PFsense is open to all traffic with no blocking rules… but is blocking traffic

fher98

Hello everyone,

Ok so last monday I installed my first PFSense which is completely open. This appliance is sitting in between a couple of routers my networn and the main firewall. I just have two rules in the FW ruleset, which are accept from every network to every network and port.  So if any client wants to connect to my mail server, has to go though my PFSense.

Suddenly, another network that  i see from one of this routers (which btw I dont control), cant send mail through my mail server.

Now, from what  it seems that they get cant send emails at random times. This is the log,

Jul 30 15:13:02 pfSense filterlog: 82,16777216,,1438284251,igb2_vlan2,match,pass,in,4,0x0,,125,15342,0,DF,6,tcp,52,172.23.21.184,10.5.2.5,51370,25,0,S,3819507109,,8192,,mss;nop;wscale;nop;nop;sackOK
Jul 30 15:13:03 pfSense filterlog: 5,16777216,,1000000103,igb2_vlan2,match,block,in,4,0x0,,125,57202,0,none,6,tcp,40,172.23.21.159,10.5.2.5,3220,25,0,R,2209770064,,0,,
Jul 30 15:13:03 pfSense filterlog: 5,16777216,,1000000103,igb2_vlan2,match,block,in,4,0x0,,125,57203,0,none,6,tcp,40,172.23.21.159,10.5.2.5,3220,25,0,R,2209770064,,0,,
Jul 30 15:13:03 pfSense filterlog: 5,16777216,,1000000103,igb2_vlan2,match,block,in,4,0x0,,125,57204,0,none,6,tcp,40,172.23.21.159,10.5.2.5,3220,25,0,R,2209770064,,0,,
Jul 30 15:13:04 pfSense filterlog: 5,16777216,,1000000103,igb2_vlan2,match,block,in,4,0x0,,125,57205,0,none,6,tcp,40,172.23.21.159,10.5.2.5,3220,25,0,R,2209770064,,0,,
Jul 30 15:13:04 pfSense filterlog: 82,16777216,,1438284251,igb2_vlan2,match,pass,in,4,0x0,,125,35926,0,DF,6,tcp,48,172.23.21.165,10.5.2.5,4077,110,0,S,3375867904,,65535,,mss;nop;nop;sackOK
Jul 30 15:13:05 pfSense filterlog: 82,16777216,,1438284251,igb2_vlan2,match,pass,in,4,0x0,,125,24421,0,DF,6,tcp,52,172.23.21.149,10.5.2.5,49576,110,0,S,2898739590,,8192,,mss;nop;wscale;nop;nop;sackOK
Jul 30 15:13:05 pfSense filterlog: 5,16777216,,1000000103,igb2_vlan2,match,block,in,4,0x0,,125,57206,0,none,6,tcp,40,172.23.21.159,10.5.2.5,3220,25,0,R,2209770064,,0,,
Jul 30 15:13:06 pfSense filterlog: 5,16777216,,1000000103,igb2_vlan2,match,block,in,4,0x0,,125,57209,0,none,6,tcp,40,172.23.21.159,10.5.2.5,3220,25,0,R,2209770064,,0,,
Jul 30 15:13:07 pfSense filterlog: 82,16777216,,1438284251,igb2_vlan2,match,pass,in,4,0x0,,125,25151,0,DF,6,tcp,52,172.23.21.86,10.5.2.5,50594,25,0,S,2841749723,,8192,,mss;nop;wscale;nop;nop;sackOK
Jul 30 15:13:10 pfSense filterlog: 5,16777216,,1000000103,igb2_vlan2,match,block,in,4,0x0,,125,57211,0,none,6,tcp,40,172.23.21.159,10.5.2.5,3220,25,0,R,2209770064,,0,,
Jul 30 15:07:04 pfSense filterlog: 5,16777216,,1000000103,igb2_vlan2,match,block,in,4,0x0,,125,56087,0,none,6,tcp,40,172.23.21.159,10.5.2.5,3142,25,0,R,3844173167,,0,,
Jul 30 15:07:08 pfSense filterlog: 82,16777216,,1438284251,igb2_vlan2,match,pass,in,4,0x0,,125,13875,0,DF,6,tcp,52,172.23.21.191,10.5.2.5,50378,110,0,S,3530525758,,8192,,mss;nop;wscale;nop;nop;sackOK
Jul 30 15:07:10 pfSense filterlog: 5,16777216,,1000000103,igb2_vlan2,match,block,in,4,0x0,,64,0,0,DF,6,tcp,48,10.4.0.4,172.23.21.174,8080,3195,0,SA,1883831569,1073661824,5840,,mss;nop;nop;sackOK

Ok, so I just read the log format, my question if why Im blocking this traffic?

thanks

Derelict

Post your rules and interface configs.  Pay particular attention to the block private and block bogon checkboxes on the interfaces.

If you click on the red X in the firewall log it will tell you what rule blocked it. If it's hitting default deny that means it wasn't passed by the rules on the interface it came in on.

On my system rule 1000000103 is default deny IPv4 so we need to look at your rules.

fher98

@Derelict:

Post your rules and interface configs.  Pay particular attention to the block private and block bogon checkboxes on the interfaces.

If you click on the red X in the firewall log it will tell you what rule blocked it. If it's hitting default deny that means it wasn't passed by the rules on the interface it came in on.

On my system rule 1000000103 is default deny IPv4 so we need to look at your rules.

Thanks for the reply Derelict, is this the information you need?

set optimization normal
set limit states 812000
set limit src-nodes 812000

#System aliases

loopback = "{ lo0 }"
WAN = "{ igb0 }"
LAN = "{ igb1 }"
VLANS = "{ igb2 }"
MINIZONA9 = "{ igb2_vlan2 }"
SERVERSINTERNOS = "{ igb2_vlan3 }"
MUNI = "{ igb2_vlan4 }"

#SSH Lockout Table
table <sshlockout>persist
table <webconfiguratorlockout>persist
#Snort tables
table <snort2c>table <virusprot>table <bogons>persist file "/etc/bogons"
table <negate_networks># User Aliases

Gateways

GWGW_WAN = " route-to ( igb0 10.5.3.1 ) "

set loginterface igb1

set skip on pfsync0

scrub on $WAN all    fragment reassemble
scrub on $LAN all    fragment reassemble
scrub on $VLANS all    fragment reassemble
scrub on $MINIZONA9 all    fragment reassemble
scrub on $SERVERSINTERNOS all    fragment reassemble
scrub on $MUNI all    fragment reassemble

no nat proto carp
no rdr proto carp
nat-anchor "natearly/"
nat-anchor "natrules/"

Outbound NAT rules are disabled

Load balancing anchor

rdr-anchor "relayd/*"

TFTP proxy

rdr-anchor "tftp-proxy/*"

UPnPd rdr anchor

rdr-anchor "miniupnpd"

anchor "relayd/"
anchor "openvpn/"
anchor "ipsec/*"

block IPv4 link-local. Per RFC 3927, link local "MUST NOT" be forwarded by a routing device,

and clients "MUST NOT" send such packets to a router. FreeBSD won't route 169.254./16, but

route-to can override that, causing problems such as in redmine #2073

block in log quick from 169.254.0.0/16 to any tracker 1000000101 label "Block IPv4 link-local"
block in log quick from any to 169.254.0.0/16 tracker 1000000102 label "Block IPv4 link-local"
#–-------------------------------------------------------------------------

default deny rules

#---------------------------------------------------------------------------
block in log inet all tracker 1000000103 label "Default deny rule IPv4"
block out log inet all tracker 1000000104 label "Default deny rule IPv4"
block in log inet6 all tracker 1000000105 label "Default deny rule IPv6"
block out log inet6 all tracker 1000000106 label "Default deny rule IPv6"

IPv6 ICMP is not auxilary, it is required for operation

See man icmp6(4)

1    unreach        Destination unreachable

2    toobig          Packet too big

128  echoreq        Echo service request

129  echorep        Echo service reply

133  routersol      Router solicitation

134  routeradv      Router advertisement

135  neighbrsol      Neighbor solicitation

136  neighbradv      Neighbor advertisement

pass  quick inet6 proto ipv6-icmp from any to any icmp6-type {1,2,135,136} tracker 1000000107 keep state

Allow only bare essential icmpv6 packets (NS, NA, and RA, echoreq, echorep)

pass out  quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type {129,133,134,135,136} tracker 1000000108 keep state
pass out  quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type {129,133,134,135,136} tracker 1000000109 keep state
pass in  quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type {128,133,134,135,136} tracker 1000000110 keep state
pass in  quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type {128,133,134,135,136} tracker 1000000111 keep state
pass in  quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type {128,133,134,135,136} tracker 1000000112 keep state

We use the mighty pf, we cannot be fooled.

block log quick inet proto { tcp, udp } from any port = 0 to any tracker 1000000113
block log quick inet proto { tcp, udp } from any to any port = 0 tracker 1000000114
block log quick inet6 proto { tcp, udp } from any port = 0 to any tracker 1000000115
block log quick inet6 proto { tcp, udp } from any to any port = 0 tracker 1000000116

Snort package

block log quick from <snort2c>to any tracker 1000000117 label "Block snort2c hosts"
block log quick from any to <snort2c>tracker 1000000118 label "Block snort2c hosts"

SSH lockout

block in log quick proto tcp from <sshlockout>to (self) port 22 tracker 1000000301 label "sshlockout"

webConfigurator lockout

block in log quick proto tcp from <webconfiguratorlockout>to (self) port 443 tracker 1000000351 label "webConfiguratorlockout"
block in log quick from <virusprot>to any tracker 1000000400 label "virusprot overload table"
antispoof log for $WAN tracker 1000001570
antispoof log for $LAN tracker 1000002620

allow access to DHCPv6 server on LAN

We need inet6 icmp for stateless autoconfig and dhcpv6

pass  quick on $LAN inet6 proto udp from fe80::/10 to fe80::/10 port = 546 tracker 1000002651 label "allow access to DHCPv6 server"
pass  quick on $LAN inet6 proto udp from fe80::/10 to ff02::/16 port = 546 tracker 1000002652 label "allow access to DHCPv6 server"
pass  quick on $LAN inet6 proto udp from fe80::/10 to ff02::/16 port = 547 tracker 1000002653 label "allow access to DHCPv6 server"
pass  quick on $LAN inet6 proto udp from ff02::/16 to fe80::/10 port = 547 tracker 1000002654 label "allow access to DHCPv6 server"
antispoof log for $MINIZONA9 tracker 1000004720
antispoof log for $SERVERSINTERNOS tracker 1000005770

loopback

pass in  on $loopback inet all tracker 1000006861 label "pass IPv4 loopback"
pass out  on $loopback inet all tracker 1000006862 label "pass IPv4 loopback"
pass in  on $loopback inet6 all tracker 1000006863 label "pass IPv6 loopback"
pass out  on $loopback inet6 all tracker 1000006864 label "pass IPv6 loopback"

let out anything from the firewall host itself and decrypted IPsec traffic

pass out  inet all keep state allow-opts tracker 1000006865 label "let out anything IPv4 from firewall host itself"
pass out  inet6 all keep state allow-opts tracker 1000006866 label "let out anything IPv6 from firewall host itself"
pass out  route-to ( igb0 10.5.3.1 ) from 10.5.3.2 to !10.5.3.0/24 tracker 1000006961 keep state allow-opts label "let out anything from firewall host itself"

make sure the user cannot lock himself out of the webConfigurator or SSH

pass in  quick on igb1 proto tcp from any to (igb1) port { 443 80 22 } tracker 1000007271 keep state label "anti-lockout rule"

User-defined rules follow

anchor "userrules/*"
pass  in  quick  on $WAN reply-to ( igb0 10.5.3.1 ) inet proto icmp  from any to any tracker 1437688727 keep state  label "USER_RULE"
pass  in  quick  on $WAN reply-to ( igb0 10.5.3.1 ) inet proto { tcp udp }  from any to any tracker 1438037171 keep state  label "USER_RULE"
pass  in  quick  on $LAN inet from 10.0.4.0/24 to any tracker 0100000101 keep state  label "USER_RULE: Default allow LAN to any rule"

at the break! label "USER_RULE: Default allow LAN IPv6 to any rule"

pass  in log  quick  on $MINIZONA9 inet proto tcp  from 172.23.21.0/24 to any tracker 1438284251 flags S/SA keep state  label "USER_RULE: Log de correos desde muni"
pass  in  quick  on $MINIZONA9 inet proto { tcp udp }  from any to any tracker 1437687876 keep state  label "USER_RULE"
pass  in  quick  on $MINIZONA9 inet proto icmp  from any to any tracker 1437688848 keep state  label "USER_RULE"

VPN Rules

anchor "tftp-proxy/*"</virusprot></webconfiguratorlockout></sshlockout></snort2c></snort2c></negate_networks></bogons></virusprot></snort2c></webconfiguratorlockout></sshlockout>

doktornotor

Dude, can't you just produce a damned screenshot, instead of this unreadable mess?

P.S. If you do not want packet filtering, move to System - Advanced - Firewall/NAT and tick "Disable Firewall". Not really sure what's a point of a box sitting "in between of couple of routers" on a network passing everything.

fher98

Also I took a look at the interafaces bogon and private lock, and they are unchecked.

thanks, sorry for the trouble.

fher98

@doktornotor:

Dude, can't you just produce a damned screenshot, instead of this unreadable mess?

P.S. If you do not want packet filtering, move to System - Advanced - Firewall/NAT and tick "Disable Firewall". Not really sure what's a point of a box sitting "in between of couple of routers" on a network passing everything.

Sorry man, im more used to text than pretty BUIs.

Derelict

pass  in log  quick  on $MINIZONA9 inet proto tcp  from 172.23.21.0/24 to any tracker 1438284251 flags S/SA keep state  label "USER_RULE: Log de correos desde muni"
pass  in  quick  on $MINIZONA9 inet proto { tcp udp }  from any to any tracker 1437687876 keep state  label "USER_RULE"
pass  in  quick  on $MINIZONA9 inet proto icmp  from any to any tracker 1437688848 keep state  label "USER_RULE"

Look at your rules on MINIZONA9.

If you want to pass any traffic, then make a rule that passes any traffic.

IPv4, protocol any source any dest any

And delete everything else.  Why mess around with tcp, S/SA, udp, etc?

fher98

doktornotor

Ok so here are the screenshots.

Derelict

As you can see the rule to pass all traffic on MINIZONA9 exists. Actually the problem is that sometimes email clients can connect and send/recieve emails, but next minute they cant.

doktornotor

I meant the screenshot of the firewall log in human readable view.

Derelict

If it were me I would get rid of all the rules on MINIZONA9

The make one rule:

IPv4, protocol any source any dest any

Again, if you want to pass everything, then pass everything.

I don't like that logging rule at the top either.  I don't know why that log rule is limited to S/SA but I rarely look at the raw pf config. It might be perfectly normal.

ETA: I guess it's normal to have flags S/SA on a tcp-only rule.

cmb

Allow all isn't "allow all" on stateful firewalls, it's allow all new connections. Looks like you have asymmetric routing there somewhere, what's being blocked is traffic that isn't going through the firewall in both directions. If you really just want to allow everything, disable the packet filter as doktornotor suggested.