[SOLVED] Help understanding firewall rule behaviour
-
Hi,
I'm running two pfsense devices in HA running 2.3.5.
On our Guest wifi rule I have initially created a temporary allow any rule (allow ipv4 any any).
When I checked the firewall logs I noticed that some traffic is still being blocked by the default ipv4 block all rule.So I created a new explicit block all rule as my last firewall rule to confirm that the traffic matches this rule and sure enough the traffic is passing the allow any rule and getting blocked by the explicit block all rule.
The pattern that I'm noticing is that all of the traffic that is matching the default block all rule is tcp port 80 and 443. The protocol is mostly TCP:PA or TCP:FA but sometimes it is TCP:PFA.
I added specific allow rules from the source net to tcp port 80 and tcp port 443, but I'm still seeing traffic missing these rules and hitting the explicit block all rule.
Under what criteria could this happen?
Is the firewall maybe not generating states and thus subsequent packets in the flow being blocked because the state doesnt exist? Or possibly some parts of the traffic flow going through one firewall and the rest through the other, preventing a complete state from being formed (asymmetric traffic flow..)?
If so, how would I go about troubleshooting this?Thanks for the help.
Shane
-
Out of state packets maybe :-
https://doc.pfsense.org/index.php/Why_do_my_logs_show_%22blocked%22_for_traffic_from_a_legitimate_connection
-
Cellphones are notorious for these invalid states.
-
^ yup!!! They are horrible at them.. Especially noticed them with my son's android. I just turned off default logging and set a rule to only log syn.. So to remove the log spam of out of state traffic.
-
Thanks everyone! It was indeed out of state packets.
