Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    A "pass" rule with "invert match" blocks traffic

    Scheduled Pinned Locked Moved
    Firewalling
    2
    4
    278
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • lindheL
      lindhe
      last edited by

      Hi!

      I'm trying to configure a firewall rule that allows hosts on my HOME VLAN to access the Internet. I thought I was being clever by making a rule that is "Pass" on all destination IPs that are not private IP ranges. But I'm seeing strange results and I want to ask here if I'm getting this all wrong…

      Here's my rule:
      bee9cb8d-8a5d-42eb-8408-e15303db7e20-image.png

      And my Alias:
      3ec88f15-9844-4f6f-9c89-61e3d25035e0-image.png

      But checking the logs, I see that some packets are blocked by this rule:
      Screenshot from 2024-06-06 12-15-56.png

      I get that 224.0.0.22 is not in my A_Private_Networks alias so it should be blocked. What I don't get is why it's my "Internet access" rule that blocks it rather than "Default deny rule IPv4". I thought that a "Pass" rule could never block things.

      Checking the docs makes me non the wiser. Reading the Action, section, it says:

      Pass: A packet matching this rule will be allowed to pass through the firewall.

      And when trying to read about "invert match" for the Destination section, I find nothing! But I do find this for "invert match" under Source:

      Selecting Invert Match will negate the match so that all traffic except this source value will trigger the rule.

      So I really don't get why my "Pass" rule can ever turn up as a "Block" action in the logs. This is probably just me being stupid, but wanted to check here if you think that this is either a documentation or implementation bug.

      Thank you!

      johnpozJ 1 Reply Last reply Reply Quote 0
      • johnpozJ
        johnpoz LAYER 8 Global Moderator @lindhe
        last edited by

        @lindhe

        https://docs.netgate.com/pfsense/en/latest/troubleshooting/log-filter-blocked.html#packets-with-ip-options

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.03 | Lab VMs 2.7.2, 24.03

        1 Reply Last reply Reply Quote 1
        • lindheL
          lindhe
          last edited by

          Wow that's quick! You are clearly spot-on! Thanks a bunch!

          johnpozJ 1 Reply Last reply Reply Quote 0
          • johnpozJ
            johnpoz LAYER 8 Global Moderator @lindhe
            last edited by

            @lindhe this has come up a few times already ;) I was just going to post to one of the other threads, but it was quicker to just point to the info in the docs ;)

            An intelligent man is sometimes forced to be drunk to spend time with his fools
            If you get confused: Listen to the Music Play
            Please don't Chat/PM me for help, unless mod related
            SG-4860 24.03 | Lab VMs 2.7.2, 24.03

            1 Reply Last reply Reply Quote 0
            • First post
              Last post