Actions
Bug #13068
closedFirewall rules fail to load when a URL table alias file does not exist
Start date:
Due date:
% Done:
100%
Estimated time:
Plus Target Version:
23.09
Release Notes:
Default
Affected Version:
Affected Architecture:
Description
If the firewall is unable to fetch the contents of a URL Table (IPs)
alias that did not previously exist, PF will fail to load the ruleset. This behavior differs from other alias types, and can make restoring configuration backups troublesome.
- Disconnect pfSense from the internet.
- Restore a config with an URL Table IP (IPs) which does not exist on the firewall.
- Error appears after the restore reboot.
Test config with a rule that references a non-existent IP alias, along with an existent URL alias (e.g. when restoring a config which includes aliases managed by pfBlockerNG):
<filter> <rule> <id></id> <tracker>1673392343</tracker> <type>pass</type> <interface>wan</interface> <ipprotocol>inet</ipprotocol> <tag></tag> <tagged></tagged> <max></max> <max-src-nodes></max-src-nodes> <max-src-conn></max-src-conn> <max-src-states></max-src-states> <statetimeout></statetimeout> <statetype><![CDATA[keep state]]></statetype> <os></os> <source> <address>testipalias</address> </source> <destination> <any></any> </destination> <descr><![CDATA[testiprule]]></descr> <created> <time>1673392343</time> <username><![CDATA[admin@10.0.5.50 (Local Database)]]></username> </created> <updated> <time>1673395091</time> <username><![CDATA[admin@10.0.5.50 (Local Database)]]></username> </updated> </rule> <rule> <id></id> <tracker>1673395080</tracker> <type>pass</type> <interface>wan</interface> <ipprotocol>inet</ipprotocol> <tag></tag> <tagged></tagged> <max></max> <max-src-nodes></max-src-nodes> <max-src-conn></max-src-conn> <max-src-states></max-src-states> <statetimeout></statetimeout> <statetype><![CDATA[keep state]]></statetype> <os></os> <source> <address>testurlalias</address> </source> <destination> <any></any> </destination> <descr><![CDATA[testurlrule]]></descr> <updated> <time>1673395080</time> <username><![CDATA[admin@10.0.5.50 (Local Database)]]></username> </updated> <created> <time>1673395080</time> <username><![CDATA[admin@10.0.5.50 (Local Database)]]></username> </created> </rule> </filter> [...] <aliases> <alias> <name>testurlalias</name> <type>urltable</type> <url>https://files.netgate.com/lists/fullbogons-ipv4.txt</url> <updatefreq>128</updatefreq> <address>https://files.netgate.com/lists/fullbogons-ipv4.txt</address> <descr></descr> <detail><![CDATA[Entry added Tue, 10 Jan 2023 23:09:35 +0000]]></detail> </alias> </aliases>
Restoring this produces the following alerts:
General Unresolvable source alias 'testipalias' for rule 'testiprule' @ 2023-01-10 23:59:42 Unresolvable source alias 'testipalias' for rule 'testiprule' @ 2023-01-11 00:00:14 Filter Reload There were error(s) loading the rules: /tmp/rules.debug:106: macro 'testurlalias' not defined - The line in question reads [106]: pass in quick on $WAN reply-to ( vmx0 10.0.5.1 ) inet from $testurlalias to any ridentifier 1673395080 keep state label "USER_RULE: testurlrule" label "id:1673395080" @ 2023-01-10 23:59:43 There were error(s) loading the rules: /tmp/rules.debug:106: macro 'testurlalias' not defined - The line in question reads [106]: pass in quick on $WAN reply-to ( vmx0 10.0.5.1 ) inet from $testurlalias to any ridentifier 1673395080 keep state label "USER_RULE: testurlrule" label "id:1673395080" @ 2023-01-11 00:00:15
The testipalias
rule in this example does not prevent pf from loading the ruleset which contains the following:
set hostid 0x98e1e24e set limit table-entries 400000 set optimization normal set limit states 95000 set limit src-nodes 95000 #System aliases loopback = "{ lo0 }" WAN = "{ vmx0 }" #SSH Lockout Table table <sshguard> persist #Snort tables table <snort2c> table <virusprot> table <bogons> persist file "/etc/bogons" # User Aliases # Gateways GWWAN_DHCP = " route-to ( vmx0 10.0.5.1 ) " set loginterface vmx0 set skip on pfsync0 set keepcounters scrub on $WAN inet all fragment reassemble scrub on $WAN inet6 all fragment reassemble no nat proto carp no rdr proto carp nat-anchor "natearly/*" nat-anchor "natrules/*" # Outbound NAT rules (automatic) # Subnets to NAT tonatsubnets = "{ 127.0.0.0/8 ::1/128 }" nat on $WAN inet from $tonatsubnets to any port 500 -> 10.0.5.219/32 static-port nat on $WAN inet6 from $tonatsubnets to any port 500 -> (vmx0) static-port nat on $WAN inet from $tonatsubnets to any -> 10.0.5.219/32 port 1024:65535 nat on $WAN inet6 from $tonatsubnets to any -> (vmx0) port 1024:65535 # TFTP proxy rdr-anchor "tftp-proxy/*" # NAT Inbound Redirects anchor "openvpn/*" anchor "ipsec/*" # Allow IPv6 on loopback pass in quick on $loopback inet6 all ridentifier 1000000001 label "pass IPv6 loopback" pass out quick on $loopback inet6 all ridentifier 1000000002 label "pass IPv6 loopback" # Block all IPv6 block in log quick inet6 all ridentifier 1000000003 label "Block all IPv6" block out log quick inet6 all ridentifier 1000000004 label "Block all IPv6" # block IPv4 link-local. Per RFC 3927, link local "MUST NOT" be forwarded by a routing device, # and clients "MUST NOT" send such packets to a router. FreeBSD won't route 169.254./16, but # route-to can override that, causing problems such as in redmine #2073 block in log quick from 169.254.0.0/16 to any ridentifier 1000000101 label "Block IPv4 link-local" block in log quick from any to 169.254.0.0/16 ridentifier 1000000102 label "Block IPv4 link-local" #--------------------------------------------------------------------------- # default deny rules #--------------------------------------------------------------------------- block in log inet all ridentifier 1000000103 label "Default deny rule IPv4" block out log inet all ridentifier 1000000104 label "Default deny rule IPv4" block in log inet6 all ridentifier 1000000105 label "Default deny rule IPv6" block out log inet6 all ridentifier 1000000106 label "Default deny rule IPv6" # We use the mighty pf, we cannot be fooled. block log quick inet proto { tcp, udp } from any port = 0 to any ridentifier 1000000107 label "Block traffic from port 0" block log quick inet proto { tcp, udp } from any to any port = 0 ridentifier 1000000108 label "Block traffic to port 0" # Snort package block log quick from <snort2c> to any ridentifier 1000000109 label "Block snort2c hosts" block log quick from any to <snort2c> ridentifier 1000000110 label "Block snort2c hosts" # SSH lockout block in log quick proto tcp from <sshguard> to (self) port 22 ridentifier 1000000301 label "sshguard" # webConfigurator lockout block in log quick proto tcp from <sshguard> to (self) port 443 ridentifier 1000000351 label "GUI Lockout" block in log quick from <virusprot> to any ridentifier 1000000400 label "virusprot overload table" # allow our DHCP client out to the WAN pass in quick on $WAN proto udp from any port = 67 to any port = 68 ridentifier 1000000461 label "allow dhcp replies in WAN" pass out quick on $WAN proto udp from any port = 68 to any port = 67 ridentifier 1000000462 label "allow dhcp client out WAN" # Not installing DHCP server firewall rules for WAN which is configured for DHCP. antispoof log for $WAN ridentifier 1000001470 # loopback pass in on $loopback inet all ridentifier 1000001511 label "pass IPv4 loopback" pass out on $loopback inet all ridentifier 1000001512 label "pass IPv4 loopback" # let out anything from the firewall host itself and decrypted IPsec traffic pass out inet all keep state allow-opts ridentifier 1000001513 label "let out anything IPv4 from firewall host itself" pass out route-to ( vmx0 10.0.5.1 ) from 10.0.5.219 to !10.0.5.0/24 ridentifier 1000001611 keep state allow-opts label "let out anything from firewall host itself" # make sure the user cannot lock himself out of the webConfigurator or SSH pass in quick on vmx0 proto tcp from any to (vmx0) port { 443 80 22 } ridentifier 10002 keep state label "anti-lockout rule" # User-defined rules follow anchor "userrules/*" # Unresolvable source alias 'testipalias' for rule 'testiprule' label "USER_RULE: testiprule" pass in quick on $WAN reply-to ( vmx0 10.0.5.1 ) inet from $testurlalias to any ridentifier 1673395080 keep state label "USER_RULE: testurlrule" label "id:1673395080" pass in quick on $WAN reply-to ( vmx0 10.0.5.1 ) inet from any to any ridentifier 1672689732 keep state label "USER_RULE: allow all" label "id:1672689732" # array key "lan" does not exist for "Default allow LAN to any rule" in array: {WAN } label "USER_RULE: Default allow LAN to any rule" # array key "lan" does not exist for "Default allow LAN IPv6 to any rule" in array: {WAN } label "USER_RULE: Default allow LAN IPv6 to any rule" # VPN Rules anchor "tftp-proxy/*"
Files
Actions