Bug #6876
closed
Firewall alias issue after adding a wrong alias
Added by m de crevoisier over 7 years ago.
Updated about 5 years ago.
Description
Hi,
I post this bug here because I didn't get any info on the FORUM. If this is the wrong place, please let me know where to put it. Hope that will help you.
I figured out a bug when using an alias group in firewall rules. Here are the steps that we use to reproduce it:
• Add a non-existing alias into the alias group “GR_TEST_alias”
• Apply config
• ALL IS OK and the source servers can reach their destinations provided by the firewall rule and the aliases that are used
• Remove non-existing alias
• Apply configuration change
• ISSUE REACHED (group is like “bugged”) and communications allowed by the rule are not working
• Edit alias group
• Save (without doing any change)
• Apply configuration change
• ISSUE FIXED and communications are re-established
Note: the alias group contains VM aliases, and the VM aliases contain IPs.
The issue has been tested and confirmed on our firewall on versions 2.3.2 (amd64) and 2.2.6 (amd64).
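A check an administrator could run on a config backup before applying an alias change, added here as an example that is not part of this report or of pfSense itself: it parses the `<aliases>` section of a config.xml (the `<name>`/`<type>`/`<address>` layout and the sample data are assumed) and lists nested-alias members that are neither an address, network or hostname nor a defined alias, i.e. the "non-existing alias" the steps above insert into the group.

```python
import ipaddress
import re
import xml.etree.ElementTree as ET

# Constructed sample in the pfSense config.xml alias layout (assumed format):
# each <alias> has a <name>, a <type> and a space-separated <address> list
# whose entries may be IPs, networks, hostnames or names of other aliases.
# "testing" is the deliberately undefined member from the report's steps.
SAMPLE_CONFIG = """<pfsense><aliases>
  <alias><name>VM_web</name><type>host</type><address>10.0.0.10 10.0.0.11</address></alias>
  <alias><name>VM_db</name><type>network</type><address>10.0.1.0/24</address></alias>
  <alias><name>GR_TEST_alias</name><type>network</type><address>VM_web VM_db testing</address></alias>
</aliases></pfsense>"""

# Heuristic: a dotted DNS name counts as a literal; a single label is treated
# as an alias reference, which is how an undefined nested alias shows up.
HOSTNAME_RE = re.compile(r"^(?=.{1,253}$)([a-z0-9-]{1,63}\.)+[a-z0-9-]{1,63}\.?$", re.I)


def parse_aliases(xml_text):
    """Return {alias_name: [member, ...]} from every <alias> element."""
    root = ET.fromstring(xml_text)
    aliases = {}
    for alias in root.iter("alias"):
        name = alias.findtext("name", "").strip()
        members = (alias.findtext("address") or "").split()
        aliases[name] = members
    return aliases


def is_literal(member):
    """True when the member is an address/network (optional /mask) or a hostname."""
    try:
        ipaddress.ip_network(member, strict=False)
        return True
    except ValueError:
        return bool(HOSTNAME_RE.match(member))


def dangling_members(aliases):
    """List (alias, member) pairs where member is neither a literal nor a defined alias."""
    problems = []
    for name, members in aliases.items():
        for member in members:
            if not is_literal(member) and member not in aliases:
                problems.append((name, member))
    return problems


if __name__ == "__main__":
    for alias, member in dangling_members(parse_aliases(SAMPLE_CONFIG)):
        print(f"alias {alias!r} references undefined alias {member!r}")
```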
- Assignee set to Anonymous
- Status changed from New to Feedback
- Assignee changed from Anonymous to m de crevoisier
Affected version has been set to 2.3.2, yet your screenshots are from a 2.2.x version. Would you please confirm that the issue exists on 2.3.2 and update the screenshot?
I do confirm that the affected versions are 2.3.2 and 2.2, even if the screenshot is 2.2.x. The purpose of the screenshot was just to explain "group of alias".
- Assignee changed from m de crevoisier to Anonymous
Tested on:
2.4.4-RELEASE-p2 (arm)
built on Wed Dec 12 14:40:29 EST 2018
FreeBSD 11.2-RELEASE-p6
Followed the instructions above and got exactly the same result. After removing the non-existing alias from the alias group, the rule which had been using that alias group stopped working.
Tried to reproduce on latest 2.4.5 snapshot:
Made a couple of aliases, one for the machine I am using to connect to the test device's WebGUI and another referencing an alias that doesn't exist called `testing`. Then threw them both into an alias called `test_alias`, as a nested alias.
Went to Firewall > Rules > WAN interface, made an allow rule for source `test_alias` to any, above the allow rule made by `playback enableallowallwan`.
Reset states, the top rule started catching the traffic. Deleted `testing` alias (the non-existent alias) from `test_alias` and applied changes, traffic seemed to still pass. Reset states, traffic still was caught by the allow rule using the `test_alias`.
- Status changed from Feedback to Resolved