"Google 1e100 addresses" & Google invaled certificates "Common Name invalid2.invalid"
-
@louis2 said in "Google 1e100 addresses" & Google invaled certificates "Common Name invalid2.invalid":
how to get rid of this frequently occurring problem
I just wouldn't log that noise.. Such traffic from sleeping devices is the devices problem.. Device A creates a session to somewhere that is allowed, ie state is created..
As long as that state is active the connection is allowed. Now if this device say goes to sleep and couple of hours later wakes up and still thinks it can use that same session, its going to fail with a out of state block like that PA, FPA - those are all acks and firewall blocks because there is no state. State is created from a SYN [S]
Yeah this is common sort of log that can show up with say wireless devices, that switch from say cell to wireless and try and maintain same session. Or devices that go to sleep and try and wake up and reuse some old session.
If something wants to talk to something else, and old session fails - it will create a new session, ie it will send syn. What your seeing almost always points to out of state sessions, or asymmetrical traffic - where pfsense didn't see the start of the conversation, ie the syn. But those are normally seen as SYN,ACK blocks [SA].
If your concern is just all the blocks in the log, then don't log them. You can just log SYN traffic if you want. I log that on my wan. This is not really a pfsense issue, this is a stateful firewall thing with devices too stupid to think hey I haven't used this session in X amount of time.. Should prob just start a new one.
You could up the timeout on sessions, but these could lead to state exhaustion and then you got bigger problems. I don't log default blocks for pretty much this very reason - keep my logs cleaner and easier to read.. If I feel maybe something is being blocked, I can always turn default logging back on with a click to troubleshoot.
I log only syn and some common udp ports on my wan - because its interesting to see such traffic. I log specific rules, some allowed some blocked for the traffic I want to see. But I don't care at all if my phone thinks it can try and use some old session. If its wants to talk to the mother ship and its old session isn't working - then it will try a new session, etc.
-
Yeah, you could try setting the firewall optimisation to conservative if you want to allow that traffic:
https://docs.netgate.com/pfsense/en/latest/config/advanced-firewall-nat.html#firewall-optimization-optionsOr you can block it without logging if you really don't want to see it.
As stated though it's not really a problem.
You can always just disable wifi in standby in Android.
Steve
-
I tried to get rid of the messages by adding two rules at the end of the firewall. The disadvantage of all those messages, is regretfully more important than the extra info ....
It looks like this now
The first row should filter on TCP-S and log
The second row is there to show for test purposes, to log what is blocked <> TCP-S
The third row is my normal end-rule showing what has not on purpose being blocked.One problem .... it does not work ..... the first two rules, do not capture any passing tcp frames ...... which are there ....
In the first row I am doing something which might be wrong ....
I tried this, but I am not sure it is correct ...
Below part of the logging showing that the failing tcp-package did not trigger one of the tcp-rules ..... but the final blocking rule ........
So:
- why is the second rule selecting on just TCP not triggered !?
- is the rule intended to filter tcp-s correct !?
-
stephenw10 Netgate Administratorlast edited by stephenw10 May 25, 2022, 5:33 PM May 25, 2022, 5:33 PM
The first rule should never match anything. New connections, TCP:SYN, should always be passed.
You want to block without logging TCP:ACK.
Steve
-
Stephen,
I just not know, in principle everything which is allowed to pass is/should be passed via rules above these final rules.
I would like to log all things which are not passed by the rules above these end rules, with the exception of the tcp-rules having states like "RA / PA / FPA"
So for that reason three end rules:
- first one intended to log tcp-S (because I would like to see what I perhaps should have passed)
- the second rule is "not to log" the rest of the blocked tcp (the RA / PA / FPA etc). (for this test the log is on)
- and the final rule is to log the rest (not being tcp)
As said my problem is that the first two rules, intended to deal with TCP, do not work !! WHY O WHY !?
-
What does the second rule actually look like?
The first rule should only match anything if the pass rules above are wrong. So that fact it isn't is a good thing!
You either need one rule to block anything TCP:ACK or you need three rules for each of those flah combinations. You can't match all three specific combinations with one rule.
Steve
-
-
There are no flags set on that second rule. So it won't match.
Change the first rule from SYN to ACK. Remove the second rule.
-
..... I do not understand any thing related to rules which have to capture a certain tcp state ....
I tried
three rules in a row where I did expect the first rule to trigger on tcp packages having "RA / PA / FPA"
I used
there and did also test with ^out of "ack"^. In both cases nothing triggered the ruleSo I tried the second rule, setting ^TCP Flags^ to ^Any flags^. This rule seems to fetch the FA etc.
However, I really do not understand
-
Ah, OK. No that needs to be this:
It means: The ACK flag must be set, only check the ACK flag.
The rule that you have says: check all flags and match packets that have only ACK set. Which wouldn't include any of the blocked traffic you were seeing that all has multiple flags set.
Steve
-
I am using these two rules now, which seems to work
First rule is defined like this (I did try that before, but not likely good enough)
Still wondering what "Any Flag" is supposed to do
-
@louis2 I personally wouldn't do it that way ;)
I would just turn off the default log. This removes all the other unwanted log stuff like multicast broadcasts and the like, stuff from link-local addresses, etc.
And then create a rules at the end to block, and only log stuff that has syn set. And then a rule to log any sort of common udp ports you want to see..
-
The 'Any flags' box will cause it to match TCP packets with any combination of flags. That means you can pass traffic that is asymmetric for example.
Steve
-
The Filter TCP-ACK rule works, however ....... does change the firewall behavoir in a couple of ways. Suddenly new loggings occur which where not there before.
Conclusion is that this rule must be changing some FW internal state table ....
Let me start with the logging above. I did never see that message before, but apart from that, it is communication between two devices in the same subnet. And communication within one subnet normally does not pass the FW. Where this is of course a strange situation, since one of the communication parties is the FW itself.
Here we see a second effect. A message from the floating rule set "Default deny rule ipv4".
Here a set of the same "Default deny rule ipv4", however it is different since the source is somewhere on the internet (google / amazon)
Switching off the TCP-ACK filter rule stops this "new" FW behavoir, we are back to the same situation as before.
So this TCP-ACK filter, has unexpected and unwanted side effects .......
-
I suggest that all of those are because the IP you're testing from hit locked out of the firewall dues to excessive login attempts and the it's existing states were cleared. That applies before the user rules so it still hit and logged.
The arrow there shows it was blocked outbound on PCLAN_1G whicb is almost always out-of-state traffic because the state was closed.
The extra rule you have added does nothing more than block some traffic without logging before it hits your block everything rule anyway.
Steve
