2 Replies Latest reply on May 27, 2011 6:01 AM by PhilM

    Traffic denied by "no rule"

    PhilM

      Here's an odd one.


      A recently installed 7.0.1.02 appliance with a not terribly complex ACL database is presenting certain users with "Access Denied" messages when they try and browse the web, but not everyone.


      There's the default "Internet Services" rule which has no source or destination restrictions and contains all of the necessary protocols.


      We can see audit entries which would confirm that the connection is being blocked, but there's something very odd with the rule name being used:


      May 26 11:36:55 2011 BST  f_http_proxy a_proxy t_attack p_major

      pid: 1874 ruid: 0 euid: 0 pgid: 1874 logid: 0 cmd: 'httpp'

      domain: htpp edomain: htpp hostname: xxxxxx

      category: policy_violation event: ACL deny attackip: xxxxx

      attackburb: internal srcip: xxxxxx srcport: 10962 srcburb: internal

      dstip: xxxxx dstport: 80 dstburb: external protocol: 6

      service_name: http user_name: (null) auth_method: (null)

      rule_name: <deny no rule> cache_hit: 0 reason: Traffic denied by policy.


      I've never seen a rule name called <deny no rule> before and neither has my colleague. It has left us both scratching our heads, especially as the audit viewer is showing other HTTP connections being allowed through from the same client IP address quite happily...


      Interestingly, searching the KB for this string returns two entries, each being the release notes for 8.0.0 and 8.0.1 respectively, indicating that the release includes a fix for this problem. It's therefore strange, with both of us having worked with Sidewinder since 5.x, that neither of us has seen this before.

        • 1. Re: Traffic denied by "no rule"
          sliedl

          This may happen when one side of the session closes the connection before a rule can be found in your access control list.  It happens very fast, maybe like this:

          client -> server

          SYN ->

               <- SYN/ACK

               <- RST


          Before it can even go through all your rules and match one OR hit the Deny All rule the session has already ended, so it says <deny no rule>.


          It may also happen if you try to browse transparently through a non-transparent HTTP rule.

          • 2. Re: Traffic denied by "no rule"
            PhilM

            Thanks, Sam.


            My colleague took a look at this in my absence earlier this morning and seemed to pinpoint that the destination addresses in these audit records all seemed to belong to domains owned by Google. We're wondering if the users in question are either using Google Chrome or a Google Toolbar of sorts.


            Anyway, the customer has been informed and has gone away to check.


            Thanks again.

            Phil.
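The audit record format quoted in the original post, the "session closed before a rule matched" explanation in reply 1, and the per-destination check PhilM's colleague did in reply 2 can all be worked with the same small parser. This is an added example, not code from the thread or from the Sidewinder product: it splits the key/value audit layout (values such as `<deny no rule>` and `Traffic denied by policy.` contain spaces, so each value runs to the next `key:` token), pulls out the `<deny no rule>` records, counts them per destination and lists source IPs that also had permitted traffic. The sample records are constructed with documentation-range IPs; only the deny record mirrors the one posted, the permitted record's `t_nettraffic`/`ACL allow` shape is an assumption.

```python
import re
from collections import Counter

# Constructed sample records in the key/value layout quoted in the thread.
# Documentation-range IPs; the 'ACL allow' record is an assumed shape.
SAMPLE_AUDIT = [
    "May 26 11:36:55 2011 BST  f_http_proxy a_proxy t_attack p_major pid: 1874 ruid: 0 euid: 0 pgid: 1874 logid: 0 cmd: 'httpp' domain: htpp edomain: htpp hostname: fw1 category: policy_violation event: ACL deny attackip: 192.0.2.10 attackburb: internal srcip: 192.0.2.10 srcport: 10962 srcburb: internal dstip: 203.0.113.5 dstport: 80 dstburb: external protocol: 6 service_name: http user_name: (null) auth_method: (null) rule_name: <deny no rule> cache_hit: 0 reason: Traffic denied by policy.",
    "May 26 11:36:56 2011 BST  f_http_proxy a_proxy t_attack p_major pid: 1874 cmd: 'httpp' hostname: fw1 category: policy_violation event: ACL deny srcip: 192.0.2.11 srcport: 44120 srcburb: internal dstip: 203.0.113.5 dstport: 80 dstburb: external protocol: 6 service_name: http user_name: (null) rule_name: <deny no rule> cache_hit: 0 reason: Traffic denied by policy.",
    "May 26 11:36:58 2011 BST  f_http_proxy a_proxy t_attack p_major pid: 1874 cmd: 'httpp' hostname: fw1 category: policy_violation event: ACL deny srcip: 192.0.2.10 srcport: 10970 srcburb: internal dstip: 203.0.113.7 dstport: 80 dstburb: external protocol: 6 service_name: http user_name: (null) rule_name: <deny no rule> cache_hit: 0 reason: Traffic denied by policy.",
    "May 26 11:37:01 2011 BST  f_http_proxy a_proxy t_nettraffic p_minor pid: 1874 cmd: 'httpp' hostname: fw1 event: ACL allow srcip: 192.0.2.10 srcport: 10975 srcburb: internal dstip: 198.51.100.20 dstport: 80 dstburb: external protocol: 6 service_name: http user_name: (null) rule_name: Internet Services cache_hit: 1 reason: Traffic permitted by policy.",
]

# A field key is a word followed by ': '. The timestamp's '11:36:55' does not
# match because the colon there is followed by a digit, not a space.
KEY = re.compile(r"\b(\w+): ")


def parse_audit_entry(line):
    """Split one audit record into its header text plus key/value fields.
    Each value extends to the start of the next 'key: ' token, so values
    containing spaces ('<deny no rule>', 'ACL deny') survive intact."""
    keys = list(KEY.finditer(line))
    fields = {"_header": line[: keys[0].start()].strip() if keys else line.strip()}
    for i, m in enumerate(keys):
        end = keys[i + 1].start() if i + 1 < len(keys) else len(line)
        fields[m.group(1)] = line[m.end():end].strip()
    return fields


def summarize(lines):
    """Return (<deny no rule> hits per dstip, sorted source IPs that were
    both denied by 'no rule' and permitted by a real rule in the same set).
    The second list is the 'same client, some allowed, some denied' pattern."""
    entries = [parse_audit_entry(l) for l in lines if l.strip()]
    no_rule = [e for e in entries if e.get("rule_name") == "<deny no rule>"]
    allowed_src = {e["srcip"] for e in entries if e.get("event") == "ACL allow"}
    by_dst = Counter(e["dstip"] for e in no_rule)
    mixed = sorted({e["srcip"] for e in no_rule} & allowed_src)
    return by_dst, mixed


if __name__ == "__main__":
    hits, mixed_sources = summarize(SAMPLE_AUDIT)
    for dst, n in hits.most_common():
        print(f"{dst}: {n} x <deny no rule>")
    print("sources also seen permitted:", mixed_sources)
```

Feed the real audit export to `summarize()` one record per line; a destination list dominated by one provider, as PhilM's colleague found, points at a client-side component rather than the ACL itself.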