
Access Rule to block MAC address

When I check the System Log on our TZ470, I notice a LOT of TCP packets dropped. When I expand such an event and click the ALL tab, it appears all those dropped packets come from a variety of IP addresses, but they all list the same MAC address. So I created an Address Object for this MAC address and created an Access Rule to block this MAC address. But. The System Log still lists those TCP packets dropped, coming from the same MAC address. So I wonder if I'm doing something wrong? Access Rule:

Category: Mid Range Firewalls

Answers

  • Arkwright All-Knowing Sage ✭✭✭✭

    The MAC is probably your default gateway, so if that rule had actually blocked everything, then you would have lost internet access :D

    You need to look at the log events to see why the packets are dropped, and proceed from there.

  • Simon_Weel Enthusiast ✭✭

    Doesn't seem to be the default gateway? Why would it change its IP address and destination port all the time? Another screenshot of the System Log:

    Destination address 213.124.92.22 is our WAN IP address. Notice the different source IP addresses - they all have the same MAC address and vendor (Nokia). There are hundreds of these lines logged over the last couple of days. Haven't seen them before. Maybe it's not related, but I received a mail from SonicWall about a flaw in accessing the management. Maybe someone is trying to gain access to the TZ470?

    I also noted a mistake in my blocking rule - it's blocking traffic from WAN to LAN, but as you can see in the screenshot, the traffic is from X1 (WAN) to X1. So I modified the blocking rule, changing the destination zone/interface to 'Any'. But it won't do the trick - the System Log still lists these events. So I wonder if there's a rule that drops these packets before it reaches the Access Rules?

  • Arkwright All-Knowing Sage ✭✭✭✭

    they all have the same MAC address and vendor (Nokia)

    That's simply how this stuff works. You have a network with two devices in it: your firewall's X1 and the default gateway [Nokia make carrier infrastructure]. They only have one MAC each. MACs are "locally significant". When your default gateway forwards you a packet from something somewhere on the internet, it sends you the packet with the correct source L3 address but uses its own L2 address as the source.

  • Simon_Weel Enthusiast ✭✭

    Ok, but it still doesn't answer my question - is there a rule that drops these packets before they reach the Access Rules, or did I make a mistake in my blocking rule?

  • Arkwright All-Knowing Sage ✭✭✭✭

    You created a WAN>LAN rule, and on that block message the destination was WAN, so your rule would not have applied.

  • Simon_Weel Enthusiast ✭✭

    That's why I changed it:

    Still the log is flooded with these events. So again - is there a rule that drops these packets before they reach the Access Rules, or did I make a mistake in my blocking rule?

  • blue Newbie ✭

    Untick logging in the log tab and see if it goes away. 🙂

  • Arkwright All-Knowing Sage ✭✭✭✭

    is there a rule that drops these packets before it reaches the Access Rules

    The only "hidden" access rules are the implicit deny rules that block anything that doesn't otherwise match anything else.

    Given that SonicOS also applies stateful packet inspection, there is another implicit "rule" that matches any traffic related to an established connection.
