legitimate_connection
-
Recent flags include the following sets: PA, RA, R, A, FA
Also, 6 min of traffic is enough to completely fill the last 50 entries visible in the system logs, making it hard to see any other traffic.
-
Did you read that doc link?
Then filter on the information you're looking for.
-
I just read that doc link. I have no clustering or load balancing and no multi-WAN. Also, there are no gateways set on the LAN interface settings. If asymmetric routing is occurring, then it must be on Comcast's backend network, since my computer only has a single routable path to the Internet.
As per the manual fix in that document, I have re-enabled "State Type" = "sloppy state" and this time added "TCP flags" = "Any flags". Also, I added the same rule on the LAN in the outbound direction using a floating rule. It will take a couple of hours to collect enough traffic to know if this solution works or not. I will report back once I know for sure.
Thanks for the helpful suggestions.
-
The top section. If the other sections are N/A, they're N/A.
-
Not sure what you're doing, but if this is what you have
ISP -> Modem -> Pfsense -> Workstation
I really don't see how it's possible you could have asymmetrical routing, unless you have wifi and wired connected on your workstation at the same time. You for sure should not have to set any sort of sloppy state on any rules.
Did you read the link about legit traffic blocked in the logs Derelict provided? Can you post up a sample of what you're seeing via a screenshot, not some ASCII art?
You know you can increase the number of log entries displayed in the GUI; you can also go to the actual files. What exactly are you seeing blocked? Badly written code that doesn't send keep-alives and doesn't talk for hours and then tries to continue the conversation could cause out-of-state blocks, because the firewall, after a specific time of not seeing any traffic on a state, will close that state. If it then sees traffic for it, that traffic would be blocked for being out of state.
-
I understand that legitimate traffic will be blocked, and usually I see that in the logs as a few orphan packets coming in when a session has ended or expired. What I don't expect to see is over 50 blocked packets every 11 min, completely filling up my logs and making logging useless. Either these packets should be dropped silently or, better yet, the appropriate rule should be identified to pass the traffic through. I have included a screenshot of the System Log Firewall page. Due to the length of the scrollable page it took three images. Also, I have redacted my public IP for privacy.
-
Lots of blocks outbound on WAN? What did you do in floating rules?
-
According to the logs, the rules causing the blocks are as follows:
The rule that triggered this action is:
@8(1000000106) block drop out log inet6 all label "Default deny rule IPv6"
AND
The rule that triggered this action is:
@5(1000000103) block drop in log inet all label "Default deny rule IPv4"
There are no floating rules except for some VOIP QoS rules created by the Traffic Shaper wizard, which are completely unrelated. I removed the previous floating rule because I think we can all agree that this is not an asymmetric routing issue. The previous rule I created was the one listed in the document that was linked to, which said to create a floating rule on the LAN for outbound traffic for IPv4 TCP 993 traffic with ANY flags and Sloppy State. I have also reverted the pass rule on the LAN for TCP 993 so that the advanced option ANY flags is removed and Sloppy State is back to keep.
-
If you think those are log spam, go to Status > System Logs, Settings tab and uncheck Log firewall default blocks.
-
While I agree that disabling logging of the default rule would remove these packets from the log, that doesn't really help. I would like to be able to see what packets are being blocked by the firewall and hiding all blocked packets just to get rid of the ones from port 993 is overkill. If the solution is to hide these packets from the log instead of passing them through the firewall, then I would want to create a more specific block rule that only matched these packets with no logging so that I could continue to see packets blocked by the default rule.
-
Your IMAP client is trying to use a connection after the state has been deleted for inactivity or it is otherwise misbehaving.
What isn't working other than the logs you are seeing?
The default timeout for an established TCP state is:
tcp.established 86400s
One whole day. With zero activity.
Not sure how long you think the states should be kept around but feel free to adjust that.
-
I'm fine with 1 day, but I suspect that sessions are closed after 1 hr or less.
Where do you see that setting? I do not see an entry for tcp.established in /tmp/rules.debug. Also, is that the default setting when "Firewall Optimization Options" = Normal? Or is that for a different setting, like conservative?
-
That is the setting for Normal.
This is an existing IMAP state for my mail client:
igb0_vlan223 tcp 192.0.2.96:143 <- 192.168.223.6:52466 ESTABLISHED:ESTABLISHED
[3857059653 + 131008] wscale 1 [3105376859 + 66608] wscale 5
age 94:39:32, expires in 23:59:54, 64046:44625 pkts, 11286281:32760196 bytes, rule 283
id: 00000000585fc42a creatorid: 5297d028
igb1 tcp 192.51.100.226:13887 (192.168.223.6:52466) -> 192.0.2.96:143 ESTABLISHED:ESTABLISHED
[3105376859 + 66608] wscale 5 [3857059653 + 131008] wscale 1
age 94:39:32, expires in 23:59:54, 64046:44625 pkts, 11286281:32760196 bytes, rule 211
You can get the same thing with:
pfctl -vvss | grep -a2 mailserverip:993
Existing state timeouts:
pfctl -st
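The flag-based triage Derelict and johnpoz describe above, as a small script: with pf's default "keep state" and default TCP flags (S/SA), a pass rule is consulted only for the bare SYN that opens a connection, and every later packet has to match an existing state, so a logged block with PA/FA/RA/A flags points at a missing or expired state rather than at the pass rules, while a blocked bare SYN really does mean a rule problem. This is an added example, not code from the thread or from pfSense. The lines it parses are a constructed, simplified rendering of the GUI log rows quoted in the posts ("Block [timestamp] LAN [device] [mail server]:993 TCP:[flags]"), not the real System Logs or /var/log/filter.log format; the assumption that LAN-interface entries are outbound (source is the local host) and WAN-interface entries inbound matches the single-LAN layout described in the thread, and IPv6 endpoints are not handled.

```python
"""Triage blocked pfSense log entries by TCP flags (added example, not pfSense code)."""
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Entry:
    action: str
    iface: str
    src: str      # host:port
    dst: str      # host:port
    proto: str    # TCP, UDP, ...
    flags: str    # TCP flag letters as pfSense prints them ("S", "PA", "RA"); "" if none


def split_hostport(s: str) -> tuple[str, str]:
    """'198.51.100.25:993' -> ('198.51.100.25', '993'). Constructed input is IPv4
    only; pfSense prints IPv6 endpoints as [addr]:port, which this does not handle."""
    host, _, port = s.rpartition(":")
    return host, port


def parse_line(line: str) -> Entry:
    """Parse 'ACTION TIMESTAMP IFACE SRC DST PROTO[:FLAGS]' (constructed format)."""
    action, _timestamp, iface, src, dst, proto_field = line.split()
    proto, _, flags = proto_field.partition(":")
    return Entry(action, iface, src, dst, proto, flags)


def classify(e: Entry) -> str:
    """Why pf logged this block, judged from the flags alone.

    A pass rule with the default flags S/SA matches only the packet that opens a
    connection (SYN set, ACK clear); anything else must match an existing state.
    A blocked bare SYN therefore means the pass rules did not match; a blocked
    ACK/PSH/FIN/RST means the state is gone (expired, torn down, or never
    created because the firewall saw only one direction of the flow).
    """
    if e.proto != "TCP":
        return "non-tcp"
    if e.flags == "S":
        return "new-connection"
    if "R" in e.flags:
        return "out-of-state-reset"
    return "out-of-state"


def flow_key(e: Entry) -> tuple[str, str, str]:
    """(local host, remote host, remote port), ignoring the ephemeral port.
    Assumption: LAN-interface entries are outbound (src local), WAN-interface
    entries inbound (dst local), as in the thread's single-LAN setup."""
    if e.iface == "LAN":
        local, remote = e.src, e.dst
    else:
        local, remote = e.dst, e.src
    return (split_hostport(local)[0],) + split_hostport(remote)


def triage(log_text: str) -> dict:
    """Summarise blocked entries: counts per category, the noisy out-of-state flows
    (candidates for a quiet, more specific block rule, or for checking the client's
    idle behaviour against `pfctl -vvss` / `pfctl -st`), and the SYN blocks that do
    indicate a missing or mis-ordered pass rule."""
    entries = [parse_line(ln) for ln in log_text.splitlines() if ln.strip()]
    blocked = [e for e in entries if e.action == "Block"]
    categories = Counter(classify(e) for e in blocked)
    noisy = Counter(flow_key(e) for e in blocked if classify(e).startswith("out-of-state"))
    rule_check = [flow_key(e) for e in blocked if classify(e) == "new-connection"]
    return {"categories": dict(categories), "noisy_flows": dict(noisy), "rule_check": rule_check}


# Constructed sample modelled on the lines quoted in the thread; not real logs.
SAMPLE_LOG = """\
Block 2016-10-01T08:00:01 LAN 192.0.2.10:52466 198.51.100.25:993 TCP:PA
Block 2016-10-01T08:00:01 LAN 192.0.2.10:52466 198.51.100.25:993 TCP:FPA
Block 2016-10-01T08:00:02 WAN 198.51.100.25:993 192.0.2.10:52466 TCP:RA
Block 2016-10-01T08:00:05 LAN 192.0.2.10:52470 198.51.100.25:993 TCP:A
Block 2016-10-01T08:00:09 LAN 192.0.2.10:52480 203.0.113.5:993 TCP:S
Block 2016-10-01T08:00:12 LAN 192.0.2.10:52481 203.0.113.5:993 TCP:S
Block 2016-10-01T08:00:15 LAN 192.0.2.10:5353 224.0.0.251:5353 UDP
"""

if __name__ == "__main__":
    import pprint
    pprint.pprint(triage(SAMPLE_LOG))
```

On the constructed sample the script reports four out-of-state blocks on one IMAP flow (the log-spam case from the thread) and two blocked bare SYNs to a second server, which is the only case where the pass rules themselves need examining; the out-of-state flow is the one to compare against the live state table with `pfctl -vvss`.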