Firewall "Pass" rules are not processing non-SYN TCP packets



  • I suppose this is normal function, considering TCP packets without a SYN should be referenced in the state table, and thus allowed. But I've got pfBlocker rejecting traffic out to this set of IPs. I want to Allow (pass) this traffic, even if there is no state existing in the table.

    I can see the firewall matching on this traffic if Action set to Match. But not when the Action is set to Pass.
    I have played around with various TCP flag settings, without luck.

    Can anyone help?


  • LAYER 8 Global Moderator

    Why would you want/need to pass traffic that is out of state? That screams asymmetrical traffic flow that should be avoided, not allowed.

    If you need/want to allow for asymmetrical, etc., see that section in the docs:
    https://www.netgate.com/docs/pfsense/firewall/troubleshooting-blocked-log-entries-due-to-asymmetric-routing.html

    They suggest a few workarounds... But I would really think about why you would want to allow non-state traffic through your firewall.



  • Long story short... I have an IoT device on an internal VLAN... and as much as I don't like/understand its behavior, it is what it is. It beacons out at an interval using TCP PUSH/ACK packets (I suppose for keep-alive)... and if the firewall rules (default deny or pfBlocker) deny or reject... it doesn't care, it will continue to act like it doesn't know. I hoped that having those packets "rejected" with a Reset/ACK, that the IoT device would, you know, reset and start the TCP handshake over again. No luck though.

    So I did try the asymmetric fix by changing TCP flags to Any Flags, and a State Type of Sloppy State. But it doesn't seem to do anything. Probably because, as I stated, PASS rules don't get processed unless the SYN flag is set. MATCH and other BLOCK/DENY actions do seem to work with TCP flags and Sloppy settings though.

    I really want to keep all of the pfBlocker rules applied to this interface, because of every other benefit... and wanted a PASS rule on this interface for the IP addresses I selected. But if anything happens to the state (which does happen), there is no recovery, because it'll start blocking those keep-alive packets, which won't actually reset or restart the TCP handshake.


  • Rebel Alliance Developer Netgate

    When you do manual rules to pass with any flags and sloppy state, note that you have to do them twice: Once for traffic entering the firewall, and again where that traffic will exit. So you need a rule on the interface tab and then an outbound floating rule on the WAN or whatever interface it leaves.

    By default, TCP rules only match on flags S/SA (meaning SYN set, ACK not set), but when you set flags to ANY, that behavior is changed to match any flag combination.
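
Added example (not part of the original posts and not pfSense code): a simplified Python model of the `S/SA` flag mask and of the two filter points described in the last reply, showing why a stateless PSH/ACK keep-alive is dropped unless both legs use flags any. The interface names, the rule dictionaries and the assumption that the outbound leg otherwise carries an `S/SA` pass rule are constructed for illustration; state tracking is deliberately left out.

```python
# Simplified model of pf-style TCP flag matching; all rules and names are constructed.
FLAG_BITS = {"F": 0x01, "S": 0x02, "R": 0x04, "P": 0x08, "A": 0x10, "U": 0x20}

def bits(letters):
    """Turn flag letters such as 'PA' into a TCP flag bitmask."""
    value = 0
    for ch in letters:
        value |= FLAG_BITS[ch]
    return value

def flags_match(spec, tcp_flags):
    """spec is 'any' or 'set/mask'. For 'S/SA': looking only at SYN and ACK,
    SYN must be set and ACK must be clear."""
    if spec == "any":
        return True
    want, mask = spec.split("/")
    return (tcp_flags & bits(mask)) == bits(want)

def leg_passes(rules, iface, direction, tcp_flags):
    """Default deny: the leg passes only if some pass rule for this
    interface and direction matches the packet's flags."""
    return any(r["iface"] == iface and r["dir"] == direction
               and flags_match(r["flags"], tcp_flags) for r in rules)

def forwarded(rules, path, tcp_flags):
    """A packet with no existing state must be passed at every filter point."""
    return all(leg_passes(rules, iface, d, tcp_flags) for iface, d in path)

# Constructed path: in on the IoT VLAN, out on WAN (placeholder names).
PATH = [("IOT_VLAN", "in"), ("WAN", "out")]
SYN, PSH_ACK = bits("S"), bits("PA")

def ruleset(in_flags, out_flags):
    return [{"iface": "IOT_VLAN", "dir": "in", "flags": in_flags},
            {"iface": "WAN", "dir": "out", "flags": out_flags}]

DEFAULT = ruleset("S/SA", "S/SA")    # ordinary pass rules
ONE_SIDED = ruleset("any", "S/SA")   # flags any on the interface tab only
BOTH = ruleset("any", "any")         # plus the outbound floating rule

if __name__ == "__main__":
    for name, rules in (("default", DEFAULT), ("one-sided", ONE_SIDED), ("both", BOTH)):
        print(name, "SYN:", forwarded(rules, PATH, SYN),
              "PSH/ACK:", forwarded(rules, PATH, PSH_ACK))
```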