Default Deny rule running on an interface with a "pass all" rule


  • I have a bridge connecting my WLAN and LAN segments. I'm seeing a lot of blocks in the firewall log, even though that interface has a single rule that allows all traffic through. The blocks all say the "default deny rule" caught them, but why would that get executed at all?

    Big screenshot of everything I think is relevant, with comments in purple text:


  • Evidently (based on reading the pfSense Book https://portal.pfsense.org/docs/book/firewall/viewing-the-firewall-logs.html#why-do-i-sometimes-see-blocked-log-entries-for-legitimate-connections) this is normal behavior, and it doesn't indicate actually blocked traffic.

    This is likely to happen when a TCP FIN packet, which would normally close the connection, arrives after the connection’s state has been removed…You will see this on occasion even if you have allow all rules on all your interfaces, as allow all for TCP connections only allows TCP SYN packets. All other TCP traffic will either be part of an existing state in the state table, or will be packets with spoofed TCP flags.

  • LAYER 8 Global Moderator

    no the packets were blocked.. But yes its normal for out of state.. But you picture doesn't show us flags on the packets so can not see if they are S or A, etc..


  • @johnpoz:

    no the packets were blocked.. But yes its normal for out of state..

    Right. That's what I said in my second post where I quoted the book.

    @johnpoz:

    But you picture doesn't show us flags on the packets so can not see if they are S or A, etc..

    Yes it does; it just doesn't fit in the CSS frame width on your browser/monitor. There's a scrollbar below the pic…use it to scroll right and you'll see the "Proto" column.