Netgate Discussion Forum
    Firewall Rules issue?

chaos777b:

While trying to get Back to My Mac to work I set up a rule (for testing) to allow all traffic from 17.0.0.0/8.
What I'm seeing in the firewall log files is that incoming traffic from 17.0.0.0/8 is still being blocked when the Back to My Mac session is trying to connect.
My allow rule is set up as IPv4 * 17.0.0.0/8 * 24.10.24.104 * * none
See the attached screenshots.

Any ideas?
[Attachments: WanRules.png, FirewallLogs.png]

phil.davis:

Those are TCP:R (RST) reset packets. Normally packets should either match an existing state, or be a TCP:S (SYN) packet that is starting a connection. For SYN packets the firewall checks the rules and passes them if allowed, setting up a state record that will be used to match reply packets.
If a state has already timed out or been ended by the other side, and then a stray/late packet is received from the outside world, it is going to be blocked by the firewall; the pass rule would only apply to an incoming SYN packet.
As long as the application is running happily, these sorts of firewall blocks are no problem, just bits of leftover traffic at the end of sessions.

        As the Greek philosopher Isosceles used to say, "There are 3 sides to every triangle."
        If I helped you, then help someone else - buy someone a gift from the INF catalog http://secure.inf.org/gifts/usd/

johnpoz (LAYER 8 Global Moderator):

Curious, why would Apple be generating unsolicited traffic to you? I don't really understand what you're wanting to accomplish with that rule.

          An intelligent man is sometimes forced to be drunk to spend time with his fools
          If you get confused: Listen to the Music Play
          Please don't Chat/PM me for help, unless mod related
          SG-4860 24.11 | Lab VMs 2.8, 24.11

phil.davis:

            Yes, as Johnpoz says, there should not be any incoming TCP:SYN from Apple trying to start a connection back to you. All the connections should be initiated from Apple devices at your end to their servers.
            But the OP does say "(for testing)" and sometimes anything is fun to try while thinking of what to do next to get communication happening.


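The state-tracking behaviour phil.davis describes (a non-SYN packet is passed only if it matches an existing state; a stray RST arriving after the state has expired is blocked and logged as TCP:R) and johnpoz's point that the test rule would pass any unsolicited SYN from 17.0.0.0/8, as an added example that is not part of the thread and not pfSense or pf code. It is a toy model in Python: the idle timeout, the peer addresses, ports and timings are constructed for the illustration and do not reflect pf's real state timers; only the 17.0.0.0/8 prefix and the 24.10.24.104 WAN address come from the post.

```python
import ipaddress
from dataclasses import dataclass

# Addresses from the thread: Apple's 17.0.0.0/8 and the poster's WAN address.
# Peer hosts, ports, timings and the idle timeout below are constructed.
LOCAL_WAN_IP = "24.10.24.104"
APPLE_NET = "17.0.0.0/8"


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str   # TCP flag letters as pf logs them: S, A, F, R, P (e.g. "SA")
    t: float     # arrival time in seconds


@dataclass(frozen=True)
class PassRule:
    """WAN pass rule 'IPv4 * <src_net> * <dst_ip> * *': any protocol, any ports."""
    src_net: str
    dst_ip: str

    def matches(self, pkt: Packet) -> bool:
        return (ipaddress.ip_address(pkt.src) in ipaddress.ip_network(self.src_net)
                and pkt.dst == self.dst_ip)


class StatefulFirewall:
    """Toy model of pf state tracking (assumed idle timeout, not pf's real timers)."""

    def __init__(self, wan_rules, state_timeout=60.0):
        self.wan_rules = list(wan_rules)
        self.state_timeout = state_timeout
        self.states = {}   # 4-tuple of the packet that created the state -> last-seen time
        self.blocked = []  # log of blocked inbound packets: (t, "TCP:<flags>", src, dst)

    @staticmethod
    def _fwd(pkt):
        return (pkt.src, pkt.sport, pkt.dst, pkt.dport)

    @staticmethod
    def _rev(pkt):
        return (pkt.dst, pkt.dport, pkt.src, pkt.sport)

    def _expire(self, now):
        self.states = {k: seen for k, seen in self.states.items()
                       if now - seen <= self.state_timeout}

    def _state_for(self, pkt):
        for key in (self._fwd(pkt), self._rev(pkt)):
            if key in self.states:
                return key
        return None

    def lan_out(self, pkt: Packet) -> str:
        """An inside host opens a connection (LAN default pass assumed): create state."""
        self._expire(pkt.t)
        self.states[self._fwd(pkt)] = pkt.t
        return "pass:state-created"

    def wan_in(self, pkt: Packet) -> str:
        """Inbound on WAN: an existing state wins; otherwise only a SYN consults the rules."""
        self._expire(pkt.t)
        key = self._state_for(pkt)
        if key is not None:
            if "R" in pkt.flags:           # peer tears the connection down
                del self.states[key]
                return "pass:state-closed"
            self.states[key] = pkt.t       # refresh the idle timer
            return "pass:state"
        if "S" in pkt.flags and "A" not in pkt.flags:
            for rule in self.wan_rules:
                if rule.matches(pkt):
                    self.states[self._fwd(pkt)] = pkt.t
                    return "pass:rule"
        # No state, and either not a SYN or no matching rule: default deny, logged.
        self.blocked.append((pkt.t, "TCP:" + pkt.flags, pkt.src, pkt.dst))
        return "block"


def back_to_my_mac_scenario():
    """Replays the thread's situation; returns the verdict list and the block log."""
    fw = StatefulFirewall([PassRule(APPLE_NET, LOCAL_WAN_IP)], state_timeout=60.0)
    peer, lport, pport = "17.1.2.3", 50000, 443   # constructed Apple-side endpoint
    verdicts = [
        fw.lan_out(Packet(LOCAL_WAN_IP, lport, peer, pport, "S", 0.0)),    # Mac connects out
        fw.wan_in(Packet(peer, pport, LOCAL_WAN_IP, lport, "SA", 0.1)),    # reply matches state
        fw.wan_in(Packet(peer, pport, LOCAL_WAN_IP, lport, "R", 200.0)),   # late RST, state gone
        fw.wan_in(Packet("17.9.9.9", 40000, LOCAL_WAN_IP, 5353, "S", 201.0)),     # unsolicited SYN: rule passes it
        fw.wan_in(Packet("198.51.100.7", 40000, LOCAL_WAN_IP, 22, "S", 202.0)),   # no rule: blocked
    ]
    return verdicts, fw.blocked


if __name__ == "__main__":
    verdicts, blocked = back_to_my_mac_scenario()
    for v in verdicts:
        print(v)
    for entry in blocked:
        print("blocked", entry)
```

The third verdict is the situation in the screenshots: the RST arrives after the state is gone, it is not a SYN, so the pass rule is never consulted and the packet is logged as a TCP:R block even though its source is inside 17.0.0.0/8. The fourth verdict shows what the test rule does do: it opens the WAN to any new connection from that /8, which is why the rule achieves nothing for an outbound-initiated service and should be removed once testing is over.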
            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.