Project

General

Profile

Actions

Bug #13068

closed

Firewall rules fail to load when a URL table alias file does not exist

Added by Marcos M over 2 years ago. Updated about 1 year ago.

Status:
Resolved
Priority:
Normal
Assignee:
Category:
Aliases / Tables
Target version:
Start date:
Due date:
% Done:

100%

Estimated time:
Plus Target Version:
23.09
Release Notes:
Default
Affected Version:
Affected Architecture:

Description

If the firewall is unable to fetch the contents of a URL Table (IPs) alias that did not previously exist, PF will fail to load the ruleset. This behavior differs from other alias types, and can make restoring configuration backups troublesome.

Steps to reproduce:
  1. Disconnect pfSense from the internet.
  2. Restore a config with an URL Table IP (IPs) which does not exist on the firewall.
  3. Error appears after the restore reboot.

Test config with a rule that references a non-existent IP alias, along with an existent URL alias (e.g. when restoring a config which includes aliases managed by pfBlockerNG):

    <filter>
        <rule>
            <id></id>
            <tracker>1673392343</tracker>
            <type>pass</type>
            <interface>wan</interface>
            <ipprotocol>inet</ipprotocol>
            <tag></tag>
            <tagged></tagged>
            <max></max>
            <max-src-nodes></max-src-nodes>
            <max-src-conn></max-src-conn>
            <max-src-states></max-src-states>
            <statetimeout></statetimeout>
            <statetype><![CDATA[keep state]]></statetype>
            <os></os>
            <source>
                <address>testipalias</address>
            </source>
            <destination>
                <any></any>
            </destination>
            <descr><![CDATA[testiprule]]></descr>
            <created>
                <time>1673392343</time>
                <username><![CDATA[admin@10.0.5.50 (Local Database)]]></username>
            </created>
            <updated>
                <time>1673395091</time>
                <username><![CDATA[admin@10.0.5.50 (Local Database)]]></username>
            </updated>
        </rule>
        <rule>
            <id></id>
            <tracker>1673395080</tracker>
            <type>pass</type>
            <interface>wan</interface>
            <ipprotocol>inet</ipprotocol>
            <tag></tag>
            <tagged></tagged>
            <max></max>
            <max-src-nodes></max-src-nodes>
            <max-src-conn></max-src-conn>
            <max-src-states></max-src-states>
            <statetimeout></statetimeout>
            <statetype><![CDATA[keep state]]></statetype>
            <os></os>
            <source>
                <address>testurlalias</address>
            </source>
            <destination>
                <any></any>
            </destination>
            <descr><![CDATA[testurlrule]]></descr>
            <updated>
                <time>1673395080</time>
                <username><![CDATA[admin@10.0.5.50 (Local Database)]]></username>
            </updated>
            <created>
                <time>1673395080</time>
                <username><![CDATA[admin@10.0.5.50 (Local Database)]]></username>
            </created>
        </rule>
    </filter>
[...]
    <aliases>
        <alias>
            <name>testurlalias</name>
            <type>urltable</type>
            <url>https://files.netgate.com/lists/fullbogons-ipv4.txt</url>
            <updatefreq>128</updatefreq>
            <address>https://files.netgate.com/lists/fullbogons-ipv4.txt</address>
            <descr></descr>
            <detail><![CDATA[Entry added Tue, 10 Jan 2023 23:09:35 +0000]]></detail>
        </alias>
    </aliases>

Restoring this produces the following alerts:

General
    Unresolvable source alias 'testipalias' for rule 'testiprule' @ 2023-01-10 23:59:42
    Unresolvable source alias 'testipalias' for rule 'testiprule' @ 2023-01-11 00:00:14

Filter Reload
    There were error(s) loading the rules: /tmp/rules.debug:106: macro 'testurlalias' not defined - The line in question reads [106]: pass in quick on $WAN reply-to ( vmx0 10.0.5.1 ) inet from $testurlalias to any ridentifier 1673395080 keep state label "USER_RULE: testurlrule" label "id:1673395080" 
    @ 2023-01-10 23:59:43
    There were error(s) loading the rules: /tmp/rules.debug:106: macro 'testurlalias' not defined - The line in question reads [106]: pass in quick on $WAN reply-to ( vmx0 10.0.5.1 ) inet from $testurlalias to any ridentifier 1673395080 keep state label "USER_RULE: testurlrule" label "id:1673395080" 
    @ 2023-01-11 00:00:15

The testipalias rule in this example does not prevent pf from loading the ruleset which contains the following:

set hostid 0x98e1e24e
set limit table-entries 400000
set optimization normal
set limit states 95000
set limit src-nodes 95000

#System aliases

loopback = "{ lo0 }" 
WAN = "{ vmx0 }" 

#SSH Lockout Table
table <sshguard> persist
#Snort tables
table <snort2c>
table <virusprot>
table <bogons> persist file "/etc/bogons" 

# User Aliases 

# Gateways
GWWAN_DHCP = " route-to ( vmx0 10.0.5.1 ) " 

set loginterface vmx0

set skip on pfsync0
set keepcounters

scrub on $WAN inet all    fragment reassemble
scrub on $WAN inet6 all    fragment reassemble

no nat proto carp
no rdr proto carp
nat-anchor "natearly/*" 
nat-anchor "natrules/*" 

# Outbound NAT rules (automatic)

# Subnets to NAT 
tonatsubnets    = "{ 127.0.0.0/8 ::1/128 }" 
nat on $WAN inet from $tonatsubnets to any port 500 -> 10.0.5.219/32  static-port
nat on $WAN inet6 from $tonatsubnets to any port 500 -> (vmx0)  static-port
nat on $WAN inet from $tonatsubnets to any -> 10.0.5.219/32 port 1024:65535 
nat on $WAN inet6 from $tonatsubnets to any -> (vmx0) port 1024:65535 
# TFTP proxy
rdr-anchor "tftp-proxy/*" 
# NAT Inbound Redirects

anchor "openvpn/*" 
anchor "ipsec/*" 
# Allow IPv6 on loopback
pass in  quick on $loopback inet6 all ridentifier 1000000001 label "pass IPv6 loopback" 
pass out  quick on $loopback inet6 all ridentifier 1000000002 label "pass IPv6 loopback" 
# Block all IPv6
block in log quick inet6 all ridentifier 1000000003 label "Block all IPv6" 
block out log quick inet6 all ridentifier 1000000004 label "Block all IPv6" 
# block IPv4 link-local. Per RFC 3927, link local "MUST NOT" be forwarded by a routing device,
# and clients "MUST NOT" send such packets to a router. FreeBSD won't route 169.254./16, but
# route-to can override that, causing problems such as in redmine #2073
block in log quick from 169.254.0.0/16 to any ridentifier 1000000101 label "Block IPv4 link-local" 
block in log quick from any to 169.254.0.0/16 ridentifier 1000000102 label "Block IPv4 link-local" 
#---------------------------------------------------------------------------
# default deny rules
#---------------------------------------------------------------------------
block in log inet all ridentifier 1000000103 label "Default deny rule IPv4" 
block out log inet all ridentifier 1000000104 label "Default deny rule IPv4" 
block in log inet6 all ridentifier 1000000105 label "Default deny rule IPv6" 
block out log inet6 all ridentifier 1000000106 label "Default deny rule IPv6" 
# We use the mighty pf, we cannot be fooled.
block log quick inet proto { tcp, udp } from any port = 0 to any ridentifier 1000000107 label "Block traffic from port 0" 
block log quick inet proto { tcp, udp } from any to any port = 0 ridentifier 1000000108 label "Block traffic to port 0" 

# Snort package
block log quick from <snort2c> to any ridentifier 1000000109 label "Block snort2c hosts" 
block log quick from any to <snort2c> ridentifier 1000000110 label "Block snort2c hosts" 

# SSH lockout
block in log quick proto tcp from <sshguard> to (self) port 22 ridentifier 1000000301 label "sshguard" 

# webConfigurator lockout
block in log quick proto tcp from <sshguard> to (self) port 443 ridentifier 1000000351 label "GUI Lockout" 
block in log quick from <virusprot> to any ridentifier 1000000400 label "virusprot overload table" 
# allow our DHCP client out to the WAN
pass in  quick on $WAN proto udp from any port = 67 to any port = 68 ridentifier 1000000461 label "allow dhcp replies in WAN" 
pass out  quick on $WAN proto udp from any port = 68 to any port = 67 ridentifier 1000000462 label "allow dhcp client out WAN" 
# Not installing DHCP server firewall rules for WAN which is configured for DHCP.
antispoof log for $WAN ridentifier 1000001470

# loopback
pass in  on $loopback inet all ridentifier 1000001511 label "pass IPv4 loopback" 
pass out  on $loopback inet all ridentifier 1000001512 label "pass IPv4 loopback" 
# let out anything from the firewall host itself and decrypted IPsec traffic
pass out  inet all keep state allow-opts ridentifier 1000001513 label "let out anything IPv4 from firewall host itself" 

pass out  route-to ( vmx0 10.0.5.1 ) from 10.0.5.219 to !10.0.5.0/24 ridentifier 1000001611 keep state allow-opts label "let out anything from firewall host itself" 
# make sure the user cannot lock himself out of the webConfigurator or SSH
pass in  quick on vmx0 proto tcp from any to (vmx0) port { 443 80 22 } ridentifier 10002 keep state label "anti-lockout rule" 

# User-defined rules follow

anchor "userrules/*" 
# Unresolvable source alias 'testipalias' for rule 'testiprule' label "USER_RULE: testiprule" 
pass  in  quick  on $WAN reply-to ( vmx0 10.0.5.1 ) inet from $testurlalias to any ridentifier 1673395080 keep state label "USER_RULE: testurlrule" label "id:1673395080" 
pass  in  quick  on $WAN reply-to ( vmx0 10.0.5.1 ) inet from any to any ridentifier 1672689732 keep state label "USER_RULE: allow all" label "id:1672689732" 
# array key "lan" does not exist for "Default allow LAN to any rule" in array: {WAN } label "USER_RULE: Default allow LAN to any rule" 
# array key "lan" does not exist for "Default allow LAN IPv6 to any rule" in array: {WAN } label "USER_RULE: Default allow LAN IPv6 to any rule" 

# VPN Rules

anchor "tftp-proxy/*" 


Files

image.png (37.6 KB) image.png Marcos M, 01/10/2023 06:16 PM
Actions

Also available in: Atom PDF