Bug in filtering/rules? Packets are transmitted, without rule
-
Hi,
I use pfSense 2.0.1 on a FWA-3030 (6 interfaces: LAN - DMZ - Wifi_Public - aDSL - sDSL 4Mb - sDSL 8Mb).
This pfSense is connected to 2 others in my company with IPsec.
Everything has been OK for the last months: communication between networks (3 sites), OpenVPN for laptops, the failover with 2 or 3 internet connections, etc.
The DMZ is newly configured. I added a server in this DMZ (Ubuntu, with OCS on SSH, HTTP and HTTPS).
After testing access to this server with a rule that allows everything, I disabled this rule = problem: I can access this server with SSH, HTTP and HTTPS! (?!)
At the bottom of the rule list, I have a rule for web access (access to the internet on ports 80 and 443).
If a gateway (or a gateway group) is configured in this rule, I can access the server in the DMZ!
Why?
I can't find any logical answer.
Did I forget anything? If I delete the gateway on this rule, I can't access the DMZ until I add a proper rule.
Please, if you have an idea…
Thanks.
-
Nmap confirms my tests.
I have the same problem with my company's WANs (with IPsec VPN): I see the DNS port open on the WAN's pfSense if I enable a gateway in the "web access" rule (HTTP and HTTPS only).
With a server on the internet as destination it's OK (my provider's SMTP server or other servers on the internet). When I scan, I get the same (normal) result, with or without a gateway configured.
-
A packet capture (on the DMZ interface) showed 1000 ports tested with a regular scan (Nmap) to the server in the DMZ; the packets pass!
With a rule that authorizes only HTTP and HTTPS. If I disable the gateway in this rule, the packet capture shows only what is permitted: 80 and 443.
(rule = allow web access to the internet via a specific connection).
Any idea?
-
The policy routing negation rule may be the culprit there, it can be disabled in 2.0.2 and newer versions. Posting /tmp/rules.debug would confirm or deny that.
-
Is the DMZ configured as a bridge with another interface?
-
Podilarius: No.
I have the same problem with the DMZ and WAN too (WAN connected via IPsec VPN).
From my main office, I can reach the DNS port on the pfSense of the remote office (when a gateway is configured in a rule that permits only 80 and 443). CMB: I'm not sure I understand you. I don't use negation in any rule on my 3 pfSense boxes.
I will post rules.debug soon.
-
Here is the rules.debug.txt file.
Do you understand?
I can't continue to configure our network; the deployment of our new network is on hold.
Thanks a lot for your help!
-
table <negate_networks>{ 62.62.63.56/30 10.138.8.0/24 10.138.188.0/24 80.80.91.60/32 92.92.93.144/28 192.168.38.0/24 10.175.8.0/24 10.175.8.0/24 192.168.75.0/24 10.138.9.0/24 10.138.9.0/24 10.175.8.0/24 10.138.9.0/24 10.138.88.0/24 }
pass in quick on $INT_LAN proto { tcp udp } from 10.138.8.0/24 to <negate_networks> keep state label "NEGATE_ROUTE: Negate policy routing for destination"
pass in quick on $INT_SDSL_STELLA proto tcp from $Al_Hosts_Admin_FW_PrincipalSite to <negate_networks> flags S/SA keep state label "NEGATE_ROUTE: Negate policy routing for destination"
pass in quick on $INT_WIFI_PUB proto tcp from 192.168.38.1/24 to <negate_networks> flags S/SA keep state dnpipe ( 2, 1) label "NEGATE_ROUTE: Negate policy routing for destination"
Those might or might not be relevant to your situation.
If they seem relevant you might consider updating to 2.0.2 or 2.0.3. Then you have the option of disabling the automatically generated negate rules.
-
They seem to be very relevant to his setup. Seems like the auto negation rule is active and contains his network.
-
Thanks for your help!
I'm lost. I don't understand the "negate" idea.
Can you explain to me how it works? I will back up and update the pfSense.
-
I know the concept, but I am not sure how pfSense is utilizing it. I think it's using the auto negate rule in VPN, but I am not 100% sure of that.
-
I've had similar unexpected behaviour in the past. You basically have 2 options:
- or you add reject/block rules to over-rule the negate rules. This way you can miss a few things that you want blocked, but it shouldn't break much;
- or you disable the auto-creation of negate rules (this can be done from >=2.0.2 by using the webgui). This way makes sure everything is blocked unless you specify it shouldn't be; this might result in lots of things that worked before now getting blocked and in need of a PASS rule.
-
So:
- I updated my pfSense to 2.0.2
- I tried SYSTEM > ADVANCED > FIREWALL/NAT > Disable Negate rule on policy routing rules (checked).
Results:
- Without a gateway in the WEB rule (80+443), I can reach the host in the DMZ on only ports 80/443 (normal).
- With a gateway in the Web rule (aDSL connection), I can't reach the host in the DMZ!
-
Because traffic is forced through the aDSL gateway, it can't reach the DMZ? Is that the idea?
-
I don't understand the mechanism before "Disable Negate rule on policy routing rules"/2.0.2. Why is all traffic authorised (on my private LAN/WAN/DMZ) when I add a gateway in a simple rule to access the web (80/443)?! Here, I'm totally lost.
Excuse me, can you answer in simple English? :D This subject is delicate.
Thanks a lot, my problem is solved !
-
- Because traffic is forced through the aDSL gateway, it can't reach the DMZ? Is that the idea?
Yes, that's the idea.
Policy routing is when you specify some advanced options in your firewall rule (like specifying a gateway). The negate rules automagically create "hidden" pass rules for locally attached subnets, to over-rule the policy routing, so you can still reach them.
In most scenarios this is OK. In some it can lead to situations like yours where you don't want that behaviour. Personally I understand why the negate rules are on by default: in most cases you want access to those subnets and add block rules for the ones you don't.
I do think it should be more obvious that there are "hidden" rules, because like yourself I've spent a lot of time wondering why the hell traffic is passing when you think it shouldn't.
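As an added illustration of the mechanism heper describes (and of the two options from the earlier reply), here is a small Python model of pf's rule evaluation: last match wins unless a matching rule is "quick", and pfSense generates all user rules as quick. It is example code written for this page, not code from the thread or from pfSense. The LAN subnet 10.138.8.0/24 and the gateway name "aDSL" come from the thread; the DMZ subnet 192.0.2.0/24, the host addresses, the "Block LAN to DMZ" rule, and the placement of the hidden NEGATE_ROUTE rule directly before the policy-routed rule are assumptions of the model.

```python
"""Simulate pf 'quick' rule evaluation to show why pfSense's automatic
NEGATE_ROUTE rules let LAN -> DMZ traffic through once a gateway is set on
the web rule. Added example, not pfSense or thread code; the DMZ subnet,
host addresses, block-rule label and negate-rule placement are assumptions."""
import ipaddress
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

Net = ipaddress.IPv4Network
LAN = ipaddress.ip_network("10.138.8.0/24")   # $INT_LAN subnet seen in rules.debug
DMZ = ipaddress.ip_network("192.0.2.0/24")    # constructed DMZ subnet (assumption)
ANY = ipaddress.ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Rule:
    action: str                        # "pass" or "block"
    quick: bool                        # pf 'quick': first match ends evaluation
    proto: str                         # "tcp", "udp" or "any"
    src: Net
    dst: Tuple[Net, ...]               # several entries model a pf <table>
    dports: Optional[FrozenSet[int]]   # None = any destination port
    label: str
    gateway: Optional[str] = None      # set => policy routing via that gateway


@dataclass(frozen=True)
class Packet:
    proto: str
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    dport: int


def matches(rule: Rule, pkt: Packet) -> bool:
    return (rule.proto in ("any", pkt.proto)
            and pkt.src in rule.src
            and any(pkt.dst in net for net in rule.dst)
            and (rule.dports is None or pkt.dport in rule.dports))


def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, Optional[str], str]:
    """pf semantics: the last matching rule wins, unless a matching rule is
    'quick', which ends evaluation at once. pfSense's default deny is a
    non-quick block that only stands when nothing else matches.
    Returns (action, gateway, label) of the winning rule."""
    winner = Rule("block", False, "any", ANY, (ANY,), None, "Default deny rule IPv4")
    for rule in rules:
        if matches(rule, pkt):
            winner = rule
            if rule.quick:
                break
    return winner.action, winner.gateway, winner.label


def build_lan_rules(web_gateway: Optional[str], negate_enabled: bool,
                    block_dmz_first: bool) -> List[Rule]:
    """Assemble the LAN ruleset the way the thread describes pfSense 2.0.x
    doing it: a rule carrying a gateway gets a hidden 'pass ... to
    <negate_networks>' rule for locally attached subnets (placed right
    before it here, an assumption of this model) unless negation is disabled."""
    rules: List[Rule] = []
    if block_dmz_first:
        # heper's first option: an explicit block above the policy-routed rule
        rules.append(Rule("block", True, "any", LAN, (DMZ,), None, "Block LAN to DMZ"))
    if web_gateway is not None and negate_enabled:
        # the hidden rule: any port to every locally attached subnet passes
        rules.append(Rule("pass", True, "any", LAN, (LAN, DMZ), None,
                          "NEGATE_ROUTE: Negate policy routing for destination"))
    rules.append(Rule("pass", True, "tcp", LAN, (ANY,), frozenset({80, 443}),
                      "Web access", gateway=web_gateway))
    return rules


def lan_to_dmz(dport: int, web_gateway: Optional[str], negate_enabled: bool = True,
               block_dmz_first: bool = False) -> Tuple[str, Optional[str], str]:
    """Verdict for a TCP packet from a constructed LAN host to a constructed DMZ host."""
    pkt = Packet("tcp", ipaddress.ip_address("10.138.8.20"),
                 ipaddress.ip_address("192.0.2.10"), dport)
    return evaluate(build_lan_rules(web_gateway, negate_enabled, block_dmz_first), pkt)


if __name__ == "__main__":
    cases = [
        ("no gateway, SSH to DMZ",               22,  None,   True,  False),
        ("gateway + negate, SSH to DMZ",         22,  "aDSL", True,  False),
        ("gateway, negate disabled, SSH",        22,  "aDSL", False, False),
        ("gateway, negate disabled, HTTPS",      443, "aDSL", False, False),
        ("gateway + negate + block rule, SSH",   22,  "aDSL", True,  True),
    ]
    for name, port, gw, neg, blk in cases:
        print(f"{name:38} -> {lan_to_dmz(port, gw, neg, blk)}")
```

The second case reproduces the original report: with a gateway on the web rule and negation on, SSH to the DMZ host wins on the hidden NEGATE_ROUTE pass rule, not on the default deny. The fourth case reproduces the post-2.0.2 observation: with negation disabled, HTTPS still matches the web rule but is policy-routed out aDSL, so the DMZ host is not reached. The last case shows heper's first option, an explicit block placed above the policy-routed rule, winning because it is quick and evaluated first.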