Kudos0

Connection blocking occasionally blocks allowed traffic after wake from sleep

Posted: 22-Nov-2009 | 12:27AM · Edited: 05-Mar-2020 | 10:04AM · 6 Replies ·

iMac running 10.6.2, with latest NIS software.

Occasionally, after waking up from sleep, Firewall reports/logs blocked connections (i.e., Windows File Sharing) that have already been allowed.

Even though the connection is already permitted, I have to "fix" the problem by adding a rule (e.g., trust zone, allow 192.168.1.1).  I get the impression that the firewall software rereads all the rules after a change, as I can then delete that redundant rule, and everything works again with just the normal "allow any local network" rule.

Again, this is an occasional problem.  Mostly, after waking from sleep, there aren't any connection blocking problems.  Perhaps a timing issue with NIS and the interface (not) being up, leading to the firewall occasionally thinking that 192.168.1 isn't a local network?

My normal connection blocking settings: 

 

When there is a problem with connection blocking after waking from sleep, I see this in the log, even though the rules are already there to permit the traffic:

 

Replies

Kudos0

Re: Connection blocking occasionally blocks allowed traffic after wake from sleep

Posted: 01-Dec-2009 | 7:19PM · Permalink

Is this problem scheduled to be fixed in the next software patch?

Although it didn't happen too often, I finally got tired of having to "fix" it and permanently left an allow rule in for 192.168.1.1.   So, now I've got two Allow any local network rules, in my trust zone.  I don't know why it rewrote allowing a single IP as a rule for the whole local network, but I haven't had any intermittent problems for the last week.

Still, it seems to be a bug, if it occasionally blocks local network traffic that a solitary default local network trust zone rule should have permitted.

Kudos0

Re: Connection blocking occasionally blocks allowed traffic after wake from sleep

Posted: 01-Dec-2009 | 7:33PM · Permalink

This is a bug/feature of the firewall that's somewhat difficult to explain. The firewall in Norton Firewall is "stateful". Bear with me as I attempt to explain.

When the firewall sees incoming and outgoing traffic that should be allowed it creates an invisible rule, called a stateful rule. This stateful rule allows connections that have already been approved by the firewall. When the connection closes, or if the other computer doesn't talk to your Mac for a while, the firewall stops allowing traffic on that connection by deleting the invisible rule it created. This is called stateful packet filtering.

The "problem" here is that when your computer gets woken up from sleep, the invisible rule gets deleted. Your Mac was probably asleep for more than 2 minutes, and that means the invisible rules all timed out and were removed. But as soon as your Mac woke up from sleep, the other computer tried to re-establish communications with your Mac. The firewall blocked that communications, because the connection timed out while your Mac was asleep. This is a common problem with stateful firewalls.

Basically, these connection attempts are harmless. As soon as the ohter computer realizes it can't connect it will create a new connection, which will be allowed by the firewall.  

Hope that explains it.

Ryan 

Ryan McGann Technical Director Norton Business Unit, Symantec
Kudos0

Re: Connection blocking occasionally blocks allowed traffic after wake from sleep

Posted: 01-Dec-2009 | 9:35PM · Permalink

I follow what you're saying to a point.

I can understand it within the context where a local application connects to a remote service, and the firewall permits that incoming traffic for the existing connection.  I can also understand how, once the connection closes, or is inactive, that the firewall stops permitting incoming traffic.  SPI is good.

I can understand why the firewall would block a packet after a period of inactivity, instead of letting it reach the port and discovering that the connection is closed, and understand that if the remote system wants to start a new connection, that new traffic would make it past SPI.

But here's where I get a bit confused.  We're not talking about TCP packets, and connections being established or closed, since this is Windows File Service (UDP).  How does state apply to datagrams?

Furthermore, the router is always actively trying to map the network, so I'm not sure why connection blocking only occasionally complains.  Wouldn't this problem consistently happen, every time my Mac wakes up after being asleep for more than two minutes and the invisible rules have all timed out? (It only seemed to happen 10-15% of the time, after being woken up.)

I guess in this particular case, it seems like a bug instead of a feature, because a) it's occasionally inconsistent, and b) the firewall continues to block the allowed traffic, and doesn't appear to setup an "invisible rule" to allow that approved traffic again.  It constantly would send notices to the screen until I went into settings and entered a duplicate rule to allow what was already allowed. 

I shouldn't ever have to go back into settings to have to reallow that, correct?  That's the real problem.  SPI should be transparent, but I think there's some timing where the firewall is losing track of what's allowed, or not reestablishing a rule or something.

Kudos0

Re: Connection blocking occasionally blocks allowed traffic after wake from sleep

Posted: 24-Jan-2010 | 5:51PM · Permalink

I'm still having annoying problems with this.

Today, for example, I couldn't access my local web server via my iPod touch, for over 15 minutes, because the firewall was blocking what the rules should have allowed.  My Mac (the web server) is 192.168.1.44, and my iPod touch is 192.168.1.43, so they're both on the same network.

My Connection Blocking settings are as follows:

Zones:

Block Zone: (nothing)

Trust Zone:  Allow any local network

Services:

Web Sharing: Allow any local network

Applications:

httpd: Allow any local network.

I assume "any local network" means 192.168.1.x, and these rules do initially work, but after some point, the software seems to get confused about what its local network is, and consistently blocks traffic from other local hosts.  It never lets it through again, and I then see lots of entries like this in the Firewall view history screen:

Blocked incoming connection to Web Sharing, remote address 192.168.1.43 remote port 64281 local address 192.168.1.44 local port 80.

The only way I can get traffic to flow again, without rebooting, is to go in and add a specific "allow 192.168.1.43" rule to the Trust Zone and/or Services.

It seems like a bug to me, if the firewall no longer lets the traffic through until I eventually edit the settings.

Kudos0

Re: Connection blocking occasionally blocks allowed traffic after wake from sleep

Posted: 25-Jan-2010 | 10:59AM · Permalink

Actually Web sharing being blocked is a bug that we have reproduced in house, but it is completely seperate from the issue you describe here. It's an unrelated bug; we are working on a fix for it but I can't say if/when it will be released since we don't comment on unreleased products. But thanks for the update, now we know people are seeing this issue in the field too.

Ryan

Ryan McGann Technical Director Norton Business Unit, Symantec
Kudos0

Re: Connection blocking occasionally blocks allowed traffic after wake from sleep

Posted: 25-Jan-2010 | 12:39PM · Permalink

Glad to hear that it's a known problem that will be fixed.

Can you tell me if the "allow local networks" problem is related to that issue?

You see, it's not just Web Sharing that gets blocked, but Windows File Sharing also.  My router -- 192.168.1.1 -- often consistently gets blocked, even though all the rules should allow it (as covered in my original post/screenshots).  Yesterday, when I explicitly allowed 192.168.1.43, my router was also able to connect again to the Windows File Sharing service on my Mac, even though I didn't add any specific rule for that address.

So, I'm guessing that adding a rule for my iPod touch caused the Firewall software to reread all the rules, and other local network traffic resumed matching the general "allow local networks" rule again, as it always should have.

To me, that's the recurring bug, that at some point, the Firewall software loses track that 192.168.1 is local, and starts blocking local network hosts, not merely from Web Sharing, but from Windows File Service too.

This thread is closed from further comment. Please visit the forum to start a new thread.