17.6. Troubleshooting Firewall Rules

First, remember that rules are processed top down, and the first match is the only rule that applies.

Secondly, remember to check your logs on the Diagnostics -> Logs page, Firewall tab. This will show you what is getting dropped by the default deny all rule. When troubleshooting rules, it can be helpful to enable logging on the rules in question, at least temporarily. Remember that SmallWall has limited local logging space, so don't enable too much logging on a long-term basis.

Remember that if you need to permit services from the Internet into any private IP space, you need to configure NAT as well as firewall rules, and we recommend using the "auto add firewall rule" option when adding NAT entries.

17.6.1. Reading raw IPFilter logs

If all else fails and you need to determine exactly which rule is dropping the traffic, go to status.php on your SmallWall and find the "last 50 filter log entries" section. Find the log line applying to the traffic in question, and make note of the rule number. The rule number is denoted by an @ followed by a number, then a colon, then another number, for example @0:18. The 0 indicates the first group, and the 18 indicates rule number 18 in group 0.

Then go up to the output of "ipfstat -nio" and find the rule in question. Anything without a group number at the end of the rule is in group 0. @1:1 would indicate the first rule with "group 100" at the end of the rule, @2:1 would be the first rule with "group 200" at the end of the rule, and so on. Finding the exact rule this way can make troubleshooting easier, since some rules are added by the SmallWall back end and are not visible on the rules page.
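The lookup described above, from an @group:rule token in a filter log line to the matching line of "ipfstat -nio" output, as an added example in Python (this is illustration code, not part of SmallWall or IPFilter). The ipfstat output and the log lines are constructed samples, and the ordering of groups (group 0 first, then the numbered groups in ascending order, so that @1 is "group 100" and @2 is "group 200") is an assumption taken from the examples in the text. The parser deliberately ignores the "@N" prefix printed by ipfstat and counts a rule's position within its group itself, so it also reports when an index is out of range, which happens when the log and the ipfstat output were captured at different times.

```python
import re
from collections import OrderedDict

# Constructed sample resembling "ipfstat -nio" output (not real SmallWall output).
# "@N" is the rule's number within its group. A rule ending in "group N" belongs
# to group N; a rule with no such suffix belongs to group 0.
IPFSTAT_OUTPUT = """\
@1 pass out quick on lo0 all
@2 pass in quick on lo0 all
@3 block in log quick on fxp0 all head 100
@4 block out log quick on fxp0 all head 200
@1 pass in quick on fxp0 proto tcp from any to 192.0.2.10 port = 443 group 100
@2 pass in quick on fxp0 proto udp from any to 192.0.2.10 port = 53 group 100
@3 block in log quick on fxp0 all group 100
@1 pass out quick on fxp0 from 192.0.2.0/24 to any group 200
@2 block out log quick on fxp0 all group 200
"""

# Constructed filter log lines in ipmon style; the "@G:R" token is the part the
# text describes (G = group position, R = rule position within that group).
FILTER_LOG = """\
12/03/2015 10:15:22.104233 fxp0 @0:2 p 192.0.2.10,443 -> 198.51.100.7,51234 PR tcp len 20 52 -A OUT
12/03/2015 10:15:23.551902 fxp0 @1:3 b 198.51.100.7,40123 -> 192.0.2.10,22 PR tcp len 20 60 -S IN
12/03/2015 10:15:24.002117 fxp0 @2:2 b 192.0.2.10,33333 -> 203.0.113.5,25 PR tcp len 20 60 -S OUT
"""

GROUP_SUFFIX = re.compile(r"\sgroup\s+(\d+)\s*$")
RULE_REF = re.compile(r"@(\d+):(\d+)")


def parse_ipfstat(text):
    """Return an OrderedDict: group number -> list of rule lines, in order.

    Group 0 (rules with no trailing "group N") comes first; the remaining
    groups follow in ascending numeric order. That ordering is an assumption
    matching the text's examples (@1 -> group 100, @2 -> group 200).
    """
    groups = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = GROUP_SUFFIX.search(line)
        num = int(m.group(1)) if m else 0
        groups.setdefault(num, []).append(line)
    ordered = OrderedDict()
    ordered[0] = groups.get(0, [])
    for num in sorted(n for n in groups if n != 0):
        ordered[num] = groups[num]
    return ordered


def parse_rule_ref(log_line):
    """Extract (group_position, rule_position) from the "@G:R" token, or None."""
    m = RULE_REF.search(log_line)
    if not m:
        return None
    return int(m.group(1)), int(m.group(2))


def resolve_rule(groups, group_pos, rule_pos):
    """Map a (group_position, rule_position) pair to the ipfstat rule text.

    Rule positions are 1-based within a group, as in the @G:R token; group
    position 0 is the ungrouped rules. Returns None when either index is out
    of range, e.g. when the log and the ipfstat output are from different times.
    """
    group_numbers = list(groups)
    if group_pos < 0 or group_pos >= len(group_numbers):
        return None
    rules = groups[group_numbers[group_pos]]
    if rule_pos < 1 or rule_pos > len(rules):
        return None
    return rules[rule_pos - 1]


def find_blocking_rule(ipfstat_text, log_text, dst_ip, dst_port):
    """Find the first log line for traffic to dst_ip:dst_port and resolve its rule."""
    groups = parse_ipfstat(ipfstat_text)
    needle = "-> %s,%s " % (dst_ip, dst_port)
    for line in log_text.splitlines():
        if needle in line:
            ref = parse_rule_ref(line)
            if ref is None:
                return None
            return resolve_rule(groups, *ref)
    return None


if __name__ == "__main__":
    # Which rule handled the SSH attempt to 192.0.2.10 in the constructed log?
    rule = find_blocking_rule(IPFSTAT_OUTPUT, FILTER_LOG, "192.0.2.10", 22)
    print("SSH to 192.0.2.10 was handled by:", rule)
```

On a real SmallWall you would paste the "ipfstat -nio" output from status.php into IPFSTAT_OUTPUT and the relevant lines from the "last 50 filter log entries" section into FILTER_LOG; a None result means the rule set changed between the two captures and both should be collected again together.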