Bug #12657
closed
"Skip rules when gateway is down" doesn't function on gateway down events until state is reset
Added by Kris Phillips over 3 years ago.
Updated over 3 years ago.
Affected Architecture:
All
Description
Testing environment:
Inside subnet: 192.168.5.0/24
Host: 192.168.5.20
System --> Advanced --> Misc --> "Skip rules when gateway is down" is enabled
Default Gateway: ExampleGateway1 - Tier 1, ExampleGateway2 - Tier 2
Rule 1: Allow - Source 192.168.5.20 --> Any Destination/Port/Protocol --> Use [ExampleGateway2]
Rule 2: Deny - Source 192.168.5.20 --> Any Destination/Port/Protocol --> Use Default Gateway
Rule 3: Allow - Source Any --> Any Destination/Port/Protocol --> Use Default Gateway
What's expected:
When ExampleGateway2 goes offline host 192.168.5.20 should immediately lose all connectivity
What happens:
When ExampleGateway2 goes offline host 192.168.5.20 reverts to behavior expected if "Skip rules when gateway is down" is not enabled. Once the states are reset the firewall rules block the traffic as expected. This allows leakage of traffic until states are reset, which is a security concern since it's ignoring firewall rules until states are forcefully reset. In my example it's just internet traffic, but if it was an internal gateway for transit traffic or something it would be a different story.
Files
The plot thickens:
When I kill the gateway and look at my firewall rules for matches, it's not actually matching on Rule 1. It's matching on Rule 3 for some reason at the bottom of the list. This may be deeper than just the "Skip rules when gateway is down".
- Status changed from New to Feedback
This is almost certainly expected behavior. States are not touched when events happen unless the user has enabled the option to kill states on gateway failure. There are already other issues open to fine-tune that behavior when we are able to do so. With the old states in place, the existing connection would still pass through the firewall.
Try it again with the state killing option on and see what happens.
Jim Pingle wrote in #note-2:
This is almost certainly expected behavior. States are not touched when events happen unless the user has enabled the option to kill states on gateway failure. There are already other issues open to fine-tune that behavior when we are able to do so. With the old states in place, the existing connection would still pass through the firewall.
Try it again with the state killing option on and see what happens.
Hello Jim,
Resetting the states on gateway down events does, indeed, resolve the issue, but that isn't the root of the issue. Attached is an image that explains what happens if you don't have state reset on gateway down enabled.
- Status changed from Feedback to Closed
Yes, that's still as expected. Once a state is established the state passes the traffic. Rules are not consulted again until the traffic no longer matches a state and a new state is created.
States inbound on a LAN interface would remain active. In certain cases (e.g. ping, UDP, other similar non-TCP traffic) it might make a new state if the packets attempt to exit another WAN as well.
Ultimately this is a duplicate of other existing issues. It's not a bug but part of a new feature, such as #12092, #8555, and #855 -- when the states for only this rule can be killed when a gateway goes down, this situation will no longer be a problem.
Until then, you need to kill all states on gateway failure to get the full effect.
Also available in: Atom
PDF
Updated by 
Updated by 