Aliases ignored in rules since 23.7.8_1/3.0.12

Started by newsense, November 16, 2023, 05:09:33 AM

Hi Franco,

Here's an example taken from one of the FWs I moved on to 3.0.12 which hasn't been otherwise modified in a long time other than regular patching.

I already had the alias created for a while; I just moved it to the top now and added the explicit deny right after.

Verified in conf.xml the alias_uuid matches in both rule and alias sections, aliases are enabled and no other "garbage" appears to be present in the configuration.



As you can see in the screenshot, the rules are simple and the two running pings fail - so the alias is somehow ignored

1. Allow ICMP to Alias (1.1.1.1, 8.8.8.8 and 9.9.9.9)
2. Deny ICMP


The firewalls are now on OPNsense 23.7.8_14.

I'll be back shortly after I deploy a fresh VM and try to reproduce it there on stock 23.7, fully updated.




Hmm, I don't think OpenSSL is relevant in any way for aliases, unless you are trying to fetch them from an https URL perhaps.

Nope, as you can see in the screenshot they're IPs.

I'm mentioning OpenSSL for clarity so Franco doesn't have to guess if we're talking about a stock OPNsense or what's now in snapshots.

Could you share a /tmp/rules.debug?

See https://github.com/opnsense/core/issues/7017 for why I'm asking. I got a good hint from @AdSchellevis.
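As an added example (not code from the thread, and not OPNsense's own tooling), here is a small Python check over a /tmp/rules.debug-style pf ruleset that lists the alias tables a rule references without a matching table statement. The rule lines, interface names and the alias name Allow_ICMP below are constructed for the sample.

```python
import re
from typing import Dict, List

# Constructed sample in pf.conf style, standing in for /tmp/rules.debug.
# The Allow_ICMP table is used by the pass rule but has no table statement,
# which is what the ruleset looks like when alias generation never wrote
# the alias tables out.
SAMPLE_RULES = """\
# Aliases (this section stays empty when the alias script failed)
table <bogons> persist file "/usr/local/etc/bogons"

# User-defined rules
pass in quick on igb1 inet proto icmp from any to <Allow_ICMP> keep state label "allow icmp to alias"
block in quick on igb1 inet proto icmp from any to any label "deny icmp"
block in quick on igb0 from <bogons> to any label "block bogons"
"""

TABLE_DECL = re.compile(r"^\s*table\s+<([^>]+)>")   # table <name> ...
TABLE_REF = re.compile(r"<([^<>\s]+)>")             # <name> inside a rule


def check_alias_tables(rules_text: str) -> Dict[str, List[str]]:
    """Compare the tables a pf ruleset declares with the tables its rules use.

    "undeclared" holds names that rules reference but no table statement
    defines; pf evaluates such a rule against whatever the table currently
    holds, so if nothing ever filled it the pass rule matches no traffic.
    """
    declared, referenced = set(), set()
    for line in rules_text.splitlines():
        code = line.split("#", 1)[0]  # drop comments
        if not code.strip():
            continue
        decl = TABLE_DECL.match(code)
        if decl:
            declared.add(decl.group(1))
            continue
        referenced.update(TABLE_REF.findall(code))
    return {
        "declared": sorted(declared),
        "referenced": sorted(referenced),
        "undeclared": sorted(referenced - declared),
        "unused": sorted(declared - referenced),
    }


if __name__ == "__main__":
    for key, names in check_alias_tables(SAMPLE_RULES).items():
        print(f"{key:>10}: {', '.join(names) or '-'}")
```

Run against a saved copy of /tmp/rules.debug, an alias listed under "undeclared" is one the firewall rule names but that the alias generation never produced a table for, which is what an alias that is "ignored" looks like on the pf side.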

I haven't quite figured it out yet either. I have this issue with aliases of type Port(s).

I want all services to run at wire speed and therefore run this dedicated hardware configuration:

AMD Ryzen 7 9700x
ASUS Pro B650M-CT-CSM
64GB DDR5 ECC (2x KSM56E46BD8KM-32HA)
Intel XL710-BM1
Intel i350-T4
2x SSD with ZFS mirror
PiKVM for remote maintenance

private user, no business use

This issue is exclusive to the snapshot branch that is currently testing OpenSSL 3.0; production 23.7 is not affected.


This is the error that is affecting the alias tables and the native backend in DynDNS. For DynDNS a workaround is to change the backend to ddclient.

    from lib.alias import AliasParser
  File "/usr/local/opnsense/scripts/filter/lib/__init__.py", line 27, in <module>
    import dns.resolver
  File "/usr/local/lib/python3.9/site-packages/dns/resolver.py", line 30, in <module>
    import dns._ddr
  File "/usr/local/lib/python3.9/site-packages/dns/_ddr.py", line 12, in <module>
    import dns.nameserver
  File "/usr/local/lib/python3.9/site-packages/dns/nameserver.py", line 5, in <module>
    import dns.asyncquery
  File "/usr/local/lib/python3.9/site-packages/dns/asyncquery.py", line 32, in <module>
    import dns.quic
  File "/usr/local/lib/python3.9/site-packages/dns/quic/__init__.py", line 4, in <module>
    import aioquic.quic.configuration  # type: ignore
  File "/usr/local/lib/python3.9/site-packages/aioquic/quic/configuration.py", line 6, in <module>
    from ..tls import (
  File "/usr/local/lib/python3.9/site-packages/aioquic/tls.py", line 24, in <module>
    import service_identity
  File "/usr/local/lib/python3.9/site-packages/service_identity/__init__.py", line 6, in <module>
    from . import cryptography, hazmat, pyopenssl
  File "/usr/local/lib/python3.9/site-packages/service_identity/pyopenssl.py", line 32, in <module>
    from OpenSSL.crypto import X509
  File "/usr/local/lib/python3.9/site-packages/OpenSSL/__init__.py", line 8, in <module>
    from OpenSSL import SSL, crypto
  File "/usr/local/lib/python3.9/site-packages/OpenSSL/SSL.py", line 9, in <module>
    from OpenSSL._util import (
  File "/usr/local/lib/python3.9/site-packages/OpenSSL/_util.py", line 6, in <module>
    from cryptography.hazmat.bindings.openssl.binding import Binding
  File "/usr/local/lib/python3.9/site-packages/cryptography/hazmat/bindings/openssl/binding.py", line 167, in <module>
    Binding.init_static_locks()
  File "/usr/local/lib/python3.9/site-packages/cryptography/hazmat/bindings/openssl/binding.py", line 134, in init_static_locks
    cls._ensure_ffi_initialized()
  File "/usr/local/lib/python3.9/site-packages/cryptography/hazmat/bindings/openssl/binding.py", line 123, in _ensure_ffi_initialized
    _legacy_provider_error(cls._legacy_provider_loaded)
  File "/usr/local/lib/python3.9/site-packages/cryptography/hazmat/bindings/openssl/binding.py", line 43, in _legacy_provider_error
    raise RuntimeError(
RuntimeError: OpenSSL 3.0's legacy provider failed to load. This is a fatal error by default, but cryptography supports running without legacy algorithms by setting the environment variable CRYPTOGRAPHY_OPENSSL_NO_LEGACY.