Default deny rule on in-state (TCP:SA) traffic



  • Hi. A strange one. I have "Default deny rule IPv4 (1000000103)" coming up on LAN traffic on the same subnet. It's not out-of-state traffic. I have the default allow LAN to all rule in place, but it's not firing on this traffic. Any ideas what's going on please? In the logs, I'm trying to access 192.168.117.35 from 192.168.117.2. It looks like the Syn is being sent, but the Syn-Ack is being blocked.

    (two screenshots attached: Capture1.JPG, Capture2.JPG)


  • Netgate

    Looks like asymmetric routing, since the source and destination hosts are likely on the same network.

    The firewall should probably not be seeing those replies at all. The incoming connections are probably hitting the web server via another path.

    With that being the case, that reply traffic would be, in fact, out-of-state.
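    One way to confirm this pattern from the firewall log rather than from screenshots: scan pfSense filterlog lines for blocked SYN-ACK (`SA`) packets where both endpoints sit in the LAN subnet. That is the signature of a reply to a connection the firewall never saw start, i.e. asymmetric routing. This is an added example, not code from the thread or from Netgate; the log lines are constructed samples and the CSV field positions follow the filterlog layout as I understand it (an assumption to check against your own log).

```python
"""Flag pfSense default-deny blocks of SYN-ACK replies between hosts on the
same subnet, the asymmetric-routing signature discussed in the thread."""
import ipaddress
from collections import Counter

# Constructed sample filterlog lines (field layout assumed; values made up,
# except the 1000000103 default-deny tracker id quoted in the thread).
SAMPLE_LOG = """\
Jul 30 22:50:57 fw filterlog: 5,,,1000000103,igb1,match,block,in,4,0x0,,64,0,0,DF,6,tcp,60,192.168.117.35,192.168.117.2,80,51722,0,SA,12345,67890,65535,,mss;sackOK
Jul 30 22:50:58 fw filterlog: 5,,,1000000103,igb1,match,block,in,4,0x0,,64,0,0,DF,6,tcp,60,192.168.117.35,192.168.117.2,80,51723,0,SA,12346,67891,65535,,mss;sackOK
Jul 30 22:51:02 fw filterlog: 5,,,1000000103,igb1,match,block,in,4,0x0,,64,0,0,none,6,tcp,60,10.0.5.9,192.168.117.2,443,40000,0,S,1,0,65535,,mss
"""


def parse_filterlog(line):
    """Return the fields this check needs, or None for non-IPv4/TCP lines."""
    _, _, csv = line.partition("filterlog: ")
    f = csv.strip().split(",")
    # Assumed positions: 3 tracker, 4 iface, 6 action, 7 direction, 8 ip version,
    # 16 protocol text, 18 src, 19 dst, 20 sport, 21 dport, 23 tcp flags.
    if len(f) < 24 or f[8] != "4" or f[16] != "tcp":
        return None
    return {"tracker": f[3], "iface": f[4], "action": f[6], "dir": f[7],
            "src": f[18], "dst": f[19], "sport": f[20], "dport": f[21],
            "flags": f[23]}


def asymmetric_routing_suspects(log_text, lan_subnet):
    """Count (server, server_port, client) tuples whose SYN-ACKs were blocked
    even though both ends are inside lan_subnet. The firewall is seeing the
    reply to a handshake it never saw start, so the SYN reached the server by
    another path and the reply is genuinely out-of-state from pf's view."""
    net = ipaddress.ip_network(lan_subnet)
    hits = Counter()
    for line in log_text.splitlines():
        rec = parse_filterlog(line)
        if rec is None or rec["action"] != "block" or rec["flags"] != "SA":
            continue
        src, dst = ipaddress.ip_address(rec["src"]), ipaddress.ip_address(rec["dst"])
        if src in net and dst in net:
            hits[(rec["src"], rec["sport"], rec["dst"])] += 1
    return dict(hits)


if __name__ == "__main__":
    for key, n in asymmetric_routing_suspects(SAMPLE_LOG, "192.168.117.0/24").items():
        print(f"{n} blocked SYN-ACK(s) from {key[0]}:{key[1]} to {key[2]} within the LAN")
```

    A non-empty result for a server that is supposed to be behind the firewall means the request path bypasses it (a second uplink, a VLAN leak, or a host with two interfaces), which is what to fix rather than loosening the rule.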



  • Yes, I think that's exactly what's happening. Thank you.