Tips and Resources

Endian firewall no connection to routed network BADTCP:DROP

Endian Firewall drops TCP connections to routed networks with BADTCP:DROP but ICMP (pings) OK

I've found that the Endian firewall community edition (I'm not sure if this also applies to the commercial version) will block TCP access to routed networks, despite pings and traceroute test working fine.

Network Setup

Consider this sample network configuration: 

internal host   --> Endian Appliance --> Public Internet


                                                                           -----> Router to third party network

A static route is set so that traffic for the third party network is sent to the router; the default route is set to the RED interface on the Endian Appliance eg:

source destination gateway

If you ping a host in the third party network from your internal host machine, the pings return successfully. Traceroute shows the packets are being directed through the router, but if you try to access any host in the third party network using a TCP connection, such as http etc, you'll find it wont connect. Checking the firewall log, you'll see the packets are being dropped:

BADTCP:DROP TCP (br0) -> (br0)

Note: You'll see this problem whether the outgoing firewall is enabled or not

This problem is caused by the Endian Appliance considering the TCP packets BAD as their return path is not back through the Endian appliance. To work around this problem, SSH into your endian appliance and run the following commands:

root@efw:~ # echo ENABLE_BADTCP=off > /var/efw/firewall/settings
root@efw:~ # chown nobody:nogroup /var/efw/firewall/settings
root@efw:~ # jobcontrol restart firewall --force

This change will disable the BADTCP checking within the firewall and reboot the firewall service inside the appliance. This setting is permanent and will stay after the appliance is shutdown / rebooted.