Rules not being matched as expected



  • I'm having trouble with a new pfsense installation. My rules aren't being matched as I would expect them
    to be. The default rule is being
    triggered, even though it is farther down in the list and there are rules above the default rule that I would
    expect to be matched, but aren't:

    (bge0 is the LAN interface)

    From pfctl -s rules -vv  :
    @108 pass in quick on bge0 all flags S/SA keep state label "USER_RULE: catchall"
    .
    .
    .
    @115 block drop in log quick all label "Default deny rule"

    A log entry:
    pf: 710005 rule 115/0(match): block in on bge0: (tos 0x0, ttl 63, id
    14015, offset 0, flags [DF], proto TCP (6), length 64) 10.x.y.z.80 >
    72.30.xxx.xxx.54707: S, cksum 0xb09a (correct),
    1222312383:1222312383(0) ack 2341411941 win 49232 <nop,nop,timestamp<br>12784312 1491842314,mss 1460,nop,wscale 0,nop,nop,sackOK>

    The ip's on the inside (10.x.y.z) are not on the LAN subnet, but are
    on other internal subnets that are being routed to pfsense. There are
    static routes for the internal networks that point to the inside
    router that pfsense is connected to.

    So…. why is rule 115 getting matched and not 108?

    I had the same thing happen on the WAN side too, no one can get to the
    web server:

    @55 pass in quick on bge1 inet proto tcp from any to 10.x.y.z port =
    http flags S/SA keep state label "USER_RULE: web server"
    .
    .
    .
    @87 block drop in log quick on bge1 all label "USER_RULE: catchall"

    Log:
    pf: 054917 rule 87/0(match): block in on bge1: (tos 0x0, ttl 245, id
    11247, offset 0, flags [none], proto TCP (6), length 40)
    68.58.xx.xx.36288 > 10.x.y.z.80: R, cksum 0x5544 (correct), 0:0(0) win
    0

    10.x.y.z is setup as a 1:1 NAT.

    Why is rule 55 not being matched?</nop,nop,timestamp<br>


Locked