Firewall default block rule firing for Netflix - Google Fiber IP addresses



  • Seeing a lot of this

    Act Time           If Source           Destination         Proto
    x  Feb 18 21:38:05 LAN 192.168.0.207:47810  216.21.170.100:80 TCP:PA

    Rule being fired is block/1000000118

    216.21.170.10 resolves on who.is as follows:
    Google Fiber Inc. GOOGLE-FIBER (NET-216-21-160-0-1) 216.21.160.0 - 216.21.175.255
    Netflix Streaming Services Inc. NETFLIX-CACHE (NET-216-21-170-96-1) 216.21.170.96 - 216.21.170.111

    So I guess it's a list of caching servers set up between Google and Netflix. I even set up a LAN outbound policy to allow all but saw no success in doing that. Anyone else see this?

    Here's what I've tried so far:

    Firewall rule is already set to allow port 80 both ways.
    Set outbound policy to allow all.
    Was worried SQUID3 was causing the issue so disabled and then uninstalled it.

    Seeing similar behavior on my Xbox for which I have a UPNP allow all rule.

    Only thing I haven't done is allow all Google & Netflix IPs through the firewall, but that wouldn't be a productive solution.

    Any suggestions will be greatly appreciated.

    P.S. I did search through the forums and didn't find anything different than what I have already tried.



  • Ok so the rule turns out to be snort, not default block. It's
    block drop log quick from any to <snort2c:0> label "block snort2c hosts"
    I think snort2c is the snort to pfsense script which is enabled by the following option:
    Send Alerts to System Logs Snort will send Alerts to the firewall's system l

    Please correct me if I'm wrong.

    I will disable this option and see if that resolves the issue. Then it's a matter of digging through snort rules to find out which rule caused the issue.



  • You don't see ACK packets without a SYN packet, and a SYN means the state was created. More than likely, it's an out of state packet. But it could be snort somehow.



  • I have seen some false positives on Netflix streams with Snort.  I disabled that particular rule.  You can either disable or suppress the rule by GID:SID.  You can see which one by looking in Snort on the ALERTS tab.

    Bill
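The thread leaves the poster with two candidate causes for the logged drops: the host landed in Snort's snort2c table, or the packet was a non-SYN segment with no matching state. The triage script below is an added example, not code from the thread or from pfSense; it parses constructed rows in the layout of the first post's log table together with a constructed `pfctl -t snort2c -T show` listing, checks each destination against the whois ranges quoted above, and labels the likely cause of each block.

```python
import ipaddress
import re

# Constructed sample of `pfctl -t snort2c -T show` output (hypothetical, not from the thread).
SNORT2C_TABLE = "   10.0.0.5\n   216.21.170.100\n"

# Constructed rows in the layout of the first post's firewall log table.
LOG_ROWS = """x  Feb 18 21:38:05 LAN 192.168.0.207:47810  216.21.170.100:80 TCP:PA
x  Feb 18 21:38:07 LAN 192.168.0.207:47811  216.21.170.102:443 TCP:PA
x  Feb 18 21:39:00 LAN 192.168.0.50:51000  93.184.216.34:80 TCP:S
"""

# Address ranges quoted from whois in the first post, as CIDR.
OWNERS = {
    "Netflix cache": ipaddress.ip_network("216.21.170.96/28"),  # .96 - .111
    "Google Fiber": ipaddress.ip_network("216.21.160.0/20"),    # .160.0 - .175.255
}

ROW_RE = re.compile(r"^\S+\s+(\w{3} +\d+ [\d:]+)\s+(\S+)\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+)$")

def parse_table(text):
    """Addresses listed by `pfctl -t snort2c -T show`, one per line."""
    return {ipaddress.ip_address(l.strip()) for l in text.splitlines() if l.strip()}

def owner_of(addr):
    return next((name for name, net in OWNERS.items() if addr in net), "other")

def classify(log_text, table_text):
    """Label each blocked row with the most likely reason pf dropped it."""
    table = parse_table(table_text)
    results = []
    for line in log_text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        ts, iface, src, sport, dst, dport, proto = m.groups()
        d = ipaddress.ip_address(dst)
        tcp_flags = proto.split(":", 1)[1] if proto.startswith("TCP:") else ""
        if d in table:
            cause = "snort2c"        # host sits in Snort's block-offenders table
        elif tcp_flags and "S" not in tcp_flags:
            cause = "out-of-state"   # non-SYN packet that matched no state entry
        else:
            cause = "other"
        results.append({"time": ts, "iface": iface, "src": f"{src}:{sport}",
                        "dst": f"{dst}:{dport}", "owner": owner_of(d), "cause": cause})
    return results
```

A "snort2c" result points at the Snort alert (find it on the ALERTS tab and suppress by GID:SID); an "out-of-state" result points at the state table instead, so suppressing a rule would not help.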