Cannot get response from DMZ due to DROP_NEWNOTSYN

I set up an explicit rule for the motioneye application to be allowed to send from DMZ 192.168.200.7 port 8765 to green 192.168.100.2.

But when I call the web interface 192.168.200.7:8765 from green I see only part of the GUI, the login dialog is missing and the application complains about an error that occurred.

In the ipfire-log I see several

DROP_NEWNOTSYN orange0 TCP 192.168.200.7 8765 192.168.100.2 36308

How can I configure the firewall not to drop these connection attempts?

To see more info on what caused the web gui error you should look in
/var/log/httpd/error_log

The dietpi motioneye has nothing alike - but it used to work some time ago… I wonder what pkg upgrade or conf change leads to this strange behaviour…

Thanks anyway, I will try to install the regular motioneye on Dietpi Raspi4.

Ah, sorry, my misunderstanding. I thought you were talking about the problem being seen on the IPFire web gui.

Regarding this log entry, a NEW NOT SYN message means that it was a new communication from orange to green but did not have the SYN bit set and therefore was not part of an ongoing communication from green to orange.
When you still get these messages when you have set up a rule to allow that orange IP on that port to connect to the specified green IP, then it suggests that there is a problem with the rule you have set up.

Can you show the rule that you have setup in the firewall?
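The reply above explains what the NEWNOTSYN check is; the script below is an added example written for this thread, not code from IPFire or from any of the posters. It parses log lines in the layout of the entry quoted earlier (the field order action, interface, protocol, source IP, source port, destination IP, destination port is an assumption about that layout), flags entries that run from a service port to a high ephemeral port (the shape of a server's reply, which is what the quoted 8765 to 36308 entry looks like), and models the state check itself: a packet that belongs to no tracked connection is only acceptable as the SYN that opens one. The sample log text is constructed.

```python
"""Parse IPFire-style DROP_NEWNOTSYN log lines and model the check behind them.

Added example for this thread; the log text below is constructed, and the
field order of the log line is an assumption based on the entry quoted above.
"""
import re
from dataclasses import dataclass
from typing import Iterable, Optional

SYN = 0x02  # TCP header flag bits
ACK = 0x10

# Constructed sample in the layout of the quoted entry:
# action  interface  proto  src-ip  src-port  dst-ip  dst-port
SAMPLE_LOG = """\
DROP_NEWNOTSYN orange0 TCP 192.168.200.7 8765 192.168.100.2 36308
DROP_NEWNOTSYN orange0 TCP 192.168.200.7 8765 192.168.100.2 36310
DROP_NEWNOTSYN orange0 TCP 192.168.200.9 51022 192.168.100.2 22
"""

LINE_RE = re.compile(
    r"^(?P<action>DROP_\w+)\s+(?P<iface>\S+)\s+(?P<proto>\S+)\s+"
    r"(?P<src>[\d.]+)\s+(?P<sport>\d+)\s+(?P<dst>[\d.]+)\s+(?P<dport>\d+)\s*$"
)


@dataclass(frozen=True)
class Drop:
    action: str
    iface: str
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


def parse_line(line: str) -> Optional[Drop]:
    """Return a Drop for one log line, or None when the line does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return Drop(m["action"], m["iface"], m["proto"], m["src"], int(m["sport"]),
                m["dst"], int(m["dport"]))


def parse_log(text: str) -> list:
    """Parse every matching line of a log dump, skipping anything else."""
    return [d for d in (parse_line(line) for line in text.splitlines()) if d]


def looks_like_lost_reply(drop: Drop, service_ports: Iterable[int]) -> bool:
    """True when the dropped packet runs from a known service port to an ephemeral port.

    That is the shape of a server's reply rather than a fresh client connection, so a
    NEWNOTSYN drop for it means the firewall no longer holds state for the session
    the client opened (timeout, asymmetric path, or a reset state table)."""
    return drop.sport in set(service_ports) and drop.dport >= 1024


def is_new_not_syn(flags: int, four_tuple: tuple, conntrack: set) -> bool:
    """Model of the check behind DROP_NEWNOTSYN.

    conntrack holds (src, sport, dst, dport) tuples of tracked connections as seen
    from the initiator; a packet in either direction of a tracked tuple is fine.
    An untracked packet is accepted only if it is a plain SYN (SYN set, ACK clear)."""
    src, sport, dst, dport = four_tuple
    tracked = four_tuple in conntrack or (dst, dport, src, sport) in conntrack
    if tracked:
        return False
    opens_connection = bool(flags & SYN) and not (flags & ACK)
    return not opens_connection


def summarize(text: str, service_ports: Iterable[int]) -> dict:
    """Count drops that look like lost replies versus genuinely new non-SYN packets."""
    drops = parse_log(text)
    ports = set(service_ports)
    lost = sum(looks_like_lost_reply(d, ports) for d in drops)
    return {"total": len(drops), "lost_reply": lost, "fresh_not_syn": len(drops) - lost}


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG, {8765}))
```

Running it on the constructed sample reports two drops that look like replies from port 8765 and one that is an unrelated non-SYN packet aimed at port 22; on a real log the useful split is the same, because a rule that permits the orange host to open connections does not help when the dropped packets are replies whose original session the state table has already forgotten.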

sure.

source ip 192.168.200.7 (DMZ)
target ip 192.168.100.2 (GREEN)
protocol TCP source Port 8765
accept

rule active
protocol active

That looks like it should be okay. I have other ports and services working from Orange to Green in a similar way on my system and I am not seeing the NEWNOTSYN messages.

I am afraid I don’t have any further ideas on what could be causing the problem.

That is already very valuable information. If I can achieve any improvement I will report about that.
Thank you.