Default Deny Rule in IPv4



  • Hi!

    I'm attempting to get out to do an nmap scan on the net (I'm a pen tester), and I've configured the firewall to exclude the IP of my scanning machine.  However, I keep seeing this in the logs…

    @1 scrub in on bge1 all fragment reassemble
    @1 block drop in log inet all label "Default deny rule IPv4"

    In my firewall rules, I see nothing that explains the default deny rule in ipv4.  However, in the rules.debug, I see the following...

    anchor "relayd/*"
    #---------------------------------------------------------------------------
    # default deny rules
    #---------------------------------------------------------------------------
    block in log inet all label "Default deny rule IPv4"
    block out log inet all label "Default deny rule IPv4"
    block in log inet6 all label "Default deny rule IPv6"
    block out log inet6 all label "Default deny rule IPv6"

    Does anybody know how I can just send the packet out without the firewall blocking it?  Does it have to do with the "IP Do-Not-Fragment compatible" option?  I've unchecked it and got the above, I checked it and got a different "all fragment reassemble" in the logs, but it still drops the packet.  Can I make it not drop it?

    Thanks!


  • Rebel Alliance Developer Netgate

    You are probably seeing out-of-state traffic getting blocked. That is, traffic from a state that was removed but still received a packet (usually a TCP FIN) after the removal happened.

    If you really want to bypass both the rules and the states, you could try adding floating rules to pass the traffic from that machine in and out on lan and wan with a state type of "no state". I haven't tried it so I can't say for sure how well it would work, but it may be worth trying.
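    What the reply above describes, written out as pf rules of the kind pfSense puts in rules.debug. This is an added example, not code from the thread or from pfSense itself; the scanner address 192.0.2.10, the interface names bge0 (LAN) and bge1 (WAN) and the labels are assumptions. The rules must sit ahead of the "default deny rules" block so that `quick` ends evaluation before the block rule is reached; a pfSense floating rule with Quick checked and State type set to "none" generates the same thing.

    ```pf
    # Added example, not part of the original thread or of pfSense's rules.debug.
    # Assumptions: scanner host 192.0.2.10, LAN = bge0, WAN = bge1.
    scanner = "192.0.2.10"

    # Packets from the scanner entering on LAN: pass without creating or
    # requiring a state entry, and tag them so the WAN rule can recognise them
    # even after outbound NAT has rewritten the source address.
    pass in quick on bge0 inet from $scanner to any no state \
        tag SCANNER label "scanner no-state in"

    # The same packets leaving on WAN, matched by tag rather than by address.
    pass out quick on bge1 inet tagged SCANNER no state \
        label "scanner no-state out"

    # Replies: with no state table entry nothing lets return traffic through
    # automatically, so the reverse direction needs its own stateless rules.
    pass in quick on bge1 inet from any to $scanner no state \
        label "scanner no-state reply in"
    pass out quick on bge0 inet from any to $scanner no state \
        label "scanner no-state reply out"
    ```

    Two caveats when trying this. The reply rules above are deliberately wide open (any host on the Internet may reach the scanner through them), so restrict `from any` to the target ranges being scanned, and remove the rules when the engagement ends. Also, in pf a packet that matches an outbound NAT rule gets a state entry regardless of `no state` on the filter rule, so if the scanner sits behind NAT the WAN side stays stateful and out-of-state drops can still appear; scanning from a host with a routable address, or excluding it from outbound NAT, avoids that. `pfctl -vvsr` shows the loaded rules with the same `@` rule numbers the log uses, and `pfctl -ss | grep 192.0.2.10` shows whether states are still being created for the scanner.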



  • Thanks for the info, I'll give it a shot.

