[SOLVED] I need to restart OPNSense to apply the rules !

Started by narfight, August 25, 2017, 07:54:41 AM

Previous topic - Next topic
Print
Go Down Pages1
User actions
August 25, 2017, 07:54:41 AM Last Edit: August 28, 2017, 02:34:46 PM by narfight
Hello,

I use OPNSense (OPNsense 17.7-amd64/FreeBSD 11.0-RELEASE-p11/OpenSSL 1.0.2l 25 May 2017) on Watchguard XTM505.

When I create a news or update a rules and click to "reaload changes", no error but the changement don't be apply !

filter reload log :
Code Select
1503639532.2634: Initializing
1503639532.2636: Creating aliases
1503639532.2637: Generating NAT rules
1503639532.2638: Creating 1:1 rules...
1503639532.2639: Creating outbound NAT rules
1503639532.264: Creating automatic outbound rules
1503639532.3072: Creating NAT rule Rediriger le trafic vers le proxy
1503639532.355: Loading filter rules
1503639532.3721: Setting up logging information
1503639532.3722: Setting up SCRUB information
1503639532.3722: Generating rules
1503639532.3867: Creating IPsec rules...
1503639532.3868: Executing packet filter reload
1503639532.4187: Cleanup schedule states
1503639532.4244: Reloading filterdns daemon
1503639532.4245: Flushing schedule state
1503639532.4246: Processing down interface states
1503639532.4247: Done

I need to restart OPNSense to apply correctly .... it's very no frendly use.

My test is very simple. I create à rule to allow ping or not on the interface
Code Select
IPv4 ICMP * * * * * Easy Rule: Passed from Firewall Log

Can you help me ?

Thk in advance
August 25, 2017, 08:25:31 AM #1
How do you test this? I suspect you are testing agains a known state of an already established connection. That doesn't work unless you clear the states, but this will disrupt *all* connections during a reload, so firewalls do not normally do this.
August 25, 2017, 12:12:06 PM #2
Hello,

Thank for your help.

I just tested this:

  • start an old computer
  • Takes his IP
  • create a rules to block ICMP from this IP and put this rules on the top
  • reload rules config
  • start PING on the old computer: firewall reply
  • reboot OPNSense
  • Rules loaded: firewall do not reply anymore

On SSH, the file /tmp/rules.debug is only updated on the reboot !
August 25, 2017, 02:55:23 PM #3
Hi there,

Are you sure you create the rule and apply before you start the ping?

If yes, please try to stop the ping that should be blocked and restart it. It should block unless the rules have really not been updated.

If the rules haven't been updated, we need to find out why your installation does that. It is not normal.


Cheers,
Franco
August 28, 2017, 01:12:02 PM #4
Hello,

I formatted the disk and changed to nano OS on CompacFlash.

When I reinupped my backup, everything came back to normal

Thank for your help.
August 28, 2017, 01:27:05 PM #5
Ok, glad to hear. Thanks for checking back. :)
Print
Go Up Pages1
User actions