RE: [pfSense Support] Traffic that is explicitly allowed occasionally blocked

2011-02-28 Thread Dimitri Rodis
>No, those are RSTs and FINs coming after the state is closed, expected 
>behavior.
>http://doc.pfsense.org/index.php/Logs_show_%22blocked%22_for_traffic_from_a_legitimate_connection,_why%3F

Ok, but unless I'm misunderstanding, I am not logging packets blocked by the 
default rule, so why would this be logged? And how do I know which rule was 
applied to this traffic like in the screenshot above?


Re: [pfSense Support] Traffic that is explicitly allowed occasionally blocked

2011-02-28 Thread Chris Buechler
On Mon, Feb 28, 2011 at 12:51 PM, Dimitri Rodis <dimit...@integritasystems.com> wrote:

> 2.0-BETA5 (i386) built on Mon Feb 21 15:43:32 EST 2011
>
> I am seeing the above occur maybe once a day or once every other day, but
> the source IP address is in an alias that is a list of aliases (and that
> list contains my mail server aliases). Whenever I see this, I manually try
> to telnet to the same IP on port 25 and the traffic is passed, yet the mail
> server shows a failed connection attempt in the logs which coincides with
> the firewall log as above. I have a rule that explicitly allows port tcp/25
> as a destination from my inbound mail servers alias group, and then there is
> a rule right beneath that rule that explicitly blocks outbound SMTP from all
> IP addresses on the subnet, and I have logging turned on for that rule. So,
> the rule beneath the one that should be triggered is being triggered
> instead.
>
> Is there a Bug/Race condition in rule evaluation??
>

No, those are RSTs and FINs coming after the state is closed, expected
behavior.
http://doc.pfsense.org/index.php/Logs_show_%22blocked%22_for_traffic_from_a_legitimate_connection,_why%3F
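As an added illustration of the answer above (example code, not from the thread or from pfSense): a small triage script that separates blocked entries carrying only RST/FIN from blocked SYNs, so that stray packets from an already-closed state are not mistaken for a rule-ordering bug. The log lines, rule numbers and addresses are constructed in a simplified layout and are not real pflog output.

```python
import re
from collections import Counter

# Constructed sample entries (not real pfSense output) in a simplified
# "action rule proto src:sport > dst:dport flags=<tcpdump-style flags>" layout
# carrying only the fields the triage needs. Rule 57 stands for the logging
# "block outbound SMTP" rule from the thread, rule 56 for the pass rule above it.
SAMPLE_LOG = """\
block 57 tcp 192.0.2.5:49152 > 203.0.113.10:25 flags=R.
block 57 tcp 192.0.2.5:49152 > 203.0.113.10:25 flags=F.
block 57 tcp 192.0.2.7:49201 > 203.0.113.10:25 flags=S
pass 56 tcp 192.0.2.5:49300 > 203.0.113.10:25 flags=S
"""

ENTRY_RE = re.compile(
    r"^(?P<action>pass|block) (?P<rule>\d+) (?P<proto>\w+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) > (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"flags=(?P<flags>[A-Z.]+)$"
)

def parse_entry(line):
    """Return the entry's fields as a dict, or None for a line that does not match."""
    m = ENTRY_RE.match(line.strip())
    return m.groupdict() if m else None

def classify(entry):
    """Label one entry.

    A blocked TCP packet carrying RST or FIN but no SYN belongs to a conversation
    whose pf state is already gone. With no state to match, pf evaluates it against
    the ruleset again; a pass rule that only creates state on SYN does not match it,
    so the next matching rule, here the logging block rule, records it. A blocked
    SYN is a real block of a new connection and merits a look at rule order and
    alias contents.
    """
    if entry["action"] != "block":
        return "pass"
    flags = entry["flags"]
    if entry["proto"] == "tcp" and "S" not in flags and ("R" in flags or "F" in flags):
        return "stray-after-close"
    return "real-block"

def triage(log_text):
    """Count entries per label and list (rule, src, dst:dport) for the real blocks."""
    counts, real = Counter(), []
    for line in log_text.splitlines():
        entry = parse_entry(line)
        if entry is None:
            continue
        label = classify(entry)
        counts[label] += 1
        if label == "real-block":
            real.append((entry["rule"], entry["src"], f'{entry["dst"]}:{entry["dport"]}'))
    return counts, real

if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```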



[pfSense Support] Traffic that is explicitly allowed occasionally blocked

2011-02-28 Thread Dimitri Rodis
2.0-BETA5 (i386) built on Mon Feb 21 15:43:32 EST 2011

I am seeing the above occur maybe once a day or once every other day, but the 
source IP address is in an alias that is a list of aliases (and that list 
contains my mail server aliases). Whenever I see this, I manually try to telnet 
to the same IP on port 25 and the traffic is passed, yet the mail server shows 
a failed connection attempt in the logs which coincides with the firewall log 
as above. I have a rule that explicitly allows port tcp/25 as a destination 
from my inbound mail servers alias group, and then there is a rule right 
beneath that rule that explicitly blocks outbound SMTP from all IP addresses on 
the subnet, and I have logging turned on for that rule. So, the rule beneath 
the one that should be triggered is being triggered instead.

Is there a Bug/Race condition in rule evaluation??

Dimitri Rodis
Integrita Systems LLC
http://www.integritasystems.com