Bug #14054

open

pfBlockerNG can incorrectly modify firewall rules

Added by Marcos M almost 2 years ago. Updated almost 2 years ago.

Status: New
Priority: Normal
Assignee: -
Category: pfBlockerNG
Target version: -
% Done: 0%

Description

Some minutes after configuring a firewall rule, the pfBlockerNG cron job ran and incorrectly modified one of the floating rules which resulted in the filter failing to reload.

Firewall alert:

Unresolvable source alias 'pfB_Bogons_v6_v4' for rule 'Bogons (outside) IPv6' @ 2023-03-09 13:00:24

Affected rule:
block in quick on {  vmx0.99  gif0  } inet from $pfB_Bogons_v6 to any  !  tagged "passlist" ridentifier 1677447028 label "USER_RULE: Bogons (outside) IPv6" label "id:1677447028" 

Config history difference and pfBlockerNG update log: see attached.

Setup:
  • Using pfBlockerNG 3.2.0_3 on pfSense+ 23.01.
  • The general IP settings page has the following options checked: De-Duplication, CIDR Aggregation, Floating Rules.
  • There are 5 IP lists configured as Alias Deny which result in the following aliases created by pfBlockerNG: pfB_Bogons_v4, pfB_Bogons_v6, pfB_PRI1_v4, pfB_Top_v4, pfB_Top_v6.

Files

config.diff (3.1 KB), Marcos M, 03/09/2023 05:33 PM
pfblockerng.log (16.8 KB), Marcos M, 03/09/2023 05:33 PM
Actions #1

Updated by Marcos M almost 2 years ago

Actions #2

Updated by Marcos M almost 2 years ago

  • Subject changed from pfBlockerNG can unintentionally modify firewall rules to pfBlockerNG can incorrectly modify firewall rules
Actions #3

Updated by Marcos M almost 2 years ago

It appears this is related to the IPv4 IP list being updated, and happens during this step:

**Saving configuration [ 03/21/23 18:07:28 ]**
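An added example, not part of the original report or of pfBlockerNG: a check that can run after the cron job to catch a rule left pointing at a pfB_ alias that no longer resolves, as in the alert above. It assumes the usual pfSense config.xml layout (aliases/alias/name and filter/rule/source|destination/address); the sample XML is constructed and `dangling_pfb_aliases` is a hypothetical helper name.

```python
import xml.etree.ElementTree as ET

# Constructed sample (not the reporter's config): the five aliases named in
# the report, plus one rule whose source was rewritten to a missing alias.
SAMPLE_CONFIG = """<pfsense>
  <aliases>
    <alias><name>pfB_Bogons_v4</name><type>urltable</type></alias>
    <alias><name>pfB_Bogons_v6</name><type>urltable</type></alias>
    <alias><name>pfB_PRI1_v4</name><type>urltable</type></alias>
    <alias><name>pfB_Top_v4</name><type>urltable</type></alias>
    <alias><name>pfB_Top_v6</name><type>urltable</type></alias>
  </aliases>
  <filter>
    <rule>
      <descr>Bogons (outside) IPv4</descr>
      <source><address>pfB_Bogons_v4</address></source>
      <destination><any/></destination>
    </rule>
    <rule>
      <descr>Bogons (outside) IPv6</descr>
      <source><address>pfB_Bogons_v6_v4</address></source>
      <destination><any/></destination>
    </rule>
  </filter>
</pfsense>"""


def dangling_pfb_aliases(config_xml, prefix="pfB_"):
    """Return (rule description, side, alias) for every rule address that
    carries the pfBlockerNG prefix but has no matching alias definition."""
    root = ET.fromstring(config_xml)
    defined = {n.text.strip()
               for n in root.iterfind("./aliases/alias/name") if n.text}
    findings = []
    for rule in root.iterfind("./filter/rule"):
        descr = (rule.findtext("descr") or "").strip()
        for side in ("source", "destination"):
            addr = (rule.findtext(f"{side}/address") or "").strip()
            # Only prefixed names are checked, so literal IPs, networks and
            # interface keywords in <address> are never reported.
            if addr.startswith(prefix) and addr not in defined:
                findings.append((descr, side, addr))
    return findings


if __name__ == "__main__":
    for descr, side, alias in dangling_pfb_aliases(SAMPLE_CONFIG):
        print(f"rule '{descr}': {side} alias '{alias}' is not defined")
```

A non-empty result means the next filter reload would fail on that rule, so it is worth alerting on before the ruleset is relied upon.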
