FreeBSD Firewall sometimes restrictive



  • The FreeBSD / pfSense firewall filters seem very restrictive.

    It blocks, for no reason, incoming SSH traffic on the WAN interface with the TCP PSH flag set. Is this normal behavior?

    It should pass because it is traffic initiated from the LAN.

    Is it blocked because the packets are malformed due to bit errors?

    I have other examples of similar blocking with HTTP traffic.



  • From what I understand, any uninitiated incoming traffic (traffic from the WAN interface) is blocked by default unless you create a rule.
    I have no problem with SSH, HTTP, SMTP or IMAP traffic coming from the WAN via NAT rules, and all outgoing traffic works fine.

    You should give specific examples. I will admit to a slight learning curve to pfSense over other firewall/router programs, but I LOVE the control I have and just the sheer amount of features... Commercial routers that do what my pfSense box does cost tenfold what this system cost me.



  • Yes, you are right. Commercial hardware is very often closed, and as soon as you need a new function, like IPv6 for sure in the coming years, you have to change everything.

    The only problem with open source is that sometimes, when you need a specific advanced function to work and it is actually buggy, it is difficult to find someone to help you because of the interlocking between projects.

    For example, if you need a 10 Gbps bonding driver, you have no way with open source, because this is unsupported by the OS, and very few people have the knowledge to help you write a low-level driver.

    So as soon as you need big setups, you still need to call the big manufacturers. But this is beginning to change, as FreeBSD and Linux become more and more powerful and reliable.

    My philosophy is to use open source everywhere, except for very sensitive tasks, like zero-delay routing, absolutely needed in a telecom environment.



  • Yes, exactly.

    Did you get your firewall issues sorted out? Also, when I first started using pfSense I was thrown by the log files, because I would see lots of blocks that looked like legitimate traffic, but it turns out that it wasn't really getting blocked. Apparently some connections will send packets that you've already responded to, so the second instance shows up as blocked.



  • OK, perhaps this is a log problem with redundant packets.

    If I open the corresponding inbound traffic with a rule, I do not see those blocked packets, so it is for sure related to the stateful firewall tables.

    Yes and no, I didn't solve all problems for sure. I had a problem with an Aastra 57i phone located on the Internet two days ago, losing its registration every 20 seconds or less. The rules were OK, allowing the right traffic and making the needed inbound port forwarding to the IPbX.
    Everything in the phone setup was OK, with the right settings for NAT, the IPbX was OK as well, restarting the phone did not help, restarting pfSense solved the problem...

    I need to make more tests, but according to what I've seen, version 1.2.3 seems to sometimes need reboots to work OK after some changes. It would be nice if reboots were not needed, even when creating VLANs, because in a production setup it is sometimes difficult or impossible to reboot, especially when worldwide traffic is passing through the box 24 hours a day.

    I do not know exactly why, perhaps because I have a failover outbound load balancing setup, but sometimes after setup changes or link failover I need to clear the state tables.

    I tried to use the AFC (after filter change) utility from the Fit123 package to reset the state table after a failover, but it seems that it works only from the backup interface to the main one, not when the switch occurs from the main to the failover interface.

    Perhaps I should try to reduce the state table timeout for telephony traffic, or even suppress the stateful function for telephony traffic.

    It is not the first time I see problems on routers with telephony traffic as soon as you are using NAT and stateful filtering. The problem does not come from SIP design, known to be difficult with NAT, as I have seen the same problems with IAX traffic using only one port for audio and signalling.

    In one case I've discovered a real Linux bug (related to PPPoE restart and NAT); in other cases it is very difficult to diagnose where problems come from if you don't have a Linux engineer at hand.

    Discussing with telecom operators, I've discovered that they do not like NAT at all. There is certainly a reason.

    So my advice when deploying a NAT system in production is to carefully test every piece of equipment, especially when failovers occur, to be sure that a bunch of phones or telephony switches will not lose connectivity at the first IP connectivity problem.
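A toy stateful-filter model, added here as an illustration and not code from pfSense or from anyone in this thread, showing the two effects discussed in the posts above: a reply packet that arrives after the LAN side has already closed the connection no longer matches a state and is logged as a WAN block even though the traffic was LAN-initiated (unless an explicit pass rule covers it), and a UDP state whose idle timeout is shorter than the gap between a phone's registrations lets server-originated packets be dropped. Timeouts, addresses and ports are assumed values.

```python
from collections import namedtuple
# Constructed packet model: protocol, addresses/ports, TCP flags, arrival time (s).
Packet = namedtuple("Packet", "proto src sport dst dport flags t")
TIMEOUTS = {"tcp": 3600, "udp": 30}   # assumed idle timeouts, not pf's real defaults

class StatefulFirewall:
    """Toy pf model: default deny in on WAN unless a live state or explicit rule matches."""
    def __init__(self, wan_pass_rules=()):
        self.states = {}                             # normalized key -> expiry time
        self.wan_pass_rules = list(wan_pass_rules)   # predicates over a Packet
        self.log = []                                # what the firewall log would show
    @staticmethod
    def _key(p):  # order endpoints so the reply direction maps to the same state
        a, b = sorted([(p.src, p.sport), (p.dst, p.dport)])
        return (p.proto, a, b)
    def outbound(self, p):  # LAN -> WAN: always passes; creates/refreshes state, FIN/RST ends it
        k = self._key(p)
        if any(f in p.flags for f in "FR"):
            self.states.pop(k, None)                 # simplified teardown on first FIN/RST
        else:
            self.states[k] = p.t + TIMEOUTS[p.proto]
        return "pass"
    def inbound(self, p):  # WAN -> LAN: pass on live state or rule, else block and log
        k = self._key(p)
        if k in self.states and p.t <= self.states[k]:
            self.states[k] = p.t + TIMEOUTS[p.proto]
            return "pass"
        self.states.pop(k, None)                     # drop an expired entry
        if any(rule(p) for rule in self.wan_pass_rules):
            return "pass"
        self.log.append(f"block in on wan {p.src}:{p.sport} -> {p.dst}:{p.dport} flags={p.flags}")
        return "block"

def late_ack_after_close(allow_ssh_replies=False):
    """LAN opens SSH, closes it, then a late PSH/ACK from the server arrives at the WAN."""
    rules = [lambda p: p.proto == "tcp" and p.sport == 22] if allow_ssh_replies else []
    fw = StatefulFirewall(rules)
    fw.outbound(Packet("tcp", "192.168.1.10", 40000, "203.0.113.5", 22, "S", 0.0))
    synack = fw.inbound(Packet("tcp", "203.0.113.5", 22, "192.168.1.10", 40000, "SA", 0.1))
    fw.outbound(Packet("tcp", "192.168.1.10", 40000, "203.0.113.5", 22, "FA", 10.0))
    late = fw.inbound(Packet("tcp", "203.0.113.5", 22, "192.168.1.10", 40000, "PA", 10.2))
    return synack, late, fw.log

def udp_incoming_call(interval, gap):
    """Phone re-registers every `interval` s; the server then sends an unsolicited packet `gap` s later."""
    fw = StatefulFirewall()
    for i in range(3):
        fw.outbound(Packet("udp", "192.168.1.20", 5060, "198.51.100.9", 5060, "", i * interval))
        fw.inbound(Packet("udp", "198.51.100.9", 5060, "192.168.1.20", 5060, "", i * interval + 0.05))
    return fw.inbound(Packet("udp", "198.51.100.9", 5060, "192.168.1.20", 5060, "", 2 * interval + gap))
```

With the assumed 30 s UDP timeout, a 20 s registration interval keeps the state alive for a server packet 15 s later, while a 60 s interval leaves a packet 45 s after the last registration with no state to match.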



  • Some phones handle it better than others, but you're right... telephone stuff can be tricky. I wish I knew more about your specific issue... I'm sure someone here does.

    I've also noticed the exact issue you mean regarding settings and reboots. I was following a guide in one of the forums regarding transparent Squid and the traffic shaper, and it simply would not take the settings via filter reset (like the guide said). I too had to reboot in order to make the settings function properly, but I've had better luck with 1.2.3 than I have with 1.2.1 (the newer one works better with my hardware).



  • "I've also noticed the exact issue you mean regarding settings and reboots."

    These are certainly FreeBSD problems. The kind of problems that need nights, weeks or months to solve, or are never solved ;=( or need a complete rewrite of some parts :=)

    This is an example of project interlock. Without FreeBSD updates, OS problems will remain inside pfSense, unless there is good communication and / or financial exchange between each group to create motivation :=)

    It would be nice if medium-sized companies helped open source communities a bit more instead of silently using open source in their products. This would for sure produce much better products than the best commercial ones...

    Open source is a chance to break monopolistic situations. Everyone should help open source and open economy projects. This would for sure help solve the current crisis, removing money from where it does not need to go :=(



  • I agree, but at the same time, just look how far we've come. 10 years ago you wouldn't hear of it, and even just 5 years ago it was still very much reserved for the technical elite... now we have grandmothers using Ubuntu... I mean... open source is really starting to go somewhere... and some major companies really did a lot to make that happen... IBM... Novell... Sun... but really it's the volunteers and the end users that make the most difference, in my opinion.

    Take the Debian project... it's estimated to be worth 13 BILLION dollars.
    Open source is the future...



  • Yes, open source is the future. Open source is simply one of the best effects of the Internet medium.

    Nevertheless, a lot of companies do not trust it enough, especially companies without advanced internal computer knowledge.

    Open source has a good effect on code clarity and reliability. Moreover, if a project goes in the wrong direction or becomes too dirty, it is generally forked by a new group (see the recent Asterisk - FreeSWITCH fork).

    I think that if Microsoft had done open source since the beginning, the code would have been more reliable, avoiding tons of support issues never answered or addressed very slowly.

    That time is past. The Internet does give us the collaborative tool to get better products. It is time now to join this new world definitively. This is a good opportunity to change the old-style economy where the biggest companies decide our future, silently steal our money and push everyone into a big crisis when they make fundamental errors.



  • It can be when the big companies mainly use open source pfSense (FreeBSD), and they can save costs, particularly the costs of purchasing licenses.
    And in compensation, companies who use open source (pfSense, FreeBSD) can give contributions so that open source can be developed better.
    Without adequate funding support, it can be impossible to compete with licensed software.



  • "Without adequate funding support, it can be impossible to compete with licensed software."

    This is not always true in the open source world.

    A couple of hard-working and smart managers and programmers can be enough to create and maintain very successful, useful and big projects without millions of dollars.



  • Not to mention huge companies like IBM, Sun, and Novell who spend millions developing open source technology and pass that on to us.



  • In the case of maintenance, so it can be. However, in development the program must continue to be developed, including working with the developer tools. Because it cannot be denied again that the hardware will be very hard put to support the performance of the software itself. However, the funding from the side at the minimalist

