Bug #16756

open

Editing a Firewall Rule before Forcing pfBlockerNG Update Empties All Aliases

Added by Kris Phillips 3 days ago. Updated about 22 hours ago.

Status:
New
Priority:
Normal
Assignee:
-
Category:
pfBlockerNG
Target version:
-
Start date:
Due date:
% Done:

0%

Estimated time:
Plus Target Version:
Affected Version:
Affected Plus Version:
26.03
Affected Architecture:

Description

When editing a firewall rule and then forcing a pfBlockerNG Update command, all aliases will become empty until you run a force reload in pfBlockerNG.

Steps to reproduce:
1. Edit any firewall rule (doesn't need to be a pfBlockerNG rule)
2. Go to Firewall --> pfBlockerNG --> Update, select "Update" and run
3. Go to Firewall --> Rules and hover over any firewall rule with a pfBlockerNG alias. The alias will be empty.

To resolve, you must go to Firewall --> pfBlockerNG --> Update and run a "Reload" to fix the issue.


Files

EmptyRulesAfterUpdate.png (78.2 KB) Kris Phillips, 03/21/2026 08:31 PM
FixedRulesAfterForceReload.png (194 KB) Kris Phillips, 03/21/2026 08:31 PM
Actions #1

Updated by Kris Phillips 3 days ago

Tested on pfBlockerNG 3.2.15_2. Going to Status --> Filter Reload and manually reloading there does not fix it.

Output of pfSsh.php playback pfanchordrill:

###################
  1. translation rules
###################
    nat-anchor "natearly/*" all {
    }
    nat-anchor "natrules/*" all {
    }
    rdr-anchor "tftp-proxy/*" all {
    }
##############
  2. filter rules
##############
    anchor "openvpn/*" all {
    }
    anchor "ipsec/*" all {
    }
    anchor "userrules/*" all {
    }
    anchor "tftp-proxy/*" all {
    }
Actions #2

Updated by Kris Phillips 3 days ago

Something of note: I have Alias Deny set for my GeoIP rules. Not Deny, Match, or Permit.

Actions #3

Updated by Steve Y about 22 hours ago

Forum thread: https://forum.netgate.com/topic/200372/pfblockerng_devel-on-25.11.1-instability/

Per your note, the routers on which I replicated it use Alias Native or Deny for GeoIP.

Disabling a rule is sufficient to trigger this.
