    Default Deny Rule in IPv4

wiz561

      Hi!

I'm attempting to get out to do an nmap scan on the net (I'm a pen tester), and I've configured the firewall to exclude the IP of my scanning machine. However, I keep seeing this in the logs…

      @1 scrub in on bge1 all fragment reassemble
      @1 block drop in log inet all label "Default deny rule IPv4"

In my firewall rules, I see nothing that explains the default deny rule for IPv4. However, in rules.debug, I see the following...

      anchor "relayd/*"
      #---------------------------------------------------------------------------
      # default deny rules
      #---------------------------------------------------------------------------
      block in log inet all label "Default deny rule IPv4"
      block out log inet all label "Default deny rule IPv4"
      block in log inet6 all label "Default deny rule IPv6"
      block out log inet6 all label "Default deny rule IPv6"

Does anybody know how I can just send the packet out without the firewall blocking it? Does it have to do with the "IP Do-Not-Fragment compatible" option? With it unchecked I got the above; with it checked I got a different "all fragment reassemble" entry in the logs, but it still drops the packet. Can I make it not drop it?

      Thanks!

jimp (Rebel Alliance Developer, Netgate)

        You are probably seeing out-of-state traffic getting blocked. That is, traffic from a state that was removed but still received a packet (usually a TCP FIN) after the removal happened.

        If you really want to bypass both the rules and the states, you could try adding floating rules to pass the traffic from that machine in and out on lan and wan with a state type of "no state". I haven't tried it so I can't say for sure how well it would work, but it may be worth trying.

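What jimp describes, written out in pf syntax as an added illustration (not rules from this thread or from pfSense itself); the scanner address 192.0.2.10 and the interface names bge0/bge1 are assumed placeholders.

```pf
# Added illustration, not the forum's own rules.
# Floating-style "no state" pass rules for a single scanner host. Because no
# state entry is created, a late packet (e.g. a TCP FIN or RST arriving after
# the state would already have been removed) is no longer treated as
# out-of-state traffic and logged by the "Default deny rule IPv4" block.
# Assumptions: scanner is 192.0.2.10, LAN is bge1, WAN is bge0.
scanner = "192.0.2.10"
scan_ifs = "{ bge0 bge1 }"

# Traffic originating from the scanner, in both directions on both interfaces.
pass in  quick on $scan_ifs inet from $scanner to any no state
pass out quick on $scan_ifs inet from $scanner to any no state

# Replies back to the scanner. Without state tracking nothing matches return
# packets automatically, so the reverse direction needs its own rules.
pass in  quick on $scan_ifs inet from any to $scanner no state
pass out quick on $scan_ifs inet from any to $scanner no state
```

Keep these rules scoped to the one scanner host: stateless pass rules bypass the state table entirely, so every packet is evaluated against the ruleset in both directions and none of it shows up as tracked connections.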
wiz561

Thanks for the info, I'll give it a shot.

          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.