Firewall blocks explicitly allowed traffic
-
---------- Update ----------
After further investigation, this appears to only be an issue at startup. It seems that pfSense loads the firewall rules in reverse order, or loads blocks before allows (even if they are normally not in that order).
pfSense reports that upon boot, it blocked over 37,000 packets, for outgoing port 853 on the LOCAL_SERVERS interface. That's a lot. But once startup completed, pfSense allowed the connections from my DNS servers to Quad9 and Cloudflare via 853 (after the system has fully loaded, it works as intended).
I've sort of resolved the rest of the issues, which were apparently caused by a timeout issue with Quad9 and the software that makes the TLS DNS connections. I think that the initial firewall blocks (as described above) are causing the software to believe that Quad9 is down, so it moved to Cloudflare as backup and never used Quad9 again, even though it was set as the top preference.
---------- Original Post ----------
[All local IP addresses and hostnames are sanitized for privacy.]
---------- Setup ----------
25.07.1-RELEASE (amd64), Netgate 4200
I have firewall aliases:
DNS_Local_IP: Host(s) 203.0.113.41, 203.0.113.42
DNS_Quad9_IP: Host(s) 9.9.9.9, 149.112.112.112, dns9.quad9.net, dns.quad9.net
DNS_Cloudflare_IP: Host(s) 1.1.1.2, 1.0.0.2, security.cloudflare-dns.com
I have an IPv4 interface, just for local servers:
LOCAL_SERVERS 203.0.113.1/24
I have firewall rules on the LOCAL_SERVERS interface:
Allow IPv4 TCP/UDP DNS_Local_IP * DNS_Quad9_IP 853 *
Allow IPv4 TCP/UDP DNS_Local_IP * DNS_Cloudflare_IP 853 *
Block IPv4 TCP/UDP LOCAL_SERVERS subnets * * 853 *
---------- Problem ----------
The firewall will ignore the allow rule
DNS_Local_IP -> DNS_Quad9_IP 853
(in the logs it is giving credit to the block rule)
but the firewall does not ignore the allow rule
DNS_Local_IP -> DNS_Cloudflare_IP 853
So my DNS servers cannot access Quad9 853, but they can access Cloudflare 853.
---------- Temporary Solution ----------
Change firewall rule to use interface instead of DNS server alias
Allow IPv4 TCP/UDP LOCAL_SERVERS subnets * DNS_Quad9_IP 853 *
Allow IPv4 TCP/UDP LOCAL_SERVERS subnets * DNS_Cloudflare_IP 853 *
Block IPv4 TCP/UDP LOCAL_SERVERS subnets * * 853 *
The problem is that all of the IPs on the LOCAL_SERVERS subnets can do TLS DNS lookups on Quad9 and Cloudflare. I only want the DNS_Local_IP servers to have this access.
---------- Remarks ----------
It makes no sense that the Quad9 rule is being ignored. Further, it makes no sense that if the Quad9 rule is being ignored, that the Cloudflare rule is not also being ignored.
This has been an issue for the last couple of years, through many updates and restarts. It is legit crazymaking.
Edit: Even with the temporary solution, it will still ignore the allow rules briefly at startup (in the logs it is giving credit to the block rule).
-
@RKiFkRyCevGvpLeXMove in general, the source or destination or port isn’t matching. Check the aliases in Diagnostics > Tables.
-
@RKiFkRyCevGvpLeXMove said in Firewall blocks explicitly allowed traffic:
LOCAL_SERVERS subnets can do TLS DNS lookups on Quad9 and Cloudflare
What exactly is doing DoT, i.e. port 853? Clients mostly use DoH (443) for trying to do lookups over TLS.
-
@johnpoz As an aside, I've blocked DOH / 443 to a list of about 1,000 public DNS servers. No hits on that rule (for my local DNS servers - and all other local DNS traffic is funneled to my local DNS servers - and the firewall blocks requests to 53 / 443 / 853 to public DNS servers otherwise). My local DNS servers do lookups exclusively to the Quad9 and Cloudflare servers via TLS / 853.
-
@SteveITS Interesting. In the tables, pfSense has added IPv6 versions of the aliased IPv4 IPs, even though IPv6 is disabled in pfSense.
But the IPv4 addresses in the tables are the IPv4 addresses that I have in the aliases.
-
@RKiFkRyCevGvpLeXMove said in Firewall blocks explicitly allowed traffic:
pfSense has added IPv6 versions of the aliased IPv4 IPs, even though IPv6 is disabled in pfSense.
Having pfSense not talk IPv6 doesn't stop DNS from resolving an FQDN to an IPv6 address (AAAA). If you create an alias that says resolve dns.whatever.tld and it has A and AAAA (IPv6) records, then that is what it will resolve.
Resolving something to IPv6 doesn't mean you can talk to it on IPv6 if rules do not allow it.
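A small first-match simulation of the rule set and aliases from the original post, added here as an example (it is not pfSense code and only models how interface rules are matched against alias tables). It shows why a packet whose destination is missing from an alias table, for instance one that has not been populated yet, falls through to the block rule and gets logged against it, and why the interface-wide workaround also passes hosts outside DNS_Local_IP. The IPv6 table entries and the empty-table case are constructed assumptions.

```python
import ipaddress

# Alias tables as shown under Diagnostics > Tables. IPv4 entries are the sanitized values from
# the post; the IPv6 entries are constructed stand-ins (2001:db8::/32 documentation prefix) for
# the AAAA records an FQDN-backed alias can pull in.
ALIASES = {
    "DNS_Local_IP": {"203.0.113.41", "203.0.113.42"},
    "DNS_Quad9_IP": {"9.9.9.9", "149.112.112.112", "2001:db8::9"},
    "DNS_Cloudflare_IP": {"1.1.1.2", "1.0.0.2", "2001:db8::1"},
    "LOCAL_SERVERS subnets": {"203.0.113.0/24"},
}
# Constructed case: the FQDN-backed Quad9 alias has not been populated yet (e.g. early in boot).
STARTUP_TABLES = {**ALIASES, "DNS_Quad9_IP": set()}

# (action, source alias, destination alias, destination port); "*" matches anything.
RULES = [
    ("allow", "DNS_Local_IP", "DNS_Quad9_IP", 853),
    ("allow", "DNS_Local_IP", "DNS_Cloudflare_IP", 853),
    ("block", "LOCAL_SERVERS subnets", "*", 853),
]
# The post's temporary solution: source widened from DNS_Local_IP to the whole interface subnet.
WORKAROUND_RULES = [(a, "LOCAL_SERVERS subnets", d, p) for a, _, d, p in RULES]


def in_alias(addr, name, tables):
    """True if addr falls in an entry of the named table; IPv6 entries never match IPv4 traffic."""
    if name == "*":
        return True
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(e, strict=False) for e in tables.get(name, ()))


def evaluate(src, dst, dport, tables, rules=RULES):
    """First match wins, top to bottom, as pfSense applies interface rules.
    Returns (action, matching rule index); ("block", "default") models the implicit default deny."""
    for index, (action, src_alias, dst_alias, port) in enumerate(rules):
        if port == dport and in_alias(src, src_alias, tables) and in_alias(dst, dst_alias, tables):
            return action, index
    return "block", "default"


if __name__ == "__main__":
    # DNS server to Quad9 with populated tables: the first allow rule matches.
    print(evaluate("203.0.113.41", "9.9.9.9", 853, ALIASES))
    # Same packet while the Quad9 table is empty: falls through, and the log credits the block rule.
    print(evaluate("203.0.113.41", "9.9.9.9", 853, STARTUP_TABLES))
    # Workaround rules: a host outside DNS_Local_IP is now allowed too, which the post does not want.
    print(evaluate("203.0.113.43", "9.9.9.9", 853, ALIASES, WORKAROUND_RULES))
```

Comparing the table contents with the rule's intended destinations, as suggested in the replies, is the equivalent check on a real box.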