<p>pfSense bugtracker</p>
<p><strong>pfSense - Bug #10691: Issue with rules (firewall and NAT) being reloaded after changes made</strong></p>
<p><strong>John Weithman</strong>, 2020-06-23T11:01:54Z, https://redmine.pfsense.org/issues/10691?journal_id=46917</p>
<p>Running 2.4.5-RELEASE-p1 (amd64)</p>
<p><strong>Jim Pingle</strong>, 2020-06-23T11:07:02Z, https://redmine.pfsense.org/issues/10691?journal_id=46918</p>
<ul>
<li><strong>Category</strong> set to <i>Rules / NAT</i></li>
<li><strong>Status</strong> changed from <i>New</i> to <i>Not a Bug</i></li>
<li><strong>Priority</strong> changed from <i>Very High</i> to <i>Normal</i></li>
</ul>
<p>Existing states are not cleared, and your browser is holding open a connection. You would need to close/reopen the browser or kill the states for a proper test.</p>
<p><strong>John Weithman</strong>, 2020-06-25T11:07:07Z, https://redmine.pfsense.org/issues/10691?journal_id=46973</p>
<p>An SSH connection is also held open after the NAT rule is disabled.</p>
<p>So if there is an unknown breach/connection active due to poor management or some other reason, a firewall change will still keep their session open.</p>
<p><strong>Jim Pingle</strong>, 2020-06-25T11:12:27Z, https://redmine.pfsense.org/issues/10691?journal_id=46974</p>
<p>Yes, that's all covered by my previous note.</p>
<p>Kill the firewall states after making a change like that if disconnecting things is a hard requirement. It is very disruptive to do so, and won't be done automatically. The ability of <code>pfctl</code> to kill individual states is not fine-grained enough to kill just things which would be affected by a rule change.</p>