Default rule - fail



  • It would appear that a default block rule is targeting my outgoing LAN connection - why?

    block
    Aug 30 09:10:40 LAN 192.168.1.8:45473 74.125.24.138:443 TCP:FA
    block
    Aug 30 09:10:24 LAN 192.168.1.8:45473 74.125.24.138:443 TCP:FA
    block
    Aug 30 09:10:15 LAN 192.168.1.8:45473 74.125.24.138:443 TCP:FA

    This is a legitimate connection to a secure server from a mobile device. These are my LAN rules - pretty basic:

    • BTVision * * * OPT1 none
    • LAN net * * * * none   Default allow LAN to any rule

    The first rule contains the IP address of my BT Vision box so that it is 'routed' to the appropriate line (I have two - one business, the WAN, and one private - OPT1), the second rule 'should' pass all other traffic without interference to the 'default' gateway. I have both WAN and OPT1 combined as a load balancing group i.e. both WAN and OPT1 are Tier 1, sticky connections are enabled.

    I can find no logical or valid reason for this 'blocking' behaviour - but then it isn't possible to see the 'default block any' rule



  • cat /tmp/rules.debug

    and post the results.





  • Yup I read that but it is inconclusive and since sticky connections are enabled that should not happen - once a session is established it should remain on whatever gateway the session was established on, there is no way for remote session holders to know both my domain IP's for a single session.

    While both networks are from the same provider one is a business i.e. fixed IP etc, and one is private any old IP.

    Here is the rules.debug … notice the redirects are sending to 127.0.0.1 when this is NOT the appropriate NAT destination - 127.0.0.1 will fail since it doesn't have any 443-capable service running - it's pfSense!! I'd expect a NAT redirect to get turned back to the appropriate internal address.

    Notwithstanding that, the connection that's getting blocked is actually the wife's phone trying to connect to GMail, which is external; there are no blocks whatsoever on traffic from the LAN subnet outbound - but still pfSense is blocking port 443 attempts from her phone.

    set limit tables 3000
    set optimization normal
    set limit states 198000
    set limit src-nodes 198000

    #System aliases

    loopback = "{ lo0 }"
    WAN = "{ pppoe0 }"
    LAN = "{ re0 }"
    OPT1 = "{ pppoe1 }"

    #SSH Lockout Table
    table <sshlockout> persist
    table <webconfiguratorlockout> persist
    #Snort tables
    table <snort2c>
    table <virusprot>
    # User Aliases
    table <blockdrs> {  14.148.131.59  23.25.216.129  24.123.56.246  24.199.42.34  37.209.31.239  46.246.119.139  50.121.152.110  50.34.10.50  50.39.90.242  50.84.168.222  62.49.22.147  63.252.106.18  64.52.155.10  64.82.225.246  65.171.64.218  66.183.52.139  66.64.240.218  66.64.6.154  68.213.103.27  69.86.213.68  70.184.122.160  70.43.109.131  70.80.28.38  71.46.210.226  72.89.191.60  74.11.126.243  74.84.111.214  74.95.89.172  75.127.236.194  75.149.2.246  75.151.241.229  75.181.131.19  78.111.75.125  78.55.254.111  79.129.19.99  79.144.190.144  80.13.177.2  80.177.69.146  80.33.151.18  81.70.233.60  82.165.134.70  83.136.86.135  83.175.212.125  83.223.112.138  83.223.112.142  87.23.197.245  87.28.147.41  88.149.180.8  88.2.247.204  88.91.75.223  89.87.130.233  90.220.107.13  91.135.4.116  93.64.20.6  94.80.4.82  94.89.253.73  94.91.131.100  95.224.107.100  95.225.148.31  95.230.52.125  95.231.96.15  95.240.32.27  98.174.235.103  108.162.17.130  108.64.133.67  113.78.39.61  114.42.129.55  114.42.130.32  114.44.101.116  114.44.101.166  116.23.198.153  116.246.22.38  120.146.193.153  134.255.242.243  142.59.240.51  151.78.252.4  168.188.35.248  173.162.251.81  183.236.40.118  183.57.193.149  187.65.74.210  188.229.7.200  189.13.198.57  190.188.202.39  190.224.126.164  195.228.228.53  200.68.86.253  201.42.103.181  201.49.69.250  201.72.166.242  202.64.64.68  203.147.88.10  203.45.114.24  203.45.134.40  211.25.222.226  212.235.31.158  212.92.23.168  213.153.47.1  213.82.200.130  216.1.42.19  217.159.181.170  217.40.3.237  220.165.5.7  222.231.33.164  69.162.123.36  31.101.203.142 }
    BlockDRS = "<blockdrs>"
    table <blockranges> {  114.43.5.0/24  114.42.0.0/12  14.222.0.0/12  220.128.0.0/16  186.18.128.0/18  202.104.251.200/27 }
    BlockRanges = "<blockranges>"
    table <btipranges> {  178.79.195.0/24  213.248.117.0/24  195.59.54.0/24  80.239.171.0/24  193.113.8.0/24  66.193.112.0/24  86.151.173.0/24 }
    BTIPRanges = "<btipranges>"
    table <btvision> {  192.168.1.64  192.168.1.252 }
    BTVision = "<btvision>"
    table <easyruleblockhostsopt1> persist
    EasyRuleBlockHostsOPT1 = "<easyruleblockhostsopt1>"
    table <easyruleblockhostswan> persist
    EasyRuleBlockHostsWAN = "<easyruleblockhostswan>"
    table <edf> {  195.59.168.0/24 }
    EDF = "<edf>"
    table <gbserver> {  192.168.1.253 }
    GBServer = "<gbserver>"
    table <office> {  192.168.1.250 }
    Office = "<office>"

    # Gateways
    GWWAN = " route-to ( pppoe0 85.139.96.6 ) "
    GWOPT1 = " route-to ( pppoe1 212.33.142.8 ) "
    GWLoadBalance = "  route-to { ( pppoe0 85.139.96.6 ) ( pppoe1 212.33.142.8 )  }  round-robin  sticky-address  "

    set loginterface re0

    set skip on pfsync0

    no nat proto carp
    no rdr proto carp
    nat-anchor "natearly/*"
    nat-anchor "natrules/*"

    # Outbound NAT rules

    # Subnets to NAT
    tonatsubnets = "{ 192.168.1.0/24 127.0.0.0/8  }"
    nat on $WAN  from $tonatsubnets port 500 to any port 500 -> 172.135.178.20/32 port 500
    nat on $WAN  from $tonatsubnets to any -> 172.135.178.20/32 port 1024:65535

    nat on $OPT1  from $tonatsubnets port 500 to any port 500 -> 219.57.132.72/32 port 500
    nat on $OPT1  from $tonatsubnets to any -> 219.57.132.72/32 port 1024:65535

    # Load balancing anchor
    rdr-anchor "relayd/*"

    # TFTP proxy
    rdr-anchor "tftp-proxy/*"
    rdr pass on pppoe0 proto udp from any to any port tftp -> 127.0.0.1 port 6969
    rdr pass on re0 proto udp from any to any port tftp -> 127.0.0.1 port 6969
    table <negate_networks> { 172.135.178.20/32 192.168.1.0/24 219.57.132.72/32 }

    # NAT Inbound Redirects
    rdr on pppoe0 proto tcp from any to 172.135.178.20 port 80 -> $GBServer

    # Reflection redirects
    rdr on re0 proto tcp from any to 172.135.178.20 port 80 tag PFREFLECT -> 127.0.0.1 port 19000

    rdr on pppoe0 proto tcp from any to 172.135.178.20 port 443 -> $GBServer

    # Reflection redirects
    rdr on re0 proto tcp from any to 172.135.178.20 port 443 tag PFREFLECT -> 127.0.0.1 port 19001

    rdr on pppoe0 proto tcp from any to 172.135.178.20 port 21 -> $GBServer

    # Reflection redirects
    rdr on re0 proto tcp from any to 172.135.178.20 port 21 tag PFREFLECT -> 127.0.0.1 port 19002

    rdr on pppoe0 proto tcp from any to 172.135.178.20 port 110 -> $GBServer

    # Reflection redirects
    rdr on re0 proto tcp from any to 172.135.178.20 port 110 tag PFREFLECT -> 127.0.0.1 port 19003

    rdr on pppoe0 proto tcp from any to 172.135.178.20 port 995 -> $GBServer

    # Reflection redirects
    rdr on re0 proto tcp from any to 172.135.178.20 port 995 tag PFREFLECT -> 127.0.0.1 port 19004

    rdr on pppoe0 proto tcp from any to 172.135.178.20 port 25 -> $GBServer

    # Reflection redirects
    rdr on re0 proto tcp from any to 172.135.178.20 port 25 tag PFREFLECT -> 127.0.0.1 port 19005

    rdr on pppoe0 proto tcp from any to 172.135.178.20 port 465 -> $GBServer

    # Reflection redirects
    rdr on re0 proto tcp from any to 172.135.178.20 port 465 tag PFREFLECT -> 127.0.0.1 port 19006

    # UPnPd rdr anchor
    rdr-anchor "miniupnpd"

    anchor "relayd/*"
    #---------------------------------------------------------------------------
    # default deny rules
    #---------------------------------------------------------------------------
    block in log all label "Default deny rule"
    block out log all label "Default deny rule"

    # We use the mighty pf, we cannot be fooled.
    block quick proto { tcp, udp } from any port = 0 to any
    block quick proto { tcp, udp } from any to any port = 0

    # Block all IPv6
    block in quick inet6 all
    block out quick inet6 all

    # Snort package
    block quick from <snort2c> to any label "Block snort2c hosts"
    block quick from any to <snort2c> label "Block snort2c hosts"

    # SSH lockout
    block in log quick proto tcp from <sshlockout> to any port 22 label "sshlockout"

    # webConfigurator lockout
    block in log quick proto tcp from <webconfiguratorlockout> to any port 80 label "webConfiguratorlockout"
    block in quick from <virusprot> to any label "virusprot overload table"
    table <bogons> persist file "/etc/bogons"

    # block bogon networks
    # http://www.cymru.com/Documents/bogon-bn-nonagg.txt
    block in log quick on $WAN from <bogons> to any label "block bogon networks from WAN"
    antispoof for pppoe0

    # block anything from private networks on interfaces with the option set
    antispoof for $WAN
    block in log quick on $WAN from 10.0.0.0/8 to any label "block private networks from wan block 10/8"
    block in log quick on $WAN from 127.0.0.0/8 to any label "block private networks from wan block 127/8"
    block in log quick on $WAN from 172.16.0.0/12 to any label "block private networks from wan block 172.16/12"
    block in log quick on $WAN from 192.168.0.0/16 to any label "block private networks from wan block 192.168/16"
    antispoof for re0

    # block bogon networks
    # http://www.cymru.com/Documents/bogon-bn-nonagg.txt
    block in log quick on $OPT1 from <bogons> to any label "block bogon networks from OPT1"
    antispoof for pppoe1

    # block anything from private networks on interfaces with the option set
    antispoof for $OPT1
    block in log quick on $OPT1 from 10.0.0.0/8 to any label "block private networks from wan block 10/8"
    block in log quick on $OPT1 from 127.0.0.0/8 to any label "block private networks from wan block 127/8"
    block in log quick on $OPT1 from 172.16.0.0/12 to any label "block private networks from wan block 172.16/12"
    block in log quick on $OPT1 from 192.168.0.0/16 to any label "block private networks from wan block 192.168/16"

    # loopback
    pass in on $loopback all label "pass loopback"
    pass out on $loopback all label "pass loopback"

    # let out anything from the firewall host itself and decrypted IPsec traffic
    pass out all keep state allow-opts label "let out anything from firewall host itself"
    pass out route-to ( pppoe0 85.139.96.6 ) from 172.135.178.20 to !172.135.178.20/32 keep state allow-opts label "let out anything from firewall host itself"
    pass out route-to ( pppoe1 212.33.142.8 ) from 219.57.132.72 to !219.57.132.72/32 keep state allow-opts label "let out anything from firewall host itself"

    # make sure the user cannot lock himself out of the webConfigurator or SSH
    pass in quick on re0 proto tcp from any to (re0) port { 80 } keep state label "anti-lockout rule"

    # NAT Reflection rules
    pass in inet tagged PFREFLECT keep state label "NAT REFLECT: Allow traffic to localhost"

    # User-defined rules follow
    anchor "userrules/*"
    block  on {  pppoe0  pppoe1  }  from  $BlockDRS to any  label "USER_RULE"
    block  on {  pppoe0  pppoe1  }  from  $BlockRanges to any  label "USER_RULE"
    pass  in  quick  on $WAN reply-to ( pppoe0 85.139.96.6 )  proto tcp  from any to  $GBServer port 80  flags S/SA keep state  label "USER_RULE: NAT "
    pass  in  quick  on $WAN reply-to ( pppoe0 85.139.96.6 )  proto tcp  from any to  $GBServer port 443  flags S/SA keep state  label "USER_RULE: NAT "
    pass  in  quick  on $WAN reply-to ( pppoe0 85.139.96.6 )  proto tcp  from any to  $GBServer port 21  flags S/SA keep state  label "USER_RULE: NAT "
    pass  in  quick  on $WAN reply-to ( pppoe0 85.139.96.6 )  proto tcp  from any to  $GBServer port 110  flags S/SA keep state  label "USER_RULE: NAT "
    pass  in  quick  on $WAN reply-to ( pppoe0 85.139.96.6 )  proto tcp  from any to  $GBServer port 995  flags S/SA keep state  label "USER_RULE: NAT "
    pass  in  quick  on $WAN reply-to ( pppoe0 85.139.96.6 )  proto tcp  from any to  $GBServer port 25  flags S/SA keep state  label "USER_RULE: NAT "
    pass  in  quick  on $WAN reply-to ( pppoe0 85.139.96.6 )  proto tcp  from any to  $GBServer port 465  flags S/SA keep state  label "USER_RULE: NAT "
    pass  in  quick  on $WAN reply-to ( pppoe0 85.139.96.6 )  proto igmp  from any to 172.135.178.20 keep state  label "USER_RULE"
    pass  in  quick  on $WAN reply-to ( pppoe0 85.139.96.6 )  inet proto icmp  from any to 172.135.178.20 keep state  label "USER_RULE"
    pass  in log  quick  on $LAN  from  $BTVision  to <negate_networks> keep state  label "NEGATE_ROUTE: Negate policy routing for destination"
    pass  in log  quick  on $LAN  $GWOPT1  from  $BTVision to any keep state  label "USER_RULE"
    pass  in  quick  on $LAN  from 192.168.1.0/24  to <negate_networks> keep state  label "NEGATE_ROUTE: Negate policy routing for destination"
    pass  in  quick  on $LAN  $GWLoadBalance  from 192.168.1.0/24 to any keep state  label "USER_RULE: Default allow LAN to any rule"
    pass  in  quick  on $OPT1 reply-to ( pppoe1 212.33.142.8 )  proto igmp  from any to 219.57.132.72 keep state  label "USER_RULE"
    pass  in  quick  on $OPT1 reply-to ( pppoe1 212.33.142.8 )  inet proto icmp  from any to 219.57.132.72 keep state  label "USER_RULE"
    pass  in  quick  on $OPT1 reply-to ( pppoe1 212.33.142.8 )  proto igmp  from  212.33.142.8 to  224.0.0.1 keep state  label "USER_RULE: Easy Rule: Passed from Firewall Log View"

    # VPN Rules
    anchor "tftp-proxy/*"



  • That's an epic novel you posted there.

    Not sure what's up, but seeing as how you seem to have two connections there and this is usually caused when connections don't enter and exit along the same routes that they should, my guess is that your connections are not near as sticky as you would like to believe.

    Maybe set up manual outbound NAT with an outbound route per interface?


  • 

    @kejianshi:

    my guess is that your connections are not near as sticky as you would like to believe.

    Yeah, bingo.



  • If they aren't sticky then the option in pfSense for sticky connections doesn't work correctly - this is supposed to be a 'stateful' firewall.

    The ONLY place the stickiness can fail is outbound - it can't fail inbound because the remote session is utterly unaware of the 'other' IP - meaning the only place that's common is pfSense not applying 'states' correctly and ensuring that a session started on WAN stays on WAN and the load balancing should respect that 'state'.

    I can't possibly start a bunch of outgoing NAT - makes a nonsense of load balancing to do so - besides I'd need different NAT for different devices to either WAN or OPT1 - I might as well run two separate pfSense boxes if that's the case. If states aren't being respected then that's a bug IMHO.



  • Anyone know how to log which packets are going via which 'network' - packet capture can only work on one at a time.

    I checked the state tables and it isn't indicated 'which' network the state belongs to - merely that a state exists. - I take that back - it calls it router -  :o

    I can't see the incoming 'router' though only the outgoing …

    Thinking about this it still doesn't explain WHY an attempt to reach GMail via port 443 from the LAN is being blocked - it should be permitted - there ARE no block rules in place outbound on LAN, WAN or OPT1 .... inbound yes but there are no user defined OUTBOUND blocks.



  • Can't see the NAT for port 443



  • This has nothing to do with NAT or load balancing. It is the normal blocking of the final session packets (FIN ACK) because the firewall has already closed the connection due to receiving a RST from the destination, or has otherwise closed the session.

    http://doc.pfsense.org/index.php/Logs_show_"blocked"_for_traffic_from_a_legitimate_connection,_why%3F

    http://forum.pfsense.org/index.php?topic=58827.0



  • Hmmmm - if that's the case, then am I to understand that there have been no actual call drops or offline states being caused? Only some log noise?
    Everything on the network works fine then?



  • BenKenobe, on the mobile device are you actually being blocked from accessing gmail, or is it that you just see these blocked packets in the logs?

    If you are actually being blocked and you just happened to post the log snippet that only contains the blocked FIN ACK packets, then you probably have a real problem, otherwise you are likely seeing the session reset packets only being blocked.

    In your syslog do you see any other packets blocked by this default rule with flags different than FA such as SYN, SYN/ACK, etc.?



  • Yeah - I have a log full of these:

    127.0.0.1:3128 TCP:FA

    I ignore them.  Everything is working fine.

    Wouldn't it be nice if we could enter in a setting some place things to not log?
    Like TCP:FA, TCP:FPA etc, etc….  It would make the logs more meaningful.



  • I never asked her and she doesn't complain; I asked, and her response is that mostly it is OK, occasionally it times out but not all the time.

    If these 'blocks' are normal behaviour (which I appreciate) why log them at all - as has been said it would be nice to be able to clean up what is and isn't reported.

    I'm just a little perplexed why a stateful firewall would block ANY outgoing packets unless explicitly told to do so; incoming I can buy into, but outgoing just doesn't seem right - why would the other side of the connection close the session, surely that's the session initiator's job?



  • Yeah….  and...  Did I mention...

    I have a log full of these:

    127.0.0.1:3128    TCP:FA

    I ignore them.  Everything is working fine.

    Wouldn't it be nice if we could enter in a setting some place things to not log?
    Like TCP:FA, TCP:FPA etc, etc....  It would make the logs more meaningful.

    Maybe a regular expression filter as a package?  Devs?  Anyone...

    (I hear crickets chirping...)
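A way to answer the two questions raised above in one pass, the "are there any blocked SYNs, or is it only FIN/ACK noise?" check from the earlier reply and the "don't log TCP:FA" filter asked for in the last post, as an added example that is not code from the thread or from pfSense. It parses lines in the web-GUI display format the thread shows (`<date> <iface> <src>:<port> <dst>:<port> TCP:<flags>`), not the on-disk filter.log format, and the sample lines are constructed: the first three are the ones from the opening post, the rest are made up to exercise each branch. The idea is the one the linked doc page gives: a default-deny hit on a packet whose flags cannot open a connection (FA, PA, RA, R, ...) is a packet that arrived after pf had already dropped the state, whereas a blocked SYN on an inside interface that has a pass-any rule is the thing worth investigating.

```python
import re
from collections import Counter

# Constructed sample in the GUI display format shown in the thread. Lines 1-3 are
# the thread's own; the others are invented to show a LAN SYN block (the real
# problem case), a WAN SYN block (expected on default deny), and a UDP line.
SAMPLE_LOG = """\
Aug 30 09:10:15 LAN 192.168.1.8:45473 74.125.24.138:443 TCP:FA
Aug 30 09:10:24 LAN 192.168.1.8:45473 74.125.24.138:443 TCP:FA
Aug 30 09:10:40 LAN 192.168.1.8:45473 74.125.24.138:443 TCP:FA
Aug 30 09:11:02 LAN 192.168.1.8:45480 74.125.24.138:443 TCP:S
Aug 30 09:11:05 LAN 192.168.1.250:51000 127.0.0.1:3128 TCP:FA
Aug 30 09:11:09 WAN 203.0.113.7:4444 172.135.178.20:22 TCP:S
Aug 30 09:11:11 LAN 192.168.1.8:5353 224.0.0.251:5353 UDP
"""

# Matches the display format only; UDP lines carry no flags field.
LOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d)\s+"
    r"(?P<iface>\S+)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)\s+"
    r"(?P<proto>TCP|UDP)(?::(?P<flags>[A-Z]+))?$"
)

# TCP flag sets that cannot open a connection. A default-deny hit on one of these
# means the state was already gone (peer RST, timeout): normal pf behaviour.
STALE_STATE_FLAGS = {"A", "FA", "PA", "FPA", "R", "RA", "F", "FP"}


def parse(line):
    """Return a dict for one log line, or None if it is not in the expected format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    entry["sport"] = int(entry["sport"])
    entry["dport"] = int(entry["dport"])
    return entry


def classify(entry):
    """Label a blocked packet: handshake (SYN present), stale-state, other, or non-tcp."""
    if entry["proto"] != "TCP":
        return "non-tcp"
    flags = entry["flags"] or ""
    if "S" in flags:
        return "handshake"
    if flags in STALE_STATE_FLAGS:
        return "stale-state"
    return "other"


def triage(lines, inside_ifaces=("LAN",)):
    """Count each category and collect the entries worth a look: handshake blocks on an
    inside interface, where a pass-any rule says they should never appear."""
    counts = Counter()
    suspicious = []
    for line in lines:
        entry = parse(line)
        if entry is None:
            counts["unparsed"] += 1
            continue
        category = classify(entry)
        counts[category] += 1
        if category == "handshake" and entry["iface"] in inside_ifaces:
            suspicious.append(entry)
    return counts, suspicious


def noise_filter(lines, drop=("TCP:FA", "TCP:FPA", "TCP:A", "TCP:RA", "TCP:R")):
    """The regex filter the last post wishes for: keep every line except those that end
    in one of the dropped flag sets. Applied to text, so it works on an exported log."""
    pattern = re.compile(r"\s(?:" + "|".join(map(re.escape, drop)) + r")$")
    return [line for line in lines if not pattern.search(line.rstrip())]


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    counts, suspicious = triage(lines)
    print(dict(counts))
    for e in suspicious:
        print("look at:", e["ts"], e["iface"], e["src"], "->", f"{e['dst']}:{e['dport']}", e["flags"])
    print(len(noise_filter(lines)), "lines left after dropping stale-state noise")
```

On the constructed sample only the LAN `TCP:S` line is reported; the three `TCP:FA` lines from the opening post fall into the stale-state bucket, which is the outcome the "nothing to do with NAT" reply predicts. Run the same triage over a real export of the GUI log: if `suspicious` stays empty, the FA blocks are log noise; if LAN SYNs show up, the sticky/policy-routing theory deserves the packet captures the thread goes on to discuss.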

