Alias based firewall rules doesn't work after upgrade to 22.1.8

Started by tuxlemmi, May 25, 2022, 01:57:16 PM

Quote from: db7 on May 25, 2022, 09:51:29 PM
Quote from: mannp on May 25, 2022, 09:34:07 PM
Quote from: db7 on May 25, 2022, 09:11:40 PM
Quote from: Com DAC on May 25, 2022, 03:54:18 PM
After the upgrade my rules weren't working either. After reading this post I opened my aliases and edited and re-saved each alias and they all started working.

Just sharing that a revert to 22.1.7_1 is the only durable fix for this I've found. I tried the disable/enable alias trick as well. It works, but after a reboot the aliases return to not working correctly, and of course neither will the rules that depend on them.

Did you use opnsense-revert to get to 22.1.7_1? Struggling to find the process... thx

Yes, that's correct. You'll want to run this:

opnsense-revert -r 22.1.7_1 opnsense

Then reboot, everything should come back up as it was.  If you can't reboot after install, you can probably do the disable/enable on aliases to bring them up for the current session, and then the reverted opnsense package will handle loading them correctly on the next reboot.

I've tried to revert to 22.1.7_1 using the code snippet above from the CLI, and it appears that there isn't a 22.1.7_1 release - at least I don't see that folder on any of the mirrors I've checked. Can someone please confirm if that release is correct, or is it just 22.1.7? (That folder exists.)

I'm still having trouble even with 22.1.8_1, and just need things to work - no time to troubleshoot these days.  If someone could please advise which is the best release to revert to, I'd appreciate it.


Hotfix directories are merged into a single release after subsequent releases to avoid people catching unpatched releases; it's best never to use the hotfix annotation with opnsense-revert.


Cheers,
Franco

Quote from: franco on June 09, 2022, 03:49:44 PM
Hotfix directories are merged into a single release after subsequent releases to avoid people catching unpatched releases; it's best never to use the hotfix annotation with opnsense-revert.


Cheers,
Franco

Awesome - thanks for confirming that. Appreciated!

Looks like I have the same issue on the business edition 22.4.1

I have some nested groups with FQDNs inside allowing other Linux servers to update from the internet. Running apt upgrade failed for some of the FQDNs even if they existed in the group. The apt log showed the IP address it tried to connect to for the corresponding FQDN. Checking on OPNsense > Firewall > Diagnostics > Aliases I could find all of the failing IP addresses inside the alias.
So it looks like the alias was provisioned with the correct IP addresses but the rules did not pick it up. After opening the alias and saving it, the rules were correctly passing the traffic...

Assuming the previously mentioned hotfix was just merged into the community release, how will this be addressed in the business edition?


The alias code in question hasn't been issued to opnsense-business just yet so it's a separate issue or the initial report here is convoluted.


Cheers,
Franco

Not sure if I got you right @franco.

Are you asking me to open a separate thread for the business edition, or is it something you are going to adapt anyway to the business edition? If so, is there any planned release date?

January 09, 2023, 12:28:59 AM #51 Last Edit: January 09, 2023, 01:48:51 AM by warren_peace
For others that find this: the issue is still present in 22.7.10 as of 8 Jan 2023.... <--- almost did the 2022 thing. Too early in the year.

I created an "approved_ips" alias in my firewall and all IPs are failing the check. Like one of the users suggested, there could be something broken in the system: when I go to Firewall > Diagnostics > Aliases and view the statistics, all of them are 0s. Even if I create a pass rule with a /8 network, it always comes back 0. I've rebooted and enabled / disabled / enabled aliases and firewall rules, moved the order around and modified rdr rules with no effect. IT'S BROKEN.

EDIT: found a weird solution, but this still needs to be addressed. As mentioned 2-3 pages ago on this forum, if you navigate to Firewall > Diagnostics > Aliases and select the alias you are working with, you will see zero packets, 0 bytes, and it is just completely useless. If you add the IP address you want to use and click the "+" quick add, which is supposed to add the address to the alias, it will start working. If you navigate back to Firewall > Aliases you will not see the added entries in that alias.

The core problem at hand, I think, is that when you enter data into the actual alias page, it's not really being added as it should. Next I'm going to try different browsers and facing my computer in different directions.

Furthermore, when you view the entry under Firewall > Aliases, my alias now says 4 entries, but when I click on it there are only 2. When I go into Firewall > Diagnostics and select the alias, it has the 4 entries I put in there on that page earlier. FYI this is 22.7.10 despite the thread being about version 22.1.7, so this has been a problem for a while.

When in doubt about the functionality, best execute an update from the console first using:

/usr/local/opnsense/scripts/filter/update_tables.py

If that doesn't exit normally, there's something to look at.

Best regards,
Ad

Running OPNsense 22.7.11_1-amd64.
Trying to get aliases to work but they're not populating hosts (e.g. twitch.tv).
Ran update_tables.py and got the output:

root@opnsense:~ # python3 /usr/local/opnsense/scripts/filter/update_tables.py
Traceback (most recent call last):
  File "/usr/local/opnsense/scripts/filter/update_tables.py", line 130, in <module>
    geoip.download_geolite()
  File "/usr/local/opnsense/scripts/filter/lib/geoip.py", line 71, in download_geolite
    with zipfile.ZipFile(tmp_stream, mode='r', compression=zipfile.ZIP_DEFLATED) as zf:
  File "/usr/local/lib/python3.9/zipfile.py", line 1266, in __init__
    self._RealGetContents()
  File "/usr/local/lib/python3.9/zipfile.py", line 1333, in _RealGetContents
    raise BadZipFile("File is not a zip file")
zipfile.BadZipFile: File is not a zip file

Any help is appreciated.

Likely the file downloaded for geoip in Firewall->Aliases->Geoip settings isn't a valid database. If you remove the Url or change it to a valid geoip target, the error should go away.

I will push a patch for future versions to send the message to the log and prevent a crash in these cases.

Best regards,

Ad
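The fix Ad describes above, validating the geoip download and logging instead of crashing, shown as an added example. This is hypothetical helper code written for this thread, not the geoip.py that ships with OPNsense; the sample zip and the HTML "download" are constructed inline, and the function and logger names are assumptions.

```python
import io
import logging
import zipfile

log = logging.getLogger("geoip_example")


def build_sample_zip() -> bytes:
    """Constructed sample: a tiny GeoLite-style zip with one CSV member."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, mode="w", compression=zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("GeoLite2-Country-Blocks-IPv4.csv",
                    "network,geoname_id\n192.0.2.0/24,6252001\n")
    return buf.getvalue()


GOOD_DOWNLOAD = build_sample_zip()
# Constructed sample: what a misconfigured Url returns instead of the database.
BAD_DOWNLOAD = b"<html><body>404 Not Found</body></html>"


def geolite_csv_members(payload: bytes):
    """Return the CSV member names in a downloaded GeoLite zip, or None.

    Hypothetical helper, not the geoip.py shipped with OPNsense: an invalid
    payload is logged and skipped instead of letting zipfile.BadZipFile
    abort the whole update_tables.py run as in the traceback above.
    """
    if not zipfile.is_zipfile(io.BytesIO(payload)):
        log.error("geoip download is not a zip file (%d bytes); check the Url "
                  "under Firewall->Aliases->Geoip settings", len(payload))
        return None
    try:
        with zipfile.ZipFile(io.BytesIO(payload), mode="r") as zf:
            return sorted(n for n in zf.namelist() if n.endswith(".csv"))
    except zipfile.BadZipFile as exc:  # magic bytes present but archive corrupt
        log.error("geoip zip is corrupt: %s", exc)
        return None


def refresh_geoip(payload: bytes) -> bool:
    """Mimic the update step: True when the geoip table could be rebuilt."""
    members = geolite_csv_members(payload)
    if not members:
        log.warning("keeping the previous geoip table")
        return False
    log.info("loaded %d CSV member(s): %s", len(members), ", ".join(members))
    return True
```

With a bad download the other alias tables still get refreshed and the operator sees a log line pointing at the Geoip URL setting rather than a traceback.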

Quote from: AdSchellevis on January 31, 2023, 09:58:04 PM
Likely the file downloaded for geoip in Firewall->Aliases->Geoip settings isn't a valid database. If you remove the Url or change it to a valid geoip target, the error should go away.

I will push a patch for future versions to send the message to the log and prevent a crash in these cases.

Best regards,

Ad

Thanks for the tip. It's fixed now.