NAT, port aliases, redirect not working after upgrade

[franco]

Maybe we should separate "not working" into two categories:

(a) Firewall: Diagnostics: pfTables -- alias empty
(b) generally not working in NAT or firewall rule

Then also check (b) under Firewall: Diagnostics: pfInfo (Rules) whether these non-working rules actually see traffic


Thanks,
Franco

[Evil_Sense]

Maybe we should separate "not working" into two categories:

(a) Firewall: Diagnostics: pfTables -- alias empty
(b) generally not working in NAT or firewall rule

Then also check (b) under Firewall: Diagnostics: pfInfo (Rules) whether these non-working rules actually see traffic


Thanks,
Franco

Got it, my GeoIP alias falls under (a), the pfTable is empty and therefore there's nothing to compare to, since I'm using it as source nothing passes

[franco]

Okay, that's good and bad... Good in the sense it's not a fundamental firewall issue, bad because whatever prevents your system from fetching the aliases may prevent it from reaching out in the first place...  Is that table populated when you run this from the console?

# configctl filter refresh_aliases

[Evil_Sense]

Okay, that's good and bad... Good in the sense it's not a fundamental firewall issue, bad because whatever prevents your system from fetching the aliases may prevent it from reaching out in the first place...  Is that table populated when you run this from the console?

# configctl filter refresh_aliases

The command only returns 'OK'.

[franco]

Sure, now check the table...

[Evil_Sense]

Sure, now check the table...

Seems it's still empty

[franco]

What does this return then?

# ls -lah /var/db/aliastables/

[Evil_Sense]

What does this return then?

# ls -lah /var/db/aliastables/

CH is my GeoIP alias, and it's empty, NAS contains the address I configured.

[franco]

Are you using the CH alias in a floating rule?

[Evil_Sense]

Are you using the CH alias in a floating rule?

No, only in WAN rules, but currently it's removed from them because I tried to recreate the alias at the time displayed by the ls command.

[franco]

So you can't fetch the GeoIP alias even though it's not used?

We can try to increase the pressure:

# rm /var/db/aliastables/CH*
# configctl filter refresh_aliases

Still empty?

[Phobus]

Maybe we should separate "not working" into two categories:

(a) Firewall: Diagnostics: pfTables -- alias empty
(b) generally not working in NAT or firewall rule

Then also check (b) under Firewall: Diagnostics: pfInfo (Rules) whether these non-working rules actually see traffic


Thanks,
Franco

For me (Alias problem):
(a) Firewall: Diagnostics: pfTables -- alias empty

# configctl filter refresh_aliases
Still empty

# rm /var/db/aliastables/EBL*
# configctl filter refresh_aliases
Still empty
Output: Error (1)

Strange Output now files and Aliases are missing:

root@*****:~ # ls -lah /var/db/aliastables/
total 12
drwxr-x---   2 root  wheel   512B Feb  2 10:29 .
drwxr-xr-x  18 root  wheel   1.0K Feb  2 08:36 ..
-rw-r-----   1 root  wheel   257B Feb  2 10:29 EBL.self.txt

[Evil_Sense]

So you can't fetch the GeoIP alias even though it's not used?

We can try to increase the pressure:

# rm /var/db/aliastables/CH*
# configctl filter refresh_aliases

Still empty?

Sadly yes, the three files are created but the txt file is still empty.

[franco]

Under Firewall: Settings: Advanced, is " Verify HTTPS certificates when downloading alias URLs" checked or unchecked? Are you using a proxy server in your network doing HTTPS MITM?


Cheers,
Franco

[Evil_Sense]

Under Firewall: Settings: Advanced, is " Verify HTTPS certificates when downloading alias URLs" checked or unchecked? Are you using a proxy server in your network doing HTTPS MITM?


Cheers,
Franco

Setting is unchecked and I'm not using a proxy server who intercepts https..