Firewall defaulting to "Default deny rule"



  • Hi,

    Something randomly occurred today. Running 1.23. Everything was working fine, I hadn't logged into the web interface for more than a week.

    Now the firewall is blocking all traffic from one IP (111.65.225.105.25), others are working fine. It's hitting the "Default deny rule" for all traffic:

    032665 rule 158/0(match): block in on em1: 111.65.225.105.25 > 208.75.123.193.39626: [|tcp]
    056940 rule 158/0(match): block in on em1: 111.65.225.105.80 > 85.118.193.145.4994: [|tcp]
    054671 rule 158/0(match): block in on em1: 111.65.225.105.80 > 85.118.193.145.48485: [|tcp]
    007487 rule 158/0(match): block in on em1: 111.65.225.105.80 > 132.234.107.59.4862: [|tcp]
    034468 rule 158/0(match): block in on em1: 111.65.225.105.80 > 203.97.101.10.50310: [|tcp]
    023962 rule 158/0(match): block in on em1: 111.65.225.105.80 > 203.97.101.10.50311: [|tcp]
    134041 rule 158/0(match): block in on em1: 111.65.225.105.80 > 75.61.119.45.62501: [|tcp]
    200011 rule 158/0(match): block in on em1: 111.65.225.105.80 > 203.79.97.58.50405: [|tcp]
    199965 rule 158/0(match): block in on em1: 111.65.225.105.80 > 111.65.227.47.53948: [|tcp]

    But for other IPs I have in that public subnet, traffic is flowing as usual. I've added an allow-everything rule, but it doesn't seem to make any difference. I've had to disable the "Default deny rule"s in the meantime.

    Any ideas?

    Thanks

    -Mark



  • That's almost certainly reply traffic since the source ports are a flip of common destination ports, probably SYN ACKs for which the firewall doesn't see the SYN. If the SYN doesn't traverse any firewall, the SYN ACK will be blocked because it's not legit traffic to a stateful firewall. How or why the SYN wouldn't be seen by the firewall is hard to say from the info there, would need more details on your setup. Generally it's because the server in question has a default gateway other than the firewall that takes the egress traffic some different route.

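The diagnosis above (blocked packets whose source port is a well-known service port and whose destination port is an ephemeral one, i.e. replies to connections the firewall never saw) can be checked mechanically against the pf log. The following is an added example, not code from the original thread or from pfSense: it parses lines in the "rule N/0(match): block in on IFACE: SRC.SPORT > DST.DPORT:" format the post shows and counts, per source host and interface, the blocks that look like unsolicited replies. The sample log is constructed inline (the first nine lines mirror the post, the last two are invented contrast cases), and the service-port list and the 1024 ephemeral threshold are assumptions of this example.

```python
import re
from collections import Counter
from typing import Dict, Optional, Tuple

# Constructed sample in the pf log format the post shows. The last two lines are
# invented contrast cases: inbound SYNs to a service port, blocked on the WAN side.
SAMPLE_LOG = """\
032665 rule 158/0(match): block in on em1: 111.65.225.105.25 > 208.75.123.193.39626: [|tcp]
056940 rule 158/0(match): block in on em1: 111.65.225.105.80 > 85.118.193.145.4994: [|tcp]
054671 rule 158/0(match): block in on em1: 111.65.225.105.80 > 85.118.193.145.48485: [|tcp]
007487 rule 158/0(match): block in on em1: 111.65.225.105.80 > 132.234.107.59.4862: [|tcp]
034468 rule 158/0(match): block in on em1: 111.65.225.105.80 > 203.97.101.10.50310: [|tcp]
023962 rule 158/0(match): block in on em1: 111.65.225.105.80 > 203.97.101.10.50311: [|tcp]
134041 rule 158/0(match): block in on em1: 111.65.225.105.80 > 75.61.119.45.62501: [|tcp]
200011 rule 158/0(match): block in on em1: 111.65.225.105.80 > 203.79.97.58.50405: [|tcp]
199965 rule 158/0(match): block in on em1: 111.65.225.105.80 > 111.65.227.47.53948: [|tcp]
000123 rule 158/0(match): block in on em0: 198.51.100.7.51234 > 111.65.225.105.80: [|tcp]
000124 rule 158/0(match): block in on em0: 198.51.100.9.40000 > 111.65.225.105.22: [|tcp]
"""

# Matches the "rule N/M(match): ACTION DIR on IFACE: A.B.C.D.SPORT > E.F.G.H.DPORT:" part of a line.
LINE_RE = re.compile(
    r"rule (?P<rule>\d+)/\d+\(match\): (?P<action>\w+) (?P<dir>in|out) on (?P<iface>\S+): "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})\.(?P<dport>\d+):"
)

# Assumed for this example: server ports a host behind the firewall would answer from.
SERVICE_PORTS = {22, 25, 53, 80, 110, 143, 443, 465, 587, 993, 995}
# Assumed for this example: ports at or above this are treated as client-side ephemeral ports.
EPHEMERAL_MIN = 1024


def parse_line(line: str) -> Optional[dict]:
    """Parse one pf log line into a record; return None for lines in another format."""
    m = LINE_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    for field in ("rule", "sport", "dport"):
        rec[field] = int(rec[field])
    return rec


def looks_like_unsolicited_reply(rec: dict) -> bool:
    """Heuristic from the reply above: service port as source, ephemeral port as destination.

    That is the shape of a SYN/ACK (or later segment) leaving a server, which a stateful
    firewall drops when it never saw the client's SYN, e.g. because the server's outbound
    path bypasses the firewall.
    """
    return rec["sport"] in SERVICE_PORTS and rec["dport"] >= EPHEMERAL_MIN


def analyze(log_text: str) -> Dict[str, Dict[Tuple[str, str], int]]:
    """Count blocked packets per (source host, interface), split into suspect replies and others."""
    suspects: Counter = Counter()
    other: Counter = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["action"] != "block":
            continue
        key = (rec["src"], rec["iface"])
        if looks_like_unsolicited_reply(rec):
            suspects[key] += 1
        else:
            other[key] += 1
    return {"suspects": dict(suspects), "other": dict(other)}


def report(log_text: str) -> str:
    """Render the analysis as a short human-readable summary."""
    result = analyze(log_text)
    lines = []
    for (src, iface), n in sorted(result["suspects"].items(), key=lambda kv: -kv[1]):
        lines.append(
            f"{src} on {iface}: {n} blocked packet(s) look like replies to connections the "
            f"firewall never saw; check that host's default gateway and the path its SYNs take"
        )
    for (src, iface), n in sorted(result["other"].items()):
        lines.append(f"{src} on {iface}: {n} ordinary blocked packet(s)")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```

On the sample, all nine blocks from 111.65.225.105 on em1 (the LAN side) are flagged, while the two constructed inbound SYNs on em0 are not, which is the pattern the reply describes. The heuristic is only a hint: a host legitimately listening on an ephemeral port, or a scanner using port 80 as its source, produces the same shape, so it tells you where to look (the host's routing), not what is wrong.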


  • Thanks for the reply. My networking/TCP-IP isn't all that good, but I think I follow. That traffic is indeed going out a default gateway which isn't the pfSense server.

    I was a bit suspicious about the fact that interface em1 is on local network 192.168.6.1, and my WAN interface is em0 (111.65.225.101). The pfSense server is running on VMware ESXi, each interface on a virtual switch.

    Could the fact that the traffic isn't coming in on em0 (111.65.225.101) be causing the block to occur?



  • Hi

    There was a routing misconfiguration on the server which was being blocked: it had 2 default routes set, and for some reason today it decided to start sending traffic down the default route bound to the LAN interface, as far as I can tell. Anyway, there is now one correct default gw and I'm looking good.

    Thanks again

    -Mark

