Frequently Asked Questions
Posts: 648
Joined: 10 Apr 2008, 14:14
Location: Clavister HQ - Örnsköldsvik


Post by Peter » 22 Aug 2008, 13:27

This FAQ applies to:
  • Clavister CorePlus™ & cOS Core all versions

I have alot of "Default_Access_Rule" events in my logs, what is the cause of this?

Basically "Default_Access_Rule" is a routing problem. The Receive interface has received a packet from a source IP that is NOT routed on this interface. The action for this is dropped by Default_Access_Rule.


We have 2 Interfaces named Lan and Dmz with the following routes:

Route Lan
Route Dmz

Now as an example i move a PC behind the Dmz interface and place it behind the Lan interface without changing the IP to the correct one, the logs will be filled with events that look something like this:
  • RULE: id=06000051 rev=1 event=ruleset_drop_packet action=drop rule=Default_Access_Rule recvif=Lan srcip= destip= iphdrlen=24 ipproto=IGMP ipdatalen=16 type=34 maxresp=0 groupaddr=

    ARP: id=00300049 rev=1 event=invalid_arp_sender_ip_address action=drop rule=Default_Access_Rule recvif=Lan hwsender=00-0c-23-2c-30-4a hwdest=ff-ff-ff-ff-ff-ff arp=request srcenet=00-0c-29-2c-30-4a srcip= destenet=00-00-00-00-00-00 destip=
And the reason is that since is not routed on the Lan interface it will be dropped by the Default_Access_Rule.

Troubleshooting Default_Access_Rule is usually pretty simple as it is ALWAYS a kind of routing problem. Either from the client(s)/server(s), switches, routing tables etc etc. The main problem is that we have received a packet on this interface that is NOT routed there. Your best friend here is the logs, they will immediately tell you which interface the packet was received on and from which IP. If we look at the example above we clearly see that we have received a packet from an IP address that is not routed on that interface. For a clear view of the routing table simply type "routes" in the remote console.

Another good "tool" to troubleshoot problems with Default_Access_Rule is the ping simulation described in the following article: viewtopic.php?f=8&t=3401