Firewall vs NAT - processing order -
-
I know this is a question potentially asked many times before but I am seeing IP addresses that are explicitly banned appearing in my mail server logs.
Now I know the documentation states that traffic should go tcpdump -> NAT -> rules
So how is an explicitly blocked IP address able to start a TLS session with my emal server ?
The block is against 64.225.1.215, it is on a floating rule applied to all my incoming connections.
I also have a pfblockerNG TBL blacklist entry for internet-measurement.com - which is proving equally useless.
How can I debug what's going on and why blocked IP's are able to traverse NAT.
-
@benkenobe you need to make sure states are cleared.. States are looked at before block rules.
So if you put in a block rule to stop some IP from talking to your wan, you need to make sure there are not states for the rule to be evaluated.
-
@johnpoz Thanks - I'll make sure they're cleared and continue to observe -
-
@benkenobe Yeah say you see a guy talking to your wan that you don't want to.. So you put in a block rule.
You can hope he gives up for long enough to the state to clear on its own via timing out. Or you need to look at the state table and kill that specific state.
-
@johnpoz I've wiped all the states although I didn't see the offender in there. The offending address has been blocked for some time which is why I was surprised to see it pop op on an SNMP alert.