pfSense

Had an interface event on my edge firewall yesterday where one WAN lost its interface address and resulted in an invalid ruleset:

23:46:41 There were error(s) loading the rules: /tmp/rules.debug:397: syntax error - The line in question reads [397]: pass  out  quick  on {  igb2  }  $GWCABLE inet from ! to any tracker 1617722899 keep state  dnqueue( 2,1)  label "USER_RULE: CoDel Limiters" 

This particular floating rule is quirky as it passes outbound with a gateway set to setup limiters. The source address is "NOT <other WAN address>" and that other WAN is PPPoE. This is necessary to ensure it doesn't try to send non-default-WAN traffic out through that limiter unintentionally.

It doesn't happen every time, but in this case, the PPPoE connection was down temporarily and rather than skipping that rule as it usually does, the address ended up empty.

Seems like there should be another safety belt which checks the src/dst addresses before forming the rule. I have a feeling it's only checking for empty and the negation ("!") throws it off.

I can't reproduce this at will, unfortunately, so it will be tricky to confirm and test.