    FW Blocking traffic even with an allow rule

    Firewalling
jsmwalker:

      Hi guys,

Hoping someone can help. I have an interface that pretty much has an allow-all rule; however, I still see packets being blocked on the default block rule. Has anyone any ideas? See attached image.

Dec 16 20:43:54 IPT_CONTROL 10.100.29.36:5010 10.100.20.52:55833 TCP:A

Even using the quick add rule makes no difference. Using 2.0-RELEASE (amd64) built on Tue Sep 13 17:05:32 EDT 2011.

      Cheers

      J

cmb:

Not enough info there to say for sure, but you most likely have asymmetric routing somewhere; you can't statefully filter traffic if the firewall doesn't see both directions.

jsmwalker:

          Hi there,

Thanks for the quick reply. Not sure it is asymmetric routing, as there is only a single route between the 2 networks (it is an internal EPN network); however, yes, it does appear to point to a state issue. What additional info would help? As a quick overview, we have 8 interfaces, only one of which is an external route to the internet; the others are part of the internal EPN network and connect 4 buildings together with various different remote networks.

          Thanks in advance

          J

cmb:

            You're blocking ACKs, which means either someone is spoofing ACKs without opening the TCP connection first with a SYN, or the firewall isn't seeing the SYN because of the routing.

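cmb's diagnosis above (blocked ACKs with no preceding SYN) can be checked against the firewall log. The following added Python snippet is not from the thread or from pfSense; it parses log lines in the shape quoted in the first post (the sample lines are constructed) and groups out-of-state TCP blocks by conversation, so pairs that keep appearing point at a path where the firewall never saw the SYN.

```python
import re
from collections import Counter

# Line shape modelled on the GUI log line quoted in the first post:
# "<timestamp> <interface> <src>:<sport> <dst>:<dport> <PROTO>[:<FLAGS>]".
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{1,2} \d\d:\d\d:\d\d)\s+(?P<iface>\S+)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+(?P<dst>[\d.]+):(?P<dport>\d+)\s+"
    r"(?P<proto>\w+)(?::(?P<flags>[A-Z]+))?$"
)

# Constructed sample of blocked entries; only the first line is from the thread.
SAMPLE_LOG = """\
Dec 16 20:43:54 IPT_CONTROL 10.100.29.36:5010 10.100.20.52:55833 TCP:A
Dec 16 20:43:55 IPT_CONTROL 10.100.29.36:5010 10.100.20.52:55833 TCP:PA
Dec 16 20:44:01 IPT_CONTROL 10.100.29.36:5010 10.100.20.52:55840 TCP:A
Dec 16 20:44:07 WAN 203.0.113.9:44123 192.0.2.10:22 TCP:S
Dec 16 20:44:09 IPT_CONTROL 10.100.29.40:53 10.100.20.52:51000 UDP
"""

def parse(line):
    """Return a dict of fields for one log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def classify(entry):
    """'new-conn' for a blocked SYN (a real rule decision), 'out-of-state' for
    TCP without SYN (no matching state table entry), 'other' for non-TCP."""
    if entry["proto"] != "TCP":
        return "other"
    if "S" in (entry["flags"] or ""):
        return "new-conn"
    return "out-of-state"

def find_suspects(log_text, min_hits=2):
    """Count out-of-state blocks per (interface, src, dst). Conversations that
    recur are the ones to trace for asymmetric routing or a missing SYN."""
    hits = Counter()
    for line in log_text.splitlines():
        e = parse(line)
        if e and classify(e) == "out-of-state":
            hits[(e["iface"], e["src"], e["dst"])] += 1
    return {k: v for k, v in hits.items() if v >= min_hits}

if __name__ == "__main__":
    for key, count in find_suspects(SAMPLE_LOG).items():
        print(f"{count} out-of-state TCP blocks on {key[0]}: {key[1]} -> {key[2]}")
```

Run it over the exported filter log (adjusting LINE_RE if the export format differs) and capture on both sides of any conversation it reports to confirm which direction the firewall is missing.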
joako:

The only thing I can think of: if the interface is an OPT interface with a private IP, make sure under Interfaces > [ Interface Name ] you have "Block private networks" unchecked.

jsmwalker:

                Hi there,

Yep, it is an optional interface, but it is not blocking private IPs. I think cmb is on the right lines, but I need to do some Wireshark packet captures to try and discover what is going on. I'm not back in the office till the New Year, so I will come back then.

                J
