How is this possible? Firewall IP filtering magic...



  • There is a server I am accessing remotely, call it IP A.B.C.D, and I can connect to port 443 but cannot ping (ICMP) it. When I say "I can access it", I am referring to a source network behind a pfSense firewall with a single public IP address. However, I tried accessing that same server IP A.B.C.D from 4 different networks on 4 different continents (one in the same province I am in) and cannot connect at all to that IP on port 443.

    Here is the catch: They cannot be performing IP address filtering, as the public IP of my source network has changed 5 times over the past year and I can always access that server from this network. They cannot be performing MAC filtering, because my MAC changed twice and it always works. However, like I said, the moment I connect from another source network the server is not responding to my TCP packets. They cannot be performing geofiltering, as I cannot connect from another network in the same province as me.

    Specifically, from my source network I send SYN, I get SYN,ACK and I send ACK and the handshake works.

    From any other network I send SYN and I never get back a SYN, ACK.

    How would this work? I do not know the firewall type on the server side.



  • Do you have a dynamic DNS hostname they might be using in their rule?
    Ping is a different protocol (ICMP) than TCP/443 and would need a separate rule. We generally disallow ICMP to web servers we host for instance.
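
    A hostname-based pass rule explains every observation in the question: the server-side firewall re-resolves the client's dynamic DNS name on a timer and admits TCP/443 only from whatever address the name currently points to, so the rule follows the source network through ISP address changes while every other network is dropped. The model below is an added example, not pfSense code and not anything from this thread; the hostname `home.example.net`, the addresses and the refresh timeline are constructed, and DNS is replaced by an injected resolver so it runs offline. It also shows the caveat a practitioner cares about: between the DDNS record update and the firewall's next re-resolution, the new address is still rejected and the old one still admitted (pfSense, for example, resolves hostname aliases on a timer rather than per packet).

```python
"""Model of a firewall pass rule whose source is a dynamic-DNS hostname.

Added example. Hostname, addresses and timing are constructed; the resolver is
injected so nothing touches real DNS.
"""
import ipaddress
import math


class FakeResolver:
    """Constructed stand-in for DNS: each hostname maps to a timeline of
    (effective_from_seconds, [addresses]), i.e. what the DDNS record said at
    a given moment. A real filter would query the system resolver instead."""

    def __init__(self, records):
        self.records = {name: sorted(tl) for name, tl in records.items()}

    def __call__(self, hostname, at):
        addrs = []
        for effective_from, ips in self.records.get(hostname, []):
            if effective_from <= at:
                addrs = ips
        return addrs


class HostnameRule:
    """Pass rule: allow TCP to `dport` from whatever `hostname` resolves to."""

    def __init__(self, hostname, dport, refresh_interval):
        self.hostname = hostname
        self.dport = dport
        self.refresh_interval = refresh_interval  # seconds between re-resolutions
        self.addrs = set()
        self.last_refresh = None


class DdnsFilter:
    def __init__(self, rules, resolver):
        self.rules = rules
        self.resolver = resolver  # callable (hostname, at_seconds) -> [addresses]

    def _refresh(self, now):
        # Re-resolution runs on a fixed schedule, not per packet: the table
        # consulted for a packet at `now` is whatever the last scheduled run
        # produced, which is where the stale window comes from.
        for r in self.rules:
            due = math.floor(now / r.refresh_interval) * r.refresh_interval
            if r.last_refresh is None or due > r.last_refresh:
                r.addrs = {ipaddress.ip_address(a)
                           for a in self.resolver(r.hostname, due)}
                r.last_refresh = due

    def accepts_syn(self, src_ip, dport, now):
        """True if an inbound SYN from src_ip to dport would be answered."""
        self._refresh(now)
        src = ipaddress.ip_address(src_ip)
        return any(r.dport == dport and src in r.addrs for r in self.rules)


HOME_DDNS = "home.example.net"  # assumed DDNS name, not from the thread


def run_scenario():
    """Constructed timeline: the home ISP reassigns the public address at
    t=1000 s and the DDNS client updates the record at once; the firewall
    re-resolves every 300 s."""
    resolver = FakeResolver({
        HOME_DDNS: [
            (0, ["198.51.100.10"]),   # original home address
            (1000, ["203.0.113.7"]),  # after the ISP change
        ]
    })
    fw = DdnsFilter([HostnameRule(HOME_DDNS, 443, refresh_interval=300)],
                    resolver)
    checks = [
        (100, "198.51.100.10", 443),   # home network before the change
        (100, "192.0.2.50", 443),      # some other network: SYN dropped
        (1050, "203.0.113.7", 443),    # new home IP, firewall not yet refreshed
        (1050, "198.51.100.10", 443),  # old home IP still in the table
        (1250, "203.0.113.7", 443),    # after the 1200 s refresh
        (1250, "198.51.100.10", 443),  # old IP now dropped
        (1250, "203.0.113.7", 80),     # port not covered by the rule
    ]
    return [(t, ip, port, fw.accepts_syn(ip, port, t)) for t, ip, port in checks]


if __name__ == "__main__":
    for t, ip, port, ok in run_scenario():
        print(f"t={t:5d}s  {ip:>14}:{port}  {'SYN/ACK' if ok else 'dropped'}")
```

    The third and fourth checks are the practical consequence of such a rule: right after an ISP address change, connections from the home network fail until the firewall's next re-resolution, and the previous holder of the old address is admitted during that same window, so the refresh interval should be kept short and the rule combined with authentication rather than relied on alone.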



  • Sure (regarding ICMP) - it is not relevant here as it is not dependent on the source network - they just block it outright, I should have excluded that info as it is not important.

    I did not think about that - I indeed do have a dynamic DNS host name for my IP... How could I have forgotten that! Thanks for clearing up my D'OH moment.

