<p>pfSense bugtracker (https://redmine.pfsense.org/)</p>
<p>pfSense - Feature #11556: Kill states using the pre-NAT address</p>
<p><strong>Jim Pingle</strong>, 2021-02-26T13:05:44Z (https://redmine.pfsense.org/issues/11556?journal_id=51666)</p>
<ul><li><strong>Subject</strong> changed from <i>Kill all states associated with an host IP NET address</i> to <i>Kill all states associated with a NAT address</i></li><li><strong>Category</strong> changed from <i>NAT Reflection</i> to <i>Rules / NAT</i></li></ul><p>Correcting the category and subject</p>
<p>The ask here is for a way to kill based on the NAT address in the state instead of the source or destination.</p>
<p><strong>Marcos M</strong>, 2021-03-19T10:29:20Z (https://redmine.pfsense.org/issues/11556?journal_id=52568)</p>
<p>I can confirm this is currently an issue.</p>
<p><strong>Viktor Gurov</strong>, 2022-02-17T01:17:11Z (https://redmine.pfsense.org/issues/11556?journal_id=59067)</p>
<ul><li><strong>Related to</strong> <i><a class="issue tracker-2 status-11 priority-4 priority-default closed" href="/issues/12807">Feature #12807</a>: Clear Active Secondary WAN Connections</i> added</li></ul>
<p><strong>Marcos M</strong>, 2022-12-12T20:27:02Z (https://redmine.pfsense.org/issues/11556?journal_id=64545)</p>
<ul><li><strong>Related to</strong> <i><a class="issue tracker-1 status-3 priority-4 priority-default closed" href="/issues/13226">Bug #13226</a>: Disconnecting a user from Captive Portal may allow previously established connections to continue</i> added</li></ul>
<p><strong>Reid Linnemann</strong>, 2022-12-13T11:27:01Z (https://redmine.pfsense.org/issues/11556?journal_id=64559)</p>
<ul><li><strong>Assignee</strong> set to <i>Reid Linnemann</i></li></ul>
<p><strong>Kristof Provost</strong>, 2023-10-20T08:47:24Z (https://redmine.pfsense.org/issues/11556?journal_id=70345)</p>
<p>Proposed implementation in <a class="external" href="https://reviews.freebsd.org/D42312">https://reviews.freebsd.org/D42312</a> (test in <a class="external" href="https://reviews.freebsd.org/D42313">https://reviews.freebsd.org/D42313</a>)<br />This will still need some PHP glue too.</p>
<p><strong>Marcos M</strong>, 2023-12-05T16:43:26Z (https://redmine.pfsense.org/issues/11556?journal_id=71245)</p>
<ul><li><strong>Tracker</strong> changed from <i>Bug</i> to <i>Feature</i></li><li><strong>Subject</strong> changed from <i>Kill all states associated with a NAT address</i> to <i>Kill states using the pre-NAT address</i></li><li><strong>Status</strong> changed from <i>New</i> to <i>Feedback</i></li><li><strong>Assignee</strong> changed from <i>Reid Linnemann</i> to <i>Marcos M</i></li><li><strong>Target version</strong> set to <i>2.8.0</i></li><li><strong>Plus Target Version</strong> set to <i>24.03</i></li></ul>
<p><strong>Marcos M</strong>, 2023-12-05T16:44:32Z (https://redmine.pfsense.org/issues/11556?journal_id=71246)</p>
<ul><li><strong>Assignee</strong> changed from <i>Marcos M</i> to <i>Kristof Provost</i></li></ul><p><a class="external" href="https://gitlab.netgate.com/pfSense/FreeBSD-ports/-/merge_requests/381">https://gitlab.netgate.com/pfSense/FreeBSD-ports/-/merge_requests/381</a></p>
<p>The php pfSense module has been updated to implement the new functionality.</p>
<p>Killing states is done in the following scenarios - the fix applies to all of them:</p>
<ul>
<li>killing states for the previous IP when the WAN IP changes</li>
<li>killing states for locked out clients (sshguard or captive portal)</li>
<li>killing states to the gateway when resetting dpinger / gateway monitoring</li>
<li>killing filtered and specific states in Diagnostics > States</li>
</ul>
<p>Merged in <a href="https://github.com/pfsense/FreeBSD-ports/commit/77282e83a0fb1f41a395ddd0ad1b6619301666be" class="external">77282e83a0fb1f41a395ddd0ad1b6619301666be</a>.</p>
<p><strong>Chris Linstruth</strong>, 2024-01-14T16:00:57Z (https://redmine.pfsense.org/issues/11556?journal_id=71726)</p>
<ul><li><strong>File</strong> <a href="/attachments/5833">clipboard-202401141100-0s9eu.png</a> added</li></ul><p>Please also see scenario:</p>
<p>killing states when a pass rule with a schedule expires:</p>
<p><img src="https://redmine.pfsense.org/attachments/download/5833/clipboard-202401141100-0s9eu.png" alt="" /></p>
<p><strong>Chris Linstruth</strong>, 2024-01-14T16:01:31Z (https://redmine.pfsense.org/issues/11556?journal_id=71727)</p>
<ul><li><strong>Status</strong> changed from <i>Feedback</i> to <i>In Progress</i></li></ul>
<p><strong>Kristof Provost</strong>, 2024-01-19T14:08:56Z (https://redmine.pfsense.org/issues/11556?journal_id=71791)</p>
<p>Hi Chris,</p>
<p>It's not clear to me what the problem is in comment 9. Is that state not getting killed when you'd expect it to be? <br />If so, what version are you testing? Can you describe the entire scenario (i.e. how the state was established, and why it was expected to be killed)?</p>
<p><strong>Chris Linstruth</strong>, 2024-01-19T14:46:03Z (https://redmine.pfsense.org/issues/11556?journal_id=71792)</p>
<p>It is killing the LAN side but not the WAN side.</p>
<p>It was an ssh session on a rule with a schedule.</p>
<p>When the schedule expires, the LAN session is killed but not the WAN. This is an additional scenario to those listed here:</p>
<pre><code>killing states for the previous IP when the WAN IP changes<br /> killing states for locked out clients (sshguard or captive portal)<br /> killing states to the gateway when resetting dpinger / gateway monitoring<br /> killing filtered and specific states in Diagnostics > States</code></pre>
<p>I don't think there needs to be anything more done to the pf. I think it might just be that -k nat needs to be added to the php in that case. But that's just a guess on my part.</p>
<p><strong>Marcos M</strong>, 2024-01-19T22:42:44Z (https://redmine.pfsense.org/issues/11556?journal_id=71798)</p>
<ul><li><strong>Assignee</strong> changed from <i>Kristof Provost</i> to <i>Marcos M</i></li></ul>
<p><strong>Marcos M</strong>, 2024-02-10T22:15:50Z (https://redmine.pfsense.org/issues/11556?journal_id=72182)</p>
<ul><li><strong>Status</strong> changed from <i>In Progress</i> to <i>Resolved</i></li></ul><p>I separated that issue into its own report: <a class="external" href="https://redmine.pfsense.org/issues/15252">https://redmine.pfsense.org/issues/15252</a></p>