Netgate Discussion Forum

    A "pass" rule with "invert match" blocks traffic

    Firewalling
    4 Posts 2 Posters 461 Views
    • lindhe

      Hi!

      I'm trying to configure a firewall rule that allows hosts on my HOME VLAN to access the Internet. I thought I was being clever by making a rule that is "Pass" on all destination IPs that are not private IP ranges. But I'm seeing strange results and I want to ask here if I'm getting this all wrong…

      Here's my rule:
      bee9cb8d-8a5d-42eb-8408-e15303db7e20-image.png

      And my Alias:
      3ec88f15-9844-4f6f-9c89-61e3d25035e0-image.png

      But checking the logs, I see that some packets are blocked by this rule:
      Screenshot from 2024-06-06 12-15-56.png

      I get that 224.0.0.22 is not in my A_Private_Networks alias so it should be blocked. What I don't get is why it's my "Internet access" rule that blocks it rather than "Default deny rule IPv4". I thought that a "Pass" rule could never block things.

      Checking the docs makes me none the wiser. Reading the Action section, it says:

      Pass: A packet matching this rule will be allowed to pass through the firewall.

      And when trying to read about "invert match" for the Destination section, I find nothing! But I do find this for "invert match" under Source:

      Selecting Invert Match will negate the match so that all traffic except this source value will trigger the rule.

      So I really don't get why my "Pass" rule can ever turn up as a "Block" action in the logs. This is probably just me being stupid, but wanted to check here if you think that this is either a documentation or implementation bug.

      Thank you!

      • johnpoz LAYER 8 Global Moderator @lindhe

        @lindhe

        https://docs.netgate.com/pfsense/en/latest/troubleshooting/log-filter-blocked.html#packets-with-ip-options

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.8, 24.11

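The behaviour behind the linked doc section, shown as an added example that is not from this thread or from pfSense's own code: pf drops an IPv4 packet that carries IP options even when the last matching rule is a pass rule (unless that rule sets allow-opts), and the log names that pass rule as the blocker. The alias contents, the rule name "Internet access" and the sample packets are constructed assumptions; an IGMPv3 report to 224.0.0.22 carries the Router Alert option, which is what trips this.

```python
import ipaddress
import struct

# Assumed alias contents (the poster's alias A_Private_Networks is not shown in text).
A_PRIVATE_NETWORKS = [ipaddress.ip_network(n)
                      for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
PASS_RULE = "Internet access"            # the poster's pass rule name
DEFAULT_DENY = "Default deny rule IPv4"  # pfSense's catch-all, as seen in the log
ROUTER_ALERT_OPTION = bytes([148, 4, 0, 0])  # IPv4 option type 148, length 4 (RFC 2113)


def build_ipv4_header(src: str, dst: str, proto: int, options: bytes = b"") -> bytes:
    """Constructed IPv4 header; checksum left zero, only IHL/proto/addresses matter here."""
    options += b"\x00" * (-len(options) % 4)          # pad options to 32-bit boundary
    ihl = 5 + len(options) // 4                        # header length in 32-bit words
    fixed = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, 20 + len(options), 0, 0,
                        64, proto, 0, ipaddress.ip_address(src).packed,
                        ipaddress.ip_address(dst).packed)
    return fixed + options


def has_ip_options(header: bytes) -> bool:
    """IHL above the 20-byte minimum means the header carries IP options."""
    return (header[0] & 0x0F) > 5


def dest_matches_inverted(dst: str) -> bool:
    """'Invert match' on destination: the rule matches when dst is in NONE of the alias networks."""
    addr = ipaddress.ip_address(dst)
    return not any(addr in net for net in A_PRIVATE_NETWORKS)


def evaluate(header: bytes, allow_opts: bool = False) -> dict:
    """Model of pf's decision for the poster's ruleset: which rule matched and what the log shows."""
    dst = str(ipaddress.ip_address(header[16:20]))
    if not dest_matches_inverted(dst):
        return {"dst": dst, "rule": DEFAULT_DENY, "action": "block"}
    # The pass rule matched, but pf still drops packets with IP options unless allow-opts is set,
    # and the log attributes that block to the matching pass rule.
    if has_ip_options(header) and not allow_opts:
        return {"dst": dst, "rule": PASS_RULE, "action": "block", "reason": "IP options"}
    return {"dst": dst, "rule": PASS_RULE, "action": "pass"}


# Constructed samples: an IGMP (proto 2) report to 224.0.0.22 with Router Alert, and a TCP packet.
igmp_report = build_ipv4_header("192.168.10.50", "224.0.0.22", 2, ROUTER_ALERT_OPTION)
web_packet = build_ipv4_header("192.168.10.50", "198.51.100.7", 6)
lan_packet = build_ipv4_header("192.168.10.50", "192.168.1.1", 6)
```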
        • lindhe

          Wow that's quick! You are clearly spot-on! Thanks a bunch!

          • johnpoz LAYER 8 Global Moderator @lindhe

            @lindhe this has come up a few times already ;) I was just going to post to one of the other threads, but it was quicker to just point to the info in the docs ;)


            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.