Netgate Discussion Forum
    Question about rules

    Firewalling
    12 Posts 3 Posters 3.0k Views
    JonH

      I'm new to pfSense, just put a SG-2440 into service, it's a steep learning curve for me…

      In my firewall LAN log I am seeing my tablet blocked by the LAN firewall.

      Sep 4 15:37:45  LAN  192.168.1.41:43668  216.58.194.174:443  TCP:PA
      Default deny rule IPv4 (1000000103)

      Source, x.41 is a Nexus tablet.  The Destination is a Google Server.  I am trying to pass this, without success.
      I first tried adding the destination to an alias but that didn't help.

      This is the LAN RULE created by Easy Rule:

      States  Protocol  Source        Port  Destination     Port         Gateway  Queue  Schedule  Description
      0/0 B   IPv4 TCP  192.168.1.41  *     216.58.194.174  443 (HTTPS)  *        none             Easy Rule: Passed from Firewall Log View

      On the LAN interface I have the Reserved Networks traffic unchecked.
      On the WAN interface (192.168.1.1) I have the Block Bogon Networks checked.

      What do I have to do to fix this problem?
      thanks, jon

    Derelict (LAYER 8, Netgate)

        Is something actually failing or are you just seeing firewall logs?

        https://doc.pfsense.org/index.php/Why_do_my_logs_show_%22blocked%22_for_traffic_from_a_legitimate_connection

        Chattanooga, Tennessee, USA
        A comprehensive network diagram is worth 10,000 words and 15 conference calls.
        DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
        Do Not Chat For Help! NO_WAN_EGRESS(TM)

    JonH

          Derelict.

          I'll puzzle over that link you posted some more and see if I can determine if these are false positives.  I'm not running any web servers or other services at this time.

          All of my mobile devices seem to have the same type log entry, except of course, for different destinations.  I've only gotten the firewall up 2 days ago so not enough time to determine if I'm actually having a 'failure' with these devices.

          I presume the log entries are a response to pushed data, maybe weather, news, or whatever.  The android tablet showed 3 consecutive log entries each with a slightly different destination IP, as if the tablet was trying really hard to make a connection with Google, falling over to backup IP's.  I've seen multiple consecutive entries for an iPhone.

          My wireless AP operates as an access point on my network with its own IP from pfSense rather than being directly connected to the internet via an OPT port.  All mobile devices are getting their IP from pfSense.

          I'll try to capture some packets and see if that tells me anything.

          Thanks for your comment.

    Derelict (LAYER 8, Netgate)

            If an outbound connection was actually being blocked, it would be a block of a SYN (S) packet. PA is PSH,ACK which is part of an already-established connection. The state for that connection has already been dropped by the firewall.

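The rule of thumb in the reply above (a blocked SYN is a refused connection; a blocked PA, A, FA or R packet is a late packet of a connection whose state has already been dropped) is easy to apply by hand to one line and tedious for a day's worth of log. The script below is an added example, not code from this thread or from pfSense. It parses blocked entries written in the same display format the thread quotes (timestamp, interface, src:port, dst:port, proto[:flags], followed by the rule line) and sorts them into refused new connections, stale-state noise, and connectionless packets. The sample log is constructed for the example; 203.0.113.10 stands in for the masked WAN address.

```python
"""Triage pfSense firewall-log 'block' entries by TCP flags.

Added example (not thread or pfSense code). A blocked SYN ('S' without 'A')
is a genuinely refused new connection. A blocked PA/A/FA/R packet arrived
after the firewall had already dropped the state for that connection, so it
is log noise rather than a failure. UDP/ICMP have no handshake, so a blocked
packet is simply unsolicited as far as the firewall can tell.
"""
import re
from dataclasses import dataclass

# Matches the GUI-style line the thread quotes, e.g.
#   Sep 4 15:37:45  LAN  192.168.1.41:43668  216.58.194.174:443  TCP:PA
LOG_RE = re.compile(r"""
    ^(?P<ts>\w{3}\s+\d+\s+[\d:]+)\s+
    (?P<iface>\S+)\s+
    (?P<src>[\d.]+):(?P<sport>\d+)\s+
    (?P<dst>[\d.]+):(?P<dport>\d+)\s+
    (?P<proto>[A-Z]+)(?::(?P<flags>[A-Z]+))?\s*$
""", re.VERBOSE)

# Constructed sample log modelled on the thread's entries (not real traffic).
SAMPLE_LOG = """
Sep 4 15:37:45  LAN  192.168.1.41:43668  216.58.194.174:443  TCP:PA
Default deny rule IPv4 (1000000103)
Sep 4 15:38:10  LAN  192.168.1.41:43702  216.58.194.174:443  TCP:S
Default deny rule IPv4 (1000000103)
Sep 4 15:38:12  LAN  192.168.1.50:51000  93.184.216.34:80  TCP:FA
Default deny rule IPv4 (1000000103)
Sep 5 18:30:01  WAN  17.178.104.100:16387  203.0.113.10:41235  UDP
Default deny rule IPv4 (1000000103)
"""


@dataclass
class Entry:
    ts: str
    iface: str
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    flags: str = ""   # pfSense flag letters: S=SYN A=ACK P=PSH F=FIN R=RST
    rule: str = ""    # the rule line that follows the entry in the log view


def parse_log(text):
    """Parse entry lines; a non-matching line is the rule of the entry before it."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LOG_RE.match(line)
        if m:
            entries.append(Entry(m["ts"], m["iface"], m["src"], int(m["sport"]),
                                 m["dst"], int(m["dport"]), m["proto"],
                                 m["flags"] or ""))
        elif entries:
            entries[-1].rule = line
    return entries


def classify(e):
    """Return 'new-connection', 'stale-state' or 'unsolicited' for a blocked entry."""
    if e.proto == "TCP":
        if "S" in e.flags and "A" not in e.flags:
            return "new-connection"   # refused connection attempt: worth a rule
        return "stale-state"          # mid-stream packet with no state: noise
    return "unsolicited"              # no handshake to judge by (UDP, ICMP, ...)


def triage(text):
    """Count blocked entries per class so the real failures stand out."""
    counts = {"new-connection": 0, "stale-state": 0, "unsolicited": 0}
    for e in parse_log(text):
        counts[classify(e)] += 1
    return counts


if __name__ == "__main__":
    for e in parse_log(SAMPLE_LOG):
        print(f"{classify(e):15s} {e.iface:4s} {e.src}:{e.sport} -> "
              f"{e.dst}:{e.dport} {e.proto}{':' + e.flags if e.flags else ''}")
    print(triage(SAMPLE_LOG))
```

Feed it the entries copied from Status > System Logs > Firewall; only the `new-connection` bucket points at something a pass rule could fix, and the `unsolicited` bucket on WAN is the normal background of a closed firewall.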
    JonH

              Thanks, I wondered what the PA meant.

              Jon, at the other end of ur State

    JonH

                The info posted above about SYN on TCP packets really helped me to understand which traffic in the firewall log was actually not getting through vs only showing blocked when not actually blocked.

                I have another example I'd like help with.  I have an alias to whitelist some common networks that push data to my mobile devices.  One entry I have in the alias is for apple.com.  I have it set to pass 17.0.0.0/8 which is the entire range of Apple's network.

                My whitelist does not seem to be working as I have traffic from 17.x apparently being blocked.  Maybe I am not setting this up correctly?

                My WAN rules are:

      States  Protocol  Source                           Port  Destination  Port   Gateway  Queue  Schedule  Description
      0/0 B   *         Reserved / Not assigned by IANA  *     *            *      *        *                Block bogon networks
      0/0 B   IPv4+6 *  My Whitelist                     *     LAN net      *      *        none
      0/0 B   IPv4 TCP  17.0.0.0/8                       5223  *            *      *        none             Apple Push Notification Service
      0/0 B   IPv4 UDP  17.178.104.100                   *     x.x.x.x      41235  *        none             Easy Rule: Passed from Firewall Log View

                Is a destination of 'LAN net' on a WAN rule improper?  Should it be 'WAN net'?  If so, how would the packet know where to go once it passed the WAN?

                The last two lines were added due to problems with traffic pushed from Apple.
                The States show no traffic for the last several hours on 'My Whitelist' even though I know that is not true.
                The last two lines were just added due to being blocked, it may take many more hours before I know if they actually work. 
                The x's are my external IP that I've masked.

                The entries from my firewall log are:

      Sep 5 18:30:01  WAN  17.178.104.100:16387  x.x.x.x:41235  UDP
      Default deny rule IPv4 (1000000103)
      Sep 5 18:30:02  WAN  17.178.104.100:16387  x.x.x.x:41235  UDP
      Default deny rule IPv4 (1000000103)
      Sep 5 18:30:03  WAN  17.178.104.100:16387  x.x.x.x:41235  UDP
      Default deny rule IPv4 (1000000103)
      Sep 5 18:31:00  WAN  17.178.104.100:16387  x.x.x.x:41235  UDP
      Default deny rule IPv4 (1000000103)
      Sep 5 18:31:00  WAN  17.178.104.100:16387  x.x.x.x:41235  UDP
      Default deny rule IPv4 (1000000103)

                I don't really know what traffic was being pushed here.  Or perhaps it was just an "is anyone home?" packet.  But since it keeps repeating I presume it is really blocked and not merely an incorrect entry in the log.

                Why is the alias apparently not working, even though it covers the range of this IP and is set on the WAN as 'any port' 'any protocol'?

    KOM

                  Is a destination of 'LAN net' on a WAN rule improper?

                  Yes

                  Should it be 'WAN net'?

                  * will do nicely.

                  If so, how would the packet know where to go once it passed the WAN?

                  Your NAT/port-forward rule defines where the packet is forwarded to, and the firewall rule allows it.  Do you have anything forwarded?

                  https://doc.pfsense.org/index.php/How_can_I_forward_ports_with_pfSense

                  https://doc.pfsense.org/index.php/Port_Forward_Troubleshooting

    JonH

                    @KOM:

                    Thanks, I'll try *

                    Your NAT/port-forward rule defines where the packet is forwarded to, and the firewall rule allows it.  Do you have anything forwarded?

                    I don't have any port forwarding rules defined.  The network ranges defined in the whitelist are all network ranges that intermittently push data to multiple mobile & desktop devices, Android, OS X, Linux, & iOS, such as news notifications, etc.

    Derelict (LAYER 8, Netgate)

                      Apple push notifications do not require inbound firewall rules. The device connects outbound.

                      I would delete that rule immediately. As in immediately.


    JonH

                        @Derelict:

                        Apple push notifications do not require inbound firewall rules. The device connects outbound.

                        I would delete that rule immediately. As in immediately.

                        Thank you.  Since it is called 'push' I did not realize it was requested by the device.

                        Whitelist alias has been deleted on WAN & disabled on LAN.

                        But what about connections from Google to Android, Akamai pushing updates, and TiVo pushing programming?  These servers are all in my whitelist (currently disabled).  Maybe TiVo requests, I'll find out soon enough.

                        When I set this up on Saturday I was missing a lot of stuff I expected, perhaps due to a wrong configuration.  That is why I made the whitelist alias.  There is no byte count under 'States' showing on the WAN rules, which is why I asked.  I don't know if an alias would show a byte count in States, but it made me suspicious of a misconfiguration.

    Derelict (LAYER 8, Netgate)

                          I know of nothing like that that requires inbound firewall rules. If it did none of it would work anywhere the users don't have access to make firewall changes.

                          All of that should work fine with no rules on WAN whatsoever. The only time a typical user requires firewall rules on WAN is when they are running some type of server, such as OpenVPN, maybe a port-forwarded web server, etc.

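The two answers in this thread (KOM: a WAN rule with destination 'LAN net' cannot match, because without a port forward the inbound packet is addressed to the WAN IP; Derelict: push notifications need no WAN rule at all, because the device opens the connection outbound and the reply is passed by state) can be shown with a small stateful-filter model. The code below is an added example and is not pfSense code; its addresses, rules and packets are constructed, the 'My Whitelist' alias is modelled as 17.0.0.0/8, 203.0.113.10 stands in for the masked WAN address, and NAT is elided by keying state on the internal tuple (so the server's reply is shown as if already un-translated to the LAN host).

```python
"""Toy stateful packet filter for the WAN/LAN behaviour discussed above.

Added example, not pfSense code. Three things are modelled:
  1. an outbound APNs-style connection from a LAN device creates state;
  2. the server's reply arriving on WAN passes on that state with NO WAN rule;
  3. an unsolicited inbound UDP packet addressed to the WAN IP never matches a
     WAN rule whose destination is 'LAN net' and falls to the default deny.
NAT is elided: state is keyed on the internal tuple (constructed simplification).
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

LAN_NET = ipaddress.ip_network("192.168.1.0/24")
WAN_IP = "203.0.113.10"   # constructed stand-in for the masked x.x.x.x


@dataclass(frozen=True)
class Packet:
    iface: str       # interface the packet arrives on: "LAN" or "WAN"
    proto: str       # "TCP" or "UDP"
    src: str
    sport: int
    dst: str
    dport: int
    flags: str = ""  # TCP flags as pfSense shows them; "S" opens a connection


@dataclass
class Rule:
    iface: str
    action: str                 # "pass" or "block"
    proto: str = "any"
    src: str = "any"            # "any", a CIDR, or "LAN net"
    dst: str = "any"
    dport: Optional[int] = None
    description: str = ""


def _net_matches(spec, addr):
    if spec == "any":
        return True
    if spec == "LAN net":
        return ipaddress.ip_address(addr) in LAN_NET
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def rule_matches(r, p):
    return (r.iface == p.iface
            and r.proto in ("any", p.proto)
            and _net_matches(r.src, p.src)
            and _net_matches(r.dst, p.dst)
            and (r.dport is None or r.dport == p.dport))


class Firewall:
    def __init__(self, rules):
        self.rules = rules
        self.states = set()   # (proto, src, sport, dst, dport) of passed connections
        self.log = []         # default-deny entries, in the thread's display shape

    def filter(self, p):
        fwd = (p.proto, p.src, p.sport, p.dst, p.dport)
        rev = (p.proto, p.dst, p.dport, p.src, p.sport)
        # 1. an existing state passes the packet without consulting any rule
        if fwd in self.states or rev in self.states:
            return "pass (state)"
        # 2. first matching rule on the arrival interface wins, top down
        for r in self.rules:
            if rule_matches(r, p):
                if r.action == "pass":
                    self.states.add(fwd)
                return f"{r.action} ({r.description})"
        # 3. nothing matched: default deny, logged
        flags = f":{p.flags}" if p.flags else ""
        self.log.append(f"{p.iface} {p.src}:{p.sport} {p.dst}:{p.dport} "
                        f"{p.proto}{flags} Default deny rule")
        return "block (default deny)"


def run_scenario():
    """Replay the thread's situation; returns per-packet verdicts and the log."""
    fw = Firewall([
        # the LAN 'allow anything out' rule pfSense creates by default
        Rule("LAN", "pass", src="LAN net", description="Default allow LAN to any"),
        # the WAN rule from the thread that can never match: destination 'LAN net'
        Rule("WAN", "pass", src="17.0.0.0/8", dst="LAN net", description="My Whitelist"),
    ])
    results = {}
    # (1) the phone opens the APNs connection itself: SYN out on LAN (constructed)
    out = Packet("LAN", "TCP", "192.168.1.41", 50123, "17.178.104.100", 5223, "S")
    results["apns_out"] = fw.filter(out)
    # (2) the server's SYN/ACK arrives on WAN and rides the state, no WAN rule needed
    reply = Packet("WAN", "TCP", "17.178.104.100", 5223, "192.168.1.41", 50123, "SA")
    results["apns_reply"] = fw.filter(reply)
    # (3) unsolicited UDP to the WAN address, as in the thread's log: no state,
    #     no port forward, and 203.0.113.10 is not in 'LAN net'
    unsolicited = Packet("WAN", "UDP", "17.178.104.100", 16387, WAN_IP, 41235)
    results["unsolicited"] = fw.filter(unsolicited)
    # what KOM's '*' destination would do: the packet is passed to the firewall
    # itself, which is exactly the hole Derelict says is unnecessary
    fw_any = Firewall([Rule("WAN", "pass", src="17.0.0.0/8", dst="any",
                            description="My Whitelist, dst any")])
    results["unsolicited_dst_any"] = fw_any.filter(unsolicited)
    return results, fw.log


if __name__ == "__main__":
    verdicts, log = run_scenario()
    for name, verdict in verdicts.items():
        print(f"{name:20s} {verdict}")
    print(log)
```

The empty 'States' column the thread worried about follows directly from this model: a WAN rule that can never match never creates a state, so it never counts bytes, while the outbound LAN rule and its states carry all of the push traffic.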
    JonH

                            @Derelict:

                            All of that should work fine with no rules on WAN whatsoever.

                            OK, I'll see how it goes then.  I had a bunch of stuff Sunday that seemed to not be working right so I started making a whitelist.
                            That said, I also have snort installed and found it blocking a bunch of stuff.  I turned off blocking after that.  Perhaps that was causing my issues.

                            Guess I need to let this thing run longer before I start making assumptions.

                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.