PFsense is open to all traffic with no blocking rules… but is blocking traffic
-
Hello everyone,
Ok so last monday I installed my first PFSense which is completely open. This appliance is sitting in between a couple of routers my networn and the main firewall. I just have two rules in the FW ruleset, which are accept from every network to every network and port. So if any client wants to connect to my mail server, has to go though my PFSense.
Suddenly, another network that i see from one of this routers (which btw I dont control), cant send mail through my mail server.
Now, from what it seems that they get cant send emails at random times. This is the log,
Jul 30 15:13:02 pfSense filterlog: 82,16777216,,1438284251,igb2_vlan2,match,pass,in,4,0x0,,125,15342,0,DF,6,tcp,52,172.23.21.184,10.5.2.5,51370,25,0,S,3819507109,,8192,,mss;nop;wscale;nop;nop;sackOK
Jul 30 15:13:03 pfSense filterlog: 5,16777216,,1000000103,igb2_vlan2,match,block,in,4,0x0,,125,57202,0,none,6,tcp,40,172.23.21.159,10.5.2.5,3220,25,0,R,2209770064,,0,,
Jul 30 15:13:03 pfSense filterlog: 5,16777216,,1000000103,igb2_vlan2,match,block,in,4,0x0,,125,57203,0,none,6,tcp,40,172.23.21.159,10.5.2.5,3220,25,0,R,2209770064,,0,,
Jul 30 15:13:03 pfSense filterlog: 5,16777216,,1000000103,igb2_vlan2,match,block,in,4,0x0,,125,57204,0,none,6,tcp,40,172.23.21.159,10.5.2.5,3220,25,0,R,2209770064,,0,,
Jul 30 15:13:04 pfSense filterlog: 5,16777216,,1000000103,igb2_vlan2,match,block,in,4,0x0,,125,57205,0,none,6,tcp,40,172.23.21.159,10.5.2.5,3220,25,0,R,2209770064,,0,,
Jul 30 15:13:04 pfSense filterlog: 82,16777216,,1438284251,igb2_vlan2,match,pass,in,4,0x0,,125,35926,0,DF,6,tcp,48,172.23.21.165,10.5.2.5,4077,110,0,S,3375867904,,65535,,mss;nop;nop;sackOK
Jul 30 15:13:05 pfSense filterlog: 82,16777216,,1438284251,igb2_vlan2,match,pass,in,4,0x0,,125,24421,0,DF,6,tcp,52,172.23.21.149,10.5.2.5,49576,110,0,S,2898739590,,8192,,mss;nop;wscale;nop;nop;sackOK
Jul 30 15:13:05 pfSense filterlog: 5,16777216,,1000000103,igb2_vlan2,match,block,in,4,0x0,,125,57206,0,none,6,tcp,40,172.23.21.159,10.5.2.5,3220,25,0,R,2209770064,,0,,
Jul 30 15:13:06 pfSense filterlog: 5,16777216,,1000000103,igb2_vlan2,match,block,in,4,0x0,,125,57209,0,none,6,tcp,40,172.23.21.159,10.5.2.5,3220,25,0,R,2209770064,,0,,
Jul 30 15:13:07 pfSense filterlog: 82,16777216,,1438284251,igb2_vlan2,match,pass,in,4,0x0,,125,25151,0,DF,6,tcp,52,172.23.21.86,10.5.2.5,50594,25,0,S,2841749723,,8192,,mss;nop;wscale;nop;nop;sackOK
Jul 30 15:13:10 pfSense filterlog: 5,16777216,,1000000103,igb2_vlan2,match,block,in,4,0x0,,125,57211,0,none,6,tcp,40,172.23.21.159,10.5.2.5,3220,25,0,R,2209770064,,0,,
Jul 30 15:07:04 pfSense filterlog: 5,16777216,,1000000103,igb2_vlan2,match,block,in,4,0x0,,125,56087,0,none,6,tcp,40,172.23.21.159,10.5.2.5,3142,25,0,R,3844173167,,0,,
Jul 30 15:07:08 pfSense filterlog: 82,16777216,,1438284251,igb2_vlan2,match,pass,in,4,0x0,,125,13875,0,DF,6,tcp,52,172.23.21.191,10.5.2.5,50378,110,0,S,3530525758,,8192,,mss;nop;wscale;nop;nop;sackOK
Jul 30 15:07:10 pfSense filterlog: 5,16777216,,1000000103,igb2_vlan2,match,block,in,4,0x0,,64,0,0,DF,6,tcp,48,10.4.0.4,172.23.21.174,8080,3195,0,SA,1883831569,1073661824,5840,,mss;nop;nop;sackOKOk, so I just read the log format, my question if why Im blocking this traffic?
thanks
-
Post your rules and interface configs. Pay particular attention to the block private and block bogon checkboxes on the interfaces.
If you click on the red X in the firewall log it will tell you what rule blocked it. If it's hitting default deny that means it wasn't passed by the rules on the interface it came in on.
On my system rule 1000000103 is default deny IPv4 so we need to look at your rules.
-
Post your rules and interface configs. Pay particular attention to the block private and block bogon checkboxes on the interfaces.
If you click on the red X in the firewall log it will tell you what rule blocked it. If it's hitting default deny that means it wasn't passed by the rules on the interface it came in on.
On my system rule 1000000103 is default deny IPv4 so we need to look at your rules.
Thanks for the reply Derelict, is this the information you need?
set optimization normal
set limit states 812000
set limit src-nodes 812000#System aliases
loopback = "{ lo0 }"
WAN = "{ igb0 }"
LAN = "{ igb1 }"
VLANS = "{ igb2 }"
MINIZONA9 = "{ igb2_vlan2 }"
SERVERSINTERNOS = "{ igb2_vlan3 }"
MUNI = "{ igb2_vlan4 }"#SSH Lockout Table
table <sshlockout>persist
table <webconfiguratorlockout>persist
#Snort tables
table <snort2c>table <virusprot>table <bogons>persist file "/etc/bogons"
table <negate_networks># User AliasesGateways
GWGW_WAN = " route-to ( igb0 10.5.3.1 ) "
set loginterface igb1
set skip on pfsync0
scrub on $WAN all fragment reassemble
scrub on $LAN all fragment reassemble
scrub on $VLANS all fragment reassemble
scrub on $MINIZONA9 all fragment reassemble
scrub on $SERVERSINTERNOS all fragment reassemble
scrub on $MUNI all fragment reassembleno nat proto carp
no rdr proto carp
nat-anchor "natearly/"
nat-anchor "natrules/"Outbound NAT rules are disabled
Load balancing anchor
rdr-anchor "relayd/*"
TFTP proxy
rdr-anchor "tftp-proxy/*"
UPnPd rdr anchor
rdr-anchor "miniupnpd"
anchor "relayd/"
anchor "openvpn/"
anchor "ipsec/*"block IPv4 link-local. Per RFC 3927, link local "MUST NOT" be forwarded by a routing device,
and clients "MUST NOT" send such packets to a router. FreeBSD won't route 169.254./16, but
route-to can override that, causing problems such as in redmine #2073
block in log quick from 169.254.0.0/16 to any tracker 1000000101 label "Block IPv4 link-local"
block in log quick from any to 169.254.0.0/16 tracker 1000000102 label "Block IPv4 link-local"
#–-------------------------------------------------------------------------default deny rules
#---------------------------------------------------------------------------
block in log inet all tracker 1000000103 label "Default deny rule IPv4"
block out log inet all tracker 1000000104 label "Default deny rule IPv4"
block in log inet6 all tracker 1000000105 label "Default deny rule IPv6"
block out log inet6 all tracker 1000000106 label "Default deny rule IPv6"IPv6 ICMP is not auxilary, it is required for operation
See man icmp6(4)
1 unreach Destination unreachable
2 toobig Packet too big
128 echoreq Echo service request
129 echorep Echo service reply
133 routersol Router solicitation
134 routeradv Router advertisement
135 neighbrsol Neighbor solicitation
136 neighbradv Neighbor advertisement
pass quick inet6 proto ipv6-icmp from any to any icmp6-type {1,2,135,136} tracker 1000000107 keep state
Allow only bare essential icmpv6 packets (NS, NA, and RA, echoreq, echorep)
pass out quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type {129,133,134,135,136} tracker 1000000108 keep state
pass out quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type {129,133,134,135,136} tracker 1000000109 keep state
pass in quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type {128,133,134,135,136} tracker 1000000110 keep state
pass in quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type {128,133,134,135,136} tracker 1000000111 keep state
pass in quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type {128,133,134,135,136} tracker 1000000112 keep stateWe use the mighty pf, we cannot be fooled.
block log quick inet proto { tcp, udp } from any port = 0 to any tracker 1000000113
block log quick inet proto { tcp, udp } from any to any port = 0 tracker 1000000114
block log quick inet6 proto { tcp, udp } from any port = 0 to any tracker 1000000115
block log quick inet6 proto { tcp, udp } from any to any port = 0 tracker 1000000116Snort package
block log quick from <snort2c>to any tracker 1000000117 label "Block snort2c hosts"
block log quick from any to <snort2c>tracker 1000000118 label "Block snort2c hosts"SSH lockout
block in log quick proto tcp from <sshlockout>to (self) port 22 tracker 1000000301 label "sshlockout"
webConfigurator lockout
block in log quick proto tcp from <webconfiguratorlockout>to (self) port 443 tracker 1000000351 label "webConfiguratorlockout"
block in log quick from <virusprot>to any tracker 1000000400 label "virusprot overload table"
antispoof log for $WAN tracker 1000001570
antispoof log for $LAN tracker 1000002620allow access to DHCPv6 server on LAN
We need inet6 icmp for stateless autoconfig and dhcpv6
pass quick on $LAN inet6 proto udp from fe80::/10 to fe80::/10 port = 546 tracker 1000002651 label "allow access to DHCPv6 server"
pass quick on $LAN inet6 proto udp from fe80::/10 to ff02::/16 port = 546 tracker 1000002652 label "allow access to DHCPv6 server"
pass quick on $LAN inet6 proto udp from fe80::/10 to ff02::/16 port = 547 tracker 1000002653 label "allow access to DHCPv6 server"
pass quick on $LAN inet6 proto udp from ff02::/16 to fe80::/10 port = 547 tracker 1000002654 label "allow access to DHCPv6 server"
antispoof log for $MINIZONA9 tracker 1000004720
antispoof log for $SERVERSINTERNOS tracker 1000005770loopback
pass in on $loopback inet all tracker 1000006861 label "pass IPv4 loopback"
pass out on $loopback inet all tracker 1000006862 label "pass IPv4 loopback"
pass in on $loopback inet6 all tracker 1000006863 label "pass IPv6 loopback"
pass out on $loopback inet6 all tracker 1000006864 label "pass IPv6 loopback"let out anything from the firewall host itself and decrypted IPsec traffic
pass out inet all keep state allow-opts tracker 1000006865 label "let out anything IPv4 from firewall host itself"
pass out inet6 all keep state allow-opts tracker 1000006866 label "let out anything IPv6 from firewall host itself"
pass out route-to ( igb0 10.5.3.1 ) from 10.5.3.2 to !10.5.3.0/24 tracker 1000006961 keep state allow-opts label "let out anything from firewall host itself"make sure the user cannot lock himself out of the webConfigurator or SSH
pass in quick on igb1 proto tcp from any to (igb1) port { 443 80 22 } tracker 1000007271 keep state label "anti-lockout rule"
User-defined rules follow
anchor "userrules/*"
pass in quick on $WAN reply-to ( igb0 10.5.3.1 ) inet proto icmp from any to any tracker 1437688727 keep state label "USER_RULE"
pass in quick on $WAN reply-to ( igb0 10.5.3.1 ) inet proto { tcp udp } from any to any tracker 1438037171 keep state label "USER_RULE"
pass in quick on $LAN inet from 10.0.4.0/24 to any tracker 0100000101 keep state label "USER_RULE: Default allow LAN to any rule"at the break! label "USER_RULE: Default allow LAN IPv6 to any rule"
pass in log quick on $MINIZONA9 inet proto tcp from 172.23.21.0/24 to any tracker 1438284251 flags S/SA keep state label "USER_RULE: Log de correos desde muni"
pass in quick on $MINIZONA9 inet proto { tcp udp } from any to any tracker 1437687876 keep state label "USER_RULE"
pass in quick on $MINIZONA9 inet proto icmp from any to any tracker 1437688848 keep state label "USER_RULE"VPN Rules
anchor "tftp-proxy/*"</virusprot></webconfiguratorlockout></sshlockout></snort2c></snort2c></negate_networks></bogons></virusprot></snort2c></webconfiguratorlockout></sshlockout>
-
Dude, can't you just produce a damned screenshot, instead of this unreadable mess?
P.S. If you do not want packet filtering, move to System - Advanced - Firewall/NAT and tick "Disable Firewall". Not really sure what's a point of a box sitting "in between of couple of routers" on a network passing everything.
-
Also I took a look at the interafaces bogon and private lock, and they are unchecked.
thanks, sorry for the trouble.
-
Dude, can't you just produce a damned screenshot, instead of this unreadable mess?
P.S. If you do not want packet filtering, move to System - Advanced - Firewall/NAT and tick "Disable Firewall". Not really sure what's a point of a box sitting "in between of couple of routers" on a network passing everything.
Sorry man, im more used to text than pretty BUIs.
-
pass in log quick on $MINIZONA9 inet proto tcp from 172.23.21.0/24 to any tracker 1438284251 flags S/SA keep state label "USER_RULE: Log de correos desde muni"
pass in quick on $MINIZONA9 inet proto { tcp udp } from any to any tracker 1437687876 keep state label "USER_RULE"
pass in quick on $MINIZONA9 inet proto icmp from any to any tracker 1437688848 keep state label "USER_RULE"Look at your rules on MINIZONA9.
If you want to pass any traffic, then make a rule that passes any traffic.
IPv4, protocol any source any dest any
And delete everything else. Why mess around with tcp, S/SA, udp, etc?
-
doktornotor
Ok so here are the screenshots.
Derelict
As you can see the rule to pass all traffic on MINIZONA9 exists. Actually the problem is that sometimes email clients can connect and send/recieve emails, but next minute they cant.
-
I meant the screenshot of the firewall log in human readable view.
-
If it were me I would get rid of all the rules on MINIZONA9
The make one rule:
IPv4, protocol any source any dest any
Again, if you want to pass everything, then pass everything.
I don't like that logging rule at the top either. I don't know why that log rule is limited to S/SA but I rarely look at the raw pf config. It might be perfectly normal.
ETA: I guess it's normal to have flags S/SA on a tcp-only rule.
-
Allow all isn't "allow all" on stateful firewalls, it's allow all new connections. Looks like you have asymmetric routing there somewhere, what's being blocked is traffic that isn't going through the firewall in both directions. If you really just want to allow everything, disable the packet filter as doktornotor suggested.