Firewall rules are sticky

Started by eck, Today at 12:30:09 PM

Firewall rules are sticky. Version 26.1.1 (tested with ping).
When I create a rule, it doesn't matter if it is a rule or a rule [new]:
  ip4 any to any
After starting this, the rule is applied as expected.
When I turn off the rule,
 my ping request still runs fine (also in a new session).
I have to reboot the firewall, and then the rule is not valid any more.

See the first note in the docs? A reboot is not necessary.
Intel N100, 4* I226-V, 2* 82559, 16 GByte, 500 GByte NVME, ZTE F6005

1100 down / 800 up, Bufferbloat A+

Thank you for the answer.

Still, it is a strange behavior.
Better would be a question whether to leave the states active or reset them right away.

Stateful firewalls are one of the best inventions in firewalls so why doubt it?

I always find these "my test reveals that my assumptions are wrong but can you please change the behaviour to match my assumptions" are not as effective as bug reports as one might hope.


Cheers,
Franco

Stateful is great, but when I change a rule I expect that the state also changes and not that I first have to reset all states.

Otherwise I think that everything works fine when I change some rules, and after some time the states are reset and the system doesn't work any more.

This is my way of thinking; I respect yours.

Greetings

You can reset your states. You can set your rules to not track state. It's up to you really.  :)


Cheers,
Franco

This is not so much about your thinking or expectations - it is a tradeoff:

Firewall states are hard to reset w/r to the changed rules only (e.g., because the Apply button can change multiple rules at once).

When you actually do a full state reset, on the other hand, this means that all current states are lost. This is why there is a warning that pops up when you actually do that:
Quote: Resetting the state tables will remove all entries from the corresponding tables. This means that all open connections will be broken and will have to be re-established. This may be necessary after making substantial changes to the firewall and/or NAT rules, especially if there are IP protocol mappings (e.g. for PPTP or IPv6) with open connections.

The firewall will normally leave the state tables intact when changing rules.

Note: If you reset the firewall state table, the browser session may appear to be hung after clicking "Reset". Simply refresh the page to continue.

I.e.: you would not want to automatically break existing connections for any rule change. Or at least: most people would not want that.

The way it looks, Franco is right: you had different expectations than how OPNsense actually works (for good reasons). Now you know, and you can reset firewall states after rule changes manually if you need to (and you know at what expense that comes).
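As an added example (not code from this thread or from OPNsense), the tradeoff described above in code: parse a `pfctl -ss` state dump, list the states for a host that would survive disabling that host's rule, and emit targeted `pfctl -k HOST -k PEER` commands as an alternative to a full `pfctl -F states` that breaks every connection. The state lines are constructed sample data in the FreeBSD `pfctl -ss` layout (IPv4 `addr:port`, IPv6 `addr[port]`, pre-NAT address in parentheses), which is an assumption about that format.

```python
import re
from typing import Dict, List, Optional

# Constructed sample of `pfctl -ss` output (not captured from a real firewall):
# <if> <proto> <src> [(pre-NAT src)] -> <dst>   <src-state>:<dst-state>
SAMPLE_STATES = """\
all tcp 192.168.1.50:51234 -> 93.184.216.34:443       ESTABLISHED:ESTABLISHED
all icmp 192.168.1.50:9876 -> 8.8.8.8:9876       0:0
all udp 192.168.1.77:41000 -> 9.9.9.9:53       MULTIPLE:SINGLE
all tcp 203.0.113.5:51235 (192.168.1.50:51235) -> 93.184.216.34:80       ESTABLISHED:ESTABLISHED
"""

STATE_RE = re.compile(
    r"^(?P<ifname>\S+)\s+(?P<proto>\S+)\s+(?P<src>\S+)"
    r"(?:\s+\((?P<orig>[^)]+)\))?\s+(?P<dir>->|<-)\s+(?P<dst>\S+)\s+(?P<state>\S+)\s*$"
)


def strip_port(endpoint: str) -> str:
    """Return the address part: '10.0.0.5:443' -> '10.0.0.5', '2001:db8::1[443]' -> '2001:db8::1'."""
    if "[" in endpoint:                 # IPv6 form assumed: addr[port]
        return endpoint.split("[", 1)[0]
    return endpoint.rsplit(":", 1)[0]   # IPv4 form: addr:port


def parse_states(text: str) -> List[Dict[str, Optional[str]]]:
    """Parse each state line into its fields; lines that do not match are skipped."""
    return [m.groupdict() for line in text.splitlines() if (m := STATE_RE.match(line))]


def states_for_host(text: str, host: str) -> List[Dict[str, Optional[str]]]:
    """States whose inner source (pre-NAT address when present) is `host`.

    These are the entries that keep passing traffic after the host's rule is
    disabled, because pf consults rules only when creating a state.
    """
    return [e for e in parse_states(text)
            if strip_port(e["orig"] or e["src"]) == host]


def targeted_kill_commands(text: str, host: str) -> List[str]:
    """One `pfctl -k SRC -k DST` per surviving (host, peer) pair.

    This removes only the affected states, unlike `pfctl -F states` (the GUI
    'Reset' button), which drops every connection on the firewall.
    """
    pairs = sorted({(host, strip_port(e["dst"])) for e in states_for_host(text, host)})
    return [f"pfctl -k {src} -k {dst}" for src, dst in pairs]
```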