Hi Franco,
Here's an example taken from one of the FWs I moved on to 3.0.12 which hasn't been otherwise modified in a long time other than regular patching.
I already had the alias created for a while, just moved it now to the top and added the explicit deny right after.
Verified in conf.xml the alias_uuid matches in both rule and alias sections, aliases are enabled and no other "garbage" appears to be present in the configuration.
As you can see in the screenshot, the rules are simple and the two running pings fail - so the alias is somehow ignored.
1. Allow ICMP to Alias (1.1.1.1, 8.8.8.8 and 9.9.9.9)
2. Deny ICMP
The firewalls are now on OPNsense 23.7.8_14.
I'll be back shortly after I deploy a fresh VM and try to reproduce it there on stock 23.7 fully updated.
3.0.12 of what?
OpenSSL 3.0.12
Hmm, I don't think OpenSSL is relevant in any way for aliases, unless you are trying to fetch them from https url perhaps.
Nope, as you can see in the screenshot they're IPs.
I'm mentioning OpenSSL for clarity so Franco doesn't have to guess if we're talking about a stock OPNsense or what's now in snapshots.
Could you share a /tmp/rules.debug?
See https://github.com/opnsense/core/issues/7017 why I'm asking. I got a good hint from @AdSchellevis
I haven't quite figured it out yet either. I have this issue with aliases of type Port(s).
might be related with:
https://forum.opnsense.org/index.php?topic=36967.msg180814#msg180814
This issue is exclusive to the snapshot branch that is currently testing OpenSSL 3.0; production 23.7 is not affected.
This is the error that is affecting the alias tables and the native backend in DynDNS. For DynDNS a workaround is to change the backend to ddclient.
from lib.alias import AliasParser
File "/usr/local/opnsense/scripts/filter/lib/__init__.py", line 27, in <module>
import dns.resolver
File "/usr/local/lib/python3.9/site-packages/dns/resolver.py", line 30, in <module>
import dns._ddr
File "/usr/local/lib/python3.9/site-packages/dns/_ddr.py", line 12, in <module>
import dns.nameserver
File "/usr/local/lib/python3.9/site-packages/dns/nameserver.py", line 5, in <module>
import dns.asyncquery
File "/usr/local/lib/python3.9/site-packages/dns/asyncquery.py", line 32, in <module>
import dns.quic
File "/usr/local/lib/python3.9/site-packages/dns/quic/__init__.py", line 4, in <module>
import aioquic.quic.configuration # type: ignore
File "/usr/local/lib/python3.9/site-packages/aioquic/quic/configuration.py", line 6, in <module>
from ..tls import (
File "/usr/local/lib/python3.9/site-packages/aioquic/tls.py", line 24, in <module>
import service_identity
File "/usr/local/lib/python3.9/site-packages/service_identity/__init__.py", line 6, in <module>
from . import cryptography, hazmat, pyopenssl
File "/usr/local/lib/python3.9/site-packages/service_identity/pyopenssl.py", line 32, in <module>
from OpenSSL.crypto import X509
File "/usr/local/lib/python3.9/site-packages/OpenSSL/__init__.py", line 8, in <module>
from OpenSSL import SSL, crypto
File "/usr/local/lib/python3.9/site-packages/OpenSSL/SSL.py", line 9, in <module>
from OpenSSL._util import (
File "/usr/local/lib/python3.9/site-packages/OpenSSL/_util.py", line 6, in <module>
from cryptography.hazmat.bindings.openssl.binding import Binding
File "/usr/local/lib/python3.9/site-packages/cryptography/hazmat/bindings/openssl/binding.py", line 167, in <module>
Binding.init_static_locks()
File "/usr/local/lib/python3.9/site-packages/cryptography/hazmat/bindings/openssl/binding.py", line 134, in init_static_locks
cls._ensure_ffi_initialized()
File "/usr/local/lib/python3.9/site-packages/cryptography/hazmat/bindings/openssl/binding.py", line 123, in _ensure_ffi_initialized
_legacy_provider_error(cls._legacy_provider_loaded)
File "/usr/local/lib/python3.9/site-packages/cryptography/hazmat/bindings/openssl/binding.py", line 43, in _legacy_provider_error
raise RuntimeError(
RuntimeError: OpenSSL 3.0's legacy provider failed to load. This is a fatal error by default, but cryptography supports running without legacy algorithms by setting the environment variable CRYPTOGRAPHY_OPENSSL_NO_LEGACY.
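As an added diagnostic (not code from the thread or from the OPNsense project), the script below reproduces the import chain from the traceback in a child interpreter, classifies the failure, and reports whether the CRYPTOGRAPHY_OPENSSL_NO_LEGACY workaround named in the error unblocks the import. It assumes a Python 3 interpreter with the cryptography package installed; the function names are my own.

```python
import os
import re
import subprocess
import sys

# Importing this module runs Binding.init_static_locks() at module level, which
# is the step that raised the RuntimeError in the traceback above.
PROBE = "import cryptography.hazmat.bindings.openssl.binding"

# The fatal message raised by cryptography's _legacy_provider_error.
LEGACY_RE = re.compile(r"RuntimeError: OpenSSL 3\.0's legacy provider failed to load")


def classify(stderr: str) -> str:
    """Classify the captured stderr of the probe.

    Returns 'ok', 'legacy_provider', 'not_installed' or 'other'.
    """
    if not stderr.strip():
        return "ok"
    if LEGACY_RE.search(stderr):
        return "legacy_provider"
    if "ModuleNotFoundError: No module named 'cryptography'" in stderr:
        return "not_installed"
    return "other"


def probe(no_legacy: bool) -> str:
    """Run the probe in a child interpreter, with or without the workaround set."""
    env = dict(os.environ)
    env.pop("CRYPTOGRAPHY_OPENSSL_NO_LEGACY", None)  # start from a clean state
    if no_legacy:
        env["CRYPTOGRAPHY_OPENSSL_NO_LEGACY"] = "1"
    proc = subprocess.run([sys.executable, "-c", PROBE], env=env,
                          capture_output=True, text=True)
    return "ok" if proc.returncode == 0 else classify(proc.stderr)


def diagnose() -> dict:
    """Compare the default import against the CRYPTOGRAPHY_OPENSSL_NO_LEGACY workaround."""
    default, workaround = probe(False), probe(True)
    return {"default": default, "with_no_legacy": workaround,
            "workaround_helps": default == "legacy_provider" and workaround == "ok"}


if __name__ == "__main__":
    print(diagnose())
```

On an affected snapshot host the report shows 'legacy_provider' by default and 'ok' with the variable set; on stock 23.7 both probes return 'ok'.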