Netgate Discussion Forum

Firewall "Pass" rules are not processing non-SYN tcp packets

Scheduled Pinned Locked Moved Firewalling
4 Posts 3 Posters 641 Views
    pfuser23409 (Jan 8, 2019, 7:08 PM)

    I suppose this is normal function, considering TCP packets without a SYN should be referenced in the state table, and thus allowed. But I've got pfblocker rejecting traffic out to this set of IPs. I want to Allow (pass) this traffic, even if there is no state existing in the table.

    I can see the firewall matching on this traffic if Action set to Match. But not when the Action is set to Pass.
    I have played around with various TCP flag settings, without luck.

    Can anyone help?

      johnpoz, LAYER 8 Global Moderator (Jan 8, 2019, 7:44 PM; last edited by johnpoz Jan 8, 2019, 7:58 PM)

      Why would you want/need to pass traffic that is out of state? That screams asymmetrical traffic flow that should be avoided not allowed.

      If you need/want to allow for asymmetrical, etc., see that section in the docs:
      https://www.netgate.com/docs/pfsense/firewall/troubleshooting-blocked-log-entries-due-to-asymmetric-routing.html

      They suggest a few workarounds... But I would really think about why you would want to allow non-state traffic through your firewall.

        pfuser23409 (Jan 20, 2019, 6:56 AM)

        Long story short... I have an IoT device on an internal VLAN... and as much as I don't like/understand its behavior, it is what it is. It beacons out at an interval using TCP PUSH/ACK packets (I suppose for keep-alive)... and if the firewall rules (default deny or pfblocker) deny or reject... it doesn't care, it will continue to act like it doesn't know. I hoped that having those packets "rejected" with a Reset/ACK, the IoT device would, you know, reset and start the TCP handshake over again. No luck though.

        So I did try the asymmetric fix by changing TCP flags to Any Flags, and a State Type of Sloppy State. But it doesn't seem to do anything. Probably because, as I stated, PASS rules don't get processed unless the SYN flag is set. MATCH and other BLOCK/DENY actions do seem to work with TCP flags and Sloppy settings though.

        I really want to keep all of the pfBlocker rules applied to this interface, because of every other benefit... and wanted a PASS rule on this interface for the IP addresses I selected. But if anything happens to the state (which does happen), there is no recovery, because it'll start blocking those keep-alive packets, which won't actually reset or restart the TCP handshake.

          jimp, Rebel Alliance Developer, Netgate (Jan 21, 2019, 8:12 PM)

          When you do manual rules to pass with any flags and sloppy state, note that you have to do them twice: Once for traffic entering the firewall, and again where that traffic will exit. So you need a rule on the interface tab and then an outbound floating rule on the WAN or whatever interface it leaves.

          By default, TCP rules only match on flags S/SA (meaning SYN set, ACK not set), but when you set flags to ANY, that behavior is changed to match any flag combination.

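The two-rule pattern jimp describes, written out in raw pf.conf syntax as an added example (it is not from the thread and not what the pfSense GUI generates). The interface names vlan20 and igb0, the host 192.168.20.50, port 443 and the <iot_cloud> table are assumptions for illustration:

```pf
# Added example, not from the thread. Interface names, addresses, port
# and the table are constructed for illustration.
table <iot_cloud> { 203.0.113.10, 203.0.113.11 }   # constructed destination list
iot_dev = "192.168.20.50"                          # constructed IoT host on the VLAN

# 1) A plain pass rule. pf's default for TCP is "flags S/SA", so this only
#    creates state on a SYN (ACK clear). A bare PSH/ACK keep-alive with no
#    state never matches here and falls through to the block/reject rules.
pass in quick on vlan20 proto tcp from $iot_dev to <iot_cloud> port 443 \
    flags S/SA keep state

# 2) The workaround instead: "flags any" plus sloppy state, and it has to
#    be done twice. Once where the traffic enters (the VLAN interface) ...
pass in quick on vlan20 proto tcp from $iot_dev to <iot_cloud> port 443 \
    flags any keep state (sloppy)
#    ... and again where it leaves (outbound on WAN), otherwise the
#    out-of-state segment is still dropped when it exits.
pass out quick on igb0 proto tcp from $iot_dev to <iot_cloud> port 443 \
    flags any keep state (sloppy)

# Keep both sloppy rules narrow (one source host, a small destination
# table, one port): "flags any" with sloppy state turns off the SYN and
# sequence-window checks that normally discard stray or spoofed segments,
# so the rest of the ruleset should stay on the default flags S/SA.
```

After loading the rules, `pfctl -sr` shows whether both sloppy rules are present and `pfctl -ss` shows the state created by the first keep-alive that matches.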