Topic: Rule behaviour / need Explanation (Read 9459 times)
drgonzo
Newbie
Posts: 9
Karma: 0
Rule behaviour / need Explanation
« on: May 08, 2017, 02:26:32 pm »
I've the following floating rule to allow OPNsense itself to get updates from the internet:
("internal networks" is an alias containing all internal networks)
Allow Source: This Firewall - Destination !(internal networks) Prot:TCP,443 log
When I click "check for updates" everything works fine, BUT if I look into the log files I see entries for this rule matching https AND http on port 80.
I checked the rule in pfinfo and for me it looks like the rule allows any traffic.
pass log quick inet proto tcp from (self:4) to ! flags S/SA keep state label "USER_RULE"
chemlud
Hero Member
Posts: 2486
Karma: 112
Re: Rule behaviour / need Explanation
« Reply #1 on: May 08, 2017, 02:59:21 pm »
I never tried it, but I would think the opnsense needs no firewall rules to get to its update server at all... It will simply turn to the WAN interface and go wherever it wants to.
kind regards
chemlud
____
"The price of reliability is the pursuit of the utmost simplicity."
C.A.R. Hoare
felix eichhorn's premium cat food with the extra portion of energy
A router is not a switch - A router is not a switch - A router is not a switch - A rou....
drgonzo
Newbie
Posts: 9
Karma: 0
Re: Rule behaviour / need Explanation
« Reply #2 on: May 08, 2017, 03:09:53 pm »
Without that rule, the final drop rule catches the request and drops everything, and no updates are possible.
There is no real WAN interface...all interfaces are LAN.
The point is that I've a rule which does not do what it is supposed to do...
« Last Edit: May 08, 2017, 03:14:28 pm by drgonzo »
chemlud
Hero Member
Posts: 2486
Karma: 112
Re: Rule behaviour / need Explanation
« Reply #3 on: May 08, 2017, 03:29:09 pm »
From my experience: The forum will only be able to help you if you post the full list of rules (including floating)... ;-)
drgonzo
Newbie
Posts: 9
Karma: 0
Re: Rule behaviour / need Explanation
« Reply #4 on: May 08, 2017, 03:48:33 pm »
It's rule 60:
@0 scrub on hn0 all fragment reassemble
[ Evaluations: 20511 Packets: 16086 Bytes: 2137028 States: 0 ]
[ Inserted: uid 0 pid 95144 State Creations: 0 ]
@1 scrub on hn2 all fragment reassemble
[ Evaluations: 4425 Packets: 2855 Bytes: 15169 States: 0 ]
[ Inserted: uid 0 pid 95144 State Creations: 0 ]
@2 scrub on hn1 all fragment reassemble
[ Evaluations: 1570 Packets: 1570 Bytes: 67265 States: 0 ]
[ Inserted: uid 0 pid 95144 State Creations: 0 ]
@0 block drop in on ! hn0 inet from 192.168.178.0/24 to any
[ Evaluations: 7182 Packets: 0 Bytes: 0 States: 0 ]
[ Inserted: uid 0 pid 95144 State Creations: 0 ]
@1 block drop in inet from 192.168.178.5 to any
[ Evaluations: 5860 Packets: 0 Bytes: 0 States: 0 ]
[ Inserted: uid 0 pid 95144 State Creations: 0 ]
@2 block drop in on ! hn2 inet from 192.168.130.0/24 to any
[ Evaluations: 5357 Packets: 0 Bytes: 0 States: 0 ]
[ Inserted: uid 0 pid 95144 State Creations: 0 ]
@3 block drop in inet from 192.168.130.1 to any
[ Evaluations: 5357 Packets: 0 Bytes: 0 States: 0 ]
[ Inserted: uid 0 pid 95144 State Creations: 0 ]
@4 block drop in on ! hn1 inet from 192.168.120.0/24 to any
[ Evaluations: 5357 Packets: 0 Bytes: 0 States: 0 ]
[ Inserted: uid 0 pid 95144 State Creations: 0 ]
@5 block drop in inet from 192.168.120.1 to any
[ Evaluations: 5357 Packets: 0 Bytes: 0 States: 0 ]
[ Inserted: uid 0 pid 95144 State Creations: 0 ]
@6 block drop in on hn0 inet6 from fe80::215:5dff:fef4:1120 to any
[ Evaluations: 5845 Packets: 0 Bytes: 0 States: 0 ]
[ Inserted: uid 0 pid 95144 State Creations: 0 ]
@7 block drop in on hn2 inet6 from fe80::215:5dff:fef4:1124 to any
[ Evaluations: 1667 Packets: 0 Bytes: 0 States: 0 ]
[ Inserted: uid 0 pid 95144 State Creations: 0 ]
@8 block drop in on hn1 inet6 from fe80::215:5dff:fef4:1123 to any
[ Evaluations: 1081 Packets: 0 Bytes: 0 States: 0 ]
[ Inserted: uid 0 pid 95144 State Creations: 0 ]
@9 pass in log quick on lo0 inet6 all flags S/SA keep state label "Pass all loopback IPv6"
[ Evaluations: 488 Packets: 0 Bytes: 0 States: 0 ]
[ Inserted: uid 0 pid 95144 State Creations: 0 ]
@10 block drop in quick inet6 all label "Block all IPv6"
[ Evaluations: 488 Packets: 488 Bytes: 53367 States: 0 ]
[ Inserted: uid 0 pid 95144 State Creations: 0 ]
@11 block drop in inet all label "Default deny rule"
[ Evaluations: 5357 Packets: 0 Bytes: 0 States: 0 ]
[ Inserted: uid 0 pid 95144 State Creations: 0 ]
@12 block drop in inet6 all label "Default deny rule"
[ Evaluations: 5357 Packets: 0 Bytes: 0 States: 0 ]
[ Inserted: uid 0 pid 95144 State Creations: 0 ]
@13 pass in log quick inet6 proto ipv6-icmp all icmp6-type unreach keep state label "IPv6 requirements (ICMP)"
[ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ]
[ Inserted: uid 0 pid 95144 State Creations: 0 ]
@14 pass in log quick inet6 proto ipv6-icmp all icmp6-type toobig keep state label "IPv6 requirements (ICMP)"
[ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ]
[ Inserted: uid 0 pid 95144 State Creations: 0 ]
@15 pass in log quick inet6 proto ipv6-icmp all icmp6-type neighbrsol keep state label "IPv6 requirements (ICMP)"
[ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ]
[ Inserted: uid 0 pid 95144 State Creations: 0 ]
@16 pass in log quick inet6 proto ipv6-icmp all icmp6-type neighbradv keep state label "IPv6 requirements (ICMP)"
[ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ]
[ Inserted: uid 0 pid 95144 State Creations: 0 ]
@17 pass out log quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type echorep keep state label "IPv6 requirements (ICMP)"
[ Evaluations: 1337 Packets: 0 Bytes: 0 States: 0 ]
[ Inserted: uid 0 pid 95144 State Creations: 0 ]
@18 pass out log quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type echorep keep state label "IPv6 requirements (ICMP)"
[ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ]
[ Inserted: uid 0 pid 95144 State Creations: 0 ]
@19 pass out log quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type routersol keep state label "IPv6 requirements (ICMP)"
[ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ]
[ Inserted: uid 0 pid 95144 State Creations: 0 ]
@20 pass out log quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type routersol keep state label "IPv6 requirements (ICMP)"
[ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ]
[ Inserted: uid 0 pid 95144 State Creations: 0 ]
@21 pass out log quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type routeradv keep state label "IPv6 requirements (ICMP)"
[ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ]
[ Inserted: uid 0 pid 95144 State Creations: 0 ]
@22 pass out log quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type routeradv keep state label "IPv6 requirements (ICMP)"
[ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ]
[ Inserted: uid 0 pid 95144 State Creations: 0 ]
@23 pass out log quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type neighbrsol keep state label "IPv6 requirements (ICMP)"
[ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ]
[ Inserted: uid 0 pid 95144 State Creations: 0 ]
@24 pass out log quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type neighbrsol keep state label "IPv6 requirements (ICMP)"
[ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ]
[ Inserted: uid 0 pid 95144 State Creations: 0 ]
@25 pass out log quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type neighbradv keep state label "IPv6 requirements (ICMP)"
[ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ]
[ Inserted: uid 0 pid 95144 State Creations: 0 ]
@26 pass out log quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type neighbradv keep state label "IPv6 requirements (ICMP)"
[ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ]
[ Inserted: uid 0 pid 95144 State Creations: 0 ]
@27 pass in log quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type echoreq keep state label "IPv6 requirements (ICMP)"
[ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ]
[ Inserted: uid 0 pid 95144 State Creations: 0 ]
@28 pass in log quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type echoreq keep state label "IPv6 requirements (ICMP)"
[ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ]
[ Inserted: uid 0 pid 95144 State Creations: 0 ]
@29 pass in log quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type routersol keep state label "IPv6 requirements (ICMP)"
[ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ]
[ Inserted: uid 0 pid 95144 State Creations: 0 ]
@30 pass in log quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type routersol keep state label "IPv6 requirements (ICMP)"
[ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ]
[ Inserted: uid 0 pid 95144 State Creations: 0 ]
@31 pass in log quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type routeradv keep state label "IPv6 requirements (ICMP)"
[ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ]
[ Inserted: uid 0 pid 95144 State Creations: 0 ]
@32 pass in log quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type routeradv keep state label "IPv6 requirements (ICMP)"
[ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ]
[ Inserted: uid 0 pid 95144 State Creations: 0 ]
@33 pass in log quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type neighbrsol keep state label "IPv6 requirements (ICMP)"
[ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ]
[ Inserted: uid 0 pid 95144 State Creations: 0 ]
@34 pass in log quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type neighbrsol keep state label "IPv6 requirements (ICMP)"
[ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ]
[ Inserted: uid 0 pid 95144 State Creations: 0 ]
@35 pass in log quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type neighbradv keep state label "IPv6 requirements (ICMP)"
[ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ]
[ Inserted: uid 0 pid 95144 State Creations: 0 ]
@36 pass in log quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type neighbradv keep state label "IPv6 requirements (ICMP)"
[ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ]
[ Inserted: uid 0 pid 95144 State Creations: 0 ]
@37 pass in log quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type echoreq keep state label "IPv6 requirements (ICMP)"
[ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ]
[ Inserted: uid 0 pid 95144 State Creations: 0 ]
@38 pass in log quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type routersol keep state label "IPv6 requirements (ICMP)"
[ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ]
[ Inserted: uid 0 pid 95144 State Creations: 0 ]
@39 pass in log quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type routeradv keep state label "IPv6 requirements (ICMP)"
[ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ]
[ Inserted: uid 0 pid 95144 State Creations: 0 ]
@40 pass in log quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type neighbrsol keep state label "IPv6 requirements (ICMP)"
[ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ]
[ Inserted: uid 0 pid 95144 State Creations: 0 ]
@41 pass in log quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type neighbradv keep state label "IPv6 requirements (ICMP)"
[ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ]
[ Inserted: uid 0 pid 95144 State Creations: 0 ]
@42 block drop in quick inet proto tcp from any port = 0 to any
[ Evaluations: 6694 Packets: 0 Bytes: 0 States: 0 ]
[ Inserted: uid 0 pid 95144 State Creations: 0 ]
@43 block drop in quick inet proto tcp from any to any port = 0
[ Evaluations: 31 Packets: 0 Bytes: 0 States: 0 ]
[ Inserted: uid 0 pid 95144 State Creations: 0 ]
@44 block drop in quick inet proto udp from any port = 0 to any
[ Evaluations: 5357 Packets: 0 Bytes: 0 States: 0 ]
[ Inserted: uid 0 pid 95144 State Creations: 0 ]
@45 block drop in quick inet proto udp from any to any port = 0
[ Evaluations: 5154 Packets: 0 Bytes: 0 States: 0 ]
[ Inserted: uid 0 pid 95144 State Creations: 0 ]
@46 block drop in quick inet6 proto tcp from any port = 0 to any
[ Evaluations: 5357 Packets: 0 Bytes: 0 States: 0 ]
[ Inserted: uid 0 pid 95144 State Creations: 0 ]
@47 block drop in quick inet6 proto tcp from any to any port = 0
[ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ]
[ Inserted: uid 0 pid 95144 State Creations: 0 ]
@48 block drop in quick inet6 proto udp from any port = 0 to any
[ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ]
[ Inserted: uid 0 pid 95144 State Creations: 0 ]
@49 block drop in quick inet6 proto udp from any to any port = 0
[ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ]
[ Inserted: uid 0 pid 95144 State Creations: 0 ]
@50 pass in log quick proto carp all keep state
[ Evaluations: 5357 Packets: 0 Bytes: 0 States: 0 ]
[ Inserted: uid 0 pid 95144 State Creations: 0 ]
@51 block drop in quick proto tcp from to (self:9) port = ssh label "sshlockout"
[ Evaluations: 5357 Packets: 0 Bytes: 0 States: 0 ]
[ Inserted: uid 0 pid 95144 State Creations: 0 ]
@52 block drop in quick proto tcp from to (self:9) port = https label "webConfiguratorlockout"
[ Evaluations: 31 Packets: 0 Bytes: 0 States: 0 ]
[ Inserted: uid 0 pid 95144 State Creations: 0 ]
@53 block drop in quick from to any label "virusprot overload table"
[ Evaluations: 5357 Packets: 0 Bytes: 0 States: 0 ]
[ Inserted: uid 0 pid 95144 State Creations: 0 ]
@54 block drop in quick on hn0 from to any label "block bogon IPv4 networks from Intranet"
[ Evaluations: 5357 Packets: 62 Bytes: 12157 States: 0 ]
[ Inserted: uid 0 pid 95144 State Creations: 0 ]
@55 block drop in quick on hn2 from to any label "block bogon IPv4 networks from SRVnet"
[ Evaluations: 1179 Packets: 83 Bytes: 20714 States: 0 ]
[ Inserted: uid 0 pid 95144 State Creations: 0 ]
@56 block drop in quick on hn1 from to any label "block bogon IPv4 networks from VMnet"
[ Evaluations: 593 Packets: 554 Bytes: 115695 States: 0 ]
[ Inserted: uid 0 pid 95144 State Creations: 0 ]
@57 pass in log quick on lo0 all flags S/SA keep state label "pass loopback"
[ Evaluations: 4658 Packets: 0 Bytes: 0 States: 0 ]
[ Inserted: uid 0 pid 95144 State Creations: 0 ]
@58 pass out log all flags S/SA keep state allow-opts label "let out anything from firewall host itself"
[ Evaluations: 5995 Packets: 0 Bytes: 0 States: 0 ]
[ Inserted: uid 0 pid 95144 State Creations: 0 ]
@59 pass quick inet from (self:4) to 192.168.178.0/24 flags S/SA keep state label "USER_RULE: Allow OPNsense to query default gateway"
[ Evaluations: 5995 Packets: 0 Bytes: 0 States: 0 ]
[ Inserted: uid 0 pid 95144 State Creations: 0 ]
@60 pass log quick inet proto tcp from (self:4) to ! flags S/SA keep state label "USER_RULE"
[ Evaluations: 157 Packets: 460 Bytes: 253139 States: 0 ]
[ Inserted: uid 0 pid 95144 State Creations: 13 ]
@61 pass quick inet proto tcp from 192.168.178.0/24 to (self:4) port = https flags S/SA keep state label "USER_RULE: Managementstation access to OPNsense"
[ Evaluations: 5838 Packets: 1776 Bytes: 1697671 States: 2 ]
[ Inserted: uid 0 pid 95144 State Creations: 6 ]
@62 pass quick inet proto tcp from 192.168.178.150 to any port = rdp flags S/SA keep state label "USER_RULE: Managementstation Remote Desktop everywhere"
[ Evaluations: 36 Packets: 0 Bytes: 0 States: 0 ]
[ Inserted: uid 0 pid 95144 State Creations: 0 ]
@63 pass quick inet proto tcp from any to 192.168.130.2 port = domain flags S/SA keep state label "USER_RULE: Generic DNS access"
[ Evaluations: 36 Packets: 0 Bytes: 0 States: 0 ]
[ Inserted: uid 0 pid 95144 State Creations: 0 ]
@64 pass quick inet proto udp from any to 192.168.130.2 port = domain keep state label "USER_RULE: Generic DNS access"
[ Evaluations: 5940 Packets: 2934 Bytes: 276996 States: 0 ]
[ Inserted: uid 0 pid 95144 State Creations: 1452 ]
@65 pass quick inet proto tcp from 192.168.130.0/24 to any port = domain flags S/SA keep state label "USER_RULE: DNS Zaphod"
[ Evaluations: 4426 Packets: 0 Bytes: 0 States: 0 ]
[ Inserted: uid 0 pid 95144 State Creations: 0 ]
@66 pass quick inet proto udp from 192.168.130.0/24 to any port = domain keep state label "USER_RULE: DNS Zaphod"
[ Evaluations: 4399 Packets: 1864 Bytes: 211882 States: 0 ]
[ Inserted: uid 0 pid 95144 State Creations: 922 ]
@67 pass quick inet proto udp from 192.168.130.0/24 to any port = ntp keep state label "USER_RULE: NTP Timequery"
[ Evaluations: 140 Packets: 0 Bytes: 0 States: 0 ]
[ Inserted: uid 0 pid 95144 State Creations: 0 ]
@68 pass quick inet proto tcp from 192.168.130.0/24 to ! port = http flags S/SA keep state label "USER_RULE: Zaphod MS Update"
[ Evaluations: 281 Packets: 0 Bytes: 0 States: 0 ]
[ Inserted: uid 0 pid 95144 State Creations: 0 ]
@69 pass quick inet proto tcp from 192.168.130.0/24 to ! port = https flags S/SA keep state label "USER_RULE: Zaphod MS Update"
[ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ]
[ Inserted: uid 0 pid 95144 State Creations: 0 ]
@70 pass quick inet proto tcp from (hn1:network:1) to 192.168.130.0/24 flags S/SA keep state label "USER_RULE: SMB-CIFS"
[ Evaluations: 3330 Packets: 206 Bytes: 30338 States: 2 ]
[ Inserted: uid 0 pid 95144 State Creations: 2 ]
@71 pass quick inet from (hn1:network:1) to ! flags S/SA keep state label "USER_RULE: VMs Internet Access"
[ Evaluations: 3600 Packets: 274 Bytes: 99344 States: 0 ]
[ Inserted: uid 0 pid 95144 State Creations: 24 ]
@72 block drop quick inet proto udp all label "USER_RULE: Keep Logfiles clean - no WS-Discovery"
[ Evaluations: 3576 Packets: 3421 Bytes: 920848 States: 0 ]
[ Inserted: uid 0 pid 95144 State Creations: 0 ]
@73 block drop quick inet6 all label "USER_RULE: No IPv6"
[ Evaluations: 155 Packets: 0 Bytes: 0 States: 0 ]
[ Inserted: uid 0 pid 95144 State Creations: 0 ]
@74 block drop quick inet from 169.254.0.0/16 to any label "USER_RULE: Keep Lofiles clean - drop traffic from bogus adapter"
[ Evaluations: 155 Packets: 0 Bytes: 0 States: 0 ]
[ Inserted: uid 0 pid 95144 State Creations: 0 ]
@75 block drop quick inet proto igmp all label "USER_RULE: Keep Logfiles clean"
[ Evaluations: 155 Packets: 141 Bytes: 5480 States: 0 ]
[ Inserted: uid 0 pid 95144 State Creations: 0 ]
@76 block drop quick inet from any to 192.168.178.255 label "USER_RULE: Keep Logfiles clean"
[ Evaluations: 14 Packets: 0 Bytes: 0 States: 0 ]
[ Inserted: uid 0 pid 95144 State Creations: 0 ]
@77 block drop quick inet proto udp all label "USER_RULE: Keep Logfiles clean - no upnp"
[ Evaluations: 14 Packets: 0 Bytes: 0 States: 0 ]
[ Inserted: uid 0 pid 95144 State Creations: 0 ]
@78 block drop quick inet proto udp all label "USER_RULE: Keep Logfiles clean - no upnp"
[ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ]
[ Inserted: uid 0 pid 95144 State Creations: 0 ]
@79 block drop log quick inet all label "USER_RULE"
[ Evaluations: 14 Packets: 14 Bytes: 2762 States: 0 ]
[ Inserted: uid 0 pid 95144 State Creations: 0 ]
« Last Edit: May 08, 2017, 03:50:56 pm by drgonzo »
chemlud
Hero Member
Posts: 2486
Karma: 112
Re: Rule behaviour / need Explanation
« Reply #5 on: May 08, 2017, 06:00:09 pm »
Sorry, maybe I'm blind, but rule #60 has no limiter to a certain port (443), or?
drgonzo
Newbie
Posts: 9
Karma: 0
Re: Rule behaviour / need Explanation
« Reply #6 on: May 08, 2017, 08:41:07 pm »
Exactly - but the rule I created under Firewall->Rules says
Allow Source: This Firewall - Destination !(internal networks) Prot:TCP,443 log
Is this a bug?
chemlud
Hero Member
Posts: 2486
Karma: 112
Re: Rule behaviour / need Explanation
« Reply #7 on: May 08, 2017, 09:35:05 pm »
Screenshot, maybe? ;-)
drgonzo
Newbie
Posts: 9
Karma: 0
Re: Rule behaviour / need Explanation
« Reply #8 on: May 09, 2017, 11:37:17 am »
I think this is even better...the XML definition of the rule:
<type>pass</type>
<ipprotocol>inet</ipprotocol>
<statetype>keep state</statetype>
<direction>any</direction>
<quick>yes</quick>
<floating>yes</floating>
<log>1</log>
<protocol>tcp</protocol>
<source>
<network>(self)</network>
</source>
<destination>
<address>Internal</address>
<not>1</not>
<port>443-</port>
</destination>
<updated>
And here are two examples of that filter firing; as you can see, it fires for port 443 AND 80:
filterlog: 60,,,0,hn0,match,pass,out,4,0x0,,64,0,0,DF,6,tcp,60,192.168.178.5,37.48.77.141,6508,80,0,S,2048331898,,65228,,mss;nop;wscale;sackOK;TS
filterlog: 60,,,0,hn0,match,pass,out,4,0x0,,64,0,0,DF,6,tcp,60,192.168.178.5,37.48.77.141,56491,443,0,S,2192867649,,65228,,mss;nop;wscale;sackOK;TS
« Last Edit: May 09, 2017, 11:40:02 am by drgonzo »
chemlud
Hero Member
Posts: 2486
Karma: 112
Re: Rule behaviour / need Explanation
« Reply #9 on: May 09, 2017, 01:04:33 pm »
I would erase the rule and recreate it to see what happens... Or start totally from scratch, importing your config, and see what's reproducible. :-)
drgonzo
Newbie
Posts: 9
Karma: 0
Re: Rule behaviour / need Explanation
« Reply #10 on: May 09, 2017, 01:14:07 pm »
I'll reset the gateway to factory defaults today and will see what happens....
drgonzo
Newbie
Posts: 9
Karma: 0
Re: Rule behaviour / need Explanation
« Reply #11 on: May 09, 2017, 04:05:57 pm »
I did a factory reset and restored the ruleset without any change in behaviour. I then changed the rule to
allow ThisFirewall/any port to any/port 443
and the rule only fires for https; http requests are blocked by the final rule - so this works correctly, but the rule is failing as soon as I use the inverted alias for my internal networks...
franco
Administrator
Hero Member
Posts: 17668
Karma: 1611
Re: Rule behaviour / need Explanation
« Reply #12 on: May 09, 2017, 09:54:25 pm »
I tried this, looks ok from here, but:
<port>443-</port>
Mine looks like this:
<port>443</port>
If I manually edit config.xml and add the extraneous "-" it doesn't work as you describe, for both inverted and non-inverted destination.
How do you trigger this? Exact GUI steps please, as weird as it may seem.
Thanks,
Franco
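The two symptoms in this thread (reply #8's filterlog entries showing rule 60 passing port 80, and reply #12's finding that config.xml held `<port>443-</port>` instead of `<port>443</port>`) suggest two cheap checks an admin can script: flag a rule port field that is not a complete port or range, and scan filterlog output for a rule passing destination ports it was never meant to allow. The script below is an added example, not OPNsense code; the filterlog field positions are derived from the two IPv4/TCP lines posted above and are assumed to hold only for IPv4 TCP/UDP entries.

```python
"""Audit helpers for the bug in this thread, added as an example (not OPNsense
code): a floating rule meant to pass only TCP/443 was stored in config.xml as
<port>443-</port>, and the generated pf rule carried no port restriction at all.
Check 1 flags a <port> value that is not a complete port or range.
Check 2 reads filterlog lines and reports matches on a given rule whose
destination port lies outside what the rule was intended to allow."""
import re

# Field positions in the CSV part of an OPNsense filterlog line, derived from
# the two IPv4/TCP entries posted in reply #8. Positions 18-21 are assumed to
# apply only to IPv4 TCP/UDP entries; other protocols carry different fields.
RULE_NR, ACTION, DIRECTION, IPVER, PROTO = 0, 6, 7, 8, 16
SRC, DST, SRC_PORT, DST_PORT = 18, 19, 20, 21

_PORT_SPEC = re.compile(r"^(\d{1,5})(?:-(\d{1,5}))?$")


def allowed_ports(spec):
    """Return the set of ports a <port> value allows, or None if the value is
    malformed (e.g. the dangling range '443-' seen in this thread)."""
    m = _PORT_SPEC.match(spec.strip())
    if not m:
        return None
    low = int(m.group(1))
    high = int(m.group(2)) if m.group(2) else low
    if not (1 <= low <= high <= 65535):
        return None
    return set(range(low, high + 1))


def parse_filterlog(line):
    """Split one filterlog line into the fields we need; returns None for
    entries that are not IPv4 TCP/UDP, since the port positions differ."""
    csv = line.split("filterlog:", 1)[-1].strip()
    f = csv.split(",")
    if len(f) <= DST_PORT or f[IPVER] != "4" or f[PROTO] not in ("tcp", "udp"):
        return None
    return {"rule": int(f[RULE_NR]), "action": f[ACTION], "dir": f[DIRECTION],
            "src": f[SRC], "dst": f[DST],
            "sport": int(f[SRC_PORT]), "dport": int(f[DST_PORT])}


def find_port_violations(lines, rule_nr, spec):
    """(dst, dport) of entries passed by rule_nr whose destination port is not
    covered by spec. A malformed spec allows nothing, so every match is reported."""
    allowed = allowed_ports(spec) or set()
    hits = []
    for line in lines:
        e = parse_filterlog(line)
        if (e and e["rule"] == rule_nr and e["action"] == "pass"
                and e["dport"] not in allowed):
            hits.append((e["dst"], e["dport"]))
    return hits


# The two log entries from reply #8 (rule 60, intended to allow only 443).
SAMPLE_LOG = [
    "filterlog: 60,,,0,hn0,match,pass,out,4,0x0,,64,0,0,DF,6,tcp,60,"
    "192.168.178.5,37.48.77.141,6508,80,0,S,2048331898,,65228,,mss;nop;wscale;sackOK;TS",
    "filterlog: 60,,,0,hn0,match,pass,out,4,0x0,,64,0,0,DF,6,tcp,60,"
    "192.168.178.5,37.48.77.141,56491,443,0,S,2192867649,,65228,,mss;nop;wscale;sackOK;TS",
]

if __name__ == "__main__":
    for spec in ("443", "443-"):
        print(spec, "->", "ok" if allowed_ports(spec) else "MALFORMED")
    print("unexpected passes by rule 60:", find_port_violations(SAMPLE_LOG, 60, "443"))
```

Run against a copy of /var/log/filter.log (paths and rule numbers vary per install) to confirm a rule is only passing the ports its GUI definition claims.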
franco
Administrator
Hero Member
Posts: 17668
Karma: 1611
Re: Rule behaviour / need Explanation
« Reply #13 on: May 09, 2017, 10:07:58 pm »
PS: In any case this can be worked around by adding 443 to the range end explicitly on save. I could force the faulty config value with this too, but it seems to unfix itself afterwards.
Maybe also this...
https://github.com/opnsense/core/issues/1611
? Fix queued up for 17.1.7.
Cheers,
Franco
drgonzo
Newbie
Posts: 9
Karma: 0
Re: Rule behaviour / need Explanation
« Reply #14 on: May 10, 2017, 11:03:33 am »
It seems to be a bug somehow. With the GUI I changed the rule back to the original version with the inverted "internal"-networks alias (contains 3 networks) and checked the XML file: the "-" in the port range field isn't there anymore and the rule now works as intended. Unfortunately it's right now unclear to me how to replicate the error to fill in a bug report, but I'll try.
Actually I had another problem a few days ago, where the rules also had an inverted alias as destination. The problem vanished after editing the rules a few times without me knowing what went wrong, because the rules looked exactly the same at the end as they looked in the beginning - so I guess(!) there is something odd with the generation of the XML file.
Thanks so far to everybody.
« Last Edit: May 10, 2017, 11:06:43 am by drgonzo »