FW Blocking traffic even with an allow rule



  • Hi guys,

    Hoping someone can help. I have an interface that pretty much has an allow-all rule; however, I still see packets being blocked on the default block rule. Has anyone any ideas? See attached image.

    Dec 16 20:43:54

    IPT_CONTROL  10.100.29.36:5010 10.100.20.52:55833 TCP:A

    Even using the quick-add rule makes no difference. Using 2.0-RELEASE (amd64) built on Tue Sep 13 17:05:32 EDT 2011.

    Cheers

    J



  • Not enough info there to say for sure, but you most likely have asymmetric routing somewhere; you can't statefully filter traffic if the firewall doesn't see both directions.



  • Hi there,

    Thanks for the quick reply. Not sure it is asymmetric routing, as there is only a single route between the 2 networks (it is an internal EPN network); however, yes, it does appear to point to a state issue. What additional info would help? As a quick overview, we have 8 interfaces, only one of which is an external route to the internet; the others are part of the internal EPN network and connect 4 buildings together with various different remote networks.

    Thanks in advance

    J



  • You're blocking ACKs, which means either someone is spoofing ACKs without opening the TCP connection first with a SYN, or the firewall isn't seeing the SYN because of the routing.
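The two replies above (state needs both directions; a bare ACK with no prior SYN falls through to the default block) can be shown with a small emulation of pf-style state tracking. This is an added example for this thread, not pfSense or pf code, and the packets are constructed to mirror the shape of the logged line (same addresses and ports, flag A, no SYN ever seen). The `flags_any` option is an assumption about how a relaxed rule behaves: it models a pass rule matching any TCP flags instead of pf's default `S/SA`, which lets a mid-stream packet create a state (the kind of thing you would pair with sloppy state tracking as a workaround, at the cost of the SYN check; the proper fix is still the routing).

```python
"""Emulate pf-style stateful TCP filtering to show why a bare ACK hits the default block.

Added example for this thread; not pfSense code. The packets below are constructed
to mirror the log line in the question, not captured from anyone's network.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

Key = Tuple[str, int, str, int]


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str  # TCP flags in pf log style: "S", "SA", "A", "FA", "R"


def state_key(p: Packet) -> Key:
    """Direction-independent key so both halves of a connection share one state."""
    a, b = (p.src, p.sport), (p.dst, p.dport)
    return a + b if a <= b else b + a


@dataclass
class StatefulFilter:
    """One 'pass all, keep state' rule followed by the implicit default block.

    flags_any=False models pf's default TCP flag match (S/SA): only a pure SYN
    can create a state. flags_any=True (assumed workaround) models a rule with
    'flags any', which lets a mid-stream packet create a state.
    """
    flags_any: bool = False
    states: Dict[Key, str] = field(default_factory=dict)
    blocked: List[str] = field(default_factory=list)

    def process(self, p: Packet) -> str:
        key = state_key(p)
        if key in self.states:
            if "R" in p.flags:  # RST tears the state down
                del self.states[key]
            return "pass:state-match"
        # No state yet: does the pass rule match this packet?
        if p.flags == "S" or (self.flags_any and "R" not in p.flags):
            self.states[key] = "syn-sent" if p.flags == "S" else "mid-stream"
            return "pass:state-created"
        # Falls through to the default block rule; record it like the firewall log does.
        self.blocked.append(f"{p.src}:{p.sport} {p.dst}:{p.dport} TCP:{p.flags}")
        return "block:default"


CLIENT, SERVER = "10.100.20.52", "10.100.29.36"

# Constructed: a handshake the firewall sees in both directions.
SYMMETRIC = [
    Packet(CLIENT, 55833, SERVER, 5010, "S"),
    Packet(SERVER, 5010, CLIENT, 55833, "SA"),
    Packet(CLIENT, 55833, SERVER, 5010, "A"),
]

# Constructed: the client's SYN and the SYN/ACK took another path, so the
# firewall only ever sees the server's ACKs, the shape of the logged block.
ASYMMETRIC = [
    Packet(SERVER, 5010, CLIENT, 55833, "A"),
    Packet(SERVER, 5010, CLIENT, 55833, "A"),
]


def run(packets: List[Packet], flags_any: bool = False) -> Tuple[List[str], List[str]]:
    """Return (per-packet verdicts, blocked-log lines) for a fresh filter."""
    fw = StatefulFilter(flags_any=flags_any)
    verdicts = [fw.process(p) for p in packets]
    return verdicts, fw.blocked


if __name__ == "__main__":
    for name, pkts in (("symmetric", SYMMETRIC), ("asymmetric", ASYMMETRIC)):
        verdicts, blocked = run(pkts)
        print(name, verdicts)
        for line in blocked:
            print("  blocked:", line)
    print("asymmetric with flags any:", run(ASYMMETRIC, flags_any=True)[0])
```

Run it and the asymmetric case logs `10.100.29.36:5010 10.100.20.52:55833 TCP:A` twice, while the same packets pass once the rule is allowed to create state from a non-SYN. A packet capture on both sides of the firewall (as the poster plans) is what tells you which of the two causes in the reply above applies.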



  • The only thing I can think of: if the interface is an OPT interface with a private IP, make sure under Interfaces > [ Interface Name ] you have "Block private networks" unchecked.



  • Hi there,

    Yep, it is an optional interface, but no blocking of private IPs. I think CMB is on the right lines, but I need to do some Wireshark packet captures to try to discover what is going on. I'm not back in the office till the New Year, so I will come back then.

    J

