Firebox blocking all ports

Hi

I have a T35-w which has been working fine. I have a few ports open to allow certain applications to function correctly (e.g. CCTV, alarm system, etc.). This has been working well without issue until yesterday, when all ports became blocked. When I use a port scanner they are shown as closed and I have no idea why. When I look at Traffic Monitor it is not clear. Below is some text from the log when trying to access port 443.

2023-07-26 21:14:25 Deny 192.168.1.29 52.13.231.217 https/tcp 55617 443 RaftyLan Firebox tcp syn checking failed (expecting SYN packet for new TCP connection, but received ACK, FIN, or RST instead). 40 64 (Internal Policy) proc_id="firewall" rc="101" msg_id="3000-0148" tcp_info="offset 5 R 2724606775 win 0"
2023-07-26 21:14:25 Deny 192.168.1.29 52.13.231.217 https/tcp 55617 443 RaftyLan Firebox tcp syn checking failed (expecting SYN packet for new TCP connection, but received ACK, FIN, or RST instead). 40 64 (Internal Policy) proc_id="firewall" rc="101" msg_id="3000-0148" tcp_info="offset 5 R 2724606775 win 0"
2023-07-26 21:14:25 Deny 0.0.0.0 224.0.0.1 igmp RaftyLan Firebox Denied 32 1 (Unhandled Internal Packet-00) proc_id="firewall" rc="101" msg_id="3000-0148"
2023-07-26 21:14:25 Deny 0.0.0.0 224.0.0.1 igmp RaftyLan Firebox Denied 32 1 (Unhandled Internal Packet-00) proc_id="firewall" rc="101" msg_id="3000-0148"
2023-07-26 21:14:26 Deny 192.168.1.200 255.255.255.255 12107/udp 42048 12107 RaftyLan Firebox Denied 32 64 (Unhandled Internal Packet-00) proc_id="firewall" rc="101" msg_id="3000-0148"
2023-07-26 21:14:26 Deny 192.168.1.200 255.255.255.255 12107/udp 48876 12107 RaftyLan Firebox Denied 32 64 (Unhandled Internal Packet-00) proc_id="firewall" rc="101" msg_id="3000-0148"
2023-07-26 21:14:26 Deny 192.168.1.73 255.255.255.255 afs3-volser/udp 7005 7005 RaftyLan Firebox Denied 47 100 (Unhandled Internal Packet-00) proc_id="firewall" rc="101" msg_id="3000-0148"

When I disable "Enable TCP SYN packet and connection state verification" in global settings, the ports remain closed, with the below in the log:

2023-07-26 21:20:13 Deny 192.168.1.29 184.30.39.43 https/tcp 55948 443 RaftyLan Firebox tcp invalid connection state 40 64 (Internal Policy) proc_id="firewall" rc="101" msg_id="3000-0148" tcp_info="offset 5 R 2910563526 win 0"

This has wasted hours and I just can't figure it out. Thanks for any assistance.

Comments

  • You should expect IGMP packets to be denied, as they are a protocol which is not allowed in default configs. This is for multicast.

    HTTPS port (TCP 443) is not being blocked - the deny is because of "tcp invalid connection state", which is probably related to the earlier deny: "expecting SYN packet for new TCP connection, but received ACK, FIN, or RST instead".

    Consider a firewall reboot - perhaps that will resolve the issue.

    For the record, what Fireware version is on your T35-w?
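The distinction drawn in this reply (multicast and broadcast traffic denied by default, versus a port 443 deny that is really a connection-state check) is easy to triage mechanically when there are many lines. As an added example that is not from the thread or from WatchGuard, here is a small Python parser that splits the poster's own log lines into fields and counts state-tracking drops separately from "Unhandled Internal Packet" noise. The field layout encoded in LINE_RE and the token order assumed for tcp_info are inferred from the quoted lines only and are not a documented format.

```python
import re
from collections import Counter

# Constructed sample: one copy of each distinct deny line quoted in the post
# above (the last one is the line logged after SYN checking was turned off).
SAMPLE_LOG = """\
2023-07-26 21:14:25 Deny 192.168.1.29 52.13.231.217 https/tcp 55617 443 RaftyLan Firebox tcp syn checking failed (expecting SYN packet for new TCP connection, but received ACK, FIN, or RST instead). 40 64 (Internal Policy) proc_id="firewall" rc="101" msg_id="3000-0148" tcp_info="offset 5 R 2724606775 win 0"
2023-07-26 21:14:25 Deny 0.0.0.0 224.0.0.1 igmp RaftyLan Firebox Denied 32 1 (Unhandled Internal Packet-00) proc_id="firewall" rc="101" msg_id="3000-0148"
2023-07-26 21:14:26 Deny 192.168.1.200 255.255.255.255 12107/udp 42048 12107 RaftyLan Firebox Denied 32 64 (Unhandled Internal Packet-00) proc_id="firewall" rc="101" msg_id="3000-0148"
2023-07-26 21:14:26 Deny 192.168.1.73 255.255.255.255 afs3-volser/udp 7005 7005 RaftyLan Firebox Denied 47 100 (Unhandled Internal Packet-00) proc_id="firewall" rc="101" msg_id="3000-0148"
2023-07-26 21:20:13 Deny 192.168.1.29 184.30.39.43 https/tcp 55948 443 RaftyLan Firebox tcp invalid connection state 40 64 (Internal Policy) proc_id="firewall" rc="101" msg_id="3000-0148" tcp_info="offset 5 R 2910563526 win 0"
"""

# Assumed field layout, derived only from the lines above:
# timestamp, action, src, dst, service[/proto], optional "sport dport"
# (TCP/UDP only), in-interface, out-interface, free-text reason,
# packet length, TTL, "(policy name)", then key="value" pairs.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<action>\S+) (?P<src>\S+) (?P<dst>\S+) (?P<service>\S+)"
    r"(?: (?P<sport>\d+) (?P<dport>\d+))?"
    r" (?P<in_if>\S+) (?P<out_if>\S+) (?P<reason>.+?)"
    r" (?P<length>\d+) (?P<ttl>\d+) \((?P<policy>[^)]*)\)"
    r"(?P<kv>.*)$"
)
KV_RE = re.compile(r'(\w+)="([^"]*)"')

# Reasons meaning the Firebox dropped a TCP segment because it did not belong
# to a connection in its state table (no SYN was seen first). These are not
# policy blocks of the destination port.
STATE_TRACKING_REASONS = ("tcp syn checking failed", "tcp invalid connection state")


def parse_line(line):
    """Return a dict of fields for one log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["kv"] = dict(KV_RE.findall(rec.pop("kv")))
    return rec


def parse_log(text):
    """Parse every recognisable line of a log excerpt."""
    return [r for r in (parse_line(ln) for ln in text.splitlines()) if r]


def tcp_flags(rec):
    """TCP flag letters from tcp_info, e.g. 'R' for a bare RST.
    Assumed token layout: 'offset <n> <flags> <seq> win <w>'."""
    parts = rec["kv"].get("tcp_info", "").split()
    return parts[2] if len(parts) >= 3 and parts[0] == "offset" else ""


def is_state_tracking_deny(rec):
    """True when the deny is a connection-state check rather than a policy match."""
    return rec["action"] == "Deny" and rec["reason"].startswith(STATE_TRACKING_REASONS)


def summarize(records):
    """Triage counts: state-table drops vs. unhandled broadcast/multicast noise."""
    return {
        "total_denies": sum(r["action"] == "Deny" for r in records),
        "state_tracking_denies": sum(is_state_tracking_deny(r) for r in records),
        "unhandled_internal": sum(
            r["policy"].startswith("Unhandled Internal Packet") for r in records
        ),
        # Keep only the short reason, dropping the parenthesised explanation.
        "by_reason": Counter(r["reason"].split(" (")[0] for r in records),
        "by_service": Counter(r["service"] for r in records),
    }


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for r in recs:
        print(
            f'{r["ts"]} {r["src"]} -> {r["dst"]} {r["service"]} '
            f'flags={tcp_flags(r) or "-"} policy={r["policy"]!r} '
            f"state_drop={is_state_tracking_deny(r)}"
        )
    print(summarize(recs))
```

When the state-tracking count dominates for one host and port pair, the thing to check is the path the flow actually takes (the upstream NAT or DMZ target, interface assignments, any second default route) rather than the Firebox policy list, since the policy never saw a matching SYN. The multicast and broadcast "Unhandled Internal Packet" lines are expected under a default configuration and can be filtered out of the triage view.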

  • Thanks so much for the reply. I have done a reboot twice without resolution. Version is 12.5.11.B666392.

  • When you say IGMP packets are being denied, do you mean it does not allow a port scan? If so, this is not correct, because before this started I could do a port scan and the port was showing as open, and I also have an M290 with a similar configuration which, on the same port scan website, shows the port as open.

  • IGMP is IP protocol number 2
    https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml

    IP protocol number 2 is not allowed in the default firewall config.
    TCP, UDP & ICMP protocols are.

    So, no access from behind your firewall to the Internet works?
    All web access gets a "tcp invalid connection state" error?

    What tool are you using to do a port scan?
    "port scan website" suggests that you are using an external site to see what incoming ports are open from the Internet to an internal device.

    If you are doing a scan from the Internet of your firewall, the default settings of the firewall are to block all incoming sessions unless a specific policy is set up to allow a desired incoming access.
    Reply packets are always allowed without any policy needed.

  • No. Everything is working from behind the firewall to the internet, but I can't access local resources from outside the firewall. I use port 443 to access a password manager on my NAS. When I try to connect to this resource from outside, it is blocked. I am using an external website to scan the port. It shows as closed, but as mentioned, if I scan my M290 with the same settings the port is open.

  • Okay, figured it out. I have been unable to run my modem in bridge mode, so I have assigned an IP to the Firebox. I then set the DMZ to that IP address; however, I noticed now that the IP had changed. So all I did was update the DMZ to the new IP and set a reservation so this won't happen again. Man, hours of my life!

  • edited July 2023

    Have you added a policy to allow external access to your NAS on your T35?
    Have you added a policy to allow external access to an internal web server on your M290?

    Many use a VPN client to allow access to things behind their firewall when on the Internet.
