Anti-Lockout Rule (Destination NAT) -> open ports external?

Started by RamSense, February 01, 2026, 02:06:54 PM

Found it! Some little bug. Thanks Patrick.
Your simple "there must be some rule allowing this" made me wonder whether deleting the old rules had done its job or not.

And there I went through the old interface rules, and there was one rule left on WAN! So deleting all old rules with [Remove all legacy rules] in the wizard did not do it all. Maybe a bug there? The wizard did not remove one; rather, it just added an important one you do not want to have!

IPv4+6 *    *    *    *    *    *    *           

Deciso DEC850v2

Actually, that was not a "little" bug. But did that rule come out of the blue or was it present before?

Because you obviously have used the migration assistant, you should be able to look at the rules before the migration.

This would be helpful to tell if there is a potential "HUGE" bug or just a misconfiguration on your part.
Intel N100, 4* I226-V, 2* 82559, 16 GByte, 500 GByte NVME, ZTE F6005

1100 down / 800 up, Bufferbloat A+

I had a rule exactly like this for interface "enc0" in my export which I needed to delete manually before migrating. No idea what the cause of this might be atm.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

I still have my imported CSV list here and looked through it. There is no allow-all rule there.
Since all my rules have a description, it was easy to see that there was none without one, like the one in the screen capture above.
When searching for WAN I did not find an allow-all rule.

Maybe you can also replicate this out-of-the-blue rule.
Deciso DEC850v2

Quote from: Patrick M. Hausen on February 01, 2026, 10:08:45 PM
> I had a rule exactly like this for interface "enc0" in my export which I needed to delete manually before migrating. No idea what the cause of this might be atm.

Related? https://forum.opnsense.org/index.php?topic=50591.0


Makes no sense to me. What does this dump?

# pluginctl -g filter.rule


Cheers,
Franco

Quote from: Patrick M. Hausen on February 01, 2026, 10:08:45 PM
> I had a rule exactly like this for interface "enc0" in my export which I needed to delete manually before migrating. No idea what the cause of this might be atm.

Same here. That specific rule was "hidden" before: I was unable to find it in the old rules under 26.1, but apparently it was exported.
Intel N100, 4* I226-V, 2* 82559, 16 GByte, 500 GByte NVME, ZTE F6005

1100 down / 800 up, Bufferbloat A+

Quote from: meyergru on Today at 09:15:23 AM
> Quote from: Patrick M. Hausen on February 01, 2026, 10:08:45 PM
> > I had a rule exactly like this for interface "enc0" in my export which I needed to delete manually before migrating. No idea what the cause of this might be atm.
>
> Same here. That specific rule was "hidden" before: I was unable to find it in the old rules under 26.1, but apparently it was exported.

Since I did use IPsec and I did have an "allow all" rule on that tunnel years ago, I suspect I just removed the VPN configuration and the rule was left orphaned in the configuration.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

Quote from: franco on Today at 08:27:16 AM
> Makes no sense to me. What does this dump?
>
> # pluginctl -g filter.rule
>
> Cheers,
> Franco

When I run this now I get:

pluginctl -g filter.rule
[]

This was in the export file I made of the old rules, with the magically appeared rule included, before deleting it:

@uuid,enabled,statetype,state-policy,sequence,action,quick,interfacenot,interface,direction,ipprotocol,protocol,icmptype,icmp6type,gateway,replyto,disablereplyto,log,allowopts,nosync,nopfsync,statetimeout,max-src-nodes,max-src-states,max-src-conn,max,max-src-conn-rate,max-src-conn-rates,overload,adaptivestart,adaptiveend,prio,set-prio,set-prio-low,tag,tagged,tcpflags1,tcpflags2,categories,sched,tos,shaper1,shaper2,description,source_not,source_net,source_port,destination_not,destination_net,destination_port
3af43003-284b-4680-ab3f-faffe9391068,1,keep,,1,pass,1,0,opt3,in,inet46,any,,,,,0,0,0,0,0,,,,,,,,,,,,,,,,,,,,,,,,0,any,,0,any,

I think the export/import tool seems to do something when an error is mentioned, if I interpreted the various notifications about this on the forum correctly.

Deciso DEC850v2
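A pre-migration check for the kind of rule discussed in this thread, as an added example that is not part of the thread and not OPNsense's own code: it parses the legacy-rule CSV export format shown in the post above and flags every enabled pass rule with protocol any, source any and destination any, every rule bound to an interface that no longer exists on the box, and every rule without a description (the clue RamSense used to spot the stray rule). The header is the one from the post; the allow-all row is rebuilt field by field from the post; the second rule, its UUID, and the interface list are constructed for the example.

```python
import csv
import io

# Column header exactly as in the legacy-rule CSV export quoted in the thread.
HEADER = ("@uuid,enabled,statetype,state-policy,sequence,action,quick,interfacenot,"
          "interface,direction,ipprotocol,protocol,icmptype,icmp6type,gateway,replyto,"
          "disablereplyto,log,allowopts,nosync,nopfsync,statetimeout,max-src-nodes,"
          "max-src-states,max-src-conn,max,max-src-conn-rate,max-src-conn-rates,overload,"
          "adaptivestart,adaptiveend,prio,set-prio,set-prio-low,tag,tagged,tcpflags1,"
          "tcpflags2,categories,sched,tos,shaper1,shaper2,description,source_not,"
          "source_net,source_port,destination_not,destination_net,destination_port").split(",")

# Assumption for the example: the interfaces that still exist on the box.
# 'opt3' (the former IPsec/enc0 interface from the thread) is deliberately absent.
KNOWN_INTERFACES = {"wan", "lan", "opt1", "opt2"}


def make_row(values):
    """Serialise one rule as a CSV line in HEADER order; columns not given stay empty."""
    buf = io.StringIO()
    csv.writer(buf, lineterminator="\n").writerow([values.get(col, "") for col in HEADER])
    return buf.getvalue()


# Constructed sample export: the orphaned allow-all row from the thread, rebuilt
# field by field from that post, plus one ordinary rule invented for the example.
SAMPLE_CSV = ",".join(HEADER) + "\n" + make_row({
    "@uuid": "3af43003-284b-4680-ab3f-faffe9391068", "enabled": "1", "statetype": "keep",
    "sequence": "1", "action": "pass", "quick": "1", "interfacenot": "0", "interface": "opt3",
    "direction": "in", "ipprotocol": "inet46", "protocol": "any", "disablereplyto": "0",
    "log": "0", "allowopts": "0", "nosync": "0", "nopfsync": "0",
    "source_not": "0", "source_net": "any", "destination_not": "0", "destination_net": "any",
}) + make_row({
    "@uuid": "0e2f7b6c-1a2b-4c3d-8e9f-0a1b2c3d4e5f", "enabled": "1", "statetype": "keep",
    "sequence": "2", "action": "pass", "quick": "1", "interfacenot": "0", "interface": "wan",
    "direction": "in", "ipprotocol": "inet", "protocol": "tcp", "log": "1",
    "description": "Allow HTTPS to DMZ web server (constructed example)",
    "source_not": "0", "source_net": "any", "destination_not": "0",
    "destination_net": "10.0.10.5", "destination_port": "443",
})


def parse_rules(csv_text):
    """Parse an export into a list of dicts keyed by the header names."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def is_allow_all(rule):
    """True for an enabled 'pass' rule with no protocol, address or port restriction."""
    return (rule["enabled"] == "1"
            and rule["action"] == "pass"
            and rule["protocol"] == "any"
            and rule["source_not"] == "0" and rule["source_net"] == "any"
            and rule["source_port"] == ""
            and rule["destination_not"] == "0" and rule["destination_net"] == "any"
            and rule["destination_port"] == "")


def audit_rules(csv_text, known_interfaces):
    """Return the rules worth a second look before importing, each with its reasons."""
    findings = []
    for rule in parse_rules(csv_text):
        reasons = []
        if is_allow_all(rule):
            reasons.append("allow-all: pass %s any -> any" % rule["ipprotocol"])
        if rule["interface"] and rule["interface"] not in known_interfaces:
            reasons.append("interface %r is not on the box (orphaned?)" % rule["interface"])
        if not rule["description"]:
            reasons.append("no description")
        if reasons:
            findings.append({"uuid": rule["@uuid"], "interface": rule["interface"],
                             "reasons": reasons})
    return findings


if __name__ == "__main__":
    # Run against a real export instead: audit_rules(open("rules.csv").read(), {...})
    for finding in audit_rules(SAMPLE_CSV, KNOWN_INTERFACES):
        print(finding["uuid"], finding["interface"], "; ".join(finding["reasons"]))
```

Run it over the CSV the wizard exported, with the interface list taken from the current box, and anything it prints is a candidate to delete before importing. The interface check is the one that catches the case in this thread: a rule whose interface was removed with the VPN configuration is invisible in the legacy rule pages but still present in the export.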

So the legacy rules are fully purged. That's good.

The export only exports what is physically there. I think that's still good.

The import of that rule did something unexpected? It should be reproducible on your end then.


Cheers,
Franco

I still have the CSV file that was exported and imported. In this file, this rule isn't there. (And nobody would like to have such a rule ;-))
Deciso DEC850v2