OPNsense Forum

English Forums => 23.7 Legacy Series => Topic started by: lar.hed on December 27, 2023, 11:20:04 am

Title: Error in Live View (Firewall)?
Post by: lar.hed on December 27, 2023, 11:20:04 am
So for the last week or soooooo I have been chasing my own tail or something. The original plan was to try to create a white list rule set in firewall rules, by simply collecting "counters" (as I call them, rules that pass whatever is needed like https/http and so on) and one day simply remove the allow all get out of here rule. It is part of how I try to learn (again I might add) the needed firewall rules for the current installation....

Anyway, I have been playing around a bit with different "pass" rules. And then I have two "block" rules. One of them just "popped up" in Firewall - Live View and shows "PASS" even though it is clearly marked as "BLOCKED" in the rules definition....

So this should not be possible - can anyone explain what I am seeing or is this a feature? or bug?

Title: Re: Error in Live View (Firewall)?
Post by: lar.hed on December 27, 2023, 11:20:48 am
Attached the rule that Live View says it evaluated - but clearly this is not correct.....
Title: Re: Error in Live View (Firewall)?
Post by: franco on December 27, 2023, 11:58:02 am
What version are you on? It looks a little like https://github.com/opnsense/src/commit/f155405f50 but that was introduced in 23.7.7 kernel already.

If you notice the reason says "ip-option" which is a default drop reason. But under the old condition it would falsely report as "passed" due to using the default rule construct and not that particular rule... but it also appears to match the rule in question which is a bit weird, because it's not a pass rule.


Cheers,
Franco
Title: Re: Error in Live View (Firewall)?
Post by: lar.hed on December 27, 2023, 12:07:50 pm
I am on latest, just made upgrade this morning...

OPNsense 23.7.10_1-amd64
FreeBSD 13.2-RELEASE-p7
OpenSSL 1.1.1w

Well, I have not only this odd behavior in Live View, I posted this one a couple of days ago: https://forum.opnsense.org/index.php?topic=37738.0

And this is what is giving me a good run for the money currently. It is like the devil, I change a rule, and everything gets messed up in live view. For sure something works - but how would I be able to tell? I had some looks into plain view - but that seems to show the same rules per package - this is just weird.

From my current perspective I say: Filtering on IGMP and/or ICMP either is not working at all (they always seem to end up somewhere else in the list of rules...) or Live View just shows odd filters. I can not make any sense at all of this - I just know that what Live View presents is not correct - but I can not say if it shows correct (wrong rule is evaluated) or shows wrong (correct rule is evaluated). I am confused....
Title: Re: Error in Live View (Firewall)?
Post by: franco on December 27, 2023, 12:28:27 pm
Well, if the kernel end has another of these visibility glitches there really is no way of telling what it does is correct. You'd need to consult the rule hit counters instead (I don't yet doubt the firewall does what it should, but there is reasonable doubt in pflog given more issues in the past).


Cheers,
Franco
Title: Re: Error in Live View (Firewall)?
Post by: lar.hed on December 27, 2023, 05:02:12 pm
So basically I can not use Live View? Or Plain View?

What is the best way to observe what happens then?

Firewall Log over SSH (selection 10 after one has logged on through SSH)?
Title: Re: Error in Live View (Firewall)?
Post by: kd.gundermann on January 19, 2024, 10:11:10 pm
Filtering on IGMP and/or ICMP either is not working at all (they always seem to end up somewhere else in the list of rules...) or Live View just shows odd filters.

I am seeing the same behaviour here on:
OPNsense 23.10.1_2-amd64
FreeBSD 13.2-RELEASE-p7
OpenSSL 1.1.1w
Title: Re: Error in Live View (Firewall)?
Post by: 36thchamber on February 04, 2024, 07:58:03 pm
i was playing a lot with blocklists just now, filtering works for tcp, udp, icmp etc for me. recently i noticed some missing items in live view and plain view. what i can prove is that the unfriendly plain view (which is sadly the only render of the filtering information) doesn't list the blocked connections:

plain view:
No results found!
(alternatively a timeout and python script running forever, or multiple of them)

grep /var/log/filter/latest.log
...,blocked,....,Ip,......

so unless the logs are sourced to a remote analysis system (Dashboard, pfelk), i'm reduced to CLI. no other plugin can display this info, although there could be some intersection with ntopng, zenarmor if the blocklists are similar (at the cost of processing the same IPs twice).
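One way to do the cross-check franco suggested (trust the logged action per rule rather than the Live View rendering) directly on the file 36thchamber greps. This is an added example, not code from the thread or from OPNsense: the log lines are constructed, and the filterlog field order (rulenr,subrulenr,anchor,label,interface,reason,action,dir,ipver,...) is assumed from OPNsense's documented format.

```shell
#!/bin/sh
# Constructed sample lines in the layout of /var/log/filter/latest.log (OPNsense 23.7,
# RFC 5424 syslog framing). NOT real captures. After the "] " the filterlog CSV starts:
# rulenr,subrulenr,anchor,label,interface,reason,action,dir,ipver,tos,ecn,ttl,id,offset,
# flags,proto-id,proto-text,length,src,dst,... (field order assumed, see lead-in).
SAMPLE_LOG='<134>1 2023-12-27T11:15:01+01:00 fw filterlog 60421 - [meta sequenceId="1"] 6,,,02f4bab031b57d1e30553ce08e0ec131,igb0,match,pass,in,4,0x0,,64,11,0,DF,6,tcp,60,192.168.1.20,93.184.216.34,51234,443,0,S,12345,,65535,,mss
<134>1 2023-12-27T11:15:02+01:00 fw filterlog 60421 - [meta sequenceId="2"] 9,,,7d3a9c1e4b5f60718293a4b5c6d7e8f9,igb0,match,block,in,4,0x0,,1,12,0,none,2,igmp,32,192.168.1.20,224.0.0.1,datalength=8
<134>1 2023-12-27T11:15:03+01:00 fw filterlog 60421 - [meta sequenceId="3"] 9,,,7d3a9c1e4b5f60718293a4b5c6d7e8f9,igb0,ip-option,pass,in,4,0x0,,1,13,0,none,2,igmp,36,192.168.1.20,224.0.0.22,datalength=8
<134>1 2023-12-27T11:15:04+01:00 fw filterlog 60421 - [meta sequenceId="4"] 9,,,7d3a9c1e4b5f60718293a4b5c6d7e8f9,igb0,match,block,in,4,0x0,,1,14,0,none,2,igmp,32,192.168.1.20,224.0.0.1,datalength=8'

# Drop the syslog framing; keep only the filterlog CSV part of each line.
csv_only() { sed 's/^.*] //'; }

# Per-rule tally: "label action reason count". A rule defined as block in the GUI that
# shows up here with action "pass" is the oddity the thread is about.
tally_by_rule() {
  csv_only | awk -F, '{ k = $4 " " $7 " " $6; c[k]++ } END { for (k in c) print k, c[k] }' | sort
}

# Entries whose reason is not "match" (e.g. "ip-option", a default drop reason): per the
# thread these are the ones whose rule attribution and action are least trustworthy.
# Prints: label action reason proto src dst
suspicious() {
  csv_only | awk -F, '$6 != "match" { print $4, $7, $6, $17, $19, $20 }'
}

# Number of logged lines for one rule label with a given action.
# Usage: ... | count_label_action <label> <pass|block>
count_label_action() {
  csv_only | awk -F, -v l="$1" -v a="$2" '$4 == l && $7 == a { n++ } END { print n + 0 }'
}

printf '%s\n' "$SAMPLE_LOG" | tally_by_rule
printf '%s\n' "$SAMPLE_LOG" | suspicious
```

On a live box replace the sample with `cat /var/log/filter/latest.log | tally_by_rule` and compare each label's action column against the rule as defined in the GUI.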