Firewall rules.



  • So when I click on the red X next to the blocked traffic, it spits out what rule blocked the traffic.
    How does that number translate to what rule?
    In the attached picture it states "The rule that triggered this action is: @3(100000010) block drop in log net all label "Default deny rule IPv4"
    Where is this rule? Most of the logged traffic are the android devices contacting *.1e100.net and compute-1.amazon.com, and I don't want to see this traffic, so I don't want to log the traffic, however I'm thinking it should be allowed through, or perhaps not, IDK.
    ![Screenshot from 2017-10-15 20-42-53.png](/public/imported_attachments/1/Screenshot from 2017-10-15 20-42-53.png)


  • Rebel Alliance Global Moderator

    ""Default deny rule IPv4""

    This is the default deny rule. It is not shown in the GUI. This is the rule that is on every interface when traffic is not allowed via a rule before it.

    What are the rules on your LAN? Are you blocking 443? I find that unlikely, since that would pretty much break the whole internet. Are you sure that is not just out-of-state traffic being logged? Look at the full log, not just the widget. It will show you whether it is out of state or not via the flags: S, FA, etc.



  • johnpoz, thanks for your reply.

    How can I tell what rules are ahead or behind it if I can't see it in the gui?

    As you can see from the first photo, I tried to apply some "easy rules", but they are not working.

    I clicked on the i widget on the second photo, and listed the flags.

    I think ideally, I just want that traffic to pass, specifically for the Android and Amazon devices that are on the network. Three Android phones, and at least 4 Amazon devices. As you can see, the IP addresses that the traffic is going to change, and there are a great many of them.

    Thank you.

    ![Screenshot (18).png](/public/imported_attachments/1/Screenshot (18).png)
    ![Screenshot (19).png](/public/imported_attachments/1/Screenshot (19).png)



  • The "Default rule" is by default the last rule. All other rules come before it. It defaults to blocking the out of state traffic. If no other rule matches the packet, the default rule will catch and block it.



  • Well at least now I know where it stands in the rules line-up.
    So why does it specifically block the Androids and Amazons?

    Actually I found my answers here https://forum.pfsense.org/index.php?topic=39960.0 and here https://doc.pfsense.org/index.php/Why_do_my_logs_show_%22blocked%22_for_traffic_from_a_legitimate_connection

    Thank you.


  • Galactic Empire

    I'd also move your block IPv6 traffic up under the second block.

    Might as well dump all the IPv6 ASAP rather than checking it further down.



  • Thank you Nog.
    I moved it up underneath the first rule.



  • mtarbox…it looks like your Easy rules are not being triggered, based on the State column? Your state column shows "0/0 B" while your default "Any" rule is showing "246/4.42 GiB"...

    Are you trying to tighten up your firewall and remove the "Any" rule? Try moving the Easy rules up the priority above the default "Any" rule...drag, drop the rule and hit save. Make sure to reset "States" and "Reload" rules....


  • Rebel Alliance Global Moderator

    Notice all those entries are FA, FPA. That means they are out-of-state traffic, so yes, the default deny will block them.

    https://doc.pfsense.org/index.php/Why_do_my_logs_show_"blocked"_for_traffic_from_a_legitimate_connection

    This can quite often point to an asymmetric routing problem. Wifi clients can cause this a lot, if they change from using, say, cell to wifi without creating a new session, or they attempt to use a session that has timed out on the firewall, etc. See the linked article for info.

    If you were seeing S for SYN, then that would mean that traffic was blocked by the default deny because it never saw an allow rule that matched.

    Traffic is evaluated inbound into an interface, top down; the first rule to trigger wins, and no other rules are evaluated. The only time you should see default deny rules hit is when you are not allowing the traffic or the traffic is out of state.

    edit: Ah, I see you found the link on your own. Great. If you have any questions about order of rules, out-of-state traffic, etc., just ask; I'm happy to answer pretty much any question you could have. If I can not answer it, I'm sure there are others here that can.
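The distinction johnpoz draws above (a bare SYN means no pass rule matched; FA/FPA means pf had no state for a mid-stream packet) can be applied to the raw filter log instead of eyeballing the widget. The script below is an added example for this thread, not code from pfSense or from any poster. It assumes the documented pfSense filterlog CSV field order (rule number, sub-rule, anchor, tracker, interface, reason, action, direction, IP version, then the per-IP-version header fields, then the per-protocol fields); the sample log lines, addresses and the IPv6 tracker id are constructed for illustration, and the tracker 100000010 simply mirrors the one in the first post.

```python
"""Classify pfSense filterlog block entries: rule denials vs out-of-state noise.

Added example, not pfSense code. Assumes the documented filterlog CSV field
order; sample lines below are constructed, not taken from anyone's logs.
"""
import re
from collections import Counter

# Constructed sample syslog lines. The first two are FA/FPA packets of an
# existing HTTPS session (out of state), the third is a fresh SYN that no
# pass rule matched, the fourth is UDP (no TCP flags to judge by), and the
# fifth is an IPv6 SYN with a made-up tracker id.
SAMPLE_LOG = """\
Oct 15 20:42:53 pfSense filterlog: 3,,,100000010,igb1,match,block,in,4,0x0,,64,12345,0,DF,6,tcp,52,192.168.1.23,172.217.3.110,50432,443,0,FA,3185200931,1250611142,1024,,nop;nop;TS
Oct 15 20:42:54 pfSense filterlog: 3,,,100000010,igb1,match,block,in,4,0x0,,64,12346,0,DF,6,tcp,52,192.168.1.23,172.217.3.110,50432,443,0,FPA,3185200931,1250611142,1024,,nop;nop;TS
Oct 15 20:42:58 pfSense filterlog: 3,,,100000010,igb1,match,block,in,4,0x0,,64,9921,0,DF,6,tcp,60,192.168.1.40,54.243.99.10,41200,443,0,S,1810022233,0,29200,,mss;sackOK;TS;nop;wscale
Oct 15 20:43:01 pfSense filterlog: 3,,,100000010,igb1,match,block,in,4,0x0,,64,0,0,none,17,udp,78,192.168.1.40,54.243.99.10,5353,5353,58
Oct 15 20:43:05 pfSense filterlog: 4,,,100000020,igb1,match,block,in,6,0x00,0x00000,64,tcp,6,40,2001:db8::23,2001:db8::beef,50100,443,0,S,99887766,0,28800,,mss;sackOK
"""

# Field names in the order filterlog emits them (assumed from the docs).
COMMON = ["rulenum", "subrulenum", "anchor", "tracker", "iface",
          "reason", "action", "direction", "ipver"]
IPV4 = ["tos", "ecn", "ttl", "id", "offset", "ipflags", "protoid", "proto",
        "length", "src", "dst"]
IPV6 = ["class", "flowlabel", "hoplimit", "proto", "protoid",
        "length", "src", "dst"]
TCP = ["sport", "dport", "datalen", "tcpflags", "seq", "ack", "window",
       "urg", "options"]
UDP = ["sport", "dport", "datalen"]

_MARKER = re.compile(r"filterlog(?:\[\d+\])?: ")


def parse_filterlog(line):
    """Return a dict of named fields for one syslog line, or None if the line
    is not a filterlog entry. Trailing fields that are absent are left out."""
    m = _MARKER.search(line)
    if not m:
        return None
    fields = line[m.end():].strip().split(",")
    if len(fields) <= len(COMMON):
        return None
    names = list(COMMON)
    names += IPV4 if fields[8] == "4" else IPV6
    proto_idx = names.index("proto")
    proto = fields[proto_idx] if proto_idx < len(fields) else ""
    if proto == "tcp":
        names += TCP
    elif proto == "udp":
        names += UDP
    return dict(zip(names, fields))  # zip stops at the shorter list


def classify(entry):
    """Label a blocked packet by its TCP flags, following the thread's rule:
    SYN without ACK = a new connection that no pass rule allowed;
    any other flag combination (A, FA, PA, FPA, R...) = mid-stream packet
    for which pf had no state entry, i.e. out-of-state noise."""
    if entry is None or entry.get("action") != "block":
        return "not-a-block"
    if entry.get("proto") != "tcp":
        return "no-flags"  # UDP/ICMP carry no flags; the log line alone cannot tell
    flags = entry.get("tcpflags", "")
    if "S" in flags and "A" not in flags:
        return "denied-new-connection"
    return "out-of-state"


def summarize(log_text):
    """Count blocks per classification, and per (label, iface, src, dst, dport)
    so the clients and destinations generating the noise stand out."""
    by_class, by_flow = Counter(), Counter()
    for line in log_text.splitlines():
        entry = parse_filterlog(line)
        if entry is None:
            continue
        label = classify(entry)
        by_class[label] += 1
        by_flow[(label, entry["iface"], entry.get("src", "?"),
                 entry.get("dst", "?"), entry.get("dport", ""))] += 1
    return by_class, by_flow


if __name__ == "__main__":
    classes, flows = summarize(SAMPLE_LOG)
    for label, n in classes.most_common():
        print(f"{n:4d}  {label}")
    print()
    for (label, iface, src, dst, dport), n in flows.most_common():
        print(f"{n:4d}  {label:24s} {iface}  {src} -> {dst}:{dport}")
```

Replacing `SAMPLE_LOG` with `sys.stdin.read()` lets you pipe the real log in (on a 2.4-era box that is `clog /var/log/filter.log`); entries that come out as "denied-new-connection" are the ones worth a pass rule, while a pile of "out-of-state" FA/FPA hits for the same src/dst pair is the asymmetric-routing or expired-state pattern the linked article describes, and adding a pass rule will not make those go away.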