Netgate Discussion Forum

    Default deny rule IPv4

    Firewalling
    9 Posts 4 Posters 4.5k Views
    • CLOUDFACILE

      Hello everyone, I have a pfSense Community Edition 2.4.2-RELEASE-p1 firewall.
      Today, suddenly, the firewall began to block traffic to one of our webservers.
      On pfSense I installed a reverse proxy to manage the addressing to different webservers.
      In the firewall logs I find this line: Default deny rule IPv4 (1000000103) or Default deny rule IPv4 (1000000104) for the TCP: R protocol.
      I cannot understand why this happened suddenly; until this morning everything worked, and it has been months that everything worked perfectly.
      Has anyone encountered this problem and can help me solve it?
      Thank you and good job to everybody.
      Luke

      • slim2016

        https://forum.pfsense.org/index.php?topic=17029.msg88467#msg88467

        Just out of curiosity, have you tried rebooting everything?

        • CLOUDFACILE

          Hi, I have already read this post, but my problem persists.
          I have already restarted everything, but nothing changes: the firewall continues to block the TCP: R without any reason and prevents the resource from working.
          Thanks.

          • johnpoz LAYER 8 Global Moderator

            "TCP: R"

            So an RST (reset)..  Yeah, that is going to be blocked if there is no state.. And if there was a state, that normally tears it down the FAST way… Normally TCP sessions are ended all nice and proper with a FIN, FIN/ACK and everyone is done talking, and the firewall sees this and removes the state..  Do you understand what a state is and how a TCP session is created and torn down?

            An RST, in a nutshell, is TCP's shut-the-F-up sort of way of tearing down the session.

            What exactly is not working?  Then we can move forward in fixing your problem...  But your default rule blocking out-of-state traffic is normal..
            https://doc.pfsense.org/index.php/Why_do_my_logs_show_%22blocked%22_for_traffic_from_a_legitimate_connection

            An intelligent man is sometimes forced to be drunk to spend time with his fools
            If you get confused: Listen to the Music Play
            Please don't Chat/PM me for help, unless mod related
            SG-4860 25.07.1 | Lab VMs 2.8, 25.07.1

            • CLOUDFACILE
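The point johnpoz makes above, that a default-deny hit on a bare RST (or ACK/FIN) with no state is expected stateful-firewall behaviour while a dropped SYN is the thing worth investigating, can be turned into a quick log-triage check. The script below is an added example, not code from the thread or from pfSense; the log lines are constructed, and the filterlog field order is assumed to be the pfSense 2.4 IPv4/TCP CSV layout (rule, sub-rule, anchor, tracker, interface, reason, action, direction, IP version, tos, ecn, ttl, id, offset, flags, protocol id, protocol, length, src, dst, sport, dport, data length, TCP flags). The tracker ids 1000000103 and 1000000104 are the "Default deny rule IPv4" entries quoted in the first post.

```python
import re
from collections import Counter

# Constructed sample lines (assumed pfSense 2.4 filterlog layout, not taken from the thread).
SAMPLE_LOG = """\
Mar 1 10:00:01 pfSense filterlog: 5,,,1000000103,em0,match,block,in,4,0x0,,52,100,0,DF,6,tcp,40,203.0.113.7,198.51.100.20,51522,443,0,R,1,0,0,,
Mar 1 10:00:02 pfSense filterlog: 5,,,1000000104,em0,match,block,in,4,0x0,,52,101,0,DF,6,tcp,40,203.0.113.7,198.51.100.20,51522,443,0,RA,1,1,0,,
Mar 1 10:00:03 pfSense filterlog: 5,,,1000000103,em0,match,block,in,4,0x0,,64,102,0,DF,6,tcp,60,203.0.113.9,198.51.100.20,40000,443,0,S,1,0,65535,,mss
"""

# Tracker ids of the "Default deny rule IPv4" rule as shown in the original post.
DEFAULT_DENY_TRACKERS = {"1000000103", "1000000104"}

# Assumed field order for an IPv4 TCP filterlog record.
IPV4_TCP_FIELDS = [
    "rule", "subrule", "anchor", "tracker", "iface", "reason", "action", "dir",
    "ipver", "tos", "ecn", "ttl", "id", "offset", "flags", "proto_id", "proto",
    "length", "src", "dst", "sport", "dport", "datalen", "tcp_flags",
]

def parse_filterlog(line):
    """Return named fields for an IPv4 TCP filterlog line, or None for anything else."""
    m = re.search(r"filterlog: (.*)$", line)
    if not m:
        return None
    parts = m.group(1).split(",")
    if len(parts) < len(IPV4_TCP_FIELDS) or parts[8] != "4" or parts[16] != "tcp":
        return None
    return dict(zip(IPV4_TCP_FIELDS, parts))

def classify_block(rec):
    """SYN dropped = a client could not open a state (investigate);
    anything else (R, A, F combinations) = teardown traffic with no state (expected)."""
    return "syn-dropped" if "S" in rec["tcp_flags"] else "out-of-state"

def triage(log_text):
    """Count default-deny blocks per (class, destination, port) so real drops stand out."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_filterlog(line)
        if rec and rec["action"] == "block" and rec["tracker"] in DEFAULT_DENY_TRACKERS:
            counts[(classify_block(rec), rec["dst"], rec["dport"])] += 1
    return counts

if __name__ == "__main__":
    for (kind, dst, port), n in sorted(triage(SAMPLE_LOG).items()):
        print(f"{kind:13} {dst}:{port}  {n} block(s)")
```

Only the "syn-dropped" bucket points at a rule or NAT problem; a pile of "out-of-state" R/RA entries for the same client and port is the normal tail of closed or reset sessions described in the linked pfSense doc.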

              Hello,
              I thank you for the answer and I attach 3 pages with screenshots and my comments to better explain the configuration of pfsense and the problem.

              ![SCREENSHOT AND COMMENT-page-001.jpg](/public/imported_attachments/1/SCREENSHOT AND COMMENT-page-001.jpg)
              ![SCREENSHOT AND COMMENT-page-002.jpg](/public/imported_attachments/1/SCREENSHOT AND COMMENT-page-002.jpg)
              ![SCREENSHOT AND COMMENT-page-003.jpg](/public/imported_attachments/1/SCREENSHOT AND COMMENT-page-003.jpg)

              • johnpoz LAYER 8 Global Moderator

                And sorry, but an R sent to your WAN IP, yes, would be blocked.. Only a SYN would be allowed and open a state…

                Vs looking at what is just in your firewall rules, why don't you do a packet capture and watch the traffic...  Be more than happy to send traffic to your domain/IP so you can sniff and see what happens, etc.


                • CLOUDFACILE

                  I solved the problem: I reinstalled pfSense, then I restored the backup and everything works perfectly.
                  Thanks anyway for your help.

                  • johnpoz LAYER 8 Global Moderator

                    I am glad you're not seeing the issue you were having.. But such a solution is not really a solution…. Since you have no idea what the root was.. Blocking RST to the WAN is what should happen.. If there was no state, or it was after a state was closed..

                    A sniff would have been very, very informative as to what the problem actually was.


                    • jean-louis.abegg

                      Hello everyone,
                      Just to add a track: I had the same trouble with a pfSense.
                      Rule allow all on top, however the Default deny rule IPv4 happened.
                      In my case, that was due to the transparent proxy, with the option: Do not forward traffic to Private Address Space (RFC 1918 and IPv6 ULA) destinations.
                      Explanation: the address I needed to browse was a private address...
                      Disabling this option (so enabling proxying of private addresses) solved the trouble.

                      Thanks to the community

                      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.