OPNsense Forum » Archive » 21.7 Legacy Series » trouble using port alias
Topic: trouble using port alias (Read 3322 times)
benoit.lorand
trouble using port alias « on: January 25, 2022, 11:18:08 pm »
Hi,
I'm using OPNsense Community Edition 21.7.7.
I recently discovered that some connections are allowed by a rule that should not be used.
After some research, I found that when I link an alias for the destination ports, this rule seems to be the one used in Diagnostics/Sessions.
Has anyone seen this before?
Best regards,
B LORAND
benoit.lorand
Re: trouble using port alias « Reply #1 on: February 09, 2022, 10:35:07 pm »
For information, I'm using port aliases to specify multiple ports for one or more firewall rules.
The rules that are wrongly applied also have a source filter on only some IPs, but they match other IPs as well.
I have just tried disabling rule optimisation, but they are still wrongly applied.
Fright
Re: trouble using port alias « Reply #2 on: February 10, 2022, 03:38:06 pm »
Could you give a specific example, please?
benoit.lorand
Re: trouble using port alias « Reply #3 on: February 10, 2022, 10:07:43 pm »
Hi Fright,
Thanks for your interest in my case.
First of all, here is my OPNsense version. Note that I already had this problem in a previous version.
Here is the rule that matches.
Here are the aliases used by that rule.
Admins_Hosts is a network group that contains other host aliases. So here is the result:
And here is what I see in Sessions under Diagnostics. Note that the source IP and the destination port match nothing.
If you think of any other information that could help diagnose this problem, you can ask me for it.
Thanks
Benoit LORAND
benoit.lorand
Re: trouble using port alias « Reply #4 on: February 10, 2022, 11:55:05 pm »
Another thing: for now I have just removed the destination port alias by setting the protocol to "any", and it's working (not the way I want, because it covers all ports, but it's better than having some traffic allowed instead of denied).
Fright
Re: trouble using port alias « Reply #5 on: February 11, 2022, 06:33:36 am »
Hi
In the "sessions" screenshot I see that the sessions are quite old. In such a case it is likely that these sessions (states) were established before the rules were reordered or changed, and PF does not update the rule numbers in the state table in response to changes in the order of the rules or their parameters (so the rule number in "pf -vvss" output will point to the "wrong" rule: the number of the rule that created this state at the time the connection was created).
In order to accurately see changes in the behavior of PF in response to rule changes, it is necessary to observe new connections in the live log (Firewall: Log Files: Live View) and/or delete the old states, wait for new connections (if any), and then they can be seen on the Sessions page with the actual rule references.
Does the issue persist if you follow this procedure?
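The point made in the reply above is that pf records the number of the rule that created a state inside the state itself and never rewrites it when the ruleset is reloaded, so after rules are reordered or edited the "rule N" shown for an old state can name a rule that never matched that connection. The following is an added example to illustrate that check; it is not code from the thread or from the OPNsense project. It parses `pfctl -vvss`-style output, compares each state's age with the time elapsed since the last ruleset reload, and emits `pfctl -k host -k host` commands for the states that predate the reload. The sample output is constructed in the pfctl format; the assumption that the reload time can be read from the mtime of OPNsense's generated ruleset (/tmp/rules.debug) is a deployment detail the script does not verify.

```python
"""Flag pf states whose recorded rule number predates the last ruleset reload.

Added example, not part of the forum thread or of OPNsense. Usage on the box:
    pfctl -vvss | python3 stale_states.py [/path/to/generated/ruleset]
The ruleset file's mtime is taken as the time of the last reload (assumption:
OPNsense writes the generated rules to /tmp/rules.debug on every reload).
"""
import os
import re
import sys
import time
from dataclasses import dataclass

# Constructed sample in the layout printed by `pfctl -vvss`: a header line with
# interface, protocol, endpoints and TCP/UDP state, an optional sequence-number
# line for TCP, then the age/expiry/counters/rule line, then the state ids.
SAMPLE_PFCTL_VVSS = """\
all tcp 10.0.0.5:443 <- 192.168.1.10:54321       ESTABLISHED:ESTABLISHED
   [3456789012 + 65535] wscale 7  [2345678901 + 65535] wscale 7
   age 26:14:07, expires in 23:59:58, 4412:3980 pkts, 512301:1988120 bytes, rule 42
   id: 0000000061f3a1b2 creatorid: 12345678
all udp 192.168.1.10:49152 -> 10.0.0.53:53       SINGLE:MULTIPLE
   age 00:00:12, expires in 00:00:48, 1:1 pkts, 64:128 bytes, rule 17
   id: 0000000061f3a1b3 creatorid: 12345678
all tcp 10.0.0.22:22 <- 192.168.1.77:60012       ESTABLISHED:ESTABLISHED
   [1111111111 + 65535] wscale 6  [2222222222 + 65535] wscale 6
   age 02:05:30, expires in 23:59:50, 90:70 pkts, 9000:7000 bytes, rule 42
   id: 0000000061f3a1b4 creatorid: 12345678
"""

STATE_LINE = re.compile(
    r"^(?P<iface>\S+)\s+(?P<proto>\S+)\s+(?P<left>\S+)\s+(?P<arrow><->|<-|->)\s+"
    r"(?P<right>\S+)\s+(?P<status>\S+)\s*$"
)
# pfctl prints the age as HH:MM:SS (hours are not wrapped into days) and the
# creating rule number last on the same line.
AGE_LINE = re.compile(r"^\s+age\s+(?P<h>\d+):(?P<m>\d+):(?P<s>\d+),.*\brule\s+(?P<rule>\d+)\s*$")


def strip_port(endpoint: str) -> str:
    """'10.0.0.5:443' -> '10.0.0.5'; '[2001:db8::1]:443' -> '2001:db8::1'."""
    if endpoint.startswith("["):
        return endpoint[1:endpoint.index("]")]
    if endpoint.count(":") > 1:          # bare IPv6 address, no port
        return endpoint
    host, sep, _port = endpoint.rpartition(":")
    return host if sep else endpoint


@dataclass
class State:
    proto: str
    src: str           # initiating endpoint as printed by pfctl
    dst: str           # responding endpoint
    age_seconds: int
    rule: int          # rule number recorded when the state was created

    @property
    def src_host(self) -> str:
        return strip_port(self.src)

    @property
    def dst_host(self) -> str:
        return strip_port(self.dst)


def parse_states(text: str) -> list[State]:
    states: list[State] = []
    pending = None
    for line in text.splitlines():
        m = STATE_LINE.match(line)
        if m:
            left, right = m["left"], m["right"]
            # "A <- B" is an inbound state initiated by B towards A;
            # "A -> B" is an outbound state from A to B.
            src, dst = (right, left) if m["arrow"] == "<-" else (left, right)
            pending = (m["proto"], src, dst)
            continue
        m = AGE_LINE.match(line)
        if m and pending:
            age = int(m["h"]) * 3600 + int(m["m"]) * 60 + int(m["s"])
            states.append(State(*pending, age_seconds=age, rule=int(m["rule"])))
            pending = None
    return states


def stale_states(states: list[State], seconds_since_reload: int) -> list[State]:
    """States older than the last reload: their 'rule' field is not trustworthy."""
    return [s for s in states if s.age_seconds > seconds_since_reload]


def kill_commands(states: list[State]) -> list[str]:
    """pfctl -k <src host> -k <dst host> kills the states from src to dst."""
    return [f"pfctl -k {s.src_host} -k {s.dst_host}" for s in states]


def main(argv: list[str]) -> None:
    ruleset = argv[1] if len(argv) > 1 else "/tmp/rules.debug"  # assumption, see docstring
    since_reload = int(time.time() - os.stat(ruleset).st_mtime)
    stale = stale_states(parse_states(sys.stdin.read()), since_reload)
    for s in stale:
        print(f"# {s.proto} {s.src} -> {s.dst}: age {s.age_seconds}s > reload {since_reload}s ago, "
              f"recorded rule {s.rule} may be stale")
    for cmd in kill_commands(stale):
        print(cmd)


if __name__ == "__main__":
    main(sys.argv)
```

Run with the ruleset reloaded one hour ago, the constructed sample yields two stale states (the 26-hour and the 2-hour ones, both showing "rule 42"); only the 12-second UDP state was created under the current ruleset, so only its rule number can be trusted. Killing the stale states and then watching new connections in the live log is the procedure the reply describes; `pfctl -k` is an existing pfctl option, the kill is by host pair so it also drops other states between the same two hosts.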
benoit.lorand
Re: trouble using port alias « Reply #6 on: February 20, 2022, 11:02:30 am »
Hi,
I think you are right.
Is it possible that scheduled rules also change the rule ordering?
Best regards,
B LORAND
Fright
Re: trouble using port alias « Reply #7 on: February 20, 2022, 04:22:22 pm »
Hi
Quote: Is it possible that scheduled rules also change the rule ordering?
Not sure I understood the question correctly. Scheduled rules are regular rules that are switched to "disabled" when out of schedule (with or without the corresponding states being killed, depending on the Firewall: Settings: Advanced "Schedule States" setting), so some rule numbers will change after scheduled rules are enabled or disabled.