Some traffic blocked with explicit port forward

  • I'm trying to determine the source of some unexpected behaviour regarding port forwarding and traffic being logged as blocked by the firewall. I had set up an alias combining several ports to forward to my internal server, but I continued to see those ports show up in my firewall as being blocked by the default rule, though some connections are still being made to the internal server. I took the following steps to try to resolve the issue:

    • I turned off logging of traffic blocked by the default rule after reading that some traffic listed as blocked by that rule are redundant packets
    • I created a new rule to reject all traffic and placed it last in the rules list
    • I deleted the rules which used the alias and explicitly forwarded each port

    I'm still seeing traffic logged with my custom rule:

    @114 block return in log quick on em0 reply-to (em0 x.x.x.x) inet all label "USER_RULE: Default Reject Rule"

    however, not all traffic is being blocked, as my server still seems to be accepting connections.

    Any ideas?

  • LAYER 8 Global Moderator

    Post the rules and then maybe we might..

  • Port forward:
    If   Proto  Src. addr  Src. ports  Dest. addr   Dest. ports  NAT IP   NAT Ports  Description
    WAN  TCP    *          *           WAN address  8321         x.x.x.x  8321

    Proto     Source  Port  Destination  Port  Gateway  Queue  Schedule  Description
    IPv4 TCP  *       *     x.x.x.x      8321  *        none             NAT
    IPv4 *    *       *     *            *     *        none             Default Reject Rule

    Server's VLAN
    Proto   Source       Port  Destination         Port  Gateway  Queue  Schedule
    IPv4 *  VLAN248 net  *     ! Private_Networks  *     *        none

    No other block rules are in place, and my server has connections established on 8321. I'm just confused as to why some packets are getting blocked and are apparently not being forwarded. It also seems like several in a row from the same source IP will be blocked, as opposed to a random selection of packets, but I have nothing in place to block any specific addresses.

    edited for formatting

  • LAYER 8 Global Moderator

    I thought there were more rules than this – so it's possible other rules are doing something; without your full rule list it's hard to say. That looks normal for a forward, yes.

    And what traffic is being blocked - are they SYN packets for new connections to that port? It's quite normal to see blocked packets in a stateful firewall even to ports you're forwarding, depending on the STATE of the session.
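    Taking up the moderator's question about which packets are actually being blocked, here is an added example (not from the thread) that sorts blocked TCP entries from a pfSense filter log by their TCP flags: a lone SYN is a refused new connection, while ACK/FIN/PSH/RST-only packets are stragglers arriving after the state table entry was gone, which a stateful firewall drops even for a forwarded port. The sample log lines are constructed, and the field order assumed is pfSense's filterlog CSV layout for IPv4/TCP with the syslog prefix stripped.

```python
import csv
from typing import Dict, List

# Constructed sample filterlog entries (not from the thread). Field order assumed:
# rule,subrule,anchor,tracker,iface,reason,action,dir,ipver,tos,ecn,ttl,id,offset,
# flags,proto-id,proto,length,src,dst,sport,dport,datalen,tcpflags,seq,ack,win,urg,opts
SAMPLE_LOG = """\
114,,,1000000199,em0,match,block,in,4,0x0,,52,12345,0,DF,6,tcp,40,203.0.113.10,198.51.100.5,51000,8321,0,A,1111,2222,65535,,
114,,,1000000199,em0,match,block,in,4,0x0,,52,12346,0,DF,6,tcp,40,203.0.113.10,198.51.100.5,51000,8321,0,FA,1112,2222,65535,,
114,,,1000000199,em0,match,block,in,4,0x0,,52,12347,0,DF,6,tcp,40,203.0.113.10,198.51.100.5,51000,8321,0,PA,1113,2222,65535,,
114,,,1000000199,em0,match,block,in,4,0x0,,52,777,0,DF,6,tcp,60,203.0.113.44,198.51.100.5,40000,8321,0,S,9999,,64240,,mss;sackOK
114,,,1000000199,em0,match,block,in,4,0x0,,52,778,0,DF,6,tcp,40,203.0.113.44,198.51.100.5,40000,8322,0,S,9999,,64240,,mss
"""


def parse_filterlog(log_text: str) -> List[Dict[str, str]]:
    """Parse IPv4 filterlog CSV lines into dicts; TCP port/flag fields only for tcp."""
    records = []
    # csv.reader is used because the trailing options field contains ';' but no ','
    for row in csv.reader(log_text.splitlines()):
        if len(row) < 20 or row[8] != "4":
            continue  # only IPv4 entries are handled in this example
        rec = {"rule": row[0], "iface": row[4], "action": row[6], "dir": row[7],
               "proto": row[16], "src": row[18], "dst": row[19]}
        if rec["proto"] == "tcp" and len(row) >= 24:
            rec.update(sport=row[20], dport=row[21], flags=row[23])
        records.append(rec)
    return records


def classify_blocked_tcp(log_text: str) -> Dict[str, List[str]]:
    """Split blocked TCP entries into fresh SYNs (a genuine refusal worth
    investigating) and non-SYN packets (out-of-state, expected noise)."""
    out: Dict[str, List[str]] = {"syn_new_connection": [], "out_of_state": []}
    for r in parse_filterlog(log_text):
        if r["action"] != "block" or r["proto"] != "tcp":
            continue
        desc = f'{r["src"]}:{r["sport"]} -> {r["dst"]}:{r["dport"]} [{r["flags"]}]'
        key = "syn_new_connection" if r["flags"] == "S" else "out_of_state"
        out[key].append(desc)
    return out


if __name__ == "__main__":
    for category, entries in classify_blocked_tcp(SAMPLE_LOG).items():
        print(f"{category}: {len(entries)}")
        for e in entries:
            print("  ", e)
```

    Run against a real export of the filter log, only the SYN bucket for the forwarded port points at a rule problem; the out-of-state bucket is the redundant traffic the first post mentions.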

