Bug #1697
Interface group doesn't apply to all interfaces in all cases
Status: Resolved
Priority: High
Assignee: -
Category: Rules / NAT
Target version: -
Start date: 07/20/2011
Due date:
% Done: 0%
Estimated time:
Plus Target Version:
Release Notes:
Affected Version: 2.0
Affected Architecture:
Description
I have an interface group "WANs" containing two WANs, em1 and em2. This is correct.
# ifconfig -g WANs
em1
em2
One rule on that interface group.
pass in quick on $WANs from 204.x.x.x to any keep state label "USER_RULE: testing"
Works fine on em2, but em1 still blocks all traffic from the specified source. Something not working there.
Jul 20 00:44:29 fw1 pf: 00:00:00.972925 rule 1/0(match): block in on em1: (tos 0x0, ttl 52, id 46106, offset 0, flags [none], proto ICMP (1), length 84)
Jul 20 00:44:29 fw1 pf: 204.x.x.x.x > 96.x.x.x.x: ICMP echo request, id 36356, seq 21, length 64
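An added example, not part of the original report or of pfSense: a short Python script that tallies, from pf log lines in the two-line format shown above, how many packets from one source were blocked inbound on each member of an interface group. The sample log lines, the addresses and the function name `blocks_on_group` are constructed for illustration.

```python
import re
from collections import Counter

# Header line: rule number, action, direction and interface.
HDR = re.compile(r"pf: \S+ rule (\d+)/\d+\(match\): (block|pass) (in|out) on (\w+):")
# Continuation line: source > destination (an optional .port suffix is dropped).
PKT = re.compile(r"pf: (\d+\.\d+\.\d+\.\d+)(?:\.\d+)? > (\d+\.\d+\.\d+\.\d+)(?:\.\d+)?:")

def blocks_on_group(lines, members, source):
    """Count packets from `source` blocked inbound, keyed by (interface, rule)."""
    hits = Counter()
    pending = None  # header fields waiting for their packet line
    for line in lines:
        h = HDR.search(line)
        if h:
            pending = h.groups()
            continue
        p = PKT.search(line)
        if p and pending:
            rule, action, direction, iface = pending
            if (action == "block" and direction == "in"
                    and iface in members and p.group(1) == source):
                hits[(iface, int(rule))] += 1
        pending = None
    return hits

# Constructed sample input (documentation addresses, not from the ticket).
SAMPLE = [
    "Jul 20 00:44:29 fw1 pf: 00:00:00.972925 rule 1/0(match): block in on em1: (tos 0x0, ttl 52, proto ICMP (1), length 84)",
    "Jul 20 00:44:29 fw1 pf: 203.0.113.7 > 198.51.100.1: ICMP echo request, id 36356, seq 21, length 64",
    "Jul 20 00:44:30 fw1 pf: 00:00:01.000112 rule 1/0(match): block in on em1: (tos 0x0, ttl 52, proto ICMP (1), length 84)",
    "Jul 20 00:44:30 fw1 pf: 203.0.113.7 > 198.51.100.1: ICMP echo request, id 36356, seq 22, length 64",
    "Jul 20 00:44:30 fw1 pf: 00:00:00.100000 rule 60/0(match): pass in on em2: (tos 0x0, ttl 52, proto ICMP (1), length 84)",
    "Jul 20 00:44:30 fw1 pf: 203.0.113.7 > 198.51.100.2: ICMP echo request, id 36357, seq 1, length 64",
    "Jul 20 00:44:31 fw1 pf: 00:00:00.200000 rule 1/0(match): block in on em1: (tos 0x0, ttl 52, proto TCP (6), length 60)",
    "Jul 20 00:44:31 fw1 pf: 192.0.2.9.51234 > 198.51.100.1.443: Flags [S], seq 1, length 0",
    "Jul 20 00:44:32 fw1 pf: 00:00:00.300000 rule 1/0(match): block in on em3: (tos 0x0, ttl 52, proto ICMP (1), length 84)",
    "Jul 20 00:44:32 fw1 pf: 203.0.113.7 > 198.51.100.3: ICMP echo request, id 36358, seq 1, length 64",
]

if __name__ == "__main__":
    for (iface, rule), n in blocks_on_group(SAMPLE, {"em1", "em2"}, "203.0.113.7").items():
        print(f"{iface}: {n} packet(s) blocked by rule {rule}")
```

A non-empty result for a source that the group rule should pass shows which member interface is still falling through to a block rule.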
Updated by Chris Buechler over 12 years ago
- Priority changed from Normal to High
- Target version changed from 2.0 to 2.0.1
Updated by Chase Bolt over 12 years ago
This appears fixed. Pings flow through both interfaces in a group, matching on the correct rule.
Tested on 2.0-RELEASE Build Tue Sep 13 17:33:40 EDT 2011.
Updated by Chris Buechler over 12 years ago
- Status changed from New to Feedback
- Target version deleted (2.0.1)
Updated by Chase Bolt over 12 years ago
Ok, so our initial tests showed this issue was resolved. But when applying live traffic on the box, about 70% of the traffic hit this bug. We aren't clear on the circumstances that made the 70% traffic use the non-group rule set yet.
Hopefully more info on this to follow.
Updated by Chris Buechler almost 10 years ago
- Status changed from Feedback to Resolved