pfSense

During boot any urltable_ports type aliases will be loaded from the specified URLs into files in /var/db/aliastables/_aliasname_.txt
If the server hosting the URL is not reachable then the code makes an empty file.
That can happen if, for example:
- WAN link does not come up and the server is somewhere out on the public internet
- VPN link has not established in time to a remote office that has the server (I just did this to myself)
- Server is down, no longer exists, file on the server has been deleted...

alias_expand_urltable() tries to re-fetch the data from the URL if the local file is empty, but if that re-fetch does not succeed then it still returns the name of the empty file.

filter.inc does:
case "urltable_ports":
// TODO: Change it when pf supports tables with ports
$urlfn = alias_expand_urltable($aliased['name']);
if ($urlfn)
$aliases .= "{$aliased['name']} = \"{ " . preg_replace("/\n/", " ", file_get_contents($urlfn)) . " }\"\n";
break;

which writes an empty alias to the rule set.

Any rules that use that alias for a port(s) will give an "error loading the rules" message.

What to do?

If we leave the empty alias out of the rule set completely, then rules that use that alias are going to give errors anyway.

I guess in this case we have to not write out any rules that use a currently-empty port alias. That sounds a bit tricky to code - having to remember what aliases are in "working condition" (or not) and then check those when processing each rule.

It would be even nicer if pf coped with an empty alias being used by a rule. It would mean the rule would never match anything (or match everything if it had a "not"), but that seems a reasonable result for an alias that contains no entries.