Alias firewall block rule not blocked!


  • LAYER 8 Netgate

    No. The state was re-established after you rebooted because a firewall rule passed the traffic.



  • I restored the firewall rules to an earlier date and rebooted the machine. The alias is still the same and now the .17 again gets access. How to find out what rule is the problem?pf1.jpg


  • LAYER 8 Netgate

    pfctl -vvss | grep -A3 192.168.1.17

    Find the state you think should not be there out of that. Post it.



  • @Derelict said in Alias firewall block rule not blocked!:

    pfctl -vvss | grep -A3 192.168.1.17

    igb4 udp 192.168.1.1:53 <- 192.168.1.17:50872       NO_TRAFFIC:SINGLE
       age 00:00:55, expires in 00:00:05, 1:0 pkts, 56:0 bytes, rule 164
       id: 010000005cd28985 creatorid: 3dddfb2a
    igb4 udp 192.168.1.255:32414 <- 192.168.1.10:55418       NO_TRAFFIC:SINGLE
    --
    igb4 udp 192.168.1.1:53 <- 192.168.1.17:43906       NO_TRAFFIC:SINGLE
       age 00:00:55, expires in 00:00:05, 1:0 pkts, 59:0 bytes, rule 164
       id: 010000005cd28988 creatorid: 3dddfb2a
    igb5 ipv6-icmp ff02::1[192] <- fe80::201:5cff:fe6b:e046[192]       NO_TRAFFIC:NO_TRAFFIC
    --
    igb4 udp 114.55.218.176:32100 <- 192.168.1.17:27288       NO_TRAFFIC:SINGLE
       age 00:00:48, expires in 00:00:12, 1:0 pkts, 32:0 bytes, rule 178
       id: 010000005cd28a38 creatorid: 485eb46e
    igb4 udp 47.91.90.222:32100 <- 192.168.1.17:27288       NO_TRAFFIC:SINGLE
       age 00:00:48, expires in 00:00:12, 1:0 pkts, 32:0 bytes, rule 178
       id: 010000005cd28a39 creatorid: 485eb46e
    igb4 udp 192.168.1.1:161 <- 192.168.1.10:56756       MULTIPLE:MULTIPLE
    --
    igb4 udp 107.20.134.235:32100 <- 192.168.1.17:27288       NO_TRAFFIC:SINGLE
       age 00:00:48, expires in 00:00:12, 1:0 pkts, 32:0 bytes, rule 178
       id: 000000005cd28acc creatorid: 485eb46e
    igb4.300 udp 8.8.8.8:53 <- 10.0.2.2:45009       NO_TRAFFIC:SINGLE
    --
    igb4 udp 192.168.1.1:53 <- 192.168.1.17:51499       SINGLE:MULTIPLE
       age 00:00:33, expires in 00:00:00, 1:1 pkts, 56:72 bytes, rule 181
       id: 000000005cd28c1a creatorid: b13ad8d2
    igb5 udp 2a02:8071:800:0:527:2af9:a20f:552a[41679] -> 2001:8d8:fe:53:0:d9a0:52c2:100[53]       MULTIPLE:SINGLE
    --
    igb4 udp 107.20.134.235:32100 <- 192.168.1.17:25029       SINGLE:MULTIPLE
       age 00:00:33, expires in 00:00:00, 1:1 pkts, 32:48 bytes, rule 181
       id: 000000005cd28c1b creatorid: b13ad8d2
    igb5 udp xxx:64148 -> 217.160.83.194:53       MULTIPLE:SINGLE
    --
    igb5 udp xxx:57526 (192.168.1.17:25029) -> 107.20.134.235:32100       MULTIPLE:SINGLE
       age 00:00:33, expires in 00:00:00, 1:1 pkts, 32:48 bytes, rule 141
       id: 000000005cd28c1c creatorid: b13ad8d2
    igb5 udp 2a02:8071:800:0:527:2af9:a20f:552a[45428] -> 2001:503:e239::3:2[53]       MULTIPLE:SINGLE
    --
    igb4 udp 192.168.1.1:53 <- 192.168.1.17:35486       SINGLE:MULTIPLE
       age 00:00:33, expires in 00:00:00, 1:1 pkts, 61:77 bytes, rule 181
       id: 010000005cd28c21 creatorid: b13ad8d2
    igb4 udp 107.20.134.235:32100 <- 192.168.1.18:10092       MULTIPLE:MULTIPLE
    --
    igb4 udp 114.55.218.176:32100 <- 192.168.1.17:25029       NO_TRAFFIC:SINGLE
       age 00:00:33, expires in 00:00:27, 1:0 pkts, 32:0 bytes, rule 181
       id: 010000005cd28c22 creatorid: b13ad8d2
    igb5 udp xxx:41955 (192.168.1.18:10092) -> 107.20.134.235:32100       MULTIPLE:MULTIPLE
    --
    igb5 udp xxx:10147 (192.168.1.17:25029) -> 114.55.218.176:32100       SINGLE:NO_TRAFFIC
       age 00:00:33, expires in 00:00:27, 1:0 pkts, 32:0 bytes, rule 141
       id: 010000005cd28c23 creatorid: b13ad8d2
    igb4 udp 2a02:8071:889:c500:4262:31ff:fe07:2bdc[53] <- 2a02:8071:889:c500:f525:878c:30fa:1bb5[50603]       SINGLE:MULTIPLE
    --
    igb4 udp 47.91.90.222:32100 <- 192.168.1.17:25029       SINGLE:MULTIPLE
       age 00:00:33, expires in 00:00:00, 1:1 pkts, 32:48 bytes, rule 181
       id: 010000005cd28c24 creatorid: b13ad8d2
    igb4 udp 192.168.1.1:53 <- 192.168.1.122:53655       SINGLE:MULTIPLE
    --
    igb5 udp xxx:51011 (192.168.1.17:25029) -> 47.91.90.222:32100       MULTIPLE:SINGLE
       age 00:00:33, expires in 00:00:00, 1:1 pkts, 32:48 bytes, rule 141
       id: 010000005cd28c25 creatorid: b13ad8d2
    igb4 udp 114.55.218.176:32100 <- 192.168.1.18:21763       NO_TRAFFIC:SINGLE
    

  • LAYER 8 Netgate

    @mrsunfire OK, help me out. Which state should not be there?



  • All of the igb5 (WAN) connections from or to the 192.168.1.17.


  • LAYER 8 Netgate

    @mrsunfire Pick one.



  • @mrsunfire said in Alias firewall block rule not blocked!:

    igb5 udp xxx:10147 (192.168.1.17:25029) -> 114.55.218.176:32100 SINGLE:NO_TRAFFIC
    age 00:00:33, expires in 00:00:27, 1:0 pkts, 32:0 bytes, rule 141
    id: 010000005cd28c23 creatorid: b13ad8d2

    igb5 udp xxx:10147 (192.168.1.17:25029) -> 114.55.218.176:32100 SINGLE:NO_TRAFFIC
    age 00:00:33, expires in 00:00:27, 1:0 pkts, 32:0 bytes, rule 141
    id: 010000005cd28c23 creatorid: b13ad8d2


  • LAYER 8 Netgate

    @mrsunfire said in Alias firewall block rule not blocked!:

    pfctl -vvsr | grep -A3 '^@141('

    pfctl -vvsr | grep -A3 '^@181('



  • @Derelict said in Alias firewall block rule not blocked!:

    pfctl -vvsr | grep -A3 '^@141('

    @141(1000011161) pass out route-to (igb5 134.3.212.1) inet from xxx to ! 134.3.212.0/22 flags S/SA keep state allow-opts label "let out anything from firewall host itself"
      [ Evaluations: 1218      Packets: 12419     Bytes: 8152153     States: 167   ]
      [ Inserted: pid 49753 State Creations: 183   ]
    @142(1000011162) pass out route-to (igb5 fe80::201:5cff:fe6b:e046) inet6 from 2a02:8071:xxx to ! 2a02:8071:xxx::/56 flags S/SA keep state allow-opts label "let out anything from firewall host itself"
    

  • LAYER 8 Netgate

    [insert final jeopardy theme here.]



  • Right now the alias is working again and I can't get it to not work. I did nothing but now it is blocking. Sorry, I don't see the error there and will give it a try again in the future. Thanks for your help so far.


  • LAYER 8 Netgate

    What was rule 181 in that rule set? Inquiring minds want to know!



  • This is a rule that passed the traffic from one client on LAN to my Cable Modem interface:

    @181(1526110841) pass in quick on igb4 route-to (igb5 134.3.212.1) inet from 192.168.1.20 to 192.168.100.1 flags S/SA keep state label "USER_RULE: PC TC4400 Modem"
      [ Evaluations: 1048      Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: pid 79204 State Creations: 0     ]
    @182(1417115627) pass in quick on igb4 inet from 192.168.1.0/24 to any flags S/SA keep state label "USER_RULE: Allow ALL IPv4"
    

  • LAYER 8 Netgate

    @mrsunfire said in Alias firewall block rule not blocked!:

    Does pfctl -vvsr | grep -A3 1526110841 show anything more?


  • LAYER 8 Netgate

    Are you mixing and matching current data with old?



  • Right now the old config works. But I post it anyways:

    @181(1526110841) pass in quick on igb4 route-to (igb5 134.3.212.1) inet from 192.168.1.20 to 192.168.100.1 flags S/SA keep state label "USER_RULE: PC TC4400 Modem"
      [ Evaluations: 946       Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: pid 41920 State Creations: 0     ]
    @182(1417115627) pass in quick on igb4 inet from 192.168.1.0/24 to any flags S/SA keep state label "USER_RULE: Allow ALL IPv4"
    

  • LAYER 8 Netgate

    Are the states that you posted citing rule 181 old data or new?

    We need to be looking at the same rule set as the state table or we are just wasting time.



  • They were the same rule set. I restored the config againto that point. But this time its working.

    I will try to get the problem up again and post the same things again...



  • OK I've now checked the latest config again and now here are connections to WAN, I'm really confused:

    pf2.jpg

    igb4 udp 114.55.218.176:32100 <- 192.168.1.17:10085       MULTIPLE:MULTIPLE
       age 00:28:43, expires in 00:00:48, 54:33 pkts, 3840:1352 bytes, rule 175
       id: 000000005cd29094 creatorid: 732cab7f
    igb5 udp xxx:65411 (192.168.1.17:10085) -> 114.55.218.176:32100       MULTIPLE:MULTIPLE
       age 00:28:43, expires in 00:00:48, 54:33 pkts, 3840:1352 bytes, rule 139
       id: 000000005cd29095 creatorid: 732cab7f
    lo0 tcp 127.0.0.1:6379 <- 127.0.0.1:26058       ESTABLISHED:ESTABLISHED
    --
    igb4 udp 107.20.134.235:32100 <- 192.168.1.17:10085       MULTIPLE:MULTIPLE
       age 00:28:43, expires in 00:00:48, 54:54 pkts, 3840:2208 bytes, rule 175
       id: 000000005cd29098 creatorid: 732cab7f
    igb5 udp xxx:17644 (192.168.1.17:10085) -> 107.20.134.235:32100       MULTIPLE:MULTIPLE
       age 00:28:43, expires in 00:00:48, 54:54 pkts, 3840:2208 bytes, rule 139
       id: 000000005cd29099 creatorid: 732cab7f
    lo0 tcp ::1[3493] <- ::1[26068]       ESTABLISHED:ESTABLISHED
    --
    igb4 udp 47.91.90.222:32100 <- 192.168.1.17:10085       MULTIPLE:MULTIPLE
       age 00:23:35, expires in 00:00:48, 45:41 pkts, 3200:1680 bytes, rule 182
       id: 000000005cd295e5 creatorid: d0585f4d
    igb5 udp xxx:46591 (192.168.1.17:10085) -> 47.91.90.222:32100       MULTIPLE:MULTIPLE
       age 00:23:35, expires in 00:00:48, 45:41 pkts, 3200:1680 bytes, rule 141
       id: 000000005cd295e6 creatorid: d0585f4d
    igb3 udp 255.255.255.255:4944 <- 0.0.0.0:6134       NO_TRAFFIC:SINGLE
    --
    igb4 udp 192.168.1.1:53 <- 192.168.1.17:44606       SINGLE:MULTIPLE
       age 00:00:06, expires in 00:00:24, 1:1 pkts, 59:128 bytes, rule 182
       id: 000000005cd2a1af creatorid: d0585f4d
    igb4.200 udp 8.8.8.8:53 <- 10.0.1.5:11824       SINGLE:MULTIPLE
    

  • LAYER 8 Netgate

    So what are rules 175, 139, 182, and 141 in the current rule set?



  • 175 is forcing a VOIP client to use a specific gateway (Multi WAN config).

    @175(10000001) pass in quick on igb4 inet proto udp from 192.168.1.19 to <negate_networks:2> keep state label "NEGATE_ROUTE: Negate policy routing for destination"
      [ Evaluations: 1632      Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: pid 41920 State Creations: 0     ]
    @176(1524056818) pass in quick on igb4 route-to (igb5 134.3.212.1) inet proto tcp from 192.168.1.19 to any flags S/SA keep state label "USER_RULE: VOIP UM Gateway"
    
    @139(1000011065) pass out inet all flags S/SA keep state allow-opts label "let out anything IPv4 from firewall host itself"
      [ Evaluations: 16781     Packets: 3841      Bytes: 285161      States: 0     ]
      [ Inserted: pid 41920 State Creations: 13    ]
    @140(1000011066) pass out inet6 all flags S/SA keep state allow-opts label "let out anything IPv6 from firewall host itself"
    
    @182(1417115627) pass in quick on igb4 inet from 192.168.1.0/24 to any flags S/SA keep state label "USER_RULE: Allow ALL IPv4"
      [ Evaluations: 2225      Packets: 471566    Bytes: 563093528   States: 42    ]
      [ Inserted: pid 41920 State Creations: 1750  ]
    @183(1525366696) pass in quick on igb4 inet6 from 2a02:8071:xxx::/64 to any flags S/SA keep state label "USER_RULE: Allow ALL IPv6"
    
    @141(1000011161) pass out route-to (igb5 134.3.212.1) inet from xxx to ! 134.3.212.0/22 flags S/SA keep state allow-opts label "let out anything from firewall host itself"
      [ Evaluations: 8760      Packets: 477427    Bytes: 563273095   States: 76    ]
      [ Inserted: pid 41920 State Creations: 4639  ]
    @142(1000011162) pass out route-to (igb5 fe80::201:5cff:fe6b:e046) inet6 from 2a02:8071:xxx to ! 2a02:8071:800::/56 flags S/SA keep state allow-opts label "let out anything from firewall host itself"
    


  • Oh I see that the second host in that Alias (192.168.1.18) also is not working and passes the traffic to WAN! That's new.

    pfTop: Up State 1-6/6 (673), View: default, Order: bytes
    PR        DIR SRC                           DEST                                   STATE                AGE       EXP     PKTS    BYTES
    udp       In  192.168.1.18:10090            107.20.134.235:32100             MULTIPLE:MULTIPLE     00:41:52  00:00:22      150     8412
    udp       Out xxx:50497           107.20.134.235:32100             MULTIPLE:MULTIPLE     00:41:52  00:00:22      150     8412
    udp       In  192.168.1.18:10090            114.55.218.176:32100             MULTIPLE:MULTIPLE     00:41:52  00:00:22      114     6940
    udp       Out xxx:22381           114.55.218.176:32100             MULTIPLE:MULTIPLE     00:41:52  00:00:22      114     6940
    udp       In  192.168.1.18:10090            47.91.90.222:32100               MULTIPLE:MULTIPLE     00:31:10  00:00:22       98     5704
    udp       Out xxx:2161            47.91.90.222:32100               MULTIPLE:MULTIPLE     00:31:10  00:00:22       98     5704
    

  • LAYER 8 Netgate

    @mrsunfire said in Alias firewall block rule not blocked!:

    igb4 udp 47.91.90.222:32100 <- 192.168.1.17:10085 MULTIPLE:MULTIPLE
    age 00:23:35, expires in 00:00:48, 45:41 pkts, 3200:1680 bytes, rule 182
    id: 000000005cd295e5 creatorid: d0585f4d

    @182(1417115627) pass in quick on igb4 inet from 192.168.1.0/24 to any flags S/SA keep state label "USER_RULE: Allow ALL IPv4"
    [ Evaluations: 2225 Packets: 471566 Bytes: 563093528 States: 42 ]
    [ Inserted: pid 41920 State Creations: 1750 ]

    Was not blocked. I still maintain you are confused. I have no idea what state things are in, what should be blocked and what is or isn't because you keep saying you are restoring configs, etc. Stick with ONE configuration, detail exactly what you think should or should not be happening, don't click around trying to fix it, and we might be able to find out where the misconfiguration is.



  • The 182 is the LAN to WAN allow any:any rule.


  • LAYER 8 Netgate

    Yeah I know.



  • I‘m still at the same config. Now I rebooted and it works again. I will try to reboot and see if the problem reappears.



  • Remember that the block rule was above the 182. I don‘t get it why that rule passes for that host.


  • LAYER 8 Netgate

    Was it? I would need to see it in the current active rule set at the time the state was created.


  • LAYER 8 Global Moderator

    Dude stop rebooting and restoring old configs and work with what is there and can find out what you have misconfigured..



  • Well I did that because I want to find out what was the problem with the old config. Right now it works. Maybe after next boot it's not working anymore. I don't know.


  • LAYER 8 Global Moderator

    @mrsunfire said in Alias firewall block rule not blocked!:

    Maybe after next boot it's not working anymore. I don't know.

    nonesense.. Unless you change freaking your confings around again.... Or you have problems with the rules loading? in general? Or you have delay in aliases working.. But if your putting in IP vs fqdn there should be no delay like resolving them.. that could maybe cause a problem.

    But if your trying to figure out what is allowing something out you have to work with current rules and states, and don't reboot in the middle, etc.



  • Thats the actual state:

    pf3.jpg

    And nothin in pfTop. How it should be. But it's the same as the old config. Thats what confused me.


  • LAYER 8 Global Moderator

    That is not a "STATE"



  • Well thats how it is right now. I only did a reboot to find out if this results in something and it looked like as you see above. Sometimes it was not working, after next reboot it was.


  • LAYER 8 Global Moderator

    That is not a state, that is just your firewall rule and and what is in the alias... A "state" would be in your "state table" jimp already went over in great detail how to track down which rule created a specific state that could be allowing traffic through... If traffic is blocked then no states would be created..



  • @mrsunfire said in Alias firewall block rule not blocked!:

    Thats the actual state:

    pf3.jpg

    And nothin in pfTop. How it should be. But it's the same as the old config. Thats what confused me.

    Are these all of the rules defined on the interface? Are we looking at only a partial screen shot? What is the full text of that rule at the top (the one withi PROTO "any" and SRC "any")? The pop-up tooltip window is obscuring the rest of the rule. That rule, at least what appears in the screen, would allow all traffic and thus your block rules never get evaluated.



  • That's all, nothing special.

    pf4.jpg



  • I now again recovered my old config from that date before I created this thread and everything works fine. I can't get it do not work anymore. And yes, I saved my config before I started to try anything last month.


Log in to reply