iMac running 10.6.2, with latest NIS software.
Occasionally, after waking up from sleep, Firewall reports/logs blocked connections (i.e., Windows File Sharing) that have already been allowed.
Even though the connection is already permitted, I have to "fix" the problem by adding a rule (e.g., trust zone, allow 192.168.1.1). I get the impression that the firewall software rereads all the rules after a change, as I can then delete that redundant rule, and everything works again with just the normal "allow any local network" rule.
Again, this is an occasional problem. Mostly, after waking from sleep, there aren't any connection blocking problems. Perhaps a timing issue with NIS and the interface (not) being up, leading to the firewall occasionally thinking that 192.168.1 isn't a local network?
My normal connection blocking settings:
When there is a problem with connection blocking after waking from sleep, I see this in the log, even though the rules are already there to permit the traffic:
Is this problem scheduled to be fixed in the next software patch?
Although it didn't happen too often, I finally got tired of having to "fix" it and permanently left an allow rule in for 192.168.1.1. So, now I've got two Allow any local network rules, in my trust zone. I don't know why it rewrote allowing a single IP as a rule for the whole local network, but I haven't had any intermittent problems for the last week.
Still, it seems to be a bug, if it occasionally blocks local network traffic that a solitary default local network trust zone rule should have permitted.
This is a bug/feature of the firewall that's somewhat difficult to explain. The firewall in Norton Firewall is "stateful". Bear with me as I attempt to explain.
When the firewall sees incoming and outgoing traffic that should be allowed it creates an invisible rule, called a stateful rule. This stateful rule allows connections that have already been approved by the firewall. When the connection closes, or if the other computer doesn't talk to your Mac for a while, the firewall stops allowing traffic on that connection by deleting the invisible rule it created. This is called stateful packet filtering.
The "problem" here is that when your computer gets woken up from sleep, the invisible rule gets deleted. Your Mac was probably asleep for more than 2 minutes, and that means the invisible rules all timed out and were removed. But as soon as your Mac woke up from sleep, the other computer tried to re-establish communications with your Mac. The firewall blocked that communication, because the connection timed out while your Mac was asleep. This is a common problem with stateful firewalls.
Basically, these connection attempts are harmless. As soon as the other computer realizes it can't connect it will create a new connection, which will be allowed by the firewall.
Hope that explains it.
Ryan
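The timeout behaviour Ryan describes, as an added illustration that is not Norton's code: a minimal stateful filter with a static "allow any local network" rule, a state table of approved connections, and a 2-minute idle timeout. The service ports, the 192.168.1.x prefix and the packet timings are assumptions constructed for the scenario; the log line format follows the one quoted later in this thread.

```python
from dataclasses import dataclass, field

LOCAL_NET = "192.168.1."   # assumed meaning of "any local network"
IDLE_TIMEOUT = 120         # seconds; the "more than 2 minutes" in Ryan's post
SERVICES = {80: "Web Sharing", 445: "Windows File Sharing"}  # assumed ports

@dataclass
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool   # True when the packet opens a new connection
    ts: float   # arrival time in seconds

@dataclass
class StatefulFirewall:
    state: dict = field(default_factory=dict)   # 4-tuple -> last time seen
    log: list = field(default_factory=list)

    def _expire(self, now):
        # Remove the "invisible" stateful rules that have been idle too long
        for key, seen in list(self.state.items()):
            if now - seen > IDLE_TIMEOUT:
                del self.state[key]

    def inbound(self, p):
        self._expire(p.ts)
        key = (p.src, p.sport, p.dst, p.dport)
        if key in self.state:          # part of an already approved connection
            self.state[key] = p.ts
            return True
        if p.syn and p.src.startswith(LOCAL_NET) and p.dport in SERVICES:
            self.state[key] = p.ts     # static rule matched: create state
            return True
        self.log.append(f"Blocked incoming connection to {SERVICES.get(p.dport, p.dport)}, "
                        f"remote address {p.src} remote port {p.sport} "
                        f"local address {p.dst} local port {p.dport}.")
        return False

def sleep_scenario():
    fw = StatefulFirewall()
    r = []
    # 1. peer opens a connection before the Mac sleeps: allowed by the local rule
    r.append(fw.inbound(Packet("192.168.1.43", 64281, "192.168.1.44", 80, True, 0.0)))
    # 2. Mac sleeps 10 minutes; peer continues the old flow (no SYN): state gone, blocked
    r.append(fw.inbound(Packet("192.168.1.43", 64281, "192.168.1.44", 80, False, 600.0)))
    # 3. peer gives up and opens a fresh connection: static rule matches again, allowed
    r.append(fw.inbound(Packet("192.168.1.43", 64282, "192.168.1.44", 80, True, 601.0)))
    return r, fw.log
```

Step 2 is the harmless post-sleep log entry; a fresh connection (step 3) is what the static rule should always let through, which is why the later reports of new connections staying blocked point at a separate bug.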
I'm still having annoying problems with this.
Today, for example, I couldn't access my local web server via my iPod touch, for over 15 minutes, because the firewall was blocking what the rules should have allowed. My Mac (the web server) is 192.168.1.44, and my iPod touch is 192.168.1.43, so they're both on the same network.
My Connection Blocking settings are as follows:
Zones:
Block Zone: (nothing)
Trust Zone: Allow any local network
Services:
Web Sharing: Allow any local network
Applications:
httpd: Allow any local network.
I assume "any local network" means 192.168.1.x, and these rules do initially work, but after some point, the software seems to get confused about what its local network is, and consistently blocks traffic from other local hosts. It never lets it through again, and I then see lots of entries like this in the Firewall view history screen:
Blocked incoming connection to Web Sharing, remote address 192.168.1.43 remote port 64281 local address 192.168.1.44 local port 80.
The only way I can get traffic to flow again, without rebooting, is to go in and add a specific "allow 192.168.1.43" rule to the Trust Zone and/or Services.
It seems like a bug to me, if the firewall no longer lets the traffic through until I eventually edit the settings.
Actually, Web Sharing being blocked is a bug that we have reproduced in house, but it is completely separate from the issue you describe here. It's an unrelated bug; we are working on a fix for it but I can't say if/when it will be released since we don't comment on unreleased products. But thanks for the update, now we know people are seeing this issue in the field too.
Ryan
Glad to hear that it's a known problem that will be fixed.
Can you tell me if the "allow local networks" problem is related to that issue?
You see, it's not just Web Sharing that gets blocked, but Windows File Sharing also. My router -- 192.168.1.1 -- often consistently gets blocked, even though all the rules should allow it (as covered in my original post/screenshots). Yesterday, when I explicitly allowed 192.168.1.43, my router was also able to connect again to the Windows File Sharing service on my Mac, even though I didn't add any specific rule for that address.
So, I'm guessing that adding a rule for my iPod touch caused the Firewall software to reread all the rules, and other local network traffic resumed matching the general "allow local networks" rule again, as it always should have.
To me, that's the recurring bug, that at some point, the Firewall software loses track that 192.168.1 is local, and starts blocking local network hosts, not merely from Web Sharing, but from Windows File Service too.