Firewall "Pass" rules are not processing non-SYN TCP packets
pfuser23409:
I suppose this is normal function, considering TCP packets without a SYN should be referenced in the state table, and thus allowed. But I've got pfBlocker rejecting traffic out to this set of IPs. I want to Allow (pass) this traffic, even if there is no state existing in the table.
I can see the firewall matching on this traffic if the Action is set to Match. But not when the Action is set to Pass.
I have played around with various TCP flag settings, without luck.
Can anyone help?
Why would you want/need to pass traffic that is out of state? That screams asymmetrical traffic flow that should be avoided not allowed.
If you need/want to allow for asymmetrical traffic, etc., see that section in the docs.
They suggest a few workarounds... But I would really think about why you would want to allow non-state traffic through your firewall.
pfuser23409:
Long story short... I have an IoT device on an internal VLAN... and as much as I don't like/understand its behavior, it is what it is. It beacons out at an interval using TCP PUSH/ACK packets (I suppose for keep-alive)... and if the firewall rules (default deny or pfBlocker) deny or reject, it doesn't care; it will continue to act like it doesn't know. I hoped that having those packets "rejected" with a Reset/ACK, the IoT device would, you know, reset and start the TCP handshake over again. No luck though.
So I did try the asymmetric fix by changing TCP flags to Any Flags, and a State Type of Sloppy State. But it doesn't seem to do anything. Probably because, as I stated, PASS rules don't get processed unless the SYN flag is set. MATCH and other BLOCK/DENY actions do seem to work with TCP flags and Sloppy settings though.
I really want to keep all of the pfBlocker rules applied to this interface, because of every other benefit, and I wanted a PASS rule on this interface for the IP addresses I selected. But if anything happens to the state (which does happen), there is no recovery, because it'll start blocking those keep-alive packets, which won't actually reset or restart the TCP handshake.
When you do manual rules to pass with any flags and sloppy state, note that you have to do them twice: once for traffic entering the firewall, and again where that traffic will exit. So you need a rule on the interface tab and then an outbound floating rule on the WAN or whatever interface it leaves on.
By default, TCP rules only match on flags S/SA (meaning SYN set, ACK not set), but when you set flags to ANY, that behavior is changed to match any flag combination.
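The two replies above describe three separate mechanisms that combine to produce the behaviour in the question: the default `flags S/SA` on TCP rules, the state-table lookup that happens before any rule is evaluated, and the fact that a packet leaving the firewall is filtered again on the exit interface. The following toy model, added here as an example and not pf or pfSense code, puts those pieces together so you can see why a keep-alive PSH/ACK with no state is rejected by pfBlocker under a default pass rule, why `flags any` on the VLAN rule alone is not enough, and why the floating out rule on the WAN completes the fix. The interface names, addresses, port and rule order are constructed; interface-bound states and a default deny on both directions are assumptions of the model; and "sloppy" is carried only as a label, since sequence-number tracking is not modelled.

```python
"""Toy model of pf's TCP flag matching and state lookup (example code,
not pf or pfSense source).  Modelled: 'flags a/b' versus 'flags any',
state lookup before the ruleset, pfSense-style quick interface rules,
a default deny in and out, interface-bound states (assumption).
Not modelled: sequence-number tracking (so 'sloppy' is just a label),
NAT, logging, reject vs. drop."""
from dataclasses import dataclass
from typing import Optional

IOT = "10.10.10.50"      # constructed: IoT device on the internal VLAN
CLOUD = "203.0.113.10"   # constructed: the host it beacons to


@dataclass(frozen=True)
class Packet:
    iface: str            # interface the packet is seen on
    direction: str        # "in" (entering the firewall) or "out" (leaving)
    src: str
    dst: str
    dport: int
    flags: frozenset      # TCP flags as letters, e.g. {"S"} or {"P", "A"}


def flags_match(spec: str, flags: frozenset) -> bool:
    """'flags a/b': of the flags listed in b, exactly those in a must be set.
    'flags any' disables the check.  So 'S/SA' matches a bare SYN but not
    SYN/ACK, ACK or PSH/ACK, which is why a default pass rule never sees
    a keep-alive PSH/ACK that has no state."""
    if spec == "any":
        return True
    a, b = spec.split("/")
    return flags & frozenset(b) == frozenset(a)


@dataclass
class Rule:
    action: str           # "pass", "block" or "match"
    direction: str        # "in" or "out"
    label: str
    iface: Optional[str] = None   # None models a floating rule
    src: str = "any"
    dst: str = "any"
    flags: str = "S/SA"   # pf default for TCP rules
    sloppy: bool = False  # state type "sloppy" (label only in this model)
    quick: bool = False   # pfSense sets quick on every interface rule

    def matches(self, pkt: Packet) -> bool:
        return (self.direction == pkt.direction
                and self.iface in (None, pkt.iface)
                and self.src in ("any", pkt.src)
                and self.dst in ("any", pkt.dst)
                and flags_match(self.flags, pkt.flags))


class Firewall:
    def __init__(self, rules, default="block"):
        self.rules = rules
        self.default = default   # pfSense installs a default deny in and out
        self.states = {}         # (iface, src, dst, dport) -> rule label

    def evaluate(self, pkt: Packet):
        """One filter checkpoint: state table first, then the ruleset where
        the last match wins unless a matching rule is quick.  Returns the
        verdict and the labels of every rule that matched."""
        key = (pkt.iface, pkt.src, pkt.dst, pkt.dport)
        if key in self.states:
            return "pass", ["state:" + self.states[key]]
        verdict, winner, hits = self.default, None, []
        for rule in self.rules:
            if not rule.matches(pkt):
                continue
            hits.append(rule.label)
            if rule.action == "match":
                continue         # match rules tag traffic, never decide it
            verdict, winner = rule.action, rule
            if rule.quick:
                break
        if verdict == "pass":
            self.states[key] = winner.label   # keep state on the pass rule
        return verdict, hits


def forward(fw: Firewall, flags: str, in_iface="vlan10", out_iface="wan"):
    """The IoT packet is filtered twice: entering on the VLAN, leaving on WAN."""
    fl = frozenset(flags)
    v_in, hits = fw.evaluate(Packet(in_iface, "in", IOT, CLOUD, 443, fl))
    if v_in != "pass":
        return "blocked at %s in" % in_iface, hits
    v_out, _ = fw.evaluate(Packet(out_iface, "out", IOT, CLOUD, 443, fl))
    if v_out != "pass":
        return "blocked at %s out" % out_iface, hits
    return "forwarded", hits


def build(pass_action="pass", pass_flags="S/SA", floating_out=False):
    """Ruleset in pfSense order: floating rules, then the VLAN interface
    rules (user rule above pfBlocker's reject), then the default pass-out."""
    rules = []
    if floating_out:             # the second rule the reply above asks for
        rules.append(Rule("pass", "out", "floating out wan", iface="wan",
                          src=IOT, dst=CLOUD, flags="any", sloppy=True))
    rules += [
        Rule(pass_action, "in", "user rule", iface="vlan10", src=IOT,
             dst=CLOUD, flags=pass_flags, sloppy=pass_flags == "any", quick=True),
        Rule("block", "in", "pfBlocker reject", iface="vlan10", dst=CLOUD,
             flags="any", quick=True),
        Rule("pass", "out", "pass out all"),      # default flags S/SA
    ]
    return Firewall(rules)


if __name__ == "__main__":
    for kw in [{}, {"pass_action": "match", "pass_flags": "any"},
               {"pass_flags": "any"}, {"pass_flags": "any", "floating_out": True}]:
        print(kw, "SYN:", forward(build(**kw), "S")[0],
              "| PSH/ACK, no state:", forward(build(**kw), "PA"))
```

Running it shows the progression from the thread: with the default `S/SA` pass rule a SYN is forwarded and creates state, but a stateless PSH/ACK falls through to the pfBlocker reject; a Match rule with any flags does fire on the PSH/ACK but decides nothing; `flags any` on the VLAN rule passes the packet in, only for it to be dropped again on the WAN out checkpoint; adding the floating out rule forwards it. In pf.conf terms (example syntax, not the page's), that pair is roughly `pass in quick on vlan10 proto tcp from 10.10.10.50 to 203.0.113.10 flags any keep state (sloppy)` plus `pass out on wan proto tcp from 10.10.10.50 to 203.0.113.10 flags any keep state (sloppy)`. Note that `flags any` on a pass rule means any TCP segment to that host, not just the device's keep-alives, creates state, so keep the source and destination as narrow as the thread's author did.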