Firewall Implicit deny rule not working - manual block rule added



  • Hey Guys,

    I'm having a big problem. All the implicit deny rules are not working. I only found this when I looked at the logs and I had a crazy amount of SSH brute-force attacks.
    To stop this I had to create a rule on the WANs, at the end of the list, to deny all traffic; after that it is fixed.

    I'm running the latest version, 2.3.2-RELEASE-p1, in an active-standby scenario.

    Any idea what could be causing this? We have other setups that don't share the same problem but they have the same kind of configuration.

    Thanks


  • Rebel Alliance Global Moderator

    dude post up your rules!!



  • Any idea what could be causing this?

    I guarantee you it's either a problem, error or glitch.



  • @johnpoz:

    dude post up your rules!!

    The problem affects all WANs, and for example in this one, there are no RULES!

    If I remove the deny all rule I'm able to SSH from the internet and access the webpanel, etc…

    @KOM:

    Any idea what could be causing this?

    I guarantee you it's either a problem, error or glitch.

    That helps!
    -.-


  • Banned

    What on earth is that interface dropdown? How many interfaces do you have on that box? And you're sure ALL of them have SSH access NOT allowed?



  • 13 LANs
    4 WANs

    In all 4 WANs there are no rules for SSH access.
    We have additional IP ranges and we are using them for CARP; the behaviour is different for each one.
    The default block rule is supposed to block all the traffic on the interface or only to the interface IP address?
    I'm sure the objective is to block all….


  • Rebel Alliance Global Moderator

    You have anything in your floating?

    You sure you're not accessing your WAN IP from the LAN side?



  • The default block rule is supposed to block all the traffic on the interface or only to the interface IP address?

    Of course. I've seen cases where a corrupt ruleset will fail to load so you end up with nothing, but that is not the case here.



  • @johnpoz:

    You have anything in your floating?

    You sure you're not accessing your WAN IP from the LAN side?

    We do have a couple of floating rules, only for internal traffic to outside, none of them are applied to any WAN.
    In one of the WAN interfaces, 03, I have a normal setup: a /29 given by the ISP, one IP in each fw + VIP. No rules in the WAN; if I remove my deny all rule I can SSH into the firewall, nothing in the logs…

    I'm using my phone with 3G for testing, when I do hit the block all rule I can see my external IP in the logs.

    @KOM:

    The default block rule is supposed to block all the traffic on the interface or only to the interface IP address?

    Of course. I've seen cases where a corrupt ruleset will fail to load so you end up with nothing, but that is not the case here.

    Yup, not the case. Every other rule is working.


  • Rebel Alliance Global Moderator



  • @johnpoz:

    post up your full rule set then…

    https://doc.pfsense.org/index.php/How_can_I_see_the_full_PF_ruleset

    That's a lot of sensitive information…

    This is the beginning:

    scrub from any to <vpn_networks> max-mss 1300 fragment reassemble
    scrub from <vpn_networks> to any max-mss 1300 fragment reassemble
    scrub on lagg1_vlan9 all fragment reassemble
    scrub on lagg0 all fragment reassemble
    scrub on lagg1_vlan14 all fragment reassemble
    scrub on lagg1_vlan12 all fragment reassemble
    scrub on lagg1_vlan10 all fragment reassemble
    scrub on lagg0_vlan222 all fragment reassemble
    scrub on lagg0_vlan3 all fragment reassemble
    scrub on lagg0_vlan4 all fragment reassemble
    scrub on lagg0_vlan5 all fragment reassemble
    scrub on lagg0_vlan30 all fragment reassemble
    scrub on lagg0_vlan40 all fragment reassemble
    scrub on lagg0_vlan42 all fragment reassemble
    scrub on lagg0_vlan50 all fragment reassemble
    scrub on lagg0_vlan51 all fragment reassemble
    scrub on lagg0_vlan60 all fragment reassemble
    scrub on lagg0_vlan90 all fragment reassemble
    scrub on lagg0_vlan110 all fragment reassemble
    scrub on lagg0_vlan200 all fragment reassemble
    scrub on ovpnc1 all fragment reassemble
    scrub on ovpnc2 all fragment reassemble
    scrub on ovpnc3 all fragment reassemble
    scrub on ovpnc4 all fragment reassemble
    anchor "relayd/*" all
    anchor "openvpn/*" all
    anchor "ipsec/*" all
    pass in quick on lo0 inet6 all flags S/SA keep state label "pass IPv6 loopback"
    pass out quick on lo0 inet6 all flags S/SA keep state label "pass IPv6 loopback"
    block drop in log quick inet6 all label "Block all IPv6"
    block drop out log quick inet6 all label "Block all IPv6"
    block drop in log quick inet from 169.254.0.0/16 to any label "Block IPv4 link-local"
    block drop in log quick inet from any to 169.254.0.0/16 label "Block IPv4 link-local"
    block drop in log inet all label "Default deny rule IPv4"
    block drop out log inet all label "Default deny rule IPv4"
    block drop in log inet6 all label "Default deny rule IPv6"
    block drop out log inet6 all label "Default deny rule IPv6"
    pass quick inet6 proto ipv6-icmp all icmp6-type unreach keep state
    pass quick inet6 proto ipv6-icmp all icmp6-type toobig keep state
    pass quick inet6 proto ipv6-icmp all icmp6-type neighbrsol keep state
    pass quick inet6 proto ipv6-icmp all icmp6-type neighbradv keep state
    pass out quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type echorep keep state
    pass out quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type routersol keep state
    pass out quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type routeradv keep state
    pass out quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type neighbrsol keep state
    pass out quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type neighbradv keep state
    pass out quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type echorep keep state
    pass out quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type routersol keep state
    pass out quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type routeradv keep state
    pass out quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type neighbrsol keep state
    pass out quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type neighbradv keep state
    pass in quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type echoreq keep state
    pass in quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type routersol keep state
    pass in quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type routeradv keep state
    pass in quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type neighbrsol keep state
    pass in quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type neighbradv keep state
    pass in quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type echoreq keep state
    pass in quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type routersol keep state
    pass in quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type routeradv keep state
    pass in quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type neighbrsol keep state
    pass in quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type neighbradv keep state
    pass in quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type echoreq keep state
    pass in quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type routersol keep state
    pass in quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type routeradv keep state
    pass in quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type neighbrsol keep state
    pass in quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type neighbradv keep state
    block drop log quick inet proto tcp from any port = 0 to any label "Block traffic from port 0"
    block drop log quick inet proto udp from any port = 0 to any label "Block traffic from port 0"
    block drop log quick inet proto tcp from any to any port = 0 label "Block traffic to port 0"
    block drop log quick inet proto udp from any to any port = 0 label "Block traffic to port 0"
    block drop log quick inet6 proto tcp from any port = 0 to any label "Block traffic from port 0"
    block drop log quick inet6 proto udp from any port = 0 to any label "Block traffic from port 0"
    block drop log quick inet6 proto tcp from any to any port = 0 label "Block traffic to port 0"
    block drop log quick inet6 proto udp from any to any port = 0 label "Block traffic to port 0"
    block drop log quick from <snort2c> to any label "Block snort2c hosts"
    block drop log quick from any to <snort2c> label "Block snort2c hosts"
    block drop in log quick proto carp from (self) to any
    pass quick proto carp all no state

  • Rebel Alliance Global Moderator

    Well just obfuscate any of your public IPs listed in the rules. Search and replace and change to something that is not actually your IP.



  • Here it is:

    [2.3.2-RELEASE][root@fw1.office]/root: pfctl -sr
    scrub from any to <vpn_networks> max-mss 1300 fragment reassemble
    scrub from <vpn_networks> to any max-mss 1300 fragment reassemble
    scrub on lagg1_vlan9 all fragment reassemble
    scrub on lagg0 all fragment reassemble
    scrub on lagg1_vlan14 all fragment reassemble
    scrub on lagg1_vlan12 all fragment reassemble
    scrub on lagg1_vlan10 all fragment reassemble
    scrub on lagg0_vlan222 all fragment reassemble
    scrub on lagg0_vlan3 all fragment reassemble
    scrub on lagg0_vlan4 all fragment reassemble
    scrub on lagg0_vlan5 all fragment reassemble
    scrub on lagg0_vlan30 all fragment reassemble
    scrub on lagg0_vlan40 all fragment reassemble
    scrub on lagg0_vlan42 all fragment reassemble
    scrub on lagg0_vlan50 all fragment reassemble
    scrub on lagg0_vlan51 all fragment reassemble
    scrub on lagg0_vlan60 all fragment reassemble
    scrub on lagg0_vlan90 all fragment reassemble
    scrub on lagg0_vlan110 all fragment reassemble
    scrub on lagg0_vlan200 all fragment reassemble
    scrub on ovpnc1 all fragment reassemble
    scrub on ovpnc2 all fragment reassemble
    scrub on ovpnc3 all fragment reassemble
    scrub on ovpnc4 all fragment reassemble
    anchor "relayd/*" all
    anchor "openvpn/*" all
    anchor "ipsec/*" all
    pass in quick on lo0 inet6 all flags S/SA keep state label "pass IPv6 loopback"
    pass out quick on lo0 inet6 all flags S/SA keep state label "pass IPv6 loopback"
    block drop in log quick inet6 all label "Block all IPv6"
    block drop out log quick inet6 all label "Block all IPv6"
    block drop in log quick inet from 169.254.0.0/16 to any label "Block IPv4 link-local"
    block drop in log quick inet from any to 169.254.0.0/16 label "Block IPv4 link-local"
    block drop in log inet all label "Default deny rule IPv4"
    block drop out log inet all label "Default deny rule IPv4"
    block drop in log inet6 all label "Default deny rule IPv6"
    block drop out log inet6 all label "Default deny rule IPv6"
    pass quick inet6 proto ipv6-icmp all icmp6-type unreach keep state
    pass quick inet6 proto ipv6-icmp all icmp6-type toobig keep state
    pass quick inet6 proto ipv6-icmp all icmp6-type neighbrsol keep state
    pass quick inet6 proto ipv6-icmp all icmp6-type neighbradv keep state
    pass out quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type echorep keep state
    pass out quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type routersol keep state
    pass out quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type routeradv keep state
    pass out quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type neighbrsol keep state
    pass out quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type neighbradv keep state
    pass out quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type echorep keep state
    pass out quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type routersol keep state
    pass out quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type routeradv keep state
    pass out quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type neighbrsol keep state
    pass out quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type neighbradv keep state
    pass in quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type echoreq keep state
    pass in quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type routersol keep state
    pass in quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type routeradv keep state
    pass in quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type neighbrsol keep state
    pass in quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type neighbradv keep state
    pass in quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type echoreq keep state
    pass in quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type routersol keep state
    pass in quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type routeradv keep state
    pass in quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type neighbrsol keep state
    pass in quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type neighbradv keep state
    pass in quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type echoreq keep state
    pass in quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type routersol keep state
    pass in quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type routeradv keep state
    pass in quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type neighbrsol keep state
    pass in quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type neighbradv keep state
    block drop log quick inet proto tcp from any port = 0 to any label "Block traffic from port 0"
    block drop log quick inet proto udp from any port = 0 to any label "Block traffic from port 0"
    block drop log quick inet proto tcp from any to any port = 0 label "Block traffic to port 0"
    block drop log quick inet proto udp from any to any port = 0 label "Block traffic to port 0"
    block drop log quick inet6 proto tcp from any port = 0 to any label "Block traffic from port 0"
    block drop log quick inet6 proto udp from any port = 0 to any label "Block traffic from port 0"
    block drop log quick inet6 proto tcp from any to any port = 0 label "Block traffic to port 0"
    block drop log quick inet6 proto udp from any to any port = 0 label "Block traffic to port 0"
    block drop log quick from <snort2c> to any label "Block snort2c hosts"
    block drop log quick from any to <snort2c> label "Block snort2c hosts"
    block drop in log quick proto carp from (self) to any
    pass quick proto carp all no state
    block drop in log quick proto tcp from <sshlockout> to (self) port = 4711 label "sshlockout"
    block drop in log quick proto tcp from <webconfiguratorlockout> to (self) port = https label "webConfiguratorlockout"
    block drop in log quick from <virusprot> to any label "virusprot overload table"
    block drop in quick on lagg1_vlan9 from <bogons> to any label "block bogon IPv4 networks from WAN_01_NET_1GB"
    block drop in log on ! lagg1_vlan9 inet from X.X.1.136/29 to any
    block drop in log on ! lagg1_vlan9 inet from X.X.2.0/27 to any
    block drop in log inet from <__automatic_71682137_0> to any
    block drop in log on lagg1_vlan9 inet6 from fe80::6e3b:e5ff:fe51:90d0 to any
    block drop in quick on lagg1_vlan9 inet from 10.0.0.0/8 to any label "Block private networks from WAN_01_NET_1GB block 10/8"
    block drop in quick on lagg1_vlan9 inet from 127.0.0.0/8 to any label "Block private networks from WAN_01_NET_1GB block 127/8"
    block drop in quick on lagg1_vlan9 inet from 172.16.0.0/12 to any label "Block private networks from WAN_01_NET_1GB block 172.16/12"
    block drop in quick on lagg1_vlan9 inet from 192.168.0.0/16 to any label "Block private networks from WAN_01_NET_1GB block 192.168/16"
    block drop in quick on lagg1_vlan9 inet6 from fc00::/7 to any label "Block ULA networks from WAN_01_NET_1GB block fc00::/7"
    block drop in log on ! lagg0 inet from 10.100.0.0/16 to any
    block drop in log inet from 10.100.0.2 to any
    block drop in log on lagg0 inet6 from fe80::6a05:caff:fe20:f410 to any
    pass quick on lagg0 inet6 proto udp from fe80::/10 to fe80::/10 port = dhcpv6-client keep state label "allow access to DHCPv6 server"
    pass quick on lagg0 inet6 proto udp from fe80::/10 to ff02::/16 port = dhcpv6-client keep state label "allow access to DHCPv6 server"
    pass quick on lagg0 inet6 proto udp from fe80::/10 to ff02::/16 port = dhcpv6-server keep state label "allow access to DHCPv6 server"
    pass quick on lagg0 inet6 proto udp from ff02::/16 to fe80::/10 port = dhcpv6-server keep state label "allow access to DHCPv6 server"
    block drop in quick on lagg1_vlan14 from <bogons> to any label "block bogon IPv4 networks from WAN_02_NET_100MB"
    block drop in log on ! lagg1_vlan14 inet from Z.Z.1.48/29 to any
    block drop in log on ! lagg1_vlan14 inet from Z.Z.2.184/29 to any
    block drop in log inet from Z.Z.1.49 to any
    block drop in log inet from Z.Z.2.190 to any
    block drop in log on lagg1_vlan14 inet6 from fe80::6e3b:e5ff:fe51:90d0 to any
    block drop in quick on lagg1_vlan14 inet from 10.0.0.0/8 to any label "Block private networks from WAN_02_NET_100MB block 10/8"
    block drop in quick on lagg1_vlan14 inet from 127.0.0.0/8 to any label "Block private networks from WAN_02_NET_100MB block 127/8"
    block drop in quick on lagg1_vlan14 inet from 172.16.0.0/12 to any label "Block private networks from WAN_02_NET_100MB block 172.16/12"
    block drop in quick on lagg1_vlan14 inet from 192.168.0.0/16 to any label "Block private networks from WAN_02_NET_100MB block 192.168/16"
    block drop in quick on lagg1_vlan14 inet6 from fc00::/7 to any label "Block ULA networks from WAN_02_NET_100MB block fc00::/7"
    block drop in quick on lagg1_vlan12 from <bogons> to any label "block bogon IPv4 networks from WAN_03_NET_100MB"
    block drop in log on ! lagg1_vlan12 inet from Y.Y.Y.32/27 to any
    block drop in log inet from Y.Y.Y.53 to any
    block drop in log inet from Y.Y.Y.50 to any
    block drop in log on lagg1_vlan12 inet6 from fe80::6e3b:e5ff:fe51:90d0 to any
    block drop in quick on lagg1_vlan12 inet from 10.0.0.0/8 to any label "Block private networks from WAN_03_NET_100MB block 10/8"
    block drop in quick on lagg1_vlan12 inet from 127.0.0.0/8 to any label "Block private networks from WAN_03_NET_100MB block 127/8"
    block drop in quick on lagg1_vlan12 inet from 172.16.0.0/12 to any label "Block private networks from WAN_03_NET_100MB block 172.16/12"
    block drop in quick on lagg1_vlan12 inet from 192.168.0.0/16 to any label "Block private networks from WAN_03_NET_100MB block 192.16..."
    block drop in quick on lagg1_vlan12 inet6 from fc00::/7 to any label "Block ULA networks from WAN_03_NET_100MB block fc00::/7"
    block drop in log on ! lagg1_vlan10 inet from 192.168.178.0/24 to any
    block drop in log inet from 192.168.178.24 to any
    block drop in log on lagg1_vlan10 inet6 from fe80::6e3b:e5ff:fe51:90d0 to any
    pass in on lagg1_vlan10 proto udp from any port = bootps to any port = bootpc keep state label "allow dhcp client out WAN_04_ADSL"
    pass out on lagg1_vlan10 proto udp from any port = bootpc to any port = bootps keep state label "allow dhcp client out WAN_04_ADSL"
    block drop in log on ! lagg0_vlan222 inet from 10.222.0.0/24 to any
    block drop in log inet from 10.222.0.2 to any
    block drop in log on lagg0_vlan222 inet6 from fe80::6a05:caff:fe20:f410 to any
    block drop in log on ! lagg0_vlan3 inet from 10.103.0.0/16 to any
    block drop in log inet from 10.103.0.2 to any
    block drop in log inet from 10.103.0.1 to any
    block drop in log on lagg0_vlan3 inet6 from fe80::6a05:caff:fe20:f410 to any
    pass in quick on lagg0_vlan3 inet proto udp from any port = bootpc to 255.255.255.255 port = bootps keep state label "allow access to DHCP server"
    pass in quick on lagg0_vlan3 inet proto udp from any port = bootpc to 10.103.0.2 port = bootps keep state label "allow access to DHCP server"
    pass out quick on lagg0_vlan3 inet proto udp from 10.103.0.2 port = bootps to any port = bootpc keep state label "allow access to DHCP server"
    pass in quick on lagg0_vlan3 inet proto tcp from 10.103.0.3 to 10.103.0.2 port = utime flags S/SA keep state label "allow access to DHCP failover"
    pass in quick on lagg0_vlan3 inet proto udp from 10.103.0.3 to 10.103.0.2 port = utime keep state label "allow access to DHCP failover"
    pass in quick on lagg0_vlan3 inet proto tcp from 10.103.0.3 to 10.103.0.2 port = efs flags S/SA keep state label "allow access to DHCP failover"
    pass in quick on lagg0_vlan3 inet proto udp from 10.103.0.3 to 10.103.0.2 port = router keep state label "allow access to DHCP failover"
    block drop in log on ! lagg0_vlan4 inet from 10.104.0.0/16 to any
    block drop in log inet from 10.104.0.2 to any
    block drop in log inet from 10.104.0.1 to any
    block drop in log on lagg0_vlan4 inet6 from fe80::6a05:caff:fe20:f410 to any
    pass in quick on lagg0_vlan4 inet proto udp from any port = bootpc to 255.255.255.255 port = bootps keep state label "allow access to DHCP server"
    pass in quick on lagg0_vlan4 inet proto udp from any port = bootpc to 10.104.0.2 port = bootps keep state label "allow access to DHCP server"
    pass out quick on lagg0_vlan4 inet proto udp from 10.104.0.2 port = bootps to any port = bootpc keep state label "allow access to DHCP server"
    pass in quick on lagg0_vlan4 inet proto tcp from 10.104.0.3 to 10.104.0.2 port = utime flags S/SA keep state label "allow access to DHCP failover"
    pass in quick on lagg0_vlan4 inet proto udp from 10.104.0.3 to 10.104.0.2 port = utime keep state label "allow access to DHCP failover"
    pass in quick on lagg0_vlan4 inet proto tcp from 10.104.0.3 to 10.104.0.2 port = efs flags S/SA keep state label "allow access to DHCP failover"
    pass in quick on lagg0_vlan4 inet proto udp from 10.104.0.3 to 10.104.0.2 port = router keep state label "allow access to DHCP failover"
    block drop in log on ! lagg0_vlan5 inet from 10.10.0.0/16 to any
    block drop in log inet from 10.10.0.2 to any
    block drop in log inet from 10.10.0.1 to any
    block drop in log on lagg0_vlan5 inet6 from fe80::6a05:caff:fe20:f410 to any
    pass in quick on lagg0_vlan5 inet proto udp from any port = bootpc to 255.255.255.255 port = bootps keep state label "allow access to DHCP server"
    pass in quick on lagg0_vlan5 inet proto udp from any port = bootpc to 10.10.0.2 port = bootps keep state label "allow access to DHCP server"
    pass out quick on lagg0_vlan5 inet proto udp from 10.10.0.2 port = bootps to any port = bootpc keep state label "allow access to DHCP server"
    block drop in log on ! lagg0_vlan30 inet from 10.30.0.0/16 to any
    block drop in log inet from 10.30.0.2 to any
    block drop in log inet from 10.30.0.1 to any
    block drop in log on lagg0_vlan30 inet6 from fe80::6a05:caff:fe20:f410 to any
    pass in quick on lagg0_vlan30 inet proto udp from any port = bootpc to 255.255.255.255 port = bootps keep state label "allow access to DHCP server"
    pass in quick on lagg0_vlan30 inet proto udp from any port = bootpc to 10.30.0.2 port = bootps keep state label "allow access to DHCP server"
    pass out quick on lagg0_vlan30 inet proto udp from 10.30.0.2 port = bootps to any port = bootpc keep state label "allow access to DHCP server"
    pass in quick on lagg0_vlan30 inet proto tcp from 10.30.0.3 to 10.30.0.2 port = utime flags S/SA keep state label "allow access to DHCP failover"
    pass in quick on lagg0_vlan30 inet proto udp from 10.30.0.3 to 10.30.0.2 port = utime keep state label "allow access to DHCP failover"
    pass in quick on lagg0_vlan30 inet proto tcp from 10.30.0.3 to 10.30.0.2 port = efs flags S/SA keep state label "allow access to DHCP failover"
    pass in quick on lagg0_vlan30 inet proto udp from 10.30.0.3 to 10.30.0.2 port = router keep state label "allow access to DHCP failover"
    block drop in log on ! lagg0_vlan40 inet from 10.40.0.0/16 to any
    block drop in log inet from 10.40.0.2 to any
    block drop in log inet from 10.40.0.1 to any
    block drop in log on lagg0_vlan40 inet6 from fe80::6a05:caff:fe20:f410 to any
    block drop in log on ! lagg0_vlan42 inet from 10.42.0.0/16 to any
    block drop in log inet from 10.42.0.2 to any
    block drop in log inet from 10.42.0.1 to any
    block drop in log on lagg0_vlan42 inet6 from fe80::6a05:caff:fe20:f410 to any
    block drop in log on ! lagg0_vlan50 inet from 10.50.0.0/16 to any
    block drop in log inet from 10.50.0.2 to any
    block drop in log inet from 10.50.0.1 to any
    block drop in log on lagg0_vlan50 inet6 from fe80::6a05:caff:fe20:f410 to any
    block drop in log on ! lagg0_vlan51 inet from 10.51.0.0/16 to any
    block drop in log inet from 10.51.0.2 to any
    block drop in log inet from 10.51.0.1 to any
    block drop in log on lagg0_vlan51 inet6 from fe80::6a05:caff:fe20:f410 to any
    block drop in log on ! lagg0_vlan60 inet from 10.60.0.0/16 to any
    block drop in log inet from 10.60.0.2 to any
    block drop in log inet from 10.60.0.1 to any
    block drop in log on lagg0_vlan60 inet6 from fe80::6a05:caff:fe20:f410 to any
    pass in quick on lagg0_vlan60 inet proto udp from any port = bootpc to 255.255.255.255 port = bootps keep state label "allow access to DHCP server"
    pass in quick on lagg0_vlan60 inet proto udp from any port = bootpc to 10.60.0.2 port = bootps keep state label "allow access to DHCP server"
    pass out quick on lagg0_vlan60 inet proto udp from 10.60.0.2 port = bootps to any port = bootpc keep state label "allow access to DHCP server"
    pass in quick on lagg0_vlan60 inet proto tcp from 10.60.0.3 to 10.60.0.2 port = utime flags S/SA keep state label "allow access to DHCP failover"
    pass in quick on lagg0_vlan60 inet proto udp from 10.60.0.3 to 10.60.0.2 port = utime keep state label "allow access to DHCP failover"
    pass in quick on lagg0_vlan60 inet proto tcp from 10.60.0.3 to 10.60.0.2 port = efs flags S/SA keep state label "allow access to DHCP failover"
    pass in quick on lagg0_vlan60 inet proto udp from 10.60.0.3 to 10.60.0.2 port = router keep state label "allow access to DHCP failover"
    block drop in log on ! lagg0_vlan90 inet from 10.90.0.0/16 to any
    block drop in log inet from 10.90.0.2 to any
    block drop in log inet from 10.90.0.1 to any
    block drop in log on lagg0_vlan90 inet6 from fe80::6a05:caff:fe20:f410 to any
    pass in quick on lagg0_vlan90 inet proto udp from any port = bootpc to 255.255.255.255 port = bootps keep state label "allow access to DHCP server"
    pass in quick on lagg0_vlan90 inet proto udp from any port = bootpc to 10.90.0.2 port = bootps keep state label "allow access to DHCP server"
    pass out quick on lagg0_vlan90 inet proto udp from 10.90.0.2 port = bootps to any port = bootpc keep state label "allow access to DHCP server"
    pass in quick on lagg0_vlan90 inet proto tcp from 10.90.0.3 to 10.90.0.2 port = utime flags S/SA keep state label "allow access to DHCP failover"
    pass in quick on lagg0_vlan90 inet proto udp from 10.90.0.3 to 10.90.0.2 port = utime keep state label "allow access to DHCP failover"
    pass in quick on lagg0_vlan90 inet proto tcp from 10.90.0.3 to 10.90.0.2 port = efs flags S/SA keep state label "allow access to DHCP failover"
    pass in quick on lagg0_vlan90 inet proto udp from 10.90.0.3 to 10.90.0.2 port = router keep state label "allow access to DHCP failover"
    block drop in log on ! lagg0_vlan110 inet from 10.110.0.0/16 to any
    block drop in log inet from 10.110.0.2 to any
    block drop in log inet from 10.110.0.1 to any
    block drop in log on lagg0_vlan110 inet6 from fe80::6a05:caff:fe20:f410 to any
    pass in quick on lagg0_vlan110 inet proto udp from any port = bootpc to 255.255.255.255 port = bootps keep state label "allow access to DHCP server"
    pass in quick on lagg0_vlan110 inet proto udp from any port = bootpc to 10.110.0.2 port = bootps keep state label "allow access to DHCP server"
    pass out quick on lagg0_vlan110 inet proto udp from 10.110.0.2 port = bootps to any port = bootpc keep state label "allow access to DHCP server"
    pass in quick on lagg0_vlan110 inet proto tcp from 10.110.0.3 to 10.110.0.2 port = utime flags S/SA keep state label "allow access to DHCP failover"
    pass in quick on lagg0_vlan110 inet proto udp from 10.110.0.3 to 10.110.0.2 port = utime keep state label "allow access to DHCP failover"
    pass in quick on lagg0_vlan110 inet proto tcp from 10.110.0.3 to 10.110.0.2 port = efs flags S/SA keep state label "allow access to DHCP failover"
    pass in quick on lagg0_vlan110 inet proto udp from 10.110.0.3 to 10.110.0.2 port = router keep state label "allow access to DHCP failover"
    block drop in log on ! lagg0_vlan200 inet from 10.200.0.0/16 to any
    block drop in log inet from 10.200.0.2 to any
    block drop in log on lagg0_vlan200 inet6 from fe80::6a05:caff:fe20:f410 to any
    block drop in quick on ovpnc1 from <bogons> to any label "block bogon IPv4 networks from VPN_CITY1"
    block drop in log on ! ovpnc1 inet from 10.8.4.62 to any
    block drop in log inet from 10.8.4.62 to any
    block drop in log on ovpnc1 inet6 from fe80::6a05:caff:fe20:f410 to any
    block drop in quick on ovpnc2 from <bogons> to any label "block bogon IPv4 networks from VPN_CITY2"
    block drop in log on ! ovpnc2 inet from 10.8.2.134 to any
    block drop in log inet from 10.8.2.134 to any
    block drop in log on ovpnc2 inet6 from fe80::6a05:caff:fe20:f410 to any
    block drop in quick on ovpnc3 from <bogons> to any label "block bogon IPv4 networks from VPN_NET_01"
    block drop in log on ! ovpnc3 inet from 10.8.4.10 to any
    block drop in log inet from 10.8.4.10 to any
    block drop in log on ovpnc3 inet6 from fe80::6a05:caff:fe20:f410 to any
    block drop in quick on ovpnc4 from <bogons> to any label "block bogon IPv4 networks from VPN_NET_02"
    block drop in log on ! ovpnc4 inet from 10.8.3.6 to any
    block drop in log inet from 10.8.3.6 to any
    block drop in log on ovpnc4 inet6 from fe80::6a05:caff:fe20:f410 to any
    pass in on lo0 inet all flags S/SA keep state label "pass IPv4 loopback"
    pass out on lo0 inet all flags S/SA keep state label "pass IPv4 loopback"
    pass in on lo0 inet6 all flags S/SA keep state label "pass IPv6 loopback"
    pass out on lo0 inet6 all flags S/SA keep state label "pass IPv6 loopback"
    pass out inet all flags S/SA keep state allow-opts label "let out anything IPv4 from firewall host itself"
    pass out inet6 all flags S/SA keep state allow-opts label "let out anything IPv6 from firewall host itself"
    pass out route-to (lagg1_vlan9 X.X.1.137) inet from X.X.1.139 to ! X.X.1.136/29 flags S/SA keep state allow-opts label "let out anything from firewall host itself"
    pass out route-to (lagg1_vlan9 X.X.1.137) inet from X.X.2.8 to ! X.X.2.0/27 flags S/SA keep state allow-opts label "let out anything from firewall host itself"
    pass out route-to (lagg1_vlan9 X.X.1.137) inet from X.X.2.10 to ! X.X.2.0/27 flags S/SA keep state allow-opts label "let out anything from firewall host itself"
    pass out route-to (lagg1_vlan9 X.X.1.137) inet from X.X.2.11 to ! X.X.2.0/27 flags S/SA keep state allow-opts label "let out anything from firewall host itself"
    pass out route-to (lagg1_vlan9 X.X.1.137) inet from X.X.2.12 to ! X.X.2.0/27 flags S/SA keep state allow-opts label "let out anything from firewall host itself"
    pass out route-to (lagg1_vlan9 X.X.1.137) inet from X.X.2.13 to ! X.X.2.0/27 flags S/SA keep state allow-opts label "let out anything from firewall host itself"
    pass out route-to (lagg1_vlan9 X.X.1.137) inet from X.X.2.14 to ! X.X.2.0/27 flags S/SA keep state allow-opts label "let out anything from firewall host itself"
    pass out route-to (lagg1_vlan9 X.X.1.137) inet from X.X.1.138 to ! X.X.1.136/29 flags S/SA keep state allow-opts label "let out anything from firewall host itself"
    pass out route-to (lagg1_vlan14 Z.Z.2.189) inet from Z.Z.1.49 to ! Z.Z.1.48/29 flags S/SA keep state allow-opts label "let out anything from firewall host itself"
    pass out route-to (lagg1_vlan14 Z.Z.2.189) inet from Z.Z.2.190 to ! Z.Z.2.184/29 flags S/SA keep state allow-opts label "let out anything from firewall host itself"
    pass out route-to (lagg1_vlan12 Y.Y.Y.49) inet from Y.Y.Y.53 to ! Y.Y.Y.32/27 flags S/SA keep state allow-opts label "let out anything from firewall host itself"
    pass out route-to (lagg1_vlan12 Y.Y.Y.49) inet from Y.Y.Y.50 to ! Y.Y.Y.32/27 flags S/SA keep state allow-opts label "let out anything from firewall host itself"
    pass out route-to (lagg1_vlan10 192.168.178.1) inet from 192.168.178.24 to ! 192.168.178.0/24 flags S/SA keep state allow-opts label "let out anything from firewall host itself"
    pass out route-to (ovpnc1 10.8.4.61) inet from 10.8.4.62 to ! 10.8.4.62 flags S/SA keep state allow-opts label "let out anything from firewall host itself"
    pass out route-to (ovpnc2 10.8.2.133) inet from 10.8.2.134 to ! 10.8.2.134 flags S/SA keep state allow-opts label "let out anything from firewall host itself"
    pass out route-to (ovpnc3 10.8.4.9) inet from 10.8.4.10 to ! 10.8.4.10 flags S/SA keep state allow-opts label "let out anything from firewall host itself"
    pass out route-to (ovpnc4 10.8.3.5) inet from 10.8.3.6 to ! 10.8.3.6 flags S/SA keep state allow-opts label "let out anything from firewall host itself"
    pass out on enc0 all flags S/SA keep state label "IPsec internal host to host"
    anchor "userrules/*" all
    pass in on lagg0_vlan3 route-to (lagg1_vlan12 Y.Y.Y.49) inet proto tcp from any to <blizznet> flags S/SA keep state label "USER_RULE: BlizzNet though blank Line"
    pass in on lagg0_vlan3 route-to (lagg1_vlan12 Y.Y.Y.49) inet proto udp from any to <blizznet> keep state label "USER_RULE: BlizzNet though blank Line"
    pass in on lagg0_vlan4 route-to (lagg1_vlan12 Y.Y.Y.49) inet proto tcp from any to <blizznet> flags S/SA keep state label "USER_RULE: BlizzNet though blank Line"
    pass in on lagg0_vlan4 route-to (lagg1_vlan12 Y.Y.Y.49) inet proto udp from any to <blizznet> keep state label "USER_RULE: BlizzNet though blank Line"
    pass in route-to (lagg1_vlan12 Y.Y.Y.49) inet proto tcp from any to <lolnet> flags S/SA keep state label "USER_RULE: LoLNet though blank Line"
    pass in route-to (lagg1_vlan12 Y.Y.Y.49) inet proto udp from any to <lolnet> keep state label "USER_RULE: LoLNet though blank Line"
    pass in route-to (lagg1_vlan12 Y.Y.Y.49) inet proto tcp from any to <valvenet> flags S/SA keep state label "USER_RULE: ValveNet though blank Line"
    pass in route-to (lagg1_vlan12 Y.Y.Y.49) inet proto udp from any to <valvenet> keep state label "USER_RULE: ValveNet though blank Line"
    pass in route-to (lagg1_vlan12 Y.Y.Y.49) inet proto tcp from any to <wotnet> flags S/SA keep state label "USER_RULE: WotNet though blank Line"
    pass in route-to (lagg1_vlan12 Y.Y.Y.49) inet proto udp from any to <wotnet> keep state label "USER_RULE: WotNet though blank Line"
    pass in quick on lagg0 inet proto tcp from 10.0.0.0/8 to 10.10.2.12 flags S/SA keep state label "USER_RULE: allow any to netmon1"
    pass in quick on lagg0 inet proto udp from 10.0.0.0/8 to 10.10.2.12 keep state label "USER_RULE: allow any to netmon1"
    pass in quick on lagg0_vlan3 inet proto tcp from 10.0.0.0/8 to 10.10.2.12 flags S/SA keep state label "USER_RULE: allow any to netmon1"
    pass in quick on lagg0_vlan3 inet proto udp from 10.0.0.0/8 to 10.10.2.12 keep state label "USER_RULE: allow any to netmon1"
    pass in quick on lagg0_vlan4 inet proto tcp from 10.0.0.0/8 to 10.10.2.12 flags S/SA keep state label "USER_RULE: allow any to netmon1"
    pass in quick on lagg0_vlan4 inet proto udp from 10.0.0.0/8 to 10.10.2.12 keep state label "USER_RULE: allow any to netmon1"
    pass in quick on lagg0_vlan5 inet proto tcp from 10.0.0.0/8 to 10.10.2.12 flags S/SA keep state label "USER_RULE: allow any to netmon1"
    pass in quick on lagg0_vlan5 inet proto udp from 10.0.0.0/8 to 10.10.2.12 keep state label "USER_RULE: allow any to netmon1"
    pass in quick on lagg0_vlan30 inet proto tcp from 10.0.0.0/8 to 10.10.2.12 flags S/SA keep state label "USER_RULE: allow any to netmon1"
    pass in quick on lagg0_vlan30 inet proto udp from 10.0.0.0/8 to 10.10.2.12 keep state label "USER_RULE: allow any to netmon1"
    pass in quick on lagg0_vlan40 inet proto tcp from 10.0.0.0/8 to 10.10.2.12 flags S/SA keep state label "USER_RULE: allow any to netmon1"
    pass in quick on lagg0_vlan40 inet proto udp from 10.0.0.0/8 to 10.10.2.12 keep state label "USER_RULE: allow any to netmon1"
    pass in quick on lagg0_vlan42 inet proto tcp from 10.0.0.0/8 to 10.10.2.12 flags S/SA keep state label "USER_RULE: allow any to netmon1"
    pass in quick on lagg0_vlan42 inet proto udp from 10.0.0.0/8 to 10.10.2.12 keep state label "USER_RULE: allow any to netmon1"
    pass in quick on lagg0_vlan50 inet proto tcp from 10.0.0.0/8 to 10.10.2.12 flags S/SA keep state label "USER_RULE: allow any to netmon1"
    pass in quick on lagg0_vlan50 inet proto udp from 10.0.0.0/8 to 10.10.2.12 keep state label "USER_RULE: allow any to netmon1"
    pass in quick on lagg0_vlan51 inet proto tcp from 10.0.0.0/8 to 10.10.2.12 flags S/SA keep state label "USER_RULE: allow any to netmon1"
    pass in quick on lagg0_vlan51 inet proto udp from 10.0.0.0/8 to 10.10.2.12 keep state label "USER_RULE: allow any to netmon1"
    pass in quick on lagg0_vlan60 inet proto tcp from 10.0.0.0/8 to 10.10.2.12 flags S/SA keep state label "USER_RULE: allow any to netmon1"
    pass in quick on lagg0_vlan60 inet proto udp from 10.0.0.0/8 to 10.10.2.12 keep state label "USER_RULE: allow any to netmon1"
    pass in quick on lagg0_vlan90 inet proto tcp from 10.0.0.0/8 to 10.10.2.12 flags S/SA keep state label "USER_RULE: allow any to netmon1"
    pass in quick on lagg0_vlan90 inet proto udp from 10.0.0.0/8 to 10.10.2.12 keep state label "USER_RULE: allow any to netmon1"
    pass in quick on lagg0_vlan110 inet proto tcp from 10.0.0.0/8 to 10.10.2.12 flags S/SA keep state label "USER_RULE: allow any to netmon1"
    pass in quick on lagg0_vlan110 inet proto udp from 10.0.0.0/8 to 10.10.2.12 keep state label "USER_RULE: allow any to netmon1"
    pass in quick on lagg0_vlan200 inet proto tcp from 10.0.0.0/8 to 10.10.2.12 flags S/SA keep state label "USER_RULE: allow any to netmon1"
    pass in quick on lagg0_vlan200 inet proto udp from 10.0.0.0/8 to 10.10.2.12 keep state label "USER_RULE: allow any to netmon1"
    pass in quick on enc0 inet all flags S/SA keep state label "USER_RULE"
    pass in quick on lagg1_vlan9 reply-to (lagg1_vlan9 X.X.1.137) inet proto tcp from any to <tvftpoffice> port = http flags S/SA keep state label "USER_RULE: NAT tvftpoffice portforward"
    pass in quick on lagg1_vlan9 reply-to (lagg1_vlan9 X.X.1.137) inet proto udp from any to <tvftpoffice> port = http keep state label "USER_RULE: NAT tvftpoffice portforward"
    pass in quick on lagg1_vlan9 reply-to (lagg1_vlan9 X.X.1.137) inet proto tcp from any to <tvftpoffice> port = ftp flags S/SA keep state label "USER_RULE: NAT tvftpoffice portforward"
    pass in quick on lagg1_vlan9 reply-to (lagg1_vlan9 X.X.1.137) inet proto udp from any to <tvftpoffice> port = ftp keep state label "USER_RULE: NAT tvftpoffice portforward"
    pass in quick on lagg1_vlan9 reply-to (lagg1_vlan9 X.X.1.137) inet proto udp from any to <vpn_remote> port = 17018 keep state label "USER_RULE: NAT vpn portforward remote"
    pass in quick on lagg1_vlan9 reply-to (lagg1_vlan9 X.X.1.137) inet proto udp from any to <vpn_remote> port = 10321 keep state label "USER_RULE: NAT vpn portforward cerberus"
    pass in quick on lagg1_vlan9 reply-to (lagg1_vlan9 X.X.1.137) inet proto udp from any to <vpn_remote> port = 13333 keep state label "USER_RULE: NAT vpn portforward external"
    pass in quick on lagg1_vlan9 reply-to (lagg1_vlan9 X.X.1.137) inet proto tcp from any to <vpn_remote> port = https flags S/SA keep state label "USER_RULE: NAT vpn portforward webgui "
    pass in quick on lagg1_vlan9 reply-to (lagg1_vlan9 X.X.1.137) inet proto tcp from any to <vpn_remote> port = http flags S/SA keep state label "USER_RULE: NAT vpn portforward"
    pass in quick on lagg1_vlan9 reply-to (lagg1_vlan9 X.X.1.137) inet proto tcp from any to <mail1office> port = 2525 flags S/SA keep state label "USER_RULE: NAT mail1office portforward"
    pass in quick on lagg1_vlan9 reply-to (lagg1_vlan9 X.X.1.137) inet proto udp from any to <mail1office> port = 2525 keep state label "USER_RULE: NAT mail1office portforward"
    pass in quick on lagg1_vlan9 reply-to (lagg1_vlan9 X.X.1.137) inet proto udp from any to <vpn_remote2> port = 17018 keep state label "USER_RULE: NAT vpn2 portforward remote"
    pass in quick on lagg1_vlan9 reply-to (lagg1_vlan9 X.X.1.137) inet proto udp from any to <vpn_remote2> port = 10321 keep state label "USER_RULE: NAT vpn2 portforward cerberus"
    pass in quick on lagg1_vlan9 reply-to (lagg1_vlan9 X.X.1.137) inet proto udp from any to <vpn_remote2> port = 13333 keep state label "USER_RULE: NAT vpn2 portforward external"
    pass in quick on lagg1_vlan9 reply-to (lagg1_vlan9 X.X.1.137) inet proto tcp from any to <host> port = http flags S/SA keep state label "USER_RULE: NAT host portforward"
    pass in quick on lagg1_vlan9 reply-to (lagg1_vlan9 X.X.1.137) inet proto tcp from any to <host1> port = 8080 flags S/SA keep state label "USER_RULE: NAT host1 portforward "
    pass in quick on lagg1_vlan9 reply-to (lagg1_vlan9 X.X.1.137) inet proto udp from any to <host1> port = 8080 keep state label "USER_RULE: NAT host1 portforward "
    pass in quick on lagg1_vlan9 reply-to (lagg1_vlan9 X.X.1.137) inet proto tcp from any to 10.10.1.107 port = 8700 flags S/SA keep state label "USER_RULE: NAT EasyJob Server"
    pass in quick on lagg1_vlan9 reply-to (lagg1_vlan9 X.X.1.137) inet proto tcp from any to 10.10.1.107 port = 49319 flags S/SA keep state label "USER_RULE: NAT EasyJob Server"
    pass in quick on lagg1_vlan9 reply-to (lagg1_vlan9 X.X.1.137) inet proto udp from any to 10.10.1.107 port = ms-sql-m keep state label "USER_RULE: NAT EasyJob Server"
    pass in quick on lagg1_vlan9 reply-to (lagg1_vlan9 X.X.1.137) inet proto icmp from <dcnetz> to any keep state label "USER_RULE: Allow ICMP DC"
    pass in quick on lagg1_vlan9 reply-to (lagg1_vlan9 X.X.1.137) inet proto icmp from <pingdom_range> to any keep state label "USER_RULE: Allow ICMP Pingdom"
    pass in quick on lagg1_vlan9 reply-to (lagg1_vlan9 X.X.1.137) inet proto tcp from A.A.A.A to 10.10.6.82 port = amqp flags S/SA keep state label "USER_RULE: NAT"
    block drop in quick on lagg1_vlan9 reply-to (lagg1_vlan9 X.X.1.137) inet all label "USER_RULE"
    pass in quick on lagg0 inet from 10.100.0.0/16 to any flags S/SA keep state label "USER_RULE: Default allow LAN to any rule"
    block drop in quick on lagg1_vlan14 reply-to (lagg1_vlan14 Z.Z.2.189) inet all label "USER_RULE"
    block drop in quick on lagg1_vlan12 reply-to (lagg1_vlan12 Y.Y.Y.49) inet all label "USER_RULE"
    pass in quick on lagg0_vlan222 inet from 10.222.0.0/24 to 10.222.0.0/24 flags S/SA keep state label "USER_RULE: CARP Rule"
    pass in quick on lagg0_vlan3 inet from 10.103.0.0/16 to 10.103.0.0/16 flags S/SA keep state label "USER_RULE: allow internal"
    block drop in quick on lagg0_vlan3 inet from 10.103.0.0/23 to <tv_storages> label "USER_RULE: block dhcp range to storage systems"
    pass in quick on lagg0_vlan3 inet from 10.103.0.0/16 to <tv_storages> flags S/SA keep state label "USER_RULE: allow encoders to storage systems "
    pass in quick on lagg0_vlan3 inet from 10.103.254.0/24 to <streamintern> flags S/SA keep state label "USER_RULE: allow encoder to internal Stream Server"
    pass in quick on lagg0_vlan3 inet from <studio5pcs> to <tv_storages> flags S/SA keep state label "USER_RULE: studio5pcs allow tvstorage systems "
    pass in quick on lagg0_vlan3 inet from <studio4pcs> to <tv_storages> flags S/SA keep state label "USER_RULE: studio4pcs allow tvstorage systems "
    pass in quick on lagg0_vlan3 inet from 10.103.0.0/16 to 10.10.1.69 flags S/SA keep state label "USER_RULE: allow access TV NAS "
    block drop in quick on lagg0_vlan3 inet from 10.103.0.0/23 to <filebase_tvbase> label "USER_RULE: block dhcp range to filebase"
    pass in quick on lagg0_vlan3 inet from 10.103.0.0/16 to <filebase_tvbase> flags S/SA keep state label "USER_RULE: allow encoders to filebase"
    pass in quick on lagg0_vlan3 inet proto tcp from 10.103.2.100 to <negate_networks> port = 1935 flags S/SA keep state label "NEGATE_ROUTE: Negate policy routing for destination"
    pass in quick on lagg0_vlan3 route-to (lagg1_vlan14 Z.Z.2.189) inet proto tcp from 10.103.2.100 to any port = 1935 flags S/SA keep state label "USER_RULE: Studio 3 Cleanfeed PC stream traffic blank line "
    pass in quick on lagg0_vlan3 inet proto tcp from <streampcs> to <negate_networks> port = 1935 flags S/SA keep state label "NEGATE_ROUTE: Negate policy routing for destination"
    pass in quick on lagg0_vlan3 route-to (lagg1_vlan14 Z.Z.2.189) inet proto tcp from <streampcs> to any port = 1935 flags S/SA keep state label "USER_RULE: Studio 3 Cleanfeed PC stream traffic blank line "
    block drop in quick on lagg0_vlan3 inet from 10.103.0.0/16 to 10.0.0.0/8 label "USER_RULE: block LAN traffic"
    pass in quick on lagg0_vlan3 inet from 10.103.40.4 to <negate_networks> flags S/SA keep state label "NEGATE_ROUTE: Negate policy routing for destination"
    pass in quick on lagg0_vlan3 route-to (lagg1_vlan9 X.X.1.137) inet from 10.103.40.4 to any flags S/SA keep state label "USER_RULE: allow streamer access to arena - cleanline "
    pass in quick on lagg0_vlan3 inet from 10.103.30.37 to <negate_networks> flags S/SA keep state label "NEGATE_ROUTE: Negate policy routing for destination"
    pass in quick on lagg0_vlan3 route-to (lagg1_vlan9 X.X.1.137) inet from 10.103.30.37 to any flags S/SA keep state label "USER_RULE: allow Studio3-Caster-PC2 access to arena - cleanli"
    pass in quick on lagg0_vlan3 inet from <streamingservers> to <negate_networks> flags S/SA keep state label "NEGATE_ROUTE: Negate policy routing for destination"
    pass in quick on lagg0_vlan3 route-to (lagg1_vlan14 Z.Z.2.189) inet from <streamingservers> to any flags S/SA keep state label "USER_RULE: encoder range to internet"
    pass in quick on lagg0_vlan3 inet from 10.103.0.0/16 to <negate_networks> flags S/SA keep state label "NEGATE_ROUTE: Negate policy routing for destination"
    pass in quick on lagg0_vlan3 route-to { (ovpnc3 10.8.4.9), (ovpnc4 10.8.3.5) } round-robin sticky-address inet from 10.103.0.0/16 to any flags S/SA keep state label "USER_RULE: Allow to Internet"
    pass in quick on lagg0_vlan4 inet from 10.104.0.0/16 to (self) flags S/SA keep state label "USER_RULE: allow rule fw services"
    pass in quick on lagg0_vlan4 inet from 10.104.0.2 to 10.103.10.30 flags S/SA keep state label "USER_RULE: allow teamspeak"
    pass in quick on lagg0_vlan4 inet from 10.104.0.0/16 to <streamintern> flags S/SA keep state label "USER_RULE: stream intern allow rule"
    block drop in quick on lagg0_vlan4 inet from 10.104.0.0/16 to <privatenetworks> label "USER_RULE: block internal TE"
    pass in quick on lagg0_vlan4 inet from 10.104.0.0/16 to <negate_networks> flags S/SA keep state label "NEGATE_ROUTE: Negate policy routing for destination"
    pass in quick on lagg0_vlan4 route-to { (ovpnc3 10.8.4.9), (ovpnc4 10.8.3.5) } round-robin sticky-address inet from 10.104.0.0/16 to any flags S/SA keep state label "USER_RULE: Allow Internet VPN"
    block drop in quick on lagg0_vlan5 inet proto tcp from 10.10.115.122 to any port = https flags S/SA label "USER_RULE: block https for plustek scanner "
    block drop in quick on lagg0_vlan5 inet proto tcp from 10.10.115.122 to any port = http flags S/SA label "USER_RULE: block http for plustek scanner "
    pass in quick on lagg0_vlan5 inet from <cacti> to <arena_studio_switches> flags S/SA keep state label "USER_RULE: cacti to arena/studio switches"
    pass in quick on lagg0_vlan5 inet proto tcp from 10.10.6.0/24 to <dcnetz> port = 4711 flags S/SA keep state label "USER_RULE: devvms "
    pass in quick on lagg0_vlan5 inet proto tcp from 10.10.6.0/24 to <dcnetz> port = 27017 flags S/SA keep state label "USER_RULE: devvms "
    pass in quick on lagg0_vlan5 inet proto tcp from 10.10.6.0/24 to <dcnetz> port = 27018 flags S/SA keep state label "USER_RULE: devvms "
    pass in quick on lagg0_vlan5 inet proto tcp from 10.10.6.0/24 to <dcnetz> port = 28017 flags S/SA keep state label "USER_RULE: devvms "
    pass in quick on lagg0_vlan5 inet proto tcp from 10.10.6.0/24 to <dcnetz> port = 28018 flags S/SA keep state label "USER_RULE: devvms "
    pass in quick on lagg0_vlan5 inet proto tcp from 10.10.6.0/24 to <dcnetz> port = http flags S/SA keep state label "USER_RULE: devvms "
    pass in quick on lagg0_vlan5 inet proto tcp from 10.10.6.0/24 to <dcnetz> port = https flags S/SA keep state label "USER_RULE: devvms "
    pass in quick on lagg0_vlan5 inet proto tcp from 10.10.6.0/24 to <dcnetz> port = 5434 flags S/SA keep state label "USER_RULE: devvms "
    pass in quick on lagg0_vlan5 inet proto tcp from 10.10.6.0/24 to <dcnetz> port = ssh flags S/SA keep state label "USER_RULE: devvms "
    block drop in quick on lagg0_vlan5 inet proto tcp from 10.10.6.0/24 to <dcnetz> flags S/SA label "USER_RULE: devvms block"
    block drop in quick on lagg0_vlan5 inet proto icmp from 10.10.6.0/24 to <dcnetz> label "USER_RULE: devvms block"
    block drop in quick on lagg0_vlan5 inet proto tcp from 10.10.6.0/24 to any port = smtp label "USER_RULE: devvms mail block rule "
    block drop in quick on lagg0_vlan5 inet proto udp from 10.10.6.0/24 to any port = smtp label "USER_RULE: devvms mail block rule "
    pass in quick on lagg0_vlan5 inet from 10.10.0.0/16 to 10.0.0.0/8 flags S/SA keep state label "USER_RULE: internal traffic _ PLEASE DELETE"
    pass in quick on lagg0_vlan5 inet from 10.10.100.0/24 to <dcnetz> flags S/SA keep state label "USER_RULE: Allow IT to DC"
    block drop in quick on lagg0_vlan5 inet from 10.10.0.0/16 to <privatenetworks> label "USER_RULE: block internal"
    pass in quick on lagg0_vlan5 inet from 10.10.2.81 to <negate_networks> flags S/SA keep state label "NEGATE_ROUTE: Negate policy routing for destination"
    pass in quick on lagg0_vlan5 route-to (lagg1_vlan12 Y.Y.Y.49) inet from 10.10.2.81 to any flags S/SA keep state label "USER_RULE: cacti to net100"
    pass in quick on lagg0_vlan5 inet from 10.10.2.82 to <negate_networks> flags S/SA keep state label "NEGATE_ROUTE: Negate policy routing for destination"
    pass in quick on lagg0_vlan5 route-to (lagg1_vlan14 Z.Z.2.189) inet from 10.10.2.82 to any flags S/SA keep state label "USER_RULE: cacti to NET100"
    pass in quick on lagg0_vlan5 inet from 10.10.2.83 to <negate_networks> flags S/SA keep state label "NEGATE_ROUTE: Negate policy routing for destination"
    pass in quick on lagg0_vlan5 route-to (lagg1_vlan10 192.168.178.1) inet from 10.10.2.83 to any flags S/SA keep state label "USER_RULE: cacti to ADSL box"
    pass in quick on lagg0_vlan5 inet from <box_clients> to <negate_networks> flags S/SA keep state label "NEGATE_ROUTE: Negate policy routing for destination"
    pass in quick on lagg0_vlan5 route-to (lagg1_vlan10 192.168.178.1) inet from <box_clients> to any flags S/SA keep state label "USER_RULE: box rules"
    pass in quick on lagg0_vlan5 inet from 10.10.0.0/16 to any flags S/SA keep state label "USER_RULE: Allow Internet"
    pass in quick on lagg0_vlan30 inet from 10.30.0.0/16 to 10.30.0.0/16 flags S/SA keep state label "USER_RULE: lan access"
    pass in quick on lagg0_vlan30 inet proto tcp from 10.30.0.0/16 to 10.10.0.10 port = 8880 flags S/SA keep state label "USER_RULE: wlan wsus captive portal und voucher webinterface"
    pass in quick on lagg0_vlan30 inet proto tcp from 10.30.0.0/16 to 10.10.0.10 port = 8443 flags S/SA keep state label "USER_RULE: wlan wsus captive portal und voucher webinterface"
    pass in quick on lagg0_vlan30 inet proto tcp from 10.30.0.0/16 to <streamintern> flags S/SA keep state label "USER_RULE: internal stream"
    pass in quick on lagg0_vlan30 inet from 10.30.0.0/16 to 10.10.8.0/24 flags S/SA keep state label "USER_RULE: enable printers from ext vlan"
    pass in quick on lagg0_vlan30 inet from <mr_pcs> to <internal_resources> flags S/SA keep state label "USER_RULE: Allow MR-NUCs to internal services "
    pass in quick on lagg0_vlan30 inet from <mr_pcs> to 10.10.100.32 flags S/SA keep state label "USER_RULE: Allow MR-NUCs to anw pc"
    block drop in quick on lagg0_vlan30 inet from 10.30.0.0/16 to <privatenetworks> label "USER_RULE: block internal"
    pass in quick on lagg0_vlan30 inet from 10.30.0.0/16 to <negate_networks> flags S/SA keep state label "NEGATE_ROUTE: Negate policy routing for destination"
    pass in quick on lagg0_vlan30 route-to { (ovpnc3 10.8.4.9), (ovpnc4 10.8.3.5) } round-robin sticky-address inet from 10.30.0.0/16 to any flags S/SA keep state label "USER_RULE: Internet Rule VPN"
    pass in quick on lagg0_vlan60 inet from 10.60.0.0/16 to 10.60.0.0/16 flags S/SA keep state label "USER_RULE"
    pass in quick on lagg0_vlan60 inet from 10.60.0.0/16 to 10.10.115.242 flags S/SA keep state label "USER_RULE: rule for ztp server"
    pass in quick on lagg0_vlan60 inet from 10.60.0.0/16 to 10.10.222.123 flags S/SA keep state label "USER_RULE: rule for ztp server"
    pass in quick on lagg0_vlan60 inet from 10.60.0.0/16 to 10.10.250.100 flags S/SA keep state label "USER_RULE: rule for ztp server"
    pass in quick on lagg0_vlan60 inet from 10.60.0.0/16 to 10.10.100.80 flags S/SA keep state label "USER_RULE: rule for ztp server"
    pass in quick on lagg0_vlan60 inet from 10.60.0.0/16 to 10.10.100.88 flags S/SA keep state label "USER_RULE: rule for ztp server"
    pass in quick on lagg0_vlan60 inet from 10.60.0.0/16 to <nutanixdataservices> flags S/SA keep state label "USER_RULE: rule for ztp server"
    block drop in quick on lagg0_vlan60 inet from 10.60.0.0/16 to <privatenetworks> label "USER_RULE: block internal"
    pass in quick on lagg0_vlan60 inet proto tcp from 10.60.1.159 to <negate_networks> flags S/SA keep state label "NEGATE_ROUTE: Negate policy routing for destination"
    pass in quick on lagg0_vlan60 route-to (lagg1_vlan9 X.X.1.137) inet proto tcp from 10.60.1.159 to any flags S/SA keep state label "USER_RULE"
    pass in quick on lagg0_vlan60 inet from 10.60.0.0/16 to <negate_networks> flags S/SA keep state label "NEGATE_ROUTE: Negate policy routing for destination"
    pass in quick on lagg0_vlan60 route-to (lagg1_vlan12 Y.Y.Y.49) inet from 10.60.0.0/16 to any flags S/SA keep state label "USER_RULE: allow Internet"
    pass in quick on lagg0_vlan90 inet proto udp from 10.90.0.0/16 to (self) keep state label "USER_RULE: allow dhcp"
    block drop in quick on lagg0_vlan90 inet from 10.90.0.0/16 to <privatenetworks> label "USER_RULE: block private"
    pass in quick on lagg0_vlan90 inet from 10.90.0.0/16 to <negate_networks> flags S/SA keep state label "NEGATE_ROUTE: Negate policy routing for destination"
    pass in quick on lagg0_vlan90 route-to (lagg1_vlan10 192.168.178.1) inet from 10.90.0.0/16 to any flags S/SA keep state label "USER_RULE: allow internet ADSL"
    pass in quick on lagg0_vlan110 inet proto udp from 10.110.0.0/16 to any port = domain keep state label "USER_RULE: DNS, DO NOT REMOVE"
    pass in quick on lagg0_vlan110 inet from 10.110.0.0/16 to any flags S/SA keep state label "USER_RULE: allow all"
    pass out route-to (lagg1_vlan9 X.X.1.137) inet proto udp from (self) to G.G.G.148 port = isakmp keep state label "IPsec: FI_DC_IPSec - outbound isakmp"
    pass in on lagg1_vlan9 reply-to (lagg1_vlan9 X.X.1.137) inet proto udp from G.G.G.148 to (self) port = isakmp keep state label "IPsec: FI_DC_IPSec - inbound isakmp"
    pass out route-to (lagg1_vlan9 X.X.1.137) inet proto udp from (self) to G.G.G.148 port = sae-urn keep state label "IPsec: FI_DC_IPSec - outbound nat-t"
    pass in on lagg1_vlan9 reply-to (lagg1_vlan9 X.X.1.137) inet proto udp from G.G.G.148 to (self) port = sae-urn keep state label "IPsec: FI_DC_IPSec - inbound nat-t"
    pass out route-to (lagg1_vlan9 X.X.1.137) inet proto esp from (self) to G.G.G.148 keep state label "IPsec: FI_DC_IPSec - outbound esp proto"
    pass in on lagg1_vlan9 reply-to (lagg1_vlan9 X.X.1.137) inet proto esp from G.G.G.148 to (self) keep state label "IPsec: FI_DC_IPSec - inbound esp proto"
    anchor "tftp-proxy/*" all
    anchor "miniupnpd" all
    

    To help: lagg0 is LAN and lagg1 is WAN.


  • Rebel Alliance Global Moderator

    Well, right there is your default block rule:

    block drop in log inet all label "Default deny rule IPv4"

    So you must have something before that allowing it.




  • That's the weird part!
    Tell me where, for example, in this interface? There is no floating rule allowing this, as you can see.

    I can still SSH and HTTPs to the firewall when I remove my "denyall" rule…


  • Rebel Alliance Global Moderator

    Are you running ssh on the standard port 22? I see some rules allowing odd ports..

    And where is this rule?
    pass in quick on lagg1_vlan9 reply-to (lagg1_vlan9 X.X.1.137) inet proto tcp from any to <vpn_remote> port = https flags S/SA keep state label



    SSH is running on a higher port, but this was tested with port 22 too.
    That rule is in one of the WANs, but the NAT is applied only for a specific IP address of the range, not one being used by the firewall.

    Since lagg_vlan9 has a lot of rules, I think it's easier to focus on the others.
    lagg_vlan14 and lagg_vlan12 are both WANs without any rules; on both, without my denyall rule, I can SSH on both 22 and the higher port and HTTPS to the firewall.


  • Rebel Alliance Global Moderator

    If ssh is running on a higher port, how is it you're able to ssh to 22?

    I see the default deny rule, so unless that is not being loaded, or you have a state open already, anything that is not actually allowed would be blocked.

    But you say your other rules are working, and there is nothing in the logs about failures of loading rules? Then there must be something allowing it.

    I see a listing of NATs in your rules, but your screenshot shows no NAT rules. So what specific interface are you hitting on the WAN?


  • Banned

    Well, I think you are in need of paid support. Beyond your ~20 interfaces, laggs and VLANs and VPNs and policy routings, what on earth are your WANs? And what's said above: do you even know where you are connecting?



  • Well, I'm coming here as a last resort; I'm doing a lot of pfSense deploys and can't find the problem.

    SSH is now on a high port, as I said; what I meant is that if I change it back to 22 the behaviour is the same.

    The 4 WANs are 4 different internet providers with different circuits, and I do know where I'm connecting.

    Another thing to add: I'm not the first person looking at this; I've had at least 2 more colleagues with experience in pfSense looking at it.

    I have no NAT on the 2 WAN interfaces that I mentioned, lagg_vlan14 and lagg_vlan12.

    I can't see anything in the logs that could be related to this problem; the only thing I can see, which I still haven't fixed, is this error:

    Dec  9 00:01:49 fw1 kernel: interrupt storm detected on "irq18:"; throttling interrupt source
    

    irq18 is one of the bge interfaces, and this only happens between 11:55pm and 00:10am.

    I guess paid support or reinstall is the only way then…


  • Netgate

    Yeah, you need to stop being so cagey and tell us exactly what is not working. For example, why would you say "ssh is on a high port" and not say which port?

    Please scrub and post the contents of /tmp/rules.debug

    Please do it in a manner so that it is possible to trace your WAN IP addresses all the way through. Like WAN1 to W.W.W.123 all the way through, WAN2 to X.X.X.123, etc.


  • Banned

    You cannot find the problem, well… because the thing must make everyone's head spin! What's up with the network design? Like this:

    
    pass in quick on lagg0_vlan5 inet from 10.10.0.0/16 to 10.0.0.0/8 flags S/SA keep state label "USER_RULE: internal traffic _ PLEASE DELETE"
    pass in quick on lagg0_vlan5 inet from 10.10.100.0/24 to <dcnetz> flags S/SA keep state label "USER_RULE: Allow IT to DC"
    

    That 10.10.100.0/24 is already a part of the 10.10.0.0/16. And now what's that 10.0.0.0/8 there? Trying to supernet exactly what?

    And again here:

    
    pass in quick on lagg0_vlan3 inet from 10.103.0.0/16 to <tv_storages> flags S/SA keep state label "USER_RULE: allow encoders to storage systems "
    pass in quick on lagg0_vlan3 inet from 10.103.254.0/24 to <streamintern> flags S/SA keep state label "USER_RULE: allow encoder to internal Stream Server"
    

    So, the loads of VLANs are not enough, and you are trying to subnet things inside the VLANs as well? Then I can see some CARP stuff there as well? Would need a full network diagram and tons more information to even have a slim chance of understanding the network.


  • Netgate

    I can still SSH and HTTPs to the firewall when I remove my "denyall" rule…

    Then the traffic is probably being passed by a floating rule without quick set.


  • Rebel Alliance Global Moderator

    Yeah, floating rules do not need quick set; they are evaluated first..

    With dok, from looking at what amounts to a partial list of rules.. since he mentioned a bunch of other VLANs and WANs etc. which I did not see in his posting. Clearly the default rule is there.. so something is allowing it before that is hit. A screenshot of floating might be easier and quicker to go over..
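    As an added illustration (not code from the thread, pfSense or pf itself), a toy Python model of pf's matching order: every rule is walked and the last matching rule wins, unless a matching rule carries quick, which ends evaluation on the spot. The interface name, addresses and the floating pass rule are constructed placeholders; the model shows how a pass rule sitting after "Default deny rule IPv4" lets ssh to the firewall through, and why the explicit quick block at the end of the WAN rules from the first post stops it.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    """Constructed inbound packet: arrival interface, protocol, dst IP, dst port."""
    iface: str
    proto: str
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    """Simplified pf filter rule. iface=None models a floating rule (no 'on <if>')."""
    action: str                  # "pass" or "block"
    label: str
    quick: bool = False
    iface: Optional[str] = None  # None = any interface (floating)
    proto: Optional[str] = None  # None = any protocol
    dst: Optional[str] = None    # None = "any"
    dport: Optional[int] = None  # None = any port

    def matches(self, p: Packet) -> bool:
        return ((self.iface is None or self.iface == p.iface)
                and (self.proto is None or self.proto == p.proto)
                and (self.dst is None or self.dst == p.dst)
                and (self.dport is None or self.dport == p.dport))


def evaluate(rules: List[Rule], p: Packet) -> Tuple[str, str]:
    """pf semantics: walk the whole list, the LAST matching rule wins,
    unless a matching rule has 'quick', which ends evaluation immediately."""
    winner: Optional[Rule] = None
    for r in rules:
        if r.matches(p):
            winner = r
            if r.quick:
                break
    if winner is None:
        # pf itself passes traffic that matches no rule at all; pfSense only
        # blocks by default because it installs the explicit default deny rule.
        return ("pass", "no rule matched: pf passes by default")
    return (winner.action, winner.label)


# Constructed placeholders for the thread's scenario (not the poster's real values).
WAN = "lagg1_vlan14"          # a WAN with no user rules on it, as in the thread
WAN_IP = "Z.Z.2.190"          # the firewall's own address on that WAN
FORWARD_TARGET = "10.0.0.10"  # constructed internal host behind a port forward


def build_ruleset(stray_floating_pass: bool, floating_quick: bool = False,
                  manual_denyall: bool = False) -> List[Rule]:
    """Mimic the order pfSense emits: default deny first (no quick), then
    floating rules, then per-interface rules (which pfSense marks quick)."""
    rules = [Rule("block", "Default deny rule IPv4")]
    if stray_floating_pass:
        # Hypothetical floating pass rule matching tcp on any interface.
        rules.append(Rule("pass", "USER_RULE: floating pass (hypothetical)",
                          quick=floating_quick, proto="tcp"))
    rules.append(Rule("pass", "USER_RULE: NAT portforward (hypothetical)", quick=True,
                      iface=WAN, proto="tcp", dst=FORWARD_TARGET, dport=8700))
    if manual_denyall:
        # The workaround from the thread: explicit quick block at the end of the WAN list.
        rules.append(Rule("block", "USER_RULE: denyall", quick=True, iface=WAN))
    return rules


def decide(stray_floating_pass: bool, floating_quick: bool = False,
           manual_denyall: bool = False, dport: int = 22,
           dst: str = WAN_IP) -> Tuple[str, str]:
    """Verdict for a tcp packet arriving on the WAN, e.g. ssh (22) to the firewall itself."""
    pkt = Packet(iface=WAN, proto="tcp", dst=dst, dport=dport)
    return evaluate(build_ruleset(stray_floating_pass, floating_quick, manual_denyall), pkt)


def audit_overriding_passes(rules: List[Rule]) -> List[Rule]:
    """Defender's check: pass rules placed after the default deny that are not
    confined to an interface. Without quick they beat the default deny by being
    the last match; with quick they win by ending evaluation early."""
    seen_default_deny = False
    found = []
    for r in rules:
        if r.action == "block" and r.label.startswith("Default deny"):
            seen_default_deny = True
        elif seen_default_deny and r.action == "pass" and r.iface is None:
            found.append(r)
    return found


if __name__ == "__main__":
    for kwargs in ({"stray_floating_pass": False},
                   {"stray_floating_pass": True},
                   {"stray_floating_pass": True, "manual_denyall": True}):
        print(kwargs, "->", decide(**kwargs))
```

    Running audit_overriding_passes over a parsed /tmp/rules.debug is the same question the moderators are asking: which pass rule after the default deny is not tied to an interface.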