UDP firewall rule being skipped
-
I have 3 sites communicating with each other via IPsec VTIs and I want to limit UDP traffic to a specific port (8472).
I tried adding the following rule:
However, according to the firewall logs, packets are being caught by the default deny rule and are, therefore, being dropped:
If I change the rule to allow any port (or a range of 1 to 65535) then packets are no longer dropped.
Ideally I'd be able to limit the source and destination as well, which is the rule I originally created, however I found the same problem (packets being dropped). I tried resetting the firewall state table and also confirmed the rule was correctly created, using
pfctl -sr
and found it was:
pass in quick on enc0 inet proto udp from any to any port = 8472 keep state label "USER_RULEl <redacted_for_brevity>"
Is there something I'm missing or have done wrong?
Any insight would be greatly appreciated.
-
@Ryuu-0 The "From" and "To" do not mean "Source port" and "Destination port"... They mean "First port of destination port range" and "Last port of destination port range".
See...
Click on advanced on source and just set both "from" boxes to 8472. -
@Ryuu-0 If I understood what you wanted correctly, anyway...
-
@Ryuu-0 Or maybe you mean you only want traffic on this port and no other? In that case:
-
@NightlyShark Thank you for your replies.
The "From" and "To" do not mean "Source port" "Destination port"... They mean "First port of destination port range" "last port of destination port range".
See...
I understand. I tried that with no luck (please check the first screenshot I shared).
Or maybe you mean you only want traffic on this port and no other? In that case:
Yes, I only want to allow UDP traffic on port 8472.
Surely "Invert Match" will allow traffic whose destination is any port except the specified port (8492 in your screenshot).
If so then this is the opposite of what I'm trying to do. -
@Ryuu-0 You use a block rule, and below that an allow any to any rule.
-
@NightlyShark Why a block rule? pfsense firewalls are default deny, so what block rule are you suggesting?
-
@Ryuu-0 You override the default block rule by an allow all rule, and you override that by a block all except 8492 rule
-
@Ryuu-0 Imagine the default deny rule as being under your rule list. PfSense rules are processed top to bottom, so...
-
@Ryuu-0 You said that this failed:
-
@Ryuu-0 That is what you need:
-
@NightlyShark Sorry, that's not what I said. My screenshot is, unfortunately, missing the "Action: Pass" field. But that's what I tried and what's failing (pasting again for convenience).
-
@Ryuu-0 What rule drops those packets? Can you see in the logs?
-
@NightlyShark Yeah. It's being blocked by the default rule:
-
@Ryuu-0 Do you by any chance have the IPsec profile set up as an interface? Because then all rules at the IPsecServerXYZ tab take precedence over the general IPsec tab (for all IPsec connections/profiles), including the default deny one.
-
@NightlyShark Yeah, it's set up as a Virtual Tunnel Interface.
I'll take a quick look at those settings. -
@Ryuu-0 Then you need to create an interface and set the rules on that tab.
-
@Ryuu-0 I just checked, there are no extra tabs, in Firewall Rules, for the IPsec interfaces.
The only tab is the general IPsec tab -
@Ryuu-0 What is the destination address for the packets, PfSense?
-
Does anyone else have an insight as to what's going wrong?
Something I didn't make clear is that there are no UDP rules other than the one I'm trying to add, i.e. it's not a case of traffic being blocked by a different rule. In fact I don't have any block rules, only pass rules, and I rely on the default rule to block any traffic which doesn't match a pass rule.
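As an added illustration (not code from the thread or from pfSense), here is a small Python model of how pf evaluates a ruleset like the `pfctl -sr` line quoted above. It covers the three points the replies turn on: `port` in a rule is a destination-port match (the "From"/"To" boxes are the ends of a destination port range, and an "Invert Match" rule prints as `port != N`), pfSense rules are `quick` and evaluated top to bottom with an implicit default deny, and a rule bound to `enc0` only sees packets on `enc0`. The packets and the non-`enc0` interface name are constructed for the demo; nothing here claims to be the actual cause of the poster's problem.

```python
# Added example: a toy evaluator for the pf rule syntax shown in the thread.
# It models only interface, direction, protocol, source port, destination
# port (plain, range, or `!=`), `quick`, and pfSense's hidden default deny.
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    iface: str        # interface the packet arrives on
    direction: str    # "in" or "out"
    proto: str        # "udp" or "tcp"
    src_port: int
    dst_port: int


@dataclass(frozen=True)
class Rule:
    text: str
    action: str                           # "pass" or "block"
    direction: str
    iface: Optional[str]                  # None = any interface
    proto: Optional[str]                  # None = any protocol
    src_port: Optional[int]               # `from any port N`, None = any
    dst_ports: Optional[Tuple[int, int]]  # inclusive DESTINATION port range, None = any
    negate: bool                          # True for `port != N` (pfSense "Invert Match")
    quick: bool


RULE_RE = re.compile(
    r"^(?P<action>pass|block)(?:\s+drop)?\s+(?P<dir>in|out)(?P<quick>\s+quick)?"
    r"(?:\s+on\s+(?P<iface>\S+))?(?:\s+inet6?)?(?:\s+proto\s+(?P<proto>\S+))?"
    r"\s+from\s+\S+(?:\s+port\s+(?:=\s*)?(?P<sport>\d+))?\s+to\s+\S+"
    r"(?:\s+port\s+(?:(?P<lo>\d+):(?P<hi>\d+)|(?P<op>!=|=)?\s*(?P<port>\d+)))?"
    r"(?:\s+keep\s+state)?(?:\s+label\s+\"(?P<label>[^\"]*)\")?\s*$"
)


def parse_rule(text: str) -> Rule:
    """Parse the subset of pf rule syntax used in this thread."""
    m = RULE_RE.match(text.strip())
    if not m:
        raise ValueError(f"unsupported rule syntax: {text!r}")
    if m.group("lo"):
        dst = (int(m.group("lo")), int(m.group("hi")))
    elif m.group("port"):
        dst = (int(m.group("port")), int(m.group("port")))
    else:
        dst = None
    return Rule(text.strip(), m.group("action"), m.group("dir"), m.group("iface"),
                m.group("proto"), int(m.group("sport")) if m.group("sport") else None,
                dst, m.group("op") == "!=", bool(m.group("quick")))


def matches(rule: Rule, pkt: Packet) -> bool:
    if rule.direction != pkt.direction:
        return False
    if rule.iface is not None and rule.iface != pkt.iface:
        return False
    if rule.proto is not None and rule.proto != pkt.proto:
        return False
    if rule.src_port is not None and rule.src_port != pkt.src_port:
        return False
    if rule.dst_ports is not None:
        lo, hi = rule.dst_ports
        in_range = lo <= pkt.dst_port <= hi
        if in_range == rule.negate:  # negated rules match only OUTSIDE the range
            return False
    return True


def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, str]:
    """Walk the ruleset top to bottom. A matching `quick` rule ends evaluation at
    once; without `quick` the last matching rule wins (plain pf). If nothing
    matches, pfSense's implicit default deny applies."""
    verdict = ("block", "default deny")
    for rule in rules:
        if matches(rule, pkt):
            verdict = (rule.action, rule.text)
            if rule.quick:
                break
    return verdict


# The rule exactly as it appears in the question's `pfctl -sr` output.
OP_RULE = ('pass in quick on enc0 inet proto udp from any to any port = 8472 '
           'keep state label "USER_RULEl <redacted_for_brevity>"')


def demo() -> Dict[str, str]:
    """Constructed packets run against the thread's rule and the suggested pair."""
    op = [parse_rule(OP_RULE)]
    results = {
        # destination port 8472 on enc0: the rule matches
        "dst_8472_on_enc0": evaluate(op, Packet("enc0", "in", "udp", 40000, 8472))[0],
        # source port 8472 only: `port` is a destination match, so default deny
        "src_8472_on_enc0": evaluate(op, Packet("enc0", "in", "udp", 8472, 40000))[0],
        # same packet on a constructed non-enc0 interface: the rule is bound to enc0
        "dst_8472_on_other_iface": evaluate(op, Packet("vti_example", "in", "udp", 40000, 8472))[0],
    }
    # "Block all except 8472" above "pass any", as suggested in the thread.
    suggested = [parse_rule("block in quick on enc0 inet proto udp from any to any port != 8472"),
                 parse_rule("pass in quick on enc0 inet from any to any")]
    results["suggested_dst_8472"] = evaluate(suggested, Packet("enc0", "in", "udp", 1234, 8472))[0]
    results["suggested_dst_53"] = evaluate(suggested, Packet("enc0", "in", "udp", 1234, 53))[0]
    # Reversed order: the quick pass-any rule is hit first and the block never runs.
    results["reversed_dst_53"] = evaluate(list(reversed(suggested)), Packet("enc0", "in", "udp", 1234, 53))[0]
    return results


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

The `src_8472_on_enc0` and `dst_8472_on_other_iface` cases are the two checks worth making against a real ruleset: confirm which side of the flow the port appears on, and confirm with `pfctl -sr` that the rule is bound to the interface the packets actually arrive on.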