Problems with all floating rules setup?
-
Can you show us any specific examples?
Seeing TCP:A traffic blocked can just be because the state closed and some host is still sending traffic. Not necessarily an issue.
Do you actually see any connections fail you expect to be passed?
See: https://docs.netgate.com/pfsense/en/latest/troubleshooting/log-filter-blocked.html
Steve
-
@stephenw10 Unfortunately, because of work stuff, I can't really share too many specifics.
To your point about dropped TCP:A traffic not necessarily being an issue, I'd agree except that I've done everything to make it go away and it's still happening. I have the firewall set to conservative and I have allow IP options and all TCP flags checked on my allow all rule. Should that not catch things like this, or am I not understanding something?
Seems like everything is working as expected, so no major complaints.
-
You'd need sloppy states set too if you actually want to allow out-of-state TCP packets. But you probably don't. That traffic should almost always be blocked.
-
@stephenw10 Does that mean that the TCP flags setting doesn't do anything unless I set sloppy states?
-
It doesn't do nothing, but otherwise pf tracks TCP connections and expects to see them in the correct order. If you've got some route asymmetry or similar, you have to stop it doing that to pass them.
But you almost certainly don't want to pass those!
-
@stephenw10 Well that is unless you're doing what I'm doing and trying to make a router that logs traffic. And there is some asymmetric routing going on in my environment by design. We're testing out various network security tools and inventive routing is sometimes part of that.
I've found what's either a bug or an undocumented requirement of using the TCP flags feature of a rule. If you create a rule (floating or otherwise) with the protocol set to any or TCP/UDP and then check TCP flags any, the rule will actually show up as flags S/SA in pfctl. Only if you set the rule's protocol to TCP will the TCP flags feature have any effect.
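The quickest way to confirm what pf actually loaded, rather than what the GUI rule says, is to read the ruleset back with pfctl -vsr and look at the flags field. The script below is an added example, not code from the thread or from pfSense: it runs over a constructed sample of pfctl -vsr style output (the rule lines and [ ... ] statistics lines are assumptions about the format, not captured from a real box) and lists the pass rules that would still reject mid-stream TCP packets, i.e. TCP rules, and rules with no proto at all, that lack "flags any". The no-proto case is included because that is exactly the rule shape the post above reports as showing up with flags S/SA.

```shell
#!/bin/sh
# Added example: audit a saved `pfctl -vsr` dump for pass rules that still carry
# pf's default TCP flag check (flags S/SA) and so drop out-of-state TCP:A packets.
# Assumption: one rule per line, with the verbose statistics on indented "[ ... ]"
# lines, as pfctl prints them. The rules below are constructed sample data.

SAMPLE='pass in quick on em0 inet proto tcp from any to any flags S/SA keep state
  [ Evaluations: 10        Packets: 0         Bytes: 0           States: 0     ]
pass in quick on em0 inet from any to any flags S/SA keep state
  [ Evaluations: 10        Packets: 0         Bytes: 0           States: 0     ]
pass in quick on em0 inet proto tcp from any to any flags any keep state (sloppy)
  [ Evaluations: 10        Packets: 0         Bytes: 0           States: 0     ]
pass in quick on em0 inet proto udp from any to any keep state
  [ Evaluations: 10        Packets: 0         Bytes: 0           States: 0     ]
block drop in log quick on em0 inet from any to any'

# Print pass rules that can match TCP (proto tcp, or no proto keyword at all)
# and are not marked "flags any"; those are the ones pf will evaluate with the
# default S/SA flag check and therefore drop non-SYN packets without a state.
strict_tcp_rules() {
    printf '%s\n' "$1" | awk '
        /^[[:space:]]*\[/ { next }                 # skip the statistics lines
        /^pass / && !/flags any/ && (/proto tcp/ || !/proto /) { print }
    '
}

# Convenience wrapper so a caller (or a test) can check the count directly.
count_strict_tcp_rules() {
    strict_tcp_rules "$1" | wc -l | tr -d ' '
}

# Usage on a real box:  pfctl -vsr > rules.txt; strict_tcp_rules "$(cat rules.txt)"
strict_tcp_rules "$SAMPLE"
```

On the sample data this reports two rules: the explicit proto tcp rule with flags S/SA, and the proto-any rule that also ended up with S/SA. The sloppy-state rule with flags any and the UDP rule are left alone. Whether the listed rules are a problem is a separate decision; as Steve says above, blocking out-of-state TCP is the normal, wanted behaviour unless you have asymmetric routing by design.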
-
It actually shows that in pfctl -vsr? Interesting. And, yes, if you intentionally have asymmetric routing you will need that. Or add stateless rules both ways.
-
@stephenw10 said in Problems with all floating rules setup?:
It actually shows that in pfctl -vsr?
Yes, definitely. I got into work this morning and added a TCP rule with flags any above my any protocol rule and it immediately resolved all the blocked traffic I was seeing.
I can understand this was maybe done by design? Like I see the logic in "if they want to do weird TCP flag stuff, they should only be doing it in a TCP only rule." I just wish it was documented in the UI, or at least the docs site. Would have saved me a lot of head scratching. Reading through the pf documentation, I can't seem to find anything saying you can't do a flags any with proto any. So could be a bug or a similarly undocumented "feature."
In the end it turns out that it had nothing to do with floating rules; that was just where I noticed it. For me this was really about explaining the behavior that wasn't making sense to me.
What's the procedure for reporting this? I've never had an issue I've actually needed to file before.
-
Open an issue for it in redmine: https://redmine.pfsense.org/
I don't see anything open for it currently. Which is surprising.
-
@stephenw10 I'll get that submitted tonight. Thanks for talking through this with me.