Why is port 80 being blocked?

Murus
mcgurme
Posts: 6
Joined: Sun Aug 28, 2016 2:59 am

Why is port 80 being blocked?

Post by mcgurme » Sun Aug 28, 2016 3:08 am

Hi,

I'm trying to figure out why port 80 is being blocked intermittently.

I have an active rule where the allowed groups is "Everyone" for the Web services (80 and 443).

Now, here's an example from the logs:
Aug 27 22:02:42 serve1 pf[462]: 00:00:05.331582 rule 9/0(match): block in on en0: 167.114.208.110.31221 > 199.38.81.58.80: Flags [S], seq 2672471144, win 32120, options [mss 1460,sackOK,TS val 14327694 ecr 956301312,nop,wscale 0], length 0

I understand that this is being blocked by "rule 9" but where can I figure out what "rule 9" is? There's nothing I've found anywhere in Murus that is labeled with a "9". I tried counting from the top of the rules list (under "configuration") but that didn't make sense at all - it was the rule for "no dummy net quick on lo0".

I figured that maybe this is being blocked by the emerging threats, but then I saw that the address 172.68.35.26 was blocked repeatedly, and that's Cloudflare.

Earlier today I tried re-ordering the rules. When I put the web allow all rule at the beginning of the list, it blocked me out from connecting. When I put it at the end of the list, it seems more intermittent - but it's still blocking.

How can I figure this out? I have an active website and I can't be having regular traffic blocked.

Thanks in advance,
Morgan

mcgurme
Posts: 6
Joined: Sun Aug 28, 2016 2:59 am

Re: Why is port 80 being blocked?

Post by mcgurme » Tue Sep 13, 2016 9:04 pm

No response to this? Even from hany?

I'm a Murus pro user.

Anyway, in the meantime I read the entire manual. I figured out some things, such as how to find the specific rule causing the block.

It is always rule 37, the "brute force" rule.

Here is an example, where my own machine tries to connect and is blocked:
Sep 13 15:55:28 serve1 pf[371]: 00:00:05.203103 rule 37.murus.inbound.1/0(match): block in on en0: xxx.xxx.63.59.42098 > xxx.xxx.81.138.80: Flags [R.], seq 1033, ack 1, win 4096, length 0

Now, I have clearly put "WEB" as the very last rule and allowed all (see screenshot).

I really need your help sorting this out, hany. I can't have my website being blocked.

Thank you

mcgurme
Posts: 6
Joined: Sun Aug 28, 2016 2:59 am

Re: Why is port 80 being blocked?

Post by mcgurme » Tue Sep 13, 2016 9:18 pm

Ok, now I discovered something. I'm managing this Mac remotely. So I always use the "enable PF and wait" option, then reconnect via VNC.

I noticed that an error message would pop up for ~1 second then disappear, never to be seen again.

So finally, I directly enabled without the "wait" option...

Lo and behold, here's the error message I got. Something is wrong (I'm not sure what??)

In any case, I believe this is a bug. A user who is managing a Mac remotely needs to be notified of such errors straight away, but it appears that they are not notified if using the "delay" feature.

I will now try to rebuild my rules from scratch. (fun).

mcgurme
Posts: 6
Joined: Sun Aug 28, 2016 2:59 am

Re: Why is port 80 being blocked?

Post by mcgurme » Tue Sep 13, 2016 11:49 pm

Now it gets even stranger.

I re-did my entire ruleset starting from scratch. There is no longer an error.

However, traffic to port 80 is still being blocked:

Sep 13 18:44:35 serve1 pf[371]: 00:00:08.330388 rule 37.murus.inbound.81/0(match): block in on en0: xx.xx.246.151.32164 > xx.xx.81.138.80: Flags [.], seq 0:266, ack 1, win 31, length 266: HTTP: POST /wp-admin/admin-ajax.php HTTP/1.1

This is the brute force protection.

Worse, this is blocking traffic from CloudFlare, which is a web firewall. Why is it blocking traffic from there!?

How can I stop it from doing so? Otherwise I will have to abandon Murus and try something else.

hany
Posts: 485
Joined: Wed Dec 10, 2014 5:20 pm

Re: Why is port 80 being blocked?

Post by hany » Wed Sep 14, 2016 3:15 pm

Sorry for the late answer.
The only way to find the reason for a block is to identify the blocking rule.
Look at the PF log and identify a string like

rule 37.murus.inbound.81/0(match)

This string means "rule number 81 inside anchor <murus.inbound> which is at place number 37 in pf root."

To identify the actual rule you need to open the Murus PF rules browser, not Murus configuration.
The browser displays rule numbers.

Next, you have to deal with expired pf states. You can ignore these blocks, as no important connection has been blocked.
These blocks occur when a client tries to connect via an expired state. When it happens, pf blocks the unsolicited ack, then the client retries a connection and it usually works. You should not worry about these logs as long as your client/services run correctly.
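The rule-string reading and the expired-state explanation above can be applied to a whole log at once. This is an added example, not part of the original posts and not Murus code: the function names and the classification heuristic (a bare SYN is a new connection attempt, anything else is an out-of-state packet) are assumptions of the example.

```python
import re

# Log lines copied from the posts in this thread (addresses masked as posted),
# trimmed after the first field following Flags.
SAMPLE_LOG = """\
Aug 27 22:02:42 serve1 pf[462]: 00:00:05.331582 rule 9/0(match): block in on en0: 167.114.208.110.31221 > 199.38.81.58.80: Flags [S], seq 2672471144
Sep 13 15:55:28 serve1 pf[371]: 00:00:05.203103 rule 37.murus.inbound.1/0(match): block in on en0: xxx.xxx.63.59.42098 > xxx.xxx.81.138.80: Flags [R.], seq 1033
Sep 13 18:44:35 serve1 pf[371]: 00:00:08.330388 rule 37.murus.inbound.81/0(match): block in on en0: xx.xx.246.151.32164 > xx.xx.81.138.80: Flags [.], seq 0:266
"""

LINE_RE = re.compile(
    r"rule (?P<rule>[\w.]+)/\S+: (?P<action>\w+) (?P<dir>in|out) on (?P<iface>\S+): "
    r"(?P<src>\S+) > (?P<dst>\S+): Flags \[(?P<flags>[^\]]*)\]"
)

def parse_rule(rule):
    """Split the rule field into (place in pf root, anchor name, rule number in anchor)."""
    parts = rule.split(".")
    if len(parts) == 1:                      # e.g. "9": a rule in the root ruleset
        return int(parts[0]), None, None
    # e.g. "37.murus.inbound.81": anchor names may themselves contain dots
    return int(parts[0]), ".".join(parts[1:-1]), int(parts[-1])

def classify(flags):
    """Assumption of this example: only a bare SYN opens a connection; any other
    packet needs an existing state, so a block on it is the expired-state case."""
    return "new-connection" if flags == "S" else "out-of-state"

def parse_log(text):
    """Return one dict per pf log line that could be parsed."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        root, anchor, sub = parse_rule(m["rule"])
        port = int(m["dst"].rsplit(".", 1)[1])   # tcpdump appends the port after the last dot
        events.append({"root_rule": root, "anchor": anchor, "anchor_rule": sub,
                       "action": m["action"], "iface": m["iface"],
                       "dst_port": port, "flags": m["flags"],
                       "kind": classify(m["flags"])})
    return events

if __name__ == "__main__":
    for e in parse_log(SAMPLE_LOG):
        where = (f"rule {e['anchor_rule']} in anchor <{e['anchor']}> (root place {e['root_rule']})"
                 if e["anchor"] else f"root rule {e['root_rule']}")
        print(f"{e['action']} port {e['dst_port']} flags [{e['flags']}] {e['kind']}: {where}")
```

Entries reported as new-connection are the ones worth looking up in the rules browser; out-of-state entries match the expired-state case described above.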

hany
Posts: 485
Joined: Wed Dec 10, 2014 5:20 pm

Re: Why is port 80 being blocked?

Post by hany » Wed Sep 14, 2016 3:20 pm

mcgurme wrote:
> Lo and behold, here's the error message I got. Something is wrong (I'm not sure what??)
>
> In any case, I believe this is a bug. A user who is managing a Mac remotely needs to be notified of such errors straight away, but it appears that they are not notified if using the "delay" feature.

This is an error with a custom pf rule.
About the bug: I'll look into it right now :)

hany
Posts: 485
Joined: Wed Dec 10, 2014 5:20 pm

Re: Why is port 80 being blocked?

Post by hany » Fri Sep 16, 2016 2:39 pm

Bug has been fixed in Murus 1.4.3 beta 2.
Please let me know.
