Blocked Outgoing IPV4 and IPv6 LAN Traffic



  • I had a lot of guests in my home last night and I noticed my firewall log was flooded with blocked outgoing LAN traffic. It was being blocked by the default ipv4 and ipv6 deny rules. I tried relaxing the rules by setting the state type to sloppy and allowing any flags. It might have made a bit of difference, but not much.

    Here is an example of blocked traffic:

    Oct 23 10:32:34 LAN [2001:470:X:XXX:d417:9458:a623:a103]:48640 [2607:f8b0:400a:800::200a]:443 TCP:PA
    Oct 23 10:36:22 LAN 10.28.92.240:34497 216.58.216.142:443 TCP:PA

    Coincidentally, both are from the same android phone and both are to *.1e100.net, which is a google address. The source address was configured using SLAAC.

    With over 30 guests, many having android phones, there were a lot of these messages in the log. I also noticed similar messages to content providers such as amazon.

    I have no objection to this traffic being allowed, but I'm not clear why it's being blocked or how to allow it.


  • LAYER 8 Global Moderator

    And those are both out of state packets… So yeah they would be blocked..

    Most likely its from the phone switching from cell connectivity to wifi and not reopening a connection and just trying to use the same connection.  Notice the PA on the tcpflags.

    This is typical noise for a stateful firewall, and devices like phones..

    https://doc.pfsense.org/index.php/Why_do_my_logs_show_"blocked"_for_traffic_from_a_legitimate_connection



  • @johnpoz:

    And those are both out of state packets… So yeah they would be blocked..

    Most likely its from the phone switching from cell connectivity to wifi and not reopening a connection and just trying to use the same connection.  Notice the PA on the tcpflags.

    This is typical noise for a stateful firewall, and devices like phones..

    https://doc.pfsense.org/index.php/Why_do_my_logs_show_"blocked"_for_traffic_from_a_legitimate_connection

    Thanks for the reply.

    The particular case I posted above is for a specific android phone that doesn't have a data plan. It only uses wifi for data. However, other android phones seem to generate the same traffic. These messages are generated on a continuous basis. Switching the rule to sloppy and allowing tcp flags didn't allow it past the default deny rule. Is there a way?

    The messages are also coming from wired devices such as PCs. Here is an example:

    Oct 23 15:24:18 LAN 10.28.92.102:54934 52.84.18.65:443 TCP:RA

    The destination is cloudfront.net, which is amazon content delivery. I'm pretty sure is legitimate in this case. Same question, is there a way to allow it?


  • LAYER 8 Global Moderator

    Allow what an Out of STATE connection??  Who says the other end is there? Why and the F would you want to allow it??

    If you don't want to log the noise then don't log the noise.  I only log blocked syn traffic..

    The whole point of a stateful firewall is to block traffic that is not in state ;)  You do understand a R flag means RST.. So its trying to close something?
    https://doc.pfsense.org/index.php/What_are_TCP_Flags

    A RST is tcp speak for F Off ;) I don't want to talk to you!!



  • @johnpoz:

    Allow what an Out of STATE connection??  Who says the other end is there? Why and the F would you want to allow it??

    If you don't want to log the noise then don't log the noise.  I only log blocked syn traffic..

    The whole point of a stateful firewall is to block traffic that is not in state ;)  You do understand a R flag means RST.. So its trying to close something?
    https://doc.pfsense.org/index.php/What_are_TCP_Flags

    A RST is tcp speak for F Off ;) I don't want to talk to you!!

    Thanks for your reply. I did some reading about these flags at https://en.wikipedia.org/wiki/Transmission_Control_Protocol so I see where you are coming from.

    Here is another example of consecutive log messages from an android device to a google address:

    Oct 26 10:40:05 LAN [2001:470:b❌y:z:bf56:90bb]:47662 [2607:f8b0:400a:801::2008]:443 TCP:FPA
    Oct 26 10:40:04 LAN [2001:470:b❌y:z:bf56:90bb]:47662 [2607:f8b0:400a:801::2008]:443 TCP:FPA
    Oct 26 10:40:04 LAN [2001:470:b❌y:z:bf56:90bb]:47662 [2607:f8b0:400a:801::2008]:443 TCP:FPA
    Oct 26 10:40:04 LAN [2001:470:b❌y:z:bf56:90bb]:47662 [2607:f8b0:400a:801::2008]:443 TCP:FA
    Oct 26 10:40:03 LAN [2001:470:b❌y:z:bf56:90bb]:47662 [2607:f8b0:400a:801::2008]:443 TCP:FA
    Oct 26 10:40:03 LAN [2001:470:b❌y:z:bf56:90bb]:47662 [2607:f8b0:400a:801::2008]:443 TCP:PA

    Here are some consecutive messages from a wired pc to amazonaws.com:

    Oct 26 11:00:53 LAN 10.1.1.212:63434 54.164.239.10:443 TCP:FA
    Oct 26 11:00:48 LAN 10.1.1.212:63434 54.164.239.10:443 TCP:FA
    Oct 26 11:00:46 LAN 10.1.1.212:63434 54.164.239.10:443 TCP:FA
    Oct 26 11:00:45 LAN 10.1.1.212:63434 54.164.239.10:443 TCP:FA
    Oct 26 11:00:44 LAN 10.1.1.212:63434 54.164.239.10:443 TCP:FA

    There are many other similar log entries. I'm not going to second guess why the android device sent something 6 times in three seconds or why the pc sent something 5 times in 9 seconds. Maybe in both cases, the transmissions are erroneous, but even if they are, what can be done about them? SFA. Since that's the case, I guess I don't see the point of blocking or logging the messages. I tried to modify the default LAN allow rules, but unfortunately, since these messages are being blocked by the default deny rules, there's no way to either change the behavior without completely disabling the rules, because they fire first.


  • LAYER 8 Global Moderator

    The default deny does not fire first..

    If there is no state for this traffic then none of the allow rules would allow it since its NOT syn to open a conversation.

    No sate then blocked.  Unless your starting a conversation with SYN.. and the port your going to with this SYN is allowed.

    All of those packets are FIN.. ie your private IP is done with the conversation..

    TCP will retans if doesn't get answer.. So if I want to close and I send you Fin,ACK proper close is send Fin back.. If he doesn't see the fin back he will try and send again..  Hey buddy I am done talking to you, are you done too..  Normally what would happen is if he doesn't get answer back from his fin, he would send a RST saying hey not sure if you got my fin.. But I am DONE talking to you..

    Why a state is missing in your firewall no idea?  Do you have pfsense reset states on loss of gateway?  This might be the default behavior?  So if your wan goes down, pfsense can reset all the states.  If that happens and you had a client that was having a conversation - he doesn't know that and just keeps trying to talk, etc.  Which those would be logged as blocked.

    You could try sniffing all the conversations from one of your phones.  And then match those up to your log entries to when you see out of state, etc.  Or you could just not log it and don't worry about it until some complains that something is not working.  I don't log that stuff, I just log blocked SYN packets.


Log in to reply