Bug #13068
Updated by Marcos M almost 2 years ago
During boot, if the configuration references a @URL Table (IPs)@ alias that did not previously exist on the firewall, PF will fail to load the ruleset. This behavior differs from other alias types, and can make restoring configuration backups troublesome.

Steps to reproduce:

# Disconnect pfSense from the internet.
# Restore a config containing a @URL Table (IPs)@ alias which does not exist on the firewall.
# The error appears after the post-restore reboot.

Test config with a rule that references a non-existent IP alias, along with a rule that references an existing URL Table alias:

<pre>
<filter>
  <rule>
    <id></id>
    <tracker>1673392343</tracker>
    <type>pass</type>
    <interface>wan</interface>
    <ipprotocol>inet</ipprotocol>
    <tag></tag>
    <tagged></tagged>
    <max></max>
    <max-src-nodes></max-src-nodes>
    <max-src-conn></max-src-conn>
    <max-src-states></max-src-states>
    <statetimeout></statetimeout>
    <statetype><![CDATA[keep state]]></statetype>
    <os></os>
    <source>
      <address>testipalias</address>
    </source>
    <destination>
      <any></any>
    </destination>
    <descr><![CDATA[testiprule]]></descr>
    <created>
      <time>1673392343</time>
      <username><![CDATA[admin@10.0.5.50 (Local Database)]]></username>
    </created>
    <updated>
      <time>1673395091</time>
      <username><![CDATA[admin@10.0.5.50 (Local Database)]]></username>
    </updated>
  </rule>
  <rule>
    <id></id>
    <tracker>1673395080</tracker>
    <type>pass</type>
    <interface>wan</interface>
    <ipprotocol>inet</ipprotocol>
    <tag></tag>
    <tagged></tagged>
    <max></max>
    <max-src-nodes></max-src-nodes>
    <max-src-conn></max-src-conn>
    <max-src-states></max-src-states>
    <statetimeout></statetimeout>
    <statetype><![CDATA[keep state]]></statetype>
    <os></os>
    <source>
      <address>testurlalias</address>
    </source>
    <destination>
      <any></any>
    </destination>
    <descr><![CDATA[testurlrule]]></descr>
    <updated>
      <time>1673395080</time>
      <username><![CDATA[admin@10.0.5.50 (Local Database)]]></username>
    </updated>
    <created>
      <time>1673395080</time>
      <username><![CDATA[admin@10.0.5.50 (Local Database)]]></username>
    </created>
  </rule>
</filter>
[...]
<aliases>
  <alias>
    <name>testurlalias</name>
    <type>urltable</type>
    <url>https://files.netgate.com/lists/fullbogons-ipv4.txt</url>
    <updatefreq>128</updatefreq>
    <address>https://files.netgate.com/lists/fullbogons-ipv4.txt</address>
    <descr></descr>
    <detail><![CDATA[Entry added Tue, 10 Jan 2023 23:09:35 +0000]]></detail>
  </alias>
</aliases>
</pre>

Restoring this produces the following alerts:

<pre>
General
Unresolvable source alias 'testipalias' for rule 'testiprule' @ 2023-01-10 23:59:42
Unresolvable source alias 'testipalias' for rule 'testiprule' @ 2023-01-11 00:00:14

Filter Reload
There were error(s) loading the rules: /tmp/rules.debug:106: macro 'testurlalias' not defined - The line in question reads [106]: pass in quick on $WAN reply-to ( vmx0 10.0.5.1 ) inet from $testurlalias to any ridentifier 1673395080 keep state label "USER_RULE: testurlrule" label "id:1673395080" @ 2023-01-10 23:59:43
There were error(s) loading the rules: /tmp/rules.debug:106: macro 'testurlalias' not defined - The line in question reads [106]: pass in quick on $WAN reply-to ( vmx0 10.0.5.1 ) inet from $testurlalias to any ridentifier 1673395080 keep state label "USER_RULE: testurlrule" label "id:1673395080" @ 2023-01-11 00:00:15
</pre>

The @testipalias@ rule in this example does not prevent pf from loading the ruleset, which contains the following:

<pre>
set hostid 0x98e1e24e
set limit table-entries 400000
set optimization normal
set limit states 95000
set limit src-nodes 95000

#System aliases

loopback = "{ lo0 }"
WAN = "{ vmx0 }"

#SSH Lockout
table <sshguard> persist

#Snort tables
table <snort2c>

table <virusprot>

table <bogons> persist file "/etc/bogons"

# User Aliases

# Gateways
GWWAN_DHCP = " route-to ( vmx0 10.0.5.1 ) "

set loginterface vmx0

set skip on pfsync0

set keepcounters

scrub on $WAN inet all fragment reassemble
scrub on $WAN inet6 all fragment reassemble

no nat proto carp
no rdr proto carp
nat-anchor "natearly/*"
nat-anchor "natrules/*"

# Outbound NAT rules (automatic)

# Subnets to NAT
tonatsubnets = "{ 127.0.0.0/8 ::1/128 }"
nat on $WAN inet from $tonatsubnets to any port 500 -> 10.0.5.219/32 static-port
nat on $WAN inet6 from $tonatsubnets to any port 500 -> (vmx0) static-port
nat on $WAN inet from $tonatsubnets to any -> 10.0.5.219/32 port 1024:65535
nat on $WAN inet6 from $tonatsubnets to any -> (vmx0) port 1024:65535

# TFTP proxy
rdr-anchor "tftp-proxy/*"

# NAT Inbound Redirects

anchor "openvpn/*"
anchor "ipsec/*"

# Allow IPv6 on loopback
pass in quick on $loopback inet6 all ridentifier 1000000001 label "pass IPv6 loopback"
pass out quick on $loopback inet6 all ridentifier 1000000002 label "pass IPv6 loopback"
# Block all IPv6
block in log quick inet6 all ridentifier 1000000003 label "Block all IPv6"
block out log quick inet6 all ridentifier 1000000004 label "Block all IPv6"

# block IPv4 link-local. Per RFC 3927, link local "MUST NOT" be forwarded by a routing device,
# and clients "MUST NOT" send such packets to a router. FreeBSD won't route 169.254./16, but
# route-to can override that, causing problems such as in redmine #2073
block in log quick from 169.254.0.0/16 to any ridentifier 1000000101 label "Block IPv4 link-local"
block in log quick from any to 169.254.0.0/16 ridentifier 1000000102 label "Block IPv4 link-local"

#---------------------------------------------------------------------------
# default deny rules
#---------------------------------------------------------------------------
block in log inet all ridentifier 1000000103 label "Default deny rule IPv4"
block out log inet all ridentifier 1000000104 label "Default deny rule IPv4"
block in log inet6 all ridentifier 1000000105 label "Default deny rule IPv6"
block out log inet6 all ridentifier 1000000106 label "Default deny rule IPv6"

# We use the mighty pf, we cannot be fooled.
block log quick inet proto { tcp, udp } from any port = 0 to any ridentifier 1000000107 label "Block traffic from port 0"
block log quick inet proto { tcp, udp } from any to any port = 0 ridentifier 1000000108 label "Block traffic to port 0"

# Snort package
block log quick from <snort2c> to any ridentifier 1000000109 label "Block snort2c hosts"
block log quick from any to <snort2c> ridentifier 1000000110 label "Block snort2c hosts"

# SSH lockout
block in log quick proto tcp from <sshguard> to (self) port 22 ridentifier 1000000301 label "sshguard"

# webConfigurator lockout
block in log quick proto tcp from <sshguard> to (self) port 443 ridentifier 1000000351 label "GUI Lockout"
block in log quick from <virusprot> to any ridentifier 1000000400 label "virusprot overload table"

# allow our DHCP client out to the WAN
pass in quick on $WAN proto udp from any port = 67 to any port = 68 ridentifier 1000000461 label "allow dhcp replies in WAN"
pass out quick on $WAN proto udp from any port = 68 to any port = 67 ridentifier 1000000462 label "allow dhcp client out WAN"
# Not installing DHCP server firewall rules for WAN which is configured for DHCP.
antispoof log for $WAN ridentifier 1000001470

# loopback
pass in on $loopback inet all ridentifier 1000001511 label "pass IPv4 loopback"
pass out on $loopback inet all ridentifier 1000001512 label "pass IPv4 loopback"
# let out anything from the firewall host itself and decrypted IPsec traffic
pass out inet all keep state allow-opts ridentifier 1000001513 label "let out anything IPv4 from firewall host itself"
pass out route-to ( vmx0 10.0.5.1 ) from 10.0.5.219 to !10.0.5.0/24 ridentifier 1000001611 keep state allow-opts label "let out anything from firewall host itself"
# make sure the user cannot lock himself out of the webConfigurator or SSH
pass in quick on vmx0 proto tcp from any to (vmx0) port { 443 80 22 } ridentifier 10002 keep state label "anti-lockout rule"

# User-defined rules follow

anchor "userrules/*"
# Unresolvable source alias 'testipalias' for rule 'testiprule' label "USER_RULE: testiprule"
pass in quick on $WAN reply-to ( vmx0 10.0.5.1 ) inet from $testurlalias to any ridentifier 1673395080 keep state label "USER_RULE: testurlrule" label "id:1673395080"
pass in quick on $WAN reply-to ( vmx0 10.0.5.1 ) inet from any to any ridentifier 1672689732 keep state label "USER_RULE: allow all" label "id:1672689732"
# array key "lan" does not exist for "Default allow LAN to any rule" in array: {WAN } label "USER_RULE: Default allow LAN to any rule"
# array key "lan" does not exist for "Default allow LAN IPv6 to any rule" in array: {WAN } label "USER_RULE: Default allow LAN IPv6 to any rule"

# VPN Rules

anchor "tftp-proxy/*"
</pre>

If the firewall is unable to fetch the contents of an alias of type @URL Table (IPs)@, an error is produced and the filter fails to load the ruleset. Essentially the same issue as: https://redmine.pfsense.org/issues/4893
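The report shows two different outcomes for a rule whose alias cannot be resolved: a plain alias that is not defined at all is skipped by the rule generator (the "Unresolvable source alias" comment), while a URL Table alias whose contents were never fetched is still emitted as @$testurlalias@, a macro pf cannot expand, so the whole ruleset fails. The script below is an added example for this report, not pfSense's own code: it parses a constructed config excerpt modelled on the one above and reports both cases before a restore, then lints a generated rules excerpt for @$name@ references with no matching macro definition, the same condition pfctl reports as "macro 'testurlalias' not defined". It assumes pfSense caches fetched URL Table contents as @/var/db/aliastables/<name>.txt@; rather than touching the filesystem, the caller passes the set of alias names that have a cached table.

```python
"""Pre-restore alias reference check for a pfSense config (added example, not pfSense code)."""
import re
import xml.etree.ElementTree as ET

# Constructed sample config, trimmed to the elements the check needs.
SAMPLE_CONFIG = """<pfsense>
<filter>
  <rule><descr>testiprule</descr><source><address>testipalias</address></source>
        <destination><any></any></destination></rule>
  <rule><descr>testurlrule</descr><source><address>testurlalias</address></source>
        <destination><any></any></destination></rule>
  <rule><descr>allow all</descr><source><any></any></source>
        <destination><any></any></destination></rule>
</filter>
<aliases>
  <alias><name>testurlalias</name><type>urltable</type>
         <url>https://files.netgate.com/lists/fullbogons-ipv4.txt</url></alias>
</aliases>
</pfsense>"""

# Constructed rules excerpt in the shape of /tmp/rules.debug from the report.
SAMPLE_RULES = """loopback = "{ lo0 }"
WAN = "{ vmx0 }"
# Unresolvable source alias 'testipalias' for rule 'testiprule' label "USER_RULE: testiprule"
pass in quick on $WAN inet from $testurlalias to any label "USER_RULE: testurlrule"
pass in quick on $WAN inet from any to any label "USER_RULE: allow all"
"""

# pfSense alias names are identifiers; literal hosts/networks contain dots, colons or slashes.
ALIAS_NAME = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")
MACRO_DEF = re.compile(r"^([A-Za-z_][A-Za-z0-9_]*)\s*=\s*\"", re.M)
MACRO_USE = re.compile(r"\$([A-Za-z_][A-Za-z0-9_]*)")


def check_alias_refs(config_xml, cached_tables):
    """Return (unresolvable, unfetched): lists of (rule descr, alias name).

    unresolvable: rule names an alias that is not defined in <aliases> at all
                  (pfSense skips the rule with an "Unresolvable ... alias" comment).
    unfetched:    rule names a urltable alias with no cached table file
                  (the generated $name macro is undefined and pf rejects the ruleset).
    cached_tables is the set of alias names present in /var/db/aliastables (assumption).
    """
    root = ET.fromstring(config_xml)
    aliases = {a.findtext("name"): a.findtext("type") for a in root.iter("alias")}
    unresolvable, unfetched = [], []
    for rule in root.iter("rule"):
        descr = rule.findtext("descr", "")
        for side in ("source", "destination"):
            addr = rule.findtext(f"{side}/address")
            if addr is None or not ALIAS_NAME.fullmatch(addr):
                continue  # <any>, or a literal address/network: not an alias reference
            atype = aliases.get(addr)
            if atype is None:
                unresolvable.append((descr, addr))
            elif atype == "urltable" and addr not in cached_tables:
                unfetched.append((descr, addr))
    return unresolvable, unfetched


def undefined_macros(rules_text):
    """Return sorted macro names used as $name but never defined as name = "..."."""
    defined = set(MACRO_DEF.findall(rules_text))
    used = set()
    for line in rules_text.splitlines():
        code = line.split("#", 1)[0]  # pf comments run to end of line; ignore them
        used.update(MACRO_USE.findall(code))
    return sorted(used - defined)


if __name__ == "__main__":
    unres, unf = check_alias_refs(SAMPLE_CONFIG, set())  # offline box: nothing cached yet
    for descr, name in unres:
        print(f"rule '{descr}': alias '{name}' is not defined (rule would be skipped)")
    for descr, name in unf:
        print(f"rule '{descr}': URL Table alias '{name}' has no cached table (ruleset would fail to load)")
    print("undefined macros in rules excerpt:", undefined_macros(SAMPLE_RULES))
```

Run against a real backup, @check_alias_refs(open("config.xml").read(), names_in_aliastables)@ flags @testurlrule@ as the rule that will break the reload on a firewall that has never fetched the list, while @testiprule@ is reported as merely skipped, matching the two alert classes in the report.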