Netgate Discussion Forum

    Firewall Implicit deny rule not working - manual block rule added

    Firewalling
    24 Posts 5 Posters 16.0k Views
      johnpoz LAYER 8 Global Moderator

      Well right there is your default block rule

      block drop in log inet all label "Default deny rule IPv4"

      So you must have something before that allowing it.


      An intelligent man is sometimes forced to be drunk to spend time with his fools
      If you get confused: Listen to the Music Play
      Please don't Chat/PM me for help, unless mod related
      SG-4860 24.11 | Lab VMs 2.8, 24.11

        EditioN

        That's the weird part!
        Tell me where for example in this interface? There is no floating allowing this as you can see.

        I can still SSH and HTTPs to the firewall when I remove my "denyall" rule…

          johnpoz LAYER 8 Global Moderator

          You running ssh on standard port 22?  I see some rules allowing on odd ports..

          And where is this rule?
          pass in quick on lagg1_vlan9 reply-to (lagg1_vlan9 X.X.1.137) inet proto tcp from any to <vpn_remote> port = https flags S/SA keep state label

            EditioN

            SSH is running in a higher port, but this was tested with port 22 too.
            That rule is in one of the WANs but the NAT is applied only for a specific IP address of the range, not one being used by the firewall.

            Since lagg_vlan9 has a lot of rules I think it's easier to focus on the others.
            lagg_vlan14 and lagg_vlan12 are both WANs without any rules, in both without my denyall rule I can SSH both 22 and higher port and https to the firewall.

            1 Reply Last reply Reply Quote 0
            • johnpozJ
              johnpoz LAYER 8 Global Moderator
              last edited by

              If ssh is running on a higher port, how is it you're able to ssh to 22?

              I see the default deny rule, so unless that is not being loaded, or you have a state open already, anything that is not actually allowed would be blocked.

              But you say your other rules are working, and there is nothing in the logs about failures of loading rules?  Then there must be something allowing it.

              I see listing of nats in your rules.. But your screenshot shows no nat rules.. So what specific interface are you hitting on the wan?

                doktornotor Banned

                Well, I think you are in need of paid support. Beyond your ~20 interfaces, laggs and VLANs and VPNs and policy routings, what on earth are your WANs? And what's said above - do you even know where you are connecting?

                  EditioN

                  Well, I'm coming here as a last resort, I'm doing a lot of pfsense deploys and can't find the problem.

                  The SSH is now a high port as I said, what I meant is that if I change it back to 22 the behaviour is the same.

                  4 WANs are 4 different internet providers with different circuits and I do know where I'm connecting.

                  Another thing to add, I'm not the first person looking at this, had at least 2 more colleagues with experience in pfsense looking at it.

                  I have no NAT on the 2 WAN interfaces that I mentioned, lagg_vlan14 and lagg_vlan12

                  I can't see anything in the logs that could be related to this problem, the only thing I can see which I still didn't fix is this error:

                  Dec  9 00:01:49 fw1 kernel: interrupt storm detected on "irq18:"; throttling interrupt source
                  

                  irq18 is one of the bge interfaces and this only happens between 11:55pm and 00:10am

                  I guess paid support or reinstall is the only way then…

                    Derelict LAYER 8 Netgate

                    Yeah you need to stop being so cagey and tell us exactly what is not working. For example, why would you say "ssh is on a high port" and not say which port?

                    Please scrub and post the contents of /tmp/rules.debug

                    Please do it in a manner so it is possible to trace your WAN IP addresses all the way through.  Like WAN1 to W.W.W.123 all the way through, WAN2 to X.X.X.123, etc.

                    Chattanooga, Tennessee, USA
                    A comprehensive network diagram is worth 10,000 words and 15 conference calls.
                    DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
                    Do Not Chat For Help! NO_WAN_EGRESS(TM)

                      doktornotor Banned

                      You cannot find the problem, well… because the thing must make everyone's head spin! What's up with the network design? Like this:

                      pass in quick on lagg0_vlan5 inet from 10.10.0.0/16 to 10.0.0.0/8 flags S/SA keep state label "USER_RULE: internal traffic _ PLEASE DELETE"
                      pass in quick on lagg0_vlan5 inet from 10.10.100.0/24 to <dcnetz> flags S/SA keep state label "USER_RULE: Allow IT to DC"

                      That 10.10.100.0/24 is already a part of the 10.10.0.0/16. And now what's that 10.0.0.0/8 there? Trying to supernet exactly what?

                      And again here:

                      pass in quick on lagg0_vlan3 inet from 10.103.0.0/16 to <tv_storages> flags S/SA keep state label "USER_RULE: allow encoders to storage systems "
                      pass in quick on lagg0_vlan3 inet from 10.103.254.0/24 to <streamintern> flags S/SA keep state label "USER_RULE: allow encoder to internal Stream Server"

                      So, the loads of VLANs are not enough, and you are trying to subnet things inside the VLANs as well? Then I can see some CARP stuff there as well? Would need a full network diagram and tons more information to even have a slim chance of understanding the network.

                        Derelict LAYER 8 Netgate

                        I can still SSH and HTTPs to the firewall when I remove my "denyall" rule…

                        Then the traffic is probably being passed by a floating rule without quick set.

                          johnpoz LAYER 8 Global Moderator

                          Yeah floating rules do not need quick set, they are evaluated first..

                          With dok, from looking at what amounts to a partial list of rules (since he mentioned a bunch of other vlans and wans etc. which I did not see in his posting), clearly the default rule is there, so something is allowing it before that is hit.  A screenshot of floating might be easier and quicker to go over..

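The floating-rule explanation above (a pass rule without quick still overriding the default deny, and a manual quick block rule stopping it), as an added example that is not code from the thread or from pfSense: a small Python model of pf's last-match-wins-unless-quick evaluation over a constructed ruleset written in the order rules.debug uses (default deny first, then floating rules, then interface rules). Only the interface name lagg_vlan12 comes from the thread; the floating pass rule and the denyall rule are assumptions.

```python
# Added example, not code from the thread or from pfSense: a small model of
# pf rule evaluation. Rules are checked top to bottom and the LAST matching
# rule wins, unless a matching rule has "quick", which ends evaluation there;
# the state table is consulted before any rule. The ruleset order follows
# rules.debug: default deny, then floating rules, then interface rules
# (which pfSense always emits with "quick").
from dataclasses import dataclass

@dataclass
class Rule:
    action: str                  # "pass" or "block"
    quick: bool
    label: str
    iface: str = None            # None = any interface (a floating rule)
    proto: str = None
    dport: int = None
    def matches(self, iface, proto, dport):
        return (self.iface in (None, iface) and
                self.proto in (None, proto) and
                self.dport in (None, dport))

def evaluate(rules, iface, proto, dport, existing_state=False):
    # Returns (action, label) for one inbound packet on iface.
    if existing_state:                       # matching state bypasses rules
        return ("pass", "existing state")
    verdict = ("block", "no rule matched")   # pf's implicit default
    for r in rules:
        if r.matches(iface, proto, dport):
            verdict = (r.action, r.label)
            if r.quick:                      # quick: stop at this match
                break
    return verdict                           # otherwise the last match wins

# Constructed rules; only the interface name lagg_vlan12 comes from the thread.
DEFAULT_DENY = Rule("block", False, "Default deny rule IPv4")
FLOATING_PASS = Rule("pass", False, "floating pass https (constructed)", proto="tcp", dport=443)
MANUAL_DENY = Rule("block", True, "denyall (constructed)", iface="lagg_vlan12")

def https_without_manual_block():
    # default deny matches first, floating pass matches last -> passed
    return evaluate([DEFAULT_DENY, FLOATING_PASS], "lagg_vlan12", "tcp", 443)

def https_with_manual_block():
    # the quick interface block matches after the floating pass -> blocked
    return evaluate([DEFAULT_DENY, FLOATING_PASS, MANUAL_DENY], "lagg_vlan12", "tcp", 443)

def ssh_port_22():
    # nothing but the default deny matches port 22 -> blocked
    return evaluate([DEFAULT_DENY, FLOATING_PASS], "lagg_vlan12", "tcp", 22)
```

Removing the floating pass rule (or giving the manual block rule quick, as pfSense does for interface rules) is what makes the default deny take effect again; an already-open state passes regardless of the rules.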
                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.