Project

General

Profile

Actions
Copy link

Bug #12708

closed

Alias with non-resolving FQDN entry breaks underlying PF table

Added by Piet H almost 3 years ago. Updated about 2 months ago.

Status:
Resolved
Priority:
Normal
Assignee:
Reid Linnemann
Category:
Aliases / Tables
Target version:
2.7.0
Start date:
Due date:
% Done:

100%

Estimated time:
Plus Target Version:
23.01
Release Notes:
Default
Affected Version:
2.5.2
Affected Architecture:

Description

Hi,

We've seen a number of cases where a mixed alias list (containing both IP and FQDN) results in either completely empty or with only a few IPs in there. The IPs are not necessarily the IPs from the list, they can also be coming from a successful FQDN DNS lookup. However, the resulting pf table is broken.

This seems related to Bug #7209 in the forum. Given that description, this issue still exists in 2.5.2. All installs run on vmware platforms.

Given that this is a long standing issue, I'm wondering if there is a workaround and/or fix available?

The security level is not compromised based on my samples, the tables were always incomplete but present, hence the only thing that might happen is you cannot get in where you should have been allowed in :)

Thanks,
Piet

Related issues

Related to Bug #7209: Something is seriously wrong with firewall aliasesRejected02/04/2017

Actions
Related to Bug #9296: Alias content is sometimes incomplete when an alias contains both FQDN and IP address entriesResolvedReid Linnemann

Actions
Actions
Copy link
 #1

Updated by Viktor Gurov almost 3 years ago

  • Affected Version set to 2.5.2
Actions
Copy link
 #2

Updated by Viktor Gurov almost 3 years ago

  • Related to Bug #7209: Something is seriously wrong with firewall aliases added
Actions
Copy link
 #3

Updated by Viktor Gurov almost 3 years ago

  • Related to Bug #9296: Alias content is sometimes incomplete when an alias contains both FQDN and IP address entries added
Actions
Copy link
 #4

Updated by Reid Linnemann about 2 years ago

  • Status changed from New to Feedback
  • % Done changed from 0 to 100

I've found numerous thread synchronization problems in the filterdns sources, I believe they are responsible for this issue as well as #9296.

Actions
Copy link
 #5

Updated by Jim Pingle almost 2 years ago

  • Subject changed from alias with non resolving DNS entry breaks underlying pf table to Alias with non-resolving FQDN entry breaks underlying PF table
  • Assignee set to Reid Linnemann
  • Target version set to 2.7.0
  • Plus Target Version set to 23.01
Actions
Copy link
 #6

Updated by Jim Pingle almost 2 years ago

  • Status changed from Feedback to Resolved

Hard to reproduce this but at least as stated it appears to be OK. I tried a few variations and every time the table contained the expected data.

Actions
Copy link
 #7

Updated by Enoch Lau about 2 months ago

Hello, just meet this issue again on pfsense CE 2.7.2-RELEASE (amd64)

Actions
Copy link

Also available in: Atom PDF