[Solved] Firewall blocking but not logging for some…



  • I have had this problem for a while and searching the forum doesn't reveal any solution for me.

    It happens often that I have apps wanting to update but are blocked by pfsense somewhere.
    I have found how to determine via logs when it is squid proxy blocking it.

    However I am having problems with the pfsense log. From time to time I allow an app through the squid proxy but it still can't update and there is no log entry to say it is blocked.
    I have the option "Status > System Logs > Settings > Log packets blocked by the default rule" enabled and do see some default deny log entries.
    I have one other blocking rule in the rules and have turned on logging for it.
    However my apps still can't get through and there is no log entry. I gather it must be the firewall blocking it because when I create an "allow all traffic" rule for the machine I'm working on at the time it gets through and updates.
    I must be missing something real basic, can anyone give me a tip please?

    TIA,
    Karl



  • OK, so I have logging turned on for my one blocking rule and I have the check box checked in "Status > System Logs > Settings > Log packets blocked by the default rule" but I still don't get notification when the firewall is blocking. Does anyone have clues as to where to go to find where traffic is being blocked? :-\


  • Rebel Alliance Developer Netgate

    Do you have any filter rules which are set to block but not log?

    If not, then it isn't the firewall blocking that traffic. It's probably getting lost somewhere in squid (you could watch the access log as you try) or going somewhere unexpected.

    You may need to monitor the interfaces with tcpdump (packet capture) in order to determine what is happening for certain.



  • Thanks for your response jimp. No, I have no blocking rules with logging turned off. And yes, I thought it must be something somewhere else blocking, but when I create a firewall rule to allow all from my IP address it goes through fine. Doesn't that suggest that it's the firewall blocking it then? I've had a look at a tcpdump (raw data as well as with Wireshark) but it takes some deciphering to understand what's going on and where stuff is being blocked. The fact that an "allow all from this IP address" firewall rule allows things to work steers me to a firewall problem, but I could be wrong.



  • OK, found it - using Wireshark and trawling through the data. The problem was with the proxy - my original request was being redirected to a mirror - I had allowed the original site through the proxy but had no overt indication that I was being redirected to a mirror. I entered the mirror address into the proxy ACL whitelist and Voila!
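    The check jimp suggested (watch the squid access log while the app tries to update) is what exposes the redirected mirror in the final post. Below is an added helper, not from this thread or from the pfSense/squid projects, that summarises which destination hosts squid refused; it assumes squid's default "native" log format and a log path of `/var/squid/logs/access.log` (placeholder, adjust to your install), and uses constructed sample lines so it can be tried offline.

```shell
#!/bin/sh
# Summarise destinations that squid answered with TCP_DENIED, from a
# squid "native" access.log. Added example; the default path below is an
# assumption for a pfSense squid package install, override via SQUID_LOG.
SQUID_LOG="${SQUID_LOG:-/var/squid/logs/access.log}"

# Print "count host" for every denied request, most frequent first.
# Native format fields: 1 timestamp, 2 elapsed ms, 3 client IP,
# 4 result/status (e.g. TCP_DENIED/403), 5 bytes, 6 method, 7 URL.
# For CONNECT (https) requests the URL is just "host:port", so the host
# is isolated by stripping an optional scheme and then anything after
# the first "/" or ":".
denied_hosts() {
    awk '$4 ~ /^TCP_DENIED/ {
             url = $7
             sub(/^[A-Za-z]+:\/\//, "", url)   # drop scheme if present
             sub(/[\/:].*$/, "", url)          # keep host only
             count[url]++
         }
         END { for (h in count) print count[h], h }' "${1:-$SQUID_LOG}" | sort -rn
}

# Constructed sample log (not real traffic): the first request is allowed
# and redirected (302); the mirror it points at is then refused twice,
# which is the symptom the thread ends up diagnosing with Wireshark.
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
1700000000.101    12 192.168.1.50 TCP_MISS/302 512 GET http://updates.example.com/app/latest - HIER_DIRECT/203.0.113.10 text/html
1700000000.205     0 192.168.1.50 TCP_DENIED/403 3948 GET http://mirror1.example.net/app/latest.bin - HIER_NONE/- text/html
1700000000.310     0 192.168.1.50 TCP_DENIED/403 3948 CONNECT mirror1.example.net:443 - HIER_NONE/- -
1700000000.420     0 192.168.1.51 TCP_DENIED/403 3948 GET http://ads.example.org/track - HIER_NONE/- text/html
EOF

denied_hosts "$SAMPLE_LOG"
```

Run it against the live log (or `tail -f` the log) while triggering the update; any host listed that you did not whitelist, such as a mirror the vendor redirects to, is a candidate for the proxy ACL rather than the firewall rules.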

