Project

General

Profile

Bug #6028

no firewall rules loaded after reboot with invalid ruleset

Added by Pi Ba about 1 year ago. Updated 3 months ago.

Status:
Confirmed
Priority:
High
Category:
Rules/NAT
Target version:
Start date:
03/25/2016
Due date:
% Done:

0%

Affected version:
All
Affected Architecture:

Description

not a single firewall rule loaded after reboot..

There should be some failsafe default ruleset that prohibits access from at least all 'wan interfaces' until a proper ruleset can be loaded.

Granted this is caused by another issue https://redmine.pfsense.org/issues/6024 where a invalid rule gets written to the debug.rules..
There have been other cases that made rules.debug fail to load like having shapers with wrong bandwith or url-aliases that point to a somehow invalid formatted file.. So i think it would be better to provide a minimal 'bootup ruleset' that blocks all wan access instead of being 'wide open' until at least some proper rules could be applied.

History

#1 Updated by NOYB NOYB about 1 year ago

Pet peeve of mine that the system seems to be wide open by default until firewall rules get applied. Think I brought it up or mentioned it once long ago in the forums.

So even if the firewall rules load properly the system still seems to be open between the time the interface is brought up and when the firewall rules get applied.

And as you have noticed if the rules fail to get applied the system remains open.

#2 Updated by Chris Buechler about 1 year ago

  • Subject changed from not a single firewall rule loaded after reboot.. (du to a invalid ruleset.) to no firewall rules loaded after reboot with invalid ruleset
  • Status changed from New to Confirmed
  • Assignee set to Chris Buechler
  • Target version set to 2.3.1
  • Affected version changed from 2.3 to All

Ought to keep a "last known good" rules.debug and apply that if it fails, and if that fails/is unavailable, maybe just the anti-lockout rule on LAN. I'll look at it post-2.3.

#3 Updated by Chris Buechler about 1 year ago

  • Target version changed from 2.3.1 to 2.3.2

#4 Updated by Chris Buechler 11 months ago

  • Assignee deleted (Chris Buechler)
  • Target version changed from 2.3.2 to 2.4.0

#5 Updated by Jim Thompson 3 months ago

  • Assignee set to Renato Botelho

Also available in: Atom PDF