Firewall Implicit deny rule not working - manual block rule added
-
Yeah, you need to stop being so cagey and tell us exactly what is not working. For example, why would you say "ssh is on a high port" and not say which port?
Please scrub and post the contents of /tmp/rules.debug
Please do it in a manner so that it is possible to trace your WAN IP addresses all the way through. Like WAN1 to W.W.W.123 all the way through, WAN2 to X.X.X.123, etc.
-
You cannot find the problem, well… because the thing must make everyone's head spin! What's up with the network design? Like this:
pass in quick on lagg0_vlan5 inet from 10.10.0.0/16 to 10.0.0.0/8 flags S/SA keep state label "USER_RULE: internal traffic _ PLEASE DELETE"
pass in quick on lagg0_vlan5 inet from 10.10.100.0/24 to <dcnetz> flags S/SA keep state label "USER_RULE: Allow IT to DC"
That 10.10.100.0/24 is already a part of the 10.10.0.0/16. And now what's that 10.0.0.0/8 there? Trying to supernet exactly what?
And again here:
pass in quick on lagg0_vlan3 inet from 10.103.0.0/16 to <tv_storages> flags S/SA keep state label "USER_RULE: allow encoders to storage systems "
pass in quick on lagg0_vlan3 inet from 10.103.254.0/24 to <streamintern> flags S/SA keep state label "USER_RULE: allow encoder to internal Stream Server"
So, loads of VLANs are not enough, and you are trying to subnet things inside the VLANs as well? Then I can see some CARP stuff there as well? Would need a full network diagram and tons more information to even have a slim chance of understanding the network.
-
I can still SSH and HTTPS to the firewall when I remove my "denyall" rule…
Then the traffic is probably being passed by a floating rule without quick set.
-
Yeah, floating rules do not need quick set; they are evaluated first.
With dok, from looking at what amounts to a partial list of rules. Since he mentioned a bunch of other VLANs and WANs etc., which I did not see in his posting. Clearly the default rule is there, so something is allowing it before that is hit. A screenshot of floating might be easier and quicker to go over.
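The "floating rule without quick" explanation from the two replies above, as an added example that is not from the thread or from pfSense itself: a small emulation of how pf picks the winning rule (first matching rule with quick wins immediately, otherwise the last matching rule wins), run over a constructed ruleset in rules.debug order. The interface name lagg0_vlan5 comes from the thread; the addresses, port 2222 and labels are constructed assumptions.

```python
# Added example, not code from the thread: emulate pf's rule selection to show why
# a floating "pass" rule without "quick" lets SSH to the firewall through once
# the interface-tab "denyall" rule is removed.
# Semantics modelled: rules are walked in order; the first matching rule that
# has "quick" wins at once; otherwise the LAST matching rule wins.
# Addresses, ports and labels are constructed, not taken from the thread.
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass
class Rule:
    action: str            # "pass" or "block"
    quick: bool            # pfSense interface-tab rules always set quick; floating rules may not
    iface: Optional[str]   # None = floating rule (matches on any interface)
    src: str               # source network, CIDR
    dst: str               # destination network, CIDR
    dport: Optional[int]   # None = any destination port
    label: str

def matches(rule: Rule, iface: str, src: str, dst: str, dport: int) -> bool:
    return ((rule.iface is None or rule.iface == iface)
            and ipaddress.ip_address(src) in ipaddress.ip_network(rule.src)
            and ipaddress.ip_address(dst) in ipaddress.ip_network(rule.dst)
            and (rule.dport is None or rule.dport == dport))

def evaluate(ruleset: List[Rule], iface: str, src: str, dst: str, dport: int) -> Tuple[str, str]:
    """Return (action, label) of the rule pf would apply to this packet."""
    winner: Optional[Rule] = None
    for rule in ruleset:
        if matches(rule, iface, src, dst, dport):
            winner = rule
            if rule.quick:
                break          # quick: stop evaluating, this rule is final
    return (winner.action, winner.label) if winner else ("block", "no rule matched")

def floating_pass_without_quick(ruleset: List[Rule]) -> List[str]:
    """The check the replies suggest: floating pass rules that lack quick."""
    return [r.label for r in ruleset if r.iface is None and r.action == "pass" and not r.quick]

# Constructed ruleset in rules.debug order: default deny first, then floating
# rules, then interface-tab rules (which pfSense generates with quick).
DEFAULT_DENY = Rule("block", False, None, "0.0.0.0/0", "0.0.0.0/0", None, "Default deny rule IPv4")
FLOATING_MGMT = Rule("pass", False, None, "10.10.0.0/16", "10.10.5.1/32", 2222, "floating: mgmt ssh (no quick)")
DENYALL = Rule("block", True, "lagg0_vlan5", "10.10.0.0/16", "10.10.5.1/32", None, "denyall")

WITH_DENYALL = [DEFAULT_DENY, FLOATING_MGMT, DENYALL]      # denyall (quick) wins
WITHOUT_DENYALL = [DEFAULT_DENY, FLOATING_MGMT]            # last match = floating pass
```

With the denyall rule in place its quick block wins; remove it and the non-quick floating pass becomes the last match, which is exactly the symptom reported.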