Bug #6876
closed
Firewall alias issue after adding a wrong alias
Description
ALREADY POSTED ON FORUM: https://forum.pfsense.org/index.php?topic=119811.msg662795#msg662795
Hi,
I am posting this bug here because I didn't get any info on the forum. If this is the wrong place, please let me know where to put it. I hope that will help you.
I found a bug when using an alias group in firewall rules. Here are the steps that we use to reproduce it:
• Add a non-existing alias into the alias group “GR_TEST_alias”
• Apply config
• ALL IS OK and server source can reach their destination provided by the firewall rule and the alias that are used
• Remove non-existing alias
• Apply configuration change
• ISSUE REACHED (group is like “bugged”) and communications allowed by the rule are not working
• Edit alias group
• Save (without doing any change)
• Apply configuration change
• ISSUE FIXED and communications are re-established
Note: alias group contains VM alias. And VM alias contains IP.
Issue has been tested and confirmed on our firewall on versions 2.3.2 (amd64) and 2.2.6 (amd64).
Updated by Anonymous over 7 years ago
- Status changed from New to Feedback
- Assignee changed from Anonymous to m de crevoisier
Affected version has been set to 2.3.2, yet your screenshots are from a 2.2.x version. Would you please confirm that the issue exists on 2.3.2 and update the screenshot?
Updated by m de crevoisier over 7 years ago
I do confirm that the affected versions are 2.3.2 and 2.2, even if the screenshot is 2.2.x. The purpose of the screenshot was just to explain "group of alias".
Updated by Anonymous over 7 years ago
- Assignee changed from m de crevoisier to Anonymous
Updated by Danilo Zrenjanin over 5 years ago
Tested on:
2.4.4-RELEASE-p2 (arm)
built on Wed Dec 12 14:40:29 EST 2018
FreeBSD 11.2-RELEASE-p6
Followed the instructions above and got exactly the same result. After removing the non-existing alias from the alias group, the rule which had been using that alias group stopped working.
Updated by Anonymous about 5 years ago
Tried to reproduce on latest 2.4.5 snapshot:
Made a couple of aliases, one for the machine I am using to connect to the test device's WebGUI and another referencing an alias that doesn't exist called `testing`. Then threw them both into an alias called `test_alias`, as a nested alias.
Went to Firewall > Rules > WAN interface, made an allow rule for source `test_alias` to any, above the allow rule made by `playback enableallowallwan`.
Reset states, the top rule started catching the traffic. Deleted `testing` alias (the non-existent alias) from `test_alias` and applied changes, traffic seemed to still pass. Reset states, traffic still was caught by the allow rule using the `test_alias`.
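
An offline check for the condition this report revolves around, an alias group that references an alias that is not defined, written as an added example (not part of the thread and not pfSense code). It assumes the aliases sit under `<aliases>/<alias>` in an exported config.xml with space-separated `<address>` members, and that any member that looks like an alias name but is not defined is dangling; the sample config and the names `VM_web01`, `VM_db01` and `VM_missing` are constructed.

```python
import ipaddress
import re
import xml.etree.ElementTree as ET

# Constructed sample shaped like the <aliases> section of a pfSense config.xml.
SAMPLE_CONFIG = """<pfsense>
  <aliases>
    <alias><name>VM_web01</name><type>host</type><address>192.0.2.10</address></alias>
    <alias><name>VM_db01</name><type>host</type><address>192.0.2.20 db01.example.net</address></alias>
    <alias><name>GR_TEST_alias</name><type>host</type><address>VM_web01 VM_db01 VM_missing</address></alias>
  </aliases>
</pfsense>"""

# Assumption: a member made only of letters, digits and underscores is meant as
# an alias name. A single-label hostname would also match and be reported.
ALIAS_NAME = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


def is_ip_or_net(token):
    """True for a literal IPv4/IPv6 address or CIDR network."""
    try:
        ipaddress.ip_network(token, strict=False)
        return True
    except ValueError:
        return False


def find_dangling_alias_refs(config_xml):
    """Map each alias to the members that name an alias which is not defined."""
    root = ET.fromstring(config_xml)
    aliases = {}
    for alias in root.findall("./aliases/alias"):
        name = (alias.findtext("name") or "").strip()
        aliases[name] = (alias.findtext("address") or "").split()

    dangling = {}
    for name, members in aliases.items():
        missing = [m for m in members
                   if not is_ip_or_net(m)        # literal address or network
                   and ALIAS_NAME.match(m)       # looks like an alias name
                   and m not in aliases]         # but no such alias exists
        if missing:
            dangling[name] = missing
    return dangling


if __name__ == "__main__":
    for group, missing in find_dangling_alias_refs(SAMPLE_CONFIG).items():
        print(f"{group}: undefined member(s) {', '.join(missing)}")
```

Running it against a config backup before applying changes shows which groups would go through the add-then-remove sequence described in the report.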