Bug #2009
closed
Reject rules for egress traffic in floating fail to log
0%
Description
Hi All,
A colleague and I spent a few hours tonight with a NSA 3110 and later with my home firewall trying to diagnose issues with egress rules configured in the floating group. It seems when using the following rule log entries are returned in the log viewer as "blocks" rather than "rejects". In further testing it seems all rejects such as the one below appear in the logs as "blocks"
@64 block return in log quick on bce0_vlan123 inet from 172.16.23.0/24 to 10.130.130.107 label "USER_RULE: Reject myth"
2.0-RELEASE (i386)
built on Tue Sep 13 17:00:00 EDT 2011
We also tested the x64 build on the NSA 3110.
Am I correct to expect that the log viewer should not be showing the red cross icon and displaying "block" when in fact the rule was a "reject"?
Cheers,
Kahn
PS: Be gentle this is my first bug :)
Updated by Jim Pingle over 12 years ago
The "reject" action only works for TCP and UDP. Other traffic is just blocked/dropped since it has no concept of rejection. If you change the rule to apply only to TCP or TCP/UDP, does it appear to work then?
Updated by Sam Wilson over 12 years ago
Hi Jim,
With the NSA 3110 we were testing with ICMP. In my testing here with my personal box I have changed the rule as below and still do not see the log messages returning as rejects. They are still listed at "blocks". I also tested TCP/UDP with the same result.
@64 block return in log quick on bce0_vlan123 inet proto tcp from 172.16.23.0/24 to 10.130.130.107 flags S/SA label "USER_RULE: test rule"
Cheers,
Kahn
Updated by Chris Buechler over 12 years ago
- Status changed from New to Rejected
reject is logged by pf as block, there is no reject in the logs.