Messages - GarryG

#1
Tonight I decided to update from my 20.1 VM to 20.7 ... after quite a while (system isn't the fastest I/O-wise) the system booted just fine ... until about 20 seconds and dozens of errors on the console later, it crashed ... rebooted, came up, next crash ...
I wasn't able to actually get any logs or debugs from the system as it wouldn't stay up long enough ... as I had already had my servers down too long for the update, I decided to just do a rollback to the snapshot ... Before I did, I downloaded the 20.7 config file, and will try to do a clean install of the 20.7 image and load the config, see if that works better ...
Does anybody have an idea if there is some known issue when doing the 20.1->20.7 update?

(P.S. - running 20.1.9_1 at the moment)
#2
I manually recreated everything on the OPNSense VM ...

Also, I'm pretty sure that the firewall was still working at some point ... just can't tell what happened at some point (not too long ago) that it's not creating any rules anymore from the actual config ... I'm hoping to pin it down somehow if I can follow how the config is turned into the actual pf rules ...

Just restarted the old pfsense installation in order to get back to some (albeit slightly outdated) protection .. ;) That way I can mess around with the OPN installation without making it any worse ...
#3
I believe there is some basic problem when creating the pf rules ... I compared to another pfsense system, using pfctl -sr, I get a nice dump of all the rules ... as mentioned earlier, there's not a single rule output when I do the same on the opnsense machine ...

Is there some script that I can trace that takes the gui output/config file and creates all the pf rules?
#4
I switched from pfsense some time back, and after some initial problems when migrating my rulesets, most everything seems to be working fine. Or so I thought.
A couple days ago one of my VMs behind OPNsense started to get hit by lots of brute-force SSH connection attempts ... which seemed weird as I had a pretty decent set of rules that should only allow for certain ports to be open, SSH not being one of them, and have an explicit deny all rule in the WAN rules.
Now, even adding a deny all-all to port 22 right at the beginning of my WAN rules, I can still get through to my servers ...
Now, I've not had any problems with pfsense with blocking or allowing access, nor anything else I've used in the last 20+ years as a firewall (multiple Linux firewalls, Cisco ASA, Fortigate, ...)
So either some rule got totally out of hand in the backend that isn't visible in the list on the frontend, or I have some misconception of OPNsense ...

Now, I'm not a *BSD guy, so please excuse my ignorance here ... I thought I could just rely on the frontend converting what I configured to something that worked in the backend, but somehow something obviously isn't ... so, e.g., I read up on pf, and supposedly "pfctl -sr" should output the current ruleset. Problem is, I get nothing when I run that command ...

What am I missing here???
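The two questions in #3 and #4 (is there a script I can trace from config to pf rules, and why does `pfctl -sr` print nothing) both come down to checking what pf actually has loaded versus what the GUI generated. The script below is an added example written for this thread, not code from the forum or from the OPNsense project. It works offline on a constructed ruleset dump in the format `pfctl -sr` prints (so the parsing can be tried anywhere), and the `audit_live` function then runs the same checks against a real box. It assumes, as is my understanding of OPNsense 20.x, that the generated ruleset is written to /tmp/rules.debug before being loaded with `pfctl -f`; treat that path and the interface name `em0` as assumptions to adjust for your system.

```shell
#!/bin/sh
# Constructed sample of a pf ruleset dump (not taken from the thread). Live output of
# `pfctl -sr` may print service names ("port = ssh") instead of numbers, so the port
# matcher below accepts a regex such as '(22|ssh)'.
SAMPLE_RULES='block drop in log quick on em0 inet proto tcp from any to any port = 22
pass in quick on em0 inet proto tcp from any to 192.0.2.10 port = 443 flags S/SA keep state
block drop in log on em0 all'

# Number of pass/block/match rules in a ruleset dump. 0 means pf is enforcing nothing,
# which is exactly the symptom of an empty `pfctl -sr`.
count_rules() {
    printf '%s\n' "$1" | awk '/^(pass|block|match)/ { n++ } END { print n + 0 }'
}

# Exit 0 if the dump holds an inbound block rule for TCP port $3 on interface $2.
# $3 is an extended regex, e.g. '(22|ssh)'.
has_block_for_port() {
    printf '%s\n' "$1" | grep -q -E "^block .* on $2 .*proto tcp .*port = $3( |\$)"
}

# Checks against the running system (assumed OPNsense/FreeBSD layout; needs root).
audit_live() {
    if ! command -v pfctl >/dev/null 2>&1; then
        echo "pfctl not found; skipping live checks"
        return 0
    fi
    # If pf itself is Disabled, no rule is enforced no matter what the GUI shows.
    pfctl -s info | grep -E '^Status'
    rules=$(pfctl -sr)
    echo "loaded rules: $(count_rules "$rules")"
    if has_block_for_port "$rules" em0 '(22|ssh)'; then
        echo "an inbound block for tcp/22 on em0 is loaded"
    else
        echo "no inbound block for tcp/22 on em0 is loaded"
    fi
    # Assumed path: OPNsense writes the generated ruleset here before loading it.
    # `-n` parses without loading, so a syntax error in the generated file (a common
    # reason for an empty ruleset) is reported without touching the live state.
    if [ -f /tmp/rules.debug ]; then
        pfctl -nf /tmp/rules.debug && echo "/tmp/rules.debug parses cleanly"
    fi
    return 0
}

# Offline demonstration on the constructed sample.
echo "sample rules: $(count_rules "$SAMPLE_RULES")"
if has_block_for_port "$SAMPLE_RULES" em0 '(22|ssh)'; then
    echo "sample blocks tcp/22 on em0"
fi
audit_live
```

If `pfctl -s info` reports pf as Enabled but the rule count is 0, the generated file is the place to look: a rule the parser rejects (a typo in an alias, an interface that no longer exists after a VM change) makes pf load nothing from that file, which matches the "no rules, everything gets through" behaviour described in #4.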