Netgate Discussion Forum
    Firewall Logs Not Matching Rules (GUI)

    Firewalling
    3 Posts 2 Posters 1.5k Views
    Id Est

      Hello all.  I recently upgraded from 1.2 RC4 to 1.2.2.  Before I upgraded I was creating some rules to prepare for restricting outbound traffic.  I hadn't created the ominous all blocking rule yet.  The only restrictive rule I had was Block, LanNet, Any, port 53.  The second to last rule I have is allowing my own IP to go anywhere:  Pass, 10.0.0.10, Any, Any.  When I look at the firewall logs my own IP, 10.0.0.10, is being blocked from legitimate traffic, let's say this forum web site but I actually can go to this web page.

      Reason for block:
      @119 pass in log quick on em1 inet from 10.0.0.0/24 to any flags S/SA keep state label "USER_RULE: Allow ANY: ANY -> ANY (*)"

      Questions:
      1.  Most of the above I understand but some of it I'm unfamiliar with.  (is this the 119th rule?  quick?  flags S/SA?)
      2.  Is it likely this is from the upgrade?  How do I check?
      3.  Can the GUI be trusted to reflect what rules are actually being implemented?
      4.  I'd like to get 2 books:  One for firewall rule logic (vendor independent) and one for FreeBSD pf (something to guide me beyond the GUI).  Any suggestions?  (I wish the pfSense book was out!)

      Thanks for any and all help,

      Id

    Id Est

        Here's another example where my IP, 10.0.0.10, was blocked from a web site but for a different reason/rule.  Again in reality I can get to the site.

        Firewall log:

        Mar 25 13:33:13 LAN 10.0.0.10:51953 69.64.6.21:80 TCP

        Different reason for blocking the same site:

        @126 block drop in log quick all label "Default deny rule"

        Id Est

    brasilnut
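The rule line and the log line quoted in the two posts above are in pf's own syntax, so they can be decoded mechanically. As an added example (not code from the thread or from pfSense), the Python below parses rule lines in the `@N ...` form that `pfctl -vvsr` prints, parses a pfSense 1.2-style firewall log line, and joins the two the way the GUI's "reason" field does. The sample ruleset is constructed: @119 and @126 are the two rule strings quoted in the posts, @120 is an invented stand-in for the poster's port-53 block, and the interface em1 and the 10.0.0.0/24 network are taken from the posts as given. What the fields mean in pf: `@N` is the rule's index in the ruleset pf currently has loaded, numbered from @0 in the order `pfctl -vvsr` prints, which is evaluation order; `quick` means evaluation stops at the first matching rule instead of pf's default "last match wins"; `log` writes matching packets to the pf log; `flags S/SA` means that of the TCP flags SYN and ACK only SYN may be set, i.e. the first packet of a new connection. Because a `pass ... log` rule logs the packets it passes, a log entry whose reason is rule @119 records a packet pf allowed, and one whose reason is @126 records a packet that reached the end of the ruleset without matching anything earlier.

```python
"""Decode pf rule lines (the `@N ...` form printed by `pfctl -vvsr`) and
pfSense 1.2-style firewall log lines, then join the two as the GUI's
"reason" field does.  Added example; all sample data is constructed."""
import re
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Constructed ruleset excerpt. @119 and @126 are the two rule strings quoted in
# the posts; @120 is an invented stand-in for the poster's "block LanNet port 53".
SAMPLE_RULES = """\
@119 pass in log quick on em1 inet from 10.0.0.0/24 to any flags S/SA keep state label "USER_RULE: Allow ANY: ANY -> ANY (*)"
@120 block drop in log quick on em1 inet proto udp from 10.0.0.0/24 to any port = 53 label "USER_RULE: Block DNS"
@126 block drop in log quick all label "Default deny rule"
"""

# Constructed log line in the format shown in the second post:
# date/time, interface, src:port, dst:port, protocol.
SAMPLE_LOG = "Mar 25 13:33:13 LAN 10.0.0.10:51953 69.64.6.21:80 TCP"

RULE_RE = re.compile(
    r'^@(?P<num>\d+)\s+'
    r'(?P<action>pass|match|block(?: drop| return)?)'   # what happens to a matching packet
    r'(?:\s+(?P<dir>in|out)\b)?'
    r'(?:\s+(?P<log>log)\b)?'                           # matching packets go to the pf log
    r'(?:\s+(?P<quick>quick)\b)?'                       # first match wins; stop evaluating
    r'(?P<rest>.*?)'                                    # interface, af, proto, addresses, flags, state
    r'(?:\s+label "(?P<label>[^"]*)")?\s*$'
)
FLAGS_RE = re.compile(r'\bflags (?P<set>[A-Z]+)/(?P<mask>[A-Z]+)')
LOG_RE = re.compile(
    r'^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d\d:\d\d:\d\d)\s+(?P<iface>\S+)\s+'
    r'(?P<src>[\d.]+):(?P<sport>\d+)\s+(?P<dst>[\d.]+):(?P<dport>\d+)\s+(?P<proto>\w+)\s*$'
)


@dataclass
class Rule:
    num: int                          # position in the loaded ruleset, numbered from @0
    action: str                       # "pass", "block drop", "block return" or "match"
    direction: Optional[str]          # "in", "out" or None (both directions)
    log: bool
    quick: bool
    flags: Optional[Tuple[str, str]]  # (set, mask), e.g. ("S", "SA")
    label: Optional[str]
    body: str

    def verdict(self) -> str:
        """What a log entry that names this rule says happened to the packet."""
        if self.action == "pass":
            return "passed"
        if self.action.startswith("block"):
            return "blocked"
        return "matched (no verdict; a later rule decides)"

    def flags_meaning(self) -> Optional[str]:
        """Spell out `flags set/mask`: of the flags in mask, exactly those in set must be on."""
        if self.flags is None:
            return None
        set_, mask = self.flags
        text = f"of the TCP flags {'/'.join(mask)}, only {'/'.join(set_)} may be set"
        if set_ == "S" and set(mask) == {"S", "A"}:
            text += " (a SYN without ACK: the first packet of a new connection)"
        return text


def parse_rule(line: str) -> Rule:
    m = RULE_RE.match(line.strip())
    if m is None:
        raise ValueError(f"not a pf rule line: {line!r}")
    fm = FLAGS_RE.search(m["rest"])
    return Rule(
        num=int(m["num"]), action=m["action"], direction=m["dir"],
        log=m["log"] is not None, quick=m["quick"] is not None,
        flags=(fm["set"], fm["mask"]) if fm else None,
        label=m["label"], body=m["rest"].strip(),
    )


def load_rules(text: str) -> Dict[int, Rule]:
    """Index a `pfctl -vvsr` listing by rule number."""
    return {r.num: r for r in (parse_rule(ln) for ln in text.splitlines() if ln.strip())}


def parse_log(line: str) -> dict:
    m = LOG_RE.match(line.strip())
    if m is None:
        raise ValueError(f"not a pfSense filter log line: {line!r}")
    ev = m.groupdict()
    ev["sport"], ev["dport"] = int(ev["sport"]), int(ev["dport"])
    return ev


def explain(rules: Dict[int, Rule], log_line: str, rule_num: int) -> str:
    """Join a log line with the rule the log attributes it to, as the GUI's 'reason' does."""
    ev = parse_log(log_line)
    r = rules[rule_num]
    opts = ", ".join(o for o, on in (("quick", r.quick), ("log", r.log)) if on)
    return (f"{ev['src']}:{ev['sport']} -> {ev['dst']}:{ev['dport']} {ev['proto']} on {ev['iface']} "
            f"was {r.verdict()} by rule @{r.num} ({r.action} {r.direction or 'in/out'}, {opts}) "
            f"label {r.label!r}")


if __name__ == "__main__":
    rules = load_rules(SAMPLE_RULES)
    for n in (119, 126):
        print(explain(rules, SAMPLE_LOG, n))
    print("flags S/SA:", rules[119].flags_meaning())
```

To check whether the rules the GUI shows are the ones pf is actually enforcing (question 3 in the first post), run `pfctl -vvsr` on the firewall itself and feed its output to `load_rules()`; the `@N` numbers it prints are the ones the log's reason field refers to, so a mismatch between that listing and the GUI's rule table is visible directly. Under `quick`, the first rule a packet matches decides it, so a packet logged against @126 is one that reached the end of the ruleset without matching @119 or anything else before it.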

          FYI:

          There's another current thread that is related to this.
          However, no one seems to want to reply.

          Look for: "strange outgoing traffic"
          in the Firewalling forum.

          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.