Bug #14054

Updated by Marcos M over 1 year ago

Some minutes after configuring a firewall rule, the pfBlockerNG cron job ran and incorrectly modified one of the floating rules which resulted in the filter failing to reload. 

 Firewall alert: 
 <pre> 
 Unresolvable source alias 'pfB_Bogons_v6_v4' for rule 'Bogons (outside) IPv6' @ 2023-03-09 13:00:24 
 </pre> 
 Affected rule: 
 <pre> 
 block in quick on {    vmx0.99    gif0    } inet from $pfB_Bogons_v6 to any    !    tagged "passlist" ridentifier 1677447028 label "USER_RULE: Bogons (outside) IPv6" label "id:1677447028" 
 </pre> 
 Config history difference and pfBlockerNG update log (see attached). 

 Setup: 
 * Using pfBlockerNG 3.2.0_3 on pfSense+ 23.01. 
 * The general IP settings page has the following options checked: @De-Duplication@, @CIDR Aggregation@, @Floating Rules@. 
 * There are 5 IP lists configured as @Alias Deny@ which result in the following aliases created by pfBlockerNG: @pfB_Bogons_v4@, @pfB_Bogons_v6@, @pfB_PRI1_v4@, @pfB_Top_v4@, @pfB_Top_v6@. 

 While configuring floating rules on the firewall, the pfBlockerNG cron job ran and incorrectly modified one of the floating rules, which resulted in the filter failing to reload. Comparing the current and previous configuration history, pfBlockerNG made the following changes (note the new invalid alias name @pfB_Bogons_v6_v4@): 
 <pre> 
 --- /conf/backup/config-1677520581.xml 	 2023-02-27 11:56:23.760787000 -0600 
 +++ /conf/config.xml 	 2023-02-27 11:56:23.776961000 -0600 
 @@ -1771,37 +1771,6 @@ 
 	 <filter> 
 		 <rule> 
 			 <id></id> 
 - 			 <tracker>1677520514</tracker> 
 - 			 <type>pass</type> 
 - 			 <interface>opt10</interface> 
 - 			 <ipprotocol>inet</ipprotocol> 
 - 			 <tag></tag> 
 - 			 <tagged></tagged> 
 - 			 <max></max> 
 - 			 <max-src-nodes></max-src-nodes> 
 - 			 <max-src-conn></max-src-conn> 
 - 			 <max-src-states></max-src-states> 
 - 			 <statetimeout></statetimeout> 
 - 			 <statetype><![CDATA[keep state]]></statetype> 
 - 			 <os></os> 
 - 			 <source> 
 - 				 <any></any> 
 - 			 </source> 
 - 			 <destination> 
 - 				 <any></any> 
 - 			 </destination> 
 - 			 <descr><![CDATA[TEST]]></descr> 
 - 			 <updated> 
 - 				 <time>1677520514</time> 
 - 				 <username><![CDATA[admin@10.0.5.50 (Local Database)]]></username> 
 - 			 </updated> 
 - 			 <created> 
 - 				 <time>1677520514</time> 
 - 				 <username><![CDATA[admin@10.0.5.50 (Local Database)]]></username> 
 - 			 </created> 
 - 		 </rule> 
 - 		 <rule> 
 - 			 <id></id> 
 			 <tracker>1627764969</tracker> 
 			 <type>pass</type> 
 			 <interface>wan,opt7</interface> 
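Review bot: the block removed here is not a pfBlockerNG rule but the user's own floating rule "TEST" (tracker 1677520514, created by admin@10.0.5.50 at 1677520514, about a minute before the package save recorded in the revision hunk below). A package save should not have to delete a rule it did not create; if the intent is only to re-sequence its own rules, rewriting just the pfBlockerNG entries and leaving every other rule in place would avoid touching user rules at all.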
 @@ -4287,7 +4256,7 @@ 
 			 <statetype><![CDATA[keep state]]></statetype> 
 			 <os></os> 
 			 <source> 
 - 				 <address>pfB_Bogons_v6</address> 
 + 				 <address>pfB_Bogons_v6_v4</address> 
 			 </source> 
 			 <destination> 
 				 <any></any> 
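Review bot: this is the change that breaks the reload. The source of the rule (the one matching the alias in the alert's rule "Bogons (outside) IPv6", which the alert labels USER_RULE) is rewritten from pfB_Bogons_v6 to pfB_Bogons_v6_v4, and that name is not one of the five aliases the setup section lists as created by pfBlockerNG, hence "Unresolvable source alias" at filter load. The new name is the old one with a second address-family suffix appended, so whatever code adds _v4 should first check that the name does not already end in _v4 or _v6; the alert output also shows this rule as inet with a _v6 alias, which is the combination the rewrite appears to trip on. Either way, the package should not rewrite alias references in rules it did not create.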
 @@ -4550,6 +4519,37 @@ 
 		 </rule> 
 		 <rule> 
 			 <id></id> 
 + 			 <tracker>1677520514</tracker> 
 + 			 <type>pass</type> 
 + 			 <interface>opt10</interface> 
 + 			 <ipprotocol>inet</ipprotocol> 
 + 			 <tag></tag> 
 + 			 <tagged></tagged> 
 + 			 <max></max> 
 + 			 <max-src-nodes></max-src-nodes> 
 + 			 <max-src-conn></max-src-conn> 
 + 			 <max-src-states></max-src-states> 
 + 			 <statetimeout></statetimeout> 
 + 			 <statetype><![CDATA[keep state]]></statetype> 
 + 			 <os></os> 
 + 			 <source> 
 + 				 <any></any> 
 + 			 </source> 
 + 			 <destination> 
 + 				 <any></any> 
 + 			 </destination> 
 + 			 <descr><![CDATA[TEST]]></descr> 
 + 			 <updated> 
 + 				 <time>1677520514</time> 
 + 				 <username><![CDATA[admin@10.0.5.50 (Local Database)]]></username> 
 + 			 </updated> 
 + 			 <created> 
 + 				 <time>1677520514</time> 
 + 				 <username><![CDATA[admin@10.0.5.50 (Local Database)]]></username> 
 + 			 </created> 
 + 		 </rule> 
 + 		 <rule> 
 + 			 <id></id> 
 			 <tracker>1649823169</tracker> 
 			 <type>pass</type> 
 			 <interface>wan</interface> 
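Review bot: the same TEST rule (tracker 1677520514) removed in the first hunk is re-inserted here, now after the rule with tracker 1649823169 instead of before tracker 1627764969, so the net effect of the two hunks is a change of position for a user floating rule, not a delete-and-restore. Floating rules are evaluated in order and the affected rule uses quick, so moving a user rule can change which rule matches first; the package should preserve the relative order of rules it did not create when it rewrites the rule list.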
 @@ -15234,8 +15234,8 @@ 
 	 <qinqs></qinqs> 
 	 <laggs></laggs> 
 	 <revision> 
 - 		 <time>1677520581</time> 
 - 		 <description><![CDATA[(system): [pfSense-pkg-WireGuard] Applied package default settings as necessary.]]></description> 
 + 		 <time>1677520583</time> 
 + 		 <description><![CDATA[(system): pfBlockerNG: saving Firewall rules]]></description> 
 		 <username><![CDATA[(system)]]></username> 
 	 </revision> 
 	 <gateways> 
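Review bot: the revision record ties the rewrite to the package ("pfBlockerNG: saving Firewall rules", two seconds after the WireGuard default-settings revision), which is what attributes the alias change above to pfBlockerNG rather than to the manual rule edit. Triage would be easier if this description named the trackers the save touched, since the config history is otherwise the only way to see that a user rule was rewritten.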
 </pre>
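To catch this class of breakage before a filter reload fails, the following added example (not part of the bug report and not pfBlockerNG or pfSense code) parses a constructed pfSense-style config.xml fragment and lists rules whose source or destination refers to an alias that is neither declared under the aliases section nor in an operator-supplied list of package-generated aliases; it also flags names carrying a doubled _v4/_v6 suffix, the pattern seen in this report. The element layout mirrors pfSense's config.xml (aliases/alias/name, filter/rule/source/address); the sample rules, the PFB_ALIASES list and the double-suffix heuristic are assumptions made for the example.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: a minimal pfSense-style config.xml. The element layout
# (<aliases><alias><name>, <filter><rule><source><address>) follows pfSense's
# config.xml; the rule contents are invented for this example, with one rule
# carrying the doubled-suffix alias name from the report.
SAMPLE_CONFIG = """<pfsense>
  <aliases>
    <alias><name>MgmtHosts</name><type>host</type><address>10.0.5.50</address></alias>
  </aliases>
  <filter>
    <rule>
      <tracker>1677447028</tracker><type>block</type><floating>yes</floating>
      <ipprotocol>inet</ipprotocol>
      <source><address>pfB_Bogons_v6_v4</address></source>
      <destination><any></any></destination>
      <descr>Bogons (outside) IPv6</descr>
    </rule>
    <rule>
      <tracker>1627764969</tracker><type>pass</type>
      <ipprotocol>inet</ipprotocol>
      <source><address>MgmtHosts</address></source>
      <destination><address>10.0.5.0/24</address></destination>
      <descr>Allow management</descr>
    </rule>
    <rule>
      <tracker>1649823169</tracker><type>pass</type>
      <ipprotocol>inet6</ipprotocol>
      <source><any></any></source>
      <destination><address>pfB_Top_v6</address></destination>
      <descr>Top v6 (package alias)</descr>
    </rule>
  </filter>
</pfsense>
"""

# Aliases pfBlockerNG generates outside Firewall > Aliases, taken from the
# report's setup section. Assumption: the operator supplies this list, since
# these names are not stored under <aliases> in config.xml.
PFB_ALIASES = frozenset({"pfB_Bogons_v4", "pfB_Bogons_v6",
                         "pfB_PRI1_v4", "pfB_Top_v4", "pfB_Top_v6"})

# pfSense alias names start with a letter or underscore; IP literals, CIDRs and
# hostnames never match this, so it separates alias references from literals.
ALIAS_NAME_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")
# Heuristic (assumption): an address-family suffix appended to a name that
# already carries one, e.g. pfB_Bogons_v6_v4.
DOUBLE_SUFFIX_RE = re.compile(r"_v[46]_v[46]$")


def defined_aliases(root):
    """Alias names declared under <aliases>."""
    return {a.findtext("name") for a in root.iter("alias") if a.findtext("name")}


def alias_references(rule):
    """Yield (endpoint, name) for source/destination addresses that are alias names."""
    for endpoint in ("source", "destination"):
        node = rule.find(endpoint)
        addr = node.findtext("address") if node is not None else None
        if addr and ALIAS_NAME_RE.match(addr):
            yield endpoint, addr


def check_rules(config_xml, extra_aliases=frozenset()):
    """Return (tracker, descr, endpoint, alias, reason) for each unresolvable reference."""
    root = ET.fromstring(config_xml)
    known = defined_aliases(root) | set(extra_aliases)
    findings = []
    filt = root.find("filter")
    for rule in (filt.iter("rule") if filt is not None else []):
        for endpoint, name in alias_references(rule):
            if name in known:
                continue
            reason = "alias not defined"
            if DOUBLE_SUFFIX_RE.search(name):
                reason += " (doubled _v4/_v6 suffix, looks like a rewritten alias name)"
            findings.append((rule.findtext("tracker", "?"),
                             rule.findtext("descr", ""), endpoint, name, reason))
    return findings


if __name__ == "__main__":
    for tracker, descr, endpoint, name, reason in check_rules(SAMPLE_CONFIG, PFB_ALIASES):
        print(f"rule {tracker} '{descr}': {endpoint} alias {name}: {reason}")
```

Run against a backup copy of /conf/config.xml (or a file from /conf/backup/) with the package-generated alias names passed as extra_aliases; any finding is a rule that pf will reject at the next reload, which is the condition this report hit.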
