Strange Firewall block logs, pfsense blocks traffic from LAN interface



  • Here is how it looks:

    pf: 4.812458 rule 79/0(match): block in on em0: (tos 0x0, ttl 128, id 55852, offset 0, flags [DF], proto TCP (6), length 40) 10.1.1.124.1287 > 127.0.0.1.80: F, cksum 0xe314 (correct), 0:0(0) ack 1 win 64051

    Where 10.1.1.124 is a computer on the LAN.

    And Nov 26 11:24:13  LAN  10.1.1.116:4331  194.218.x.xxx:443  TCP

    "the rule that triggered this action is": @78 default deny rule.

    I only have one rule for the LAN, and that is allow everything from the LAN.

    Everything seems to be working correctly. I have Squid/squidGuard set up as an external proxy. Clients can reach the web.

    What have I done wrong??

    I'm running 1.2.1 RC2
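The raw line in the post above is the pflog format pfSense 1.2.x writes to the system log: the `rule N/0(match)` field is the number the GUI shows as `@N`, and the tcpdump-style tail carries the TCP flags that the GUI's short log view drops. The following is an added example (not code from the thread or from pfSense) that parses that format and separates a packet opening a new connection (a bare SYN, blocked by policy) from one that merely has no matching entry in pf's state table (FIN, RST or ACK-only, the usual source of default-deny log noise on a stateful firewall). The first sample is the line quoted above with its timestamp rejoined; the other two are constructed. The `looks_like_proxy_redirect` check assumes a transparent Squid listening on 127.0.0.1:80, so that address and port are an assumption, not something the thread states.

```python
"""Parse and classify pfSense 1.2-era pflog 'block' lines.

Added example for this thread; not pfSense code.  Only the first sample
line comes from the post above, the rest are constructed.
"""
import re
from dataclasses import dataclass

# One raw pflog line, as logged by pfSense 1.2.x (old tcpdump output style).
_LINE = re.compile(
    r"rule (?P<rule>\d+)/\d+\(match\): (?P<action>block|pass) (?P<dir>in|out) "
    r"on (?P<iface>\w+): \(.*?proto (?P<proto>\w+) \(\d+\), length \d+\) "
    r"(?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+): ?(?P<rest>.*)"
)

SAMPLE_LINES = [
    # From the post above (timestamp rejoined).
    "pf: 4.812458 rule 79/0(match): block in on em0: (tos 0x0, ttl 128, id 55852, "
    "offset 0, flags [DF], proto TCP (6), length 40) 10.1.1.124.1287 > 127.0.0.1.80: "
    "F, cksum 0xe314 (correct), 0:0(0) ack 1 win 64051",
    # Constructed: a brand-new SYN hitting the same rule.
    "pf: 5.000001 rule 79/0(match): block in on em0: (tos 0x0, ttl 64, id 1, "
    "offset 0, flags [DF], proto TCP (6), length 60) 10.1.1.50.40000 > 10.1.1.1.22: "
    "S, cksum 0x0000 (correct), 1:1(0) win 65535",
    # Constructed: a late RST for a connection pf no longer tracks.
    "pf: 6.000001 rule 79/0(match): block in on em0: (tos 0x0, ttl 128, id 2, "
    "offset 0, flags [DF], proto TCP (6), length 40) 10.1.1.124.1300 > 194.218.1.1.443: "
    "R, cksum 0x0000 (correct), 0:0(0) win 0",
]


@dataclass
class PfBlock:
    rule: int
    action: str
    direction: str
    iface: str
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    flags: str       # tcpdump flag letters (S, F, R, P, ".") or "" for non-TCP
    has_ack: bool    # old tcpdump prints the ACK as a separate "ack N" token


def parse_pflog(line: str) -> PfBlock:
    """Parse one raw pflog line; raise ValueError if it is not one."""
    m = _LINE.search(line)
    if not m:
        raise ValueError(f"not a pflog line: {line!r}")
    flags, has_ack = "", False
    if m["proto"] == "TCP":
        # The tail is "<flags>, cksum ..., seq:seq(len) [ack N] win N ...".
        flags = m["rest"].split(",", 1)[0].strip()
        has_ack = " ack " in f" {m['rest']} "
    return PfBlock(int(m["rule"]), m["action"], m["dir"], m["iface"], m["proto"],
                   m["src"], int(m["sport"]), m["dst"], int(m["dport"]),
                   flags, has_ack)


def classify(b: PfBlock) -> str:
    """Say why a stateful default-deny rule would hit this packet."""
    if b.proto != "TCP":
        return "non-tcp"
    if "S" in b.flags and not b.has_ack:
        # A bare SYN opens a connection: if it is blocked, a rule really
        # denies it and the ruleset needs looking at.
        return "new-connection-blocked"
    # FIN/RST/ACK without SYN: pf has no state for it (expired, or the
    # connection was already torn down), so it falls through to the
    # default deny.  Harmless, but noisy when that rule is logged.
    return "out-of-state"


def looks_like_proxy_redirect(b: PfBlock, proxy=("127.0.0.1", 80)) -> bool:
    """pf applies rdr before filtering, so a transparent-proxy packet is
    logged with the *translated* destination.  Assumes Squid listens on
    127.0.0.1:80 (an assumption for this example)."""
    return b.direction == "in" and (b.dst, b.dport) == proxy


def summarize(lines):
    """Return (rule, src, dst:port, flags, verdict) per line, for a quick scan."""
    out = []
    for line in lines:
        b = parse_pflog(line)
        out.append((b.rule, b.src, f"{b.dst}:{b.dport}", b.flags or "-", classify(b)))
    return out


if __name__ == "__main__":
    for row in summarize(SAMPLE_LINES):
        print(*row, sep="\t")
```

Run against a whole system log, the `summarize` output makes it easy to see whether the `@78`/`@79` hits are all `out-of-state` (log noise from expired states, which is what unticking "Log packets blocked by the default rule" hides) or whether any real SYNs are being denied.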



  • That may have been spoofed, so the firewall blocked it.



  • I'm having the same problem but haven't had any luck figuring out the cause. Just out of curiosity, are you using the firewall transparently? If you are and wouldn't mind testing something for me, go into System log > Settings and remove the check mark from "Log packets blocked by the default rule", then check to see if your firewall is still generating the log entry for your "strange firewall blocks".

    Regards
    M3



  • I am running squid in transparent mode. And, after unticking "Log packets blocked by the default rule", the log entries are removed. But, I guess the firewall keeps blocking and so on. A lot of my really strange firewall logs have been removed after that checkbox is unticked.

    But, still quite curious to why the error is there in the first place.



  • I'm having a similar problem:

    Sometimes,

    Jan 8 10:40:16  LAN  192.168.115.5:49153  192.168.115.6:221  TCP

    or

    Jan 8 10:10:41  LAN  192.168.115.21:43511  88.79..:80  TCP

    But in LAN rules:
    *  *  *  *  *  *    Default LAN -> any

    (192.168.115.0/24 is the LAN subnet)





  • Is this something new since 1.2.1 and above?  I do not recall ever observing this behavior under 1.2



  • You are seeing what I and others are seeing: there is a rule blocking traffic on your LAN segment not originating from that segment. In my case I have a wireless access point in router mode that is being blocked. pftop from the shell will give you a clue to what is going on. Also look at /tmp/rules.debug; the affecting rule should be around the number that you mentioned prior. Hope this helps. I know where the problem is, but I don't know how to manually change the rules since it looks like it can't be done from the GUI.



  • We are having the same problem. It's very annoying.

    We have a 100/100 connection and this update added much needed CPU speed, but with this problem we are thinking of downgrading back to 1.2

