Bug #6876

Firewall alias issue after adding a wrong alias

Added by m de crevoisier over 3 years ago. Updated about 1 year ago.

Target version:
Start date:
Due date:
% Done:


Estimated time:
Affected Version:
Affected Architecture:



I post this bug here because I didn't get any info on FORUM. If this is the wrong place, please let me know where to put. Hope that will help you.

I figure out a bug when using an alias group into firewall rules. Here are the steps that we use to reproduce it :
• Add a non-existing alias into the alias group “GR_TEST_alias”
• Apply config
• ALL IS OK and server source can reach their destination provided by the firewall rule and the alias that are used
• Remove non-existing alias
• Apply configuration change
• ISSUE REACHED (group is like “bugged”) and communications allowed by the rule are not working
• Edit alias group
• Save (without doing any change)
• Apply configuration change
• ISSUE FIXED and communications are restablished

Note : alias group contains VM alias. And VM alias contains IP.
Issue has been tested and confirmed on our firewal on versions 2.3.2 (amd64) and 2.2.6 (amd64).

Capture.PNG (30.3 KB) Capture.PNG m de crevoisier, 10/25/2016 08:11 AM


#1 Updated by Jim Thompson over 3 years ago

  • Assignee set to Steve Beaver

#2 Updated by Steve Beaver over 3 years ago

  • Status changed from New to Feedback
  • Assignee changed from Steve Beaver to m de crevoisier

Affected version has been set to 2.3.2, yet your screenshots are from a 2.2.x version. Would you please confirm that the issue exists on 2.3.2 and update the screenshot?

#3 Updated by m de crevoisier over 3 years ago

I do confirm that affected version are 2.3.2 and 2.2, even if screenshot is 2.2.x. Purpose of screenshot was just to explain "group of alias".

#4 Updated by Steve Beaver over 3 years ago

  • Assignee changed from m de crevoisier to Steve Beaver

#5 Updated by Danilo Zrenjanin about 1 year ago

Tested on:
2.4.4-RELEASE-p2 (arm)
built on Wed Dec 12 14:40:29 EST 2018
FreeBSD 11.2-RELEASE-p6

Followed instructions above and got exactly the same result. After removing non-existing alias from the alias group, the rule which have been using that alias group stopped working.

#6 Updated by James Dekker about 1 year ago

Tried to reproduce on latest 2.4.5 snapshot:

Made a couple of aliases, one for the machine I am using to connect to the test device's WebGUI and another referencing an alias that doesn't exist called `testing`. Then threw them both into an alias called `test_alias`, as a nested alias.

Went to Firewall > Rules > WAN interface, Made an allow rule for source `test_alias` to any .. above the allow rule made by `playback enableallowallwan`.

Reset states, the top rule started catching the traffic. Deleted `testing` alias (the non-existent alias) from `test_alias` and applied changes, traffic seemed to still pass. Reset states, traffic still was caught by the allow rule using the `test_alias`.

#7 Updated by James Dekker about 1 year ago

  • Status changed from Feedback to Resolved

Also available in: Atom PDF