System Logs in GUI
Let me explain the scenario and ask my question:
I am testing pfsense 2.0. As you can see from the "rules.jpg", there are lan rules having lan network as source. These rules work perfect.
From a machine in lan network, we try to establish a connection having spoofed source address as 220.127.116.11(sourcetraffic.jpg). Here the destination address is a machine attached to OPT2 interface.
In fwtraffic.jpg, we see that traffic comes to fw from lan interface. As we expect, fw blocks the connection. What i could not understand is that system logs in the web gui about this traffic(guilogs.jpg). When we click the cross sign in the logs it says the default block rule, but the interface is WAN interface (i think it should be LAN interface) and destination address is 18.104.22.168 (i think 22.214.171.124 should be the source address.)
Can anybody explain me why this is so? The logs must show the logs related to lan traffic that is blocked. It has nothing related to the wan interface in this scenario.
Here i am testing antispoofing features in pfsense. I expect to see spoofed adresses could not come from lan interface and a log about this feature actually. Is there a comment about this feature also? Thanks.
Because what you are seeing is actually the second half of the connection attempt.
It would appear from the logs that the first packet, the TCP:SYN packet, was actually passed to your machine on the DMZ.
The DMZ machine then replied with a TCP:SYN/ACK packet, the next step in establishing a connection. This was blocked going out WAN, because no state existed and it was not starting a new connection.
Not sure how it made it that far unless the IP you used was actually an IP on the firewall, or something else along those lines. Without a lot more information about the addresses and layout of the network it's really hard to speculate.
The rules of lan interface is simple. There are rules having only lan network (192.168.1.0) as source address. Because packet that comes the pfsense lan interface has spoofed source adress 126.96.36.199, TCP:SYN packet should not be passed to DMZ machine. Am i wrong? Normally, I should see that first packet is blocked from the logs. But i could not.
What is also strange is that considering pfsense passes the TCP:SYN packet, why i could not see any logs that shows me first packet is passed to DMZ machine. Only log i see in pfsense lan interface through tcmpdump.
What kind of additional information is needed to interpret and solve this situation? Thanks.