Bug #5958 (closed)
Stale Aliases - upstream DNS changes do not update firewall rules that are based on aliases
Description
I'm seeing a problem where pfSense starts blocking connections that it had previously been allowing through. When this happens, simply rebooting pfSense fixes the problem. This seems to occur periodically when there are firewall rules that refer to aliases.
Here is my situation:
I have an alias by the name of "MailOut" that maps to the value "smtp.comcast.net, smtp.googlemail.com"
I have firewall rules that refer to this MailOut alias, in this case passing outgoing traffic from the LAN net to the MailOut alias for smtp ports.
Everything will work just fine for weeks to months, but sooner or later my mail starts getting blocked. When that happens, simply rebooting pfSense fixes the problem.
I haven't been able to reliably confirm all the details, but what I suspect is happening is that when a firewall rule is created that refers to an alias, and that alias in turn is based on DNS hostname(s) rather than pure ip address(es), then a dns lookup is done and the resulting ip address(es) are used to create the firewall rule. However, I suspect this dns lookup is only happening once when the rule is first created, and then again at bootup. It does not appear to be periodically refreshed during normal operation of the system.
The result of this is that if the upstream DNS owner updates their DNS mappings, pfSense doesn't notice the change, and therefore does not update the firewall rules. What probably should happen is pfSense should note the TTL when the DNS lookup for the alias is done, and then when that TTL expires, it should requery DNS and update any firewall rules that were created based on that alias.
I'm not sure if it's relevant, but I happen to still be using the dnsmasq based forwarder instead of the newer one. I'm reporting this on version 2.2.6, but as I write this 2.2.5 is the newest option I can pick on the redmine Affected Version dropdown.
Updated by Mike Depot over 9 years ago
If the whole TTL tracking bit is too complicated, how about just a periodic refresh every so many hours.
Also, it might be good to add a button somewhere in the interface to manually refresh.
Thanks
Updated by NOYB NOYB over 9 years ago
A potential workaround for manual update may be to edit and save the alias. Haven't tried it but maybe that would cause a query for the IP address.
Updated by Chris Buechler over 9 years ago
- Status changed from New to Feedback
What do your resolver logs show for filterdns?
Maybe it's something to do with the fact those are both CNAMEs, maybe that delays its update. Though it could be that the clients obtain a different response when they query than filterdns obtained when it queried.
Updated by Mike Depot over 9 years ago
I waited until it happened again, and grabbed a log excerpt:
Mar 19 13:14:32 gateway filterdns: adding entry 173.194.204.16 to table Mail_In on host imap.googlemail.com
Mar 19 13:14:32 gateway filterdns: clearing entry 173.194.68.16 from table Mail_In on host imap.googlemail.com
Mar 19 13:19:32 gateway filterdns: adding entry 2001:558:fe16:1b::16 to table Mail_Out on host smtp.comcast.net
Mar 19 13:19:32 gateway filterdns: clearing entry 2001:558:fe21:2a::5 from table Mail_Out on host smtp.comcast.net
Mar 19 13:19:32 gateway filterdns: adding entry 173.194.68.16 to table Mail_In on host imap.googlemail.com
Mar 19 13:19:32 gateway filterdns: adding entry 2607:f8b0:400d:c07::10 to table Mail_In on host imap.googlemail.com
Mar 19 13:19:32 gateway filterdns: clearing entry 173.194.204.16 from table Mail_In on host imap.googlemail.com
Mar 19 13:19:32 gateway filterdns: clearing entry 2607:f8b0:400d:c0c::10 from table Mail_In on host imap.googlemail.com
Mar 19 13:24:32 gateway filterdns: adding entry 173.194.206.16 to table Mail_In on host imap.googlemail.com
Mar 19 13:24:32 gateway filterdns: clearing entry 173.194.68.16 from table Mail_In on host imap.googlemail.com
Mar 19 13:29:32 gateway filterdns: adding entry 2001:558:fe21:2a::5 to table Mail_Out on host smtp.comcast.net
Mar 19 13:29:32 gateway filterdns: clearing entry 2001:558:fe16:1b::16 from table Mail_Out on host smtp.comcast.net
Mar 19 13:29:32 gateway filterdns: adding entry 209.85.232.16 to table Mail_In on host imap.googlemail.com
Mar 19 13:29:32 gateway filterdns: adding entry 2607:f8b0:400d:c06::10 to table Mail_In on host imap.googlemail.com
Mar 19 13:29:32 gateway filterdns: clearing entry 173.194.206.16 from table Mail_In on host imap.googlemail.com
Mar 19 13:29:32 gateway filterdns: clearing entry 2607:f8b0:400d:c07::10 from table Mail_In on host imap.googlemail.com
Mar 19 13:34:32 gateway filterdns: adding entry 96.114.157.81 to table Mail_Out on host smtp.comcast.net
Mar 19 13:34:32 gateway filterdns: clearing entry 68.87.20.6 from table Mail_Out on host smtp.comcast.net
Mar 19 13:34:32 gateway filterdns: adding entry 173.194.205.16 to table Mail_In on host imap.googlemail.com
Mar 19 13:34:32 gateway filterdns: adding entry 2607:f8b0:400d:c02::10 to table Mail_In on host imap.googlemail.com
Mar 19 13:34:32 gateway filterdns: clearing entry 2607:f8b0:400d:c06::10 from table Mail_In on host imap.googlemail.com
Mar 19 13:34:32 gateway filterdns: clearing entry 209.85.232.16 from table Mail_In on host imap.googlemail.com
Mar 19 13:39:32 gateway filterdns: adding entry 68.87.20.6 to table Mail_Out on host smtp.comcast.net
Mar 19 13:39:32 gateway filterdns: clearing entry 96.114.157.81 from table Mail_Out on host smtp.comcast.net
Mar 19 13:39:32 gateway filterdns: adding entry 209.85.232.16 to table Mail_In on host imap.googlemail.com
Mar 19 13:39:32 gateway filterdns: adding entry 2607:f8b0:400d:c07::10 to table Mail_In on host imap.googlemail.com
Mar 19 13:39:32 gateway filterdns: clearing entry 2607:f8b0:400d:c02::10 from table Mail_In on host imap.googlemail.com
Mar 19 13:39:32 gateway filterdns: clearing entry 173.194.205.16 from table Mail_In on host imap.googlemail.com
Mar 19 13:44:32 gateway filterdns: adding entry 2001:558:fe16:1b::16 to table Mail_Out on host smtp.comcast.net
Mar 19 13:44:32 gateway filterdns: clearing entry 2001:558:fe21:2a::5 from table Mail_Out on host smtp.comcast.net
Mar 19 13:44:32 gateway filterdns: adding entry 173.194.68.16 to table Mail_In on host imap.googlemail.com
Mar 19 13:44:32 gateway filterdns: adding entry 2607:f8b0:400d:c09::10 to table Mail_In on host imap.googlemail.com
Mar 19 13:44:32 gateway filterdns: clearing entry 2607:f8b0:400d:c07::10 from table Mail_In on host imap.googlemail.com
Updated by Chris Buechler over 9 years ago
Mike Depot wrote:
I waited until it happened again, and grabbed a log excerpt:
Which all looks correct. Did that table's contents not match what it logged afterwards?
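One way to answer that question, as an added example that is not part of this ticket or of pfSense itself: replay the filterdns "adding"/"clearing" lines in order to reconstruct what each table should contain, then diff that against the addresses actually loaded in pf. The log format is assumed to match the excerpt above; the sample log and the "actual" table contents below are constructed, and a replay is only complete if the log starts at boot, since entries added before the excerpt and never touched again will not appear.

```python
import re
from collections import defaultdict

# Matches the filterdns log format seen in the ticket (assumed stable across lines).
LOG_RE = re.compile(
    r"filterdns: (?P<action>adding|clearing) entry (?P<addr>\S+) "
    r"(?:to|from) table (?P<table>\S+) on host (?P<host>\S+)"
)

def replay_filterdns(log_lines):
    """Replay add/clear events in order; return {table: {host: set(addresses)}}."""
    state = defaultdict(lambda: defaultdict(set))
    for line in log_lines:
        m = LOG_RE.search(line)
        if not m:
            continue  # not a filterdns table update; ignore
        entries = state[m["table"]][m["host"]]
        if m["action"] == "adding":
            entries.add(m["addr"])
        else:
            entries.discard(m["addr"])  # tolerate clears of entries added before the excerpt
    return state

def expected_table(state, table):
    """Flatten the per-host sets into the set of addresses the pf table should hold now."""
    return set().union(*state[table].values()) if table in state else set()

def diff_table(expected, actual):
    """Addresses the log says should be loaded but are not, and entries pf still holds but should not."""
    return {"missing": expected - actual, "stale": actual - expected}

# Constructed sample: three consecutive filterdns refreshes of Mail_Out, in the ticket's format.
SAMPLE_LOG = """\
Mar 19 13:19:32 gateway filterdns: adding entry 2001:558:fe16:1b::16 to table Mail_Out on host smtp.comcast.net
Mar 19 13:19:32 gateway filterdns: clearing entry 2001:558:fe21:2a::5 from table Mail_Out on host smtp.comcast.net
Mar 19 13:29:32 gateway filterdns: adding entry 2001:558:fe21:2a::5 to table Mail_Out on host smtp.comcast.net
Mar 19 13:29:32 gateway filterdns: clearing entry 2001:558:fe16:1b::16 from table Mail_Out on host smtp.comcast.net
Mar 19 13:34:32 gateway filterdns: adding entry 96.114.157.81 to table Mail_Out on host smtp.comcast.net
Mar 19 13:34:32 gateway filterdns: clearing entry 68.87.20.6 from table Mail_Out on host smtp.comcast.net
""".splitlines()

if __name__ == "__main__":
    expected = expected_table(replay_filterdns(SAMPLE_LOG), "Mail_Out")
    # Constructed stand-in for the output of `pfctl -t Mail_Out -T show`, still holding the cleared entry.
    actual = {"2001:558:fe21:2a::5", "96.114.157.81", "68.87.20.6"}
    print(diff_table(expected, actual))  # {'missing': set(), 'stale': {'68.87.20.6'}}
```

On a live box, feed the real resolver log in place of SAMPLE_LOG and build `actual` from `pfctl -t Mail_Out -T show`; a non-empty "missing" or "stale" set is the mismatch being asked about.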
Updated by Jim Pingle almost 8 years ago
- Status changed from Feedback to Not a Bug
This is working fine on current versions and no additional feedback from the user. Closing.