Netgate Discussion Forum
    Rules not being matched as expected

    Firewalling
    Buckbeak

      I'm having trouble with a new pfSense installation. My rules aren't being matched as I would expect them to be. The default rule is being triggered, even though it is farther down in the list and there are rules above the default rule that I would expect to be matched, but aren't:

      (bge0 is the LAN interface)

      From pfctl -s rules -vv:
      @108 pass in quick on bge0 all flags S/SA keep state label "USER_RULE: catchall"
      .
      .
      .
      @115 block drop in log quick all label "Default deny rule"

      A log entry:
      pf: 710005 rule 115/0(match): block in on bge0: (tos 0x0, ttl 63, id 14015, offset 0, flags [DF], proto TCP (6), length 64) 10.x.y.z.80 > 72.30.xxx.xxx.54707: S, cksum 0xb09a (correct), 1222312383:1222312383(0) ack 2341411941 win 49232 <nop,nop,timestamp 12784312 1491842314,mss 1460,nop,wscale 0,nop,nop,sackOK>

      The IPs on the inside (10.x.y.z) are not on the LAN subnet, but are on other internal subnets that are being routed to pfSense. There are static routes for the internal networks that point to the inside router that pfSense is connected to.

      So… why is rule 115 getting matched and not 108?

      I had the same thing happen on the WAN side too; no one can get to the web server:

      @55 pass in quick on bge1 inet proto tcp from any to 10.x.y.z port = http flags S/SA keep state label "USER_RULE: web server"
      .
      .
      .
      @87 block drop in log quick on bge1 all label "USER_RULE: catchall"

      Log:
      pf: 054917 rule 87/0(match): block in on bge1: (tos 0x0, ttl 245, id 11247, offset 0, flags [none], proto TCP (6), length 40) 68.58.xx.xx.36288 > 10.x.y.z.80: R, cksum 0x5544 (correct), 0:0(0) win 0

      10.x.y.z is set up as a 1:1 NAT.

      Why is rule 55 not being matched?

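Added example (not part of the post, and not pfSense or pf code): a small parser for the pf log format quoted above that extracts the TCP flags of each logged packet and replays it through the two rulesets, applying pf's first-match semantics for `quick` rules and its `flags set/mask` test. The point it makes visible is that `flags S/SA` only matches a packet with SYN set and ACK clear; the logged packets are a SYN-ACK (`S ... ack N`) and a RST (`R`), neither of which satisfies the pass rule, so both fall through to the catch-all. The IP addresses in the sample lines are constructed stand-ins for the redacted ones.

```python
import re

# Regex for the pf match-log format quoted in the post (old tcpdump-style TCP summary).
LOG_RE = re.compile(
    r"rule (?P<rule>\d+)/\d+\(match\): (?P<action>block|pass) (?P<dir>in|out) on (?P<iface>\w+): "
    r"\(.*?proto (?P<proto>\w+) \(\d+\).*?\) "
    r"(?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r"(?P<flags>[A-Z.]+), (?P<rest>.*)")

# Constructed sample lines (addresses are placeholders for the post's redacted 10.x.y.z etc.).
SAMPLE_LOGS = [
    "pf: 710005 rule 115/0(match): block in on bge0: (tos 0x0, ttl 63, id 14015, offset 0, flags [DF], "
    "proto TCP (6), length 64) 10.0.0.10.80 > 72.30.1.1.54707: S, cksum 0xb09a (correct), "
    "1222312383:1222312383(0) ack 2341411941 win 49232 <nop,nop,timestamp 12784312 1491842314,mss 1460>",
    "pf: 054917 rule 87/0(match): block in on bge1: (tos 0x0, ttl 245, id 11247, offset 0, flags [none], "
    "proto TCP (6), length 40) 68.58.1.1.36288 > 10.0.0.10.80: R, cksum 0x5544 (correct), 0:0(0) win 0",
]

# The post's two rulesets, reduced to the criteria pf evaluates for these packets.
LAN_RULES = [{"num": 108, "action": "pass", "iface": "bge0", "flags": "S/SA"},
             {"num": 115, "action": "block"}]
WAN_RULES = [{"num": 55, "action": "pass", "iface": "bge1", "proto": "tcp", "dport": 80, "flags": "S/SA"},
             {"num": 87, "action": "block", "iface": "bge1"}]

def parse_pf_log(line):
    """Return a dict describing the logged packet, or None if the line is not a pf match log."""
    m = LOG_RE.search(line)
    if not m:
        return None
    # In this notation the letter group carries SYN/FIN/RST/PSH ('.' = none); ACK appears as 'ack N'.
    flags = set(m.group("flags")) - {"."}
    if " ack " in m.group("rest"):
        flags.add("A")
    return {"rule": int(m.group("rule")), "iface": m.group("iface"), "proto": m.group("proto").lower(),
            "dport": int(m.group("dport")), "flags": "".join(sorted(flags))}

def flags_match(pkt_flags, spec):
    """pf 'flags set/mask': each flag named in mask must be set iff it is also named in set."""
    want, mask = spec.split("/")
    return all((f in pkt_flags) == (f in want) for f in mask)

def first_match(pkt, rules):
    """Walk an ordered list of 'quick' rules; the first rule whose criteria all match wins."""
    for r in rules:
        if r.get("iface") not in (None, pkt["iface"]) or r.get("proto") not in (None, pkt["proto"]):
            continue
        if r.get("dport") not in (None, pkt["dport"]) or ("flags" in r and not flags_match(pkt["flags"], r["flags"])):
            continue
        return r["num"]
    return None

def diagnose(line, rules):
    """(flags seen, rule pf logged, rule this replay predicts) for one log line."""
    pkt = parse_pf_log(line)
    return pkt["flags"], pkt["rule"], first_match(pkt, rules)
```

Packets that already have a state entry never reach the ruleset at all, so the presence of these lines in the log also means no state covered them (e.g. the outbound half of the connection was never seen by pf).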
      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.