I have a device on my local LAN that is able to pass (according to Application Control reports) traffic to the Internet that should not be based on a block rule. The Application Control actually logs the "block:false" against the block rule ID. I have created a few rules and I see this behaviour: some traffic is permitted through. It doesn't matter if I create rules using MAC address, source IPs or other combinations, or lack of source interface or destination interface.
I have no Application Control "application tab" settings apps configured (any longer): no tarpit, block or tag (I did have some tag actions).
Ultimately, to ensure this traffic is not going to be successful, I had to create a custom NAT rule to change the source IP to something unroutable if matching the application rule traffic that should be blocked but does not appear to be reliably. I have not determined if this is a problem with the firewall engine or the reporting. Installing and using the firewall engine to achieve the same result fails as well and exhibits the same behaviour. I have no bypass rules; everything is logged, including bypass rules.
Additionally this behaviour seems identical on 16.3.2 and 16.4 versions.
This is very concerning, as a firewall must always block undesired traffic when configured, not just most of the time. I would expect a block rule to override anything specific as allowed elsewhere. But I have scoured my system for anything that would be permitting this and have come up empty. I have rebuilt the firewall multiple times on different versions to ensure it wasn't some weird issue with an older system or version, or any of the upgrades.