Netgate Discussion Forum
    Firewall default block rule firing for Netflix - Google Fiber IP addresses

    Firewalling
    4 Posts 3 Posters 5.9k Views
    qasimchadhar

      Seeing a lot of this

      Act Time           If Source           Destination         Proto
      x  Feb 18 21:38:05 LAN 192.168.0.207:47810  216.21.170.100:80 TCP:PA

      Rule being fired is block/1000000118

      216.21.170.10 resolves on who.is as follows:
      Google Fiber Inc. GOOGLE-FIBER (NET-216-21-160-0-1) 216.21.160.0 - 216.21.175.255
      Netflix Streaming Services Inc. NETFLIX-CACHE (NET-216-21-170-96-1) 216.21.170.96 - 216.21.170.111

      So I guess it's a list of caching servers set up between Google and Netflix. I even set up a LAN outbound policy to allow all but saw no success in doing that. Anyone else see this?

      Here's what I've tried so far:

      Firewall rule is already set to allow port 80 both ways.
      Set outbound policy to allow all.
      Was worried SQUID3 was causing the issue so disabled and then uninstalled it.

      Seeing similar behavior on my Xbox for which I have a UPNP allow all rule.

      Only thing I haven't done is allow all Google & Netflix IPs through the firewall, but that wouldn't be a productive solution.

      Any suggestions will be greatly appreciated.

      P.S. I did search through the forums and didn't find anything different than what I have already tried.

      qasimchadhar

        Ok so the rule turns out to be snort, not default block. It's
        Block drop log quick from any to <snort2c:0> label "Block snort2c hosts"
        I think snort2c is the snort-to-pfSense script which is enabled by the following option:
        Send Alerts to System Logs: Snort will send Alerts to the firewall's system l

        Please correct me if I'm wrong.

        I will disable this option and see if that resolves the issue. Then it's a matter of digging through snort rules to find out which rule caused the issue.

        Harvy66

          You don't see ACK packets without a SYN packet, and a SYN means the state was created. More than likely, it's an out of state packet. But it could be snort somehow.

          bmeeks

            I have seen some false positives on Netflix streams with Snort.  I disabled that particular rule.  You can either disable or suppress the rule by GID:SID.  You can see which one by looking in Snort on the ALERTS tab.

            Bill

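As an added example (not from this thread, pfSense or Snort), a small Python helper that parses firewall-log rows in the layout quoted in the first post, checks each blocked destination against the who.is ranges the poster listed, and flags TCP blocks whose flags carry no SYN as mid-stream drops, which is the out-of-state case Harvy66 describes as distinct from a Snort block. The sample rows and the LOG_RE column layout are assumptions, not pfSense's own log format.

```python
import ipaddress
import re

# Constructed sample rows in the layout quoted in the thread:
# act, time, interface, source:port, destination:port, proto:flags.
SAMPLE_LOG = """\
x  Feb 18 21:38:05 LAN 192.168.0.207:47810  216.21.170.100:80 TCP:PA
x  Feb 18 21:38:09 LAN 192.168.0.207:47811  216.21.170.101:80 TCP:S
x  Feb 18 21:39:12 LAN 192.168.0.50:51000   198.51.100.7:443 TCP:PA
"""

# Ranges quoted from the who.is lookup in the first post. The Netflix cache
# range sits inside the Google Fiber allocation, so it is listed first and
# wins on the most-specific match.
RANGES = {
    "NETFLIX-CACHE": ("216.21.170.96", "216.21.170.111"),
    "GOOGLE-FIBER": ("216.21.160.0", "216.21.175.255"),
}

LOG_RE = re.compile(
    r"^(?P<act>\S+)\s+(?P<time>\w{3} \d{1,2} \d\d:\d\d:\d\d)\s+(?P<iface>\S+)\s+"
    r"(?P<src>\S+):(?P<sport>\d+)\s+(?P<dst>\S+):(?P<dport>\d+)\s+"
    r"(?P<proto>\w+):(?P<flags>\w+)$"
)


def networks_for(first, last):
    """Collapse an inclusive first-last address range into CIDR networks."""
    return list(ipaddress.summarize_address_range(
        ipaddress.ip_address(first), ipaddress.ip_address(last)))


NETS = {name: networks_for(*bounds) for name, bounds in RANGES.items()}


def classify(line):
    """Return owner and stream-state hints for one log row, or None if unparsable."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    dst = ipaddress.ip_address(m["dst"])
    owner = next((name for name, nets in NETS.items()
                  if any(dst in net for net in nets)), "other")
    # A blocked TCP packet without SYN was not a new connection attempt; pf is
    # dropping a packet of an existing flow, so either the state entry is gone
    # or a table such as snort2c started matching after the flow was set up.
    mid_stream = m["proto"] == "TCP" and "S" not in m["flags"]
    return {"dst": str(dst), "dport": int(m["dport"]),
            "owner": owner, "mid_stream": mid_stream}


def classify_log(text):
    return [row for row in (classify(l) for l in text.splitlines()) if row]
```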
            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.