Messages

1

22.7 Legacy Series / Re: Firewall rules not applied without resetting state table

« on: November 08, 2022, 05:52:12 pm »

If you are asking for all states to be reset on a firewall rule reload imagine restarting your firewall in a company setting during working hours. That's exactly why you want connection states to be remembered...


Cheers,
Franco

No doubt about this, but I ask you. If i have to flush the states table to make the applied rule really effective, what's the difference?

More over. If I'm adding a rule that blocks specific traffic why not to flush only states that should be affected by that rule?
I see that in the states table I can search and delete states line by line, why not doing this automatically? I think filter out states affected by the new rule shoud not be so difficult.

Or let the admin be abe to choose, something like "You added a block rule, shoud the states table be flushed?" when the rule is applied.

I don't want to be annoying, just thinking.

What do you do when you REALLY need to add such a rule in your environment? how do you plan the change?

thanks in advance

2

22.7 Legacy Series / Re: Firewall rules not applied without resetting state table

« on: November 08, 2022, 04:16:05 pm »

You can see it like this:

Opening a door causes everyone to go in immediately, even if the door was closed before.
Closing a door causes that no one can go in, but it will not kick out anyone already inside, but flushing states will kick out everyone.

Clear but, not the exact example maybe.

If i'm pinging the "open door" and the door is closed meanwhile i expect that the next ping finds the "door" closed and so fails.

Maybe not closing or kicking off established connections (TCP or others) but new connection i expect will be blocked or denied.

Only my opinion...

3

22.7 Legacy Series / Re: Firewall rules not applied without resetting state table

« on: November 08, 2022, 04:11:18 pm »

Sorry for the (maybe) stupid question but why not flushing automatically states (if needed) if something changes in the rule set?

Maybe only my opinion but in a firewall, if I want to block someting (adding and applying a rule) why do I need to do something else to REALLY apply a rule?

 

4

22.7 Legacy Series / Firewall rules not applied without resetting state table

« on: November 08, 2022, 03:49:52 pm »

Hi,
  i was struggling with the configuration of a site 2 site openvpn PSK VPN on a testing environment.

The test configuration is this:

client1         -|                                                                |-client3
(192.168.101.20) |                                                                | (192.168.102.20)
                 |    opnsense1 (Server)                    opnsense2 (Client)    |
                 |--- LAN: 192.168.101.1 <----------------> LAN: 192.168.102.1 ---|
                 |    WAN: 192.168.17.45                    WAN: 192.168.17.46    |
client2         -|                                                                |-client4
(192.168.101.21) |             |------- TUNNEL NETWORK  -------|                  | (192.168.102.21)
                                       (10.10.10.0/24)


The firewall rule on WAN interface on opnsense1 was set to allow incoming connection on openvpn server port (1194).
The firewall rules on OpenVPN interface correctly set as shown in the attached image.
The openvpn tunnel goes up ad expected.

Now, the problem.

From client 4 there are 2 terminals pinging 192.168.101.20 and 192.168.101.21.

With the rules configured (see the attachment) I can ping both client1 and client2.

If I disable the second rule (allow packets to 192.168.101.21) I expect to see the first terminal continue pinging client1 and the second terminal stopping pinging client2, but both pings still work.

I go to Firewall->Diagnostics->States->Actions->reset state table

The ping to client2 stops and the ping to client1 still works (the expected behaviour).

If I re-enable the rule the ping to client2 starts responding instantly (as expected).

If I disable (again) the rule the ping to client2 continue responding (sigh) until i go to flush states table.

Is this the expected behaviour?

If needed i can attach both firewalls configuration files.

Thanks in advance for any reply to my question.

5

Web Proxy Filtering and Caching / Re: [SOLVED] get rid of host forgery detected

« on: April 26, 2019, 12:15:31 pm »

That's a good question I cannot answer without further help from you.

While the original requesters never confirmed this works as intended they also never complained it did not.

That means:

a) It works and you are having another local issue you need to help us debug.

b) It doesn't work and you need to help us debug.


Cheers,
Franco

I think that the fix never worked, i see that i'm not the only one that have the problem.

I'll be happy to help debugging the problem, what should i do? Is there something you need?

6

Web Proxy Filtering and Caching / Re: [SOLVED] get rid of host forgery detected

« on: April 24, 2019, 05:13:06 pm »

Sorry, I don't understand, if 19.1.2 has the fix why my "OPNsense 19.1.5_1-amd64" (i think it's a later version) still has the problem?

 

7

Web Proxy Filtering and Caching / Re: get rid of host forgery detected

« on: April 09, 2019, 06:46:17 pm »

Hi all,
  any news about this issue? I updated my firewall to 19.1.5 but the issue still remains.

Best regards