[solved, I am dumb] Is there a bug with networks alias usage & FW rules?

lightingman117

Logging on or off doesn't matter.
A single network src/dst with or without logging (no aliases) works.
A single network in alias1 & alias2 replacing rule above works.

Bob.Dig

@lightingman117 We need screenshots to help you, from your rule and your aliases.

johnpoz

@lightingman117 said in Is there a bug with networks alias usage & FW rules?:

Randomly change things until the aliases work properly.

Keep in mind - once a state is created, if a state allows traffic rules are not evaluated.

If you create an alias, and you validate that it populated - you can view your aliases in diag, tables.

example

Also in your rules if you hover over the alias a little popup should show up with whats in the table.

There is no random anything.. Firewall does what you tell it to do.. Biggest problem I see users having is not understanding why something is not blocked when they block it.. Comes down there was already a state allowing it, until that state times out, is closed or killed that state will allow traffic before rules are looked at.

Rules are also evaluated in order top down, once a rule triggers no other rules are evaluated.

If you want help in creating firewall rules to do xyz, and use of aliases - then post up your aliases, and your rules..

lightingman117

Yes...usually it is me.

But In this case it might not be.

I have tried multiple different scenarios to test this and it keeps coming back to multiple networks in a single alias.

I clear states between firewall refreshes to test if something is 'working' or not.

johnpoz

@lightingman117 first off those first 2 you list in alias 1 neteworks - are not networks, those are host addresses..

Those rules show no evaluations 0/0 B in the states..

If there was a state already, then again those rules would not be evaluated..

lightingman117

@johnpoz

FML I looked at that 100 times before posting

My goodness why am I so dumb.

johnpoz

@lightingman117 which is why posting is so helpful ;)

Sometimes you can not see the tree in the forest or the forest for the trees..

Extra eyes on something can quite often find something that is clearly obvious - but if you have been looking at it too long, you just don't see it..

if you want to log something specific by putting an allow rule above your any any rule - that is fine, but you have to make sure you kill off any states that are allowing the traffic before you will see hits on your new rule.

lightingman117

@johnpoz

Thank you for being nice about it anyways :)

Sry screen shots took a bit. Had to edit for privacy, but I wanted to keep their character the same.

Is there a marked 'solved' in the forum?
[I changed title & thumbed up]

@johnpoz said in Is there a bug with networks alias usage & FW rules?:

if you want to log something specific by putting an allow rule above your any any rule - that is fine, but you have to make sure you kill off any states that are allowing the traffic before you will see hits on your new rule.

You're referring to my reject any any rule?
Or my vague reference to logging?

I'm just narrowing down traffic to as few ports & protocols as possible and putting logging on them to spit out to syslog.

I do clear states between FW changes (just on this interface) as there's only a few devices right now during testing.

Edit: Ahh I see what you mean. 0/0B evaluations for my 'no work' image. Not sure about that one. I cleared the states. Refreshed the FW. Checked states again. Let RDP rip and it no works. Perhaps I didn't wait long enough for the page to refresh evaluations? I dunno.

Thanks for the help!
Cheers!

AndyRH

@lightingman117 said in [solved, I am dumb] Is there a bug with networks alias usage & FW rules?:

FML I looked at that 100 times before posting

My goodness why am I so dumb.

Don't think of it as dumb, just under experienced.
Experience is the thing you get after you needed it.

johnpoz

@lightingman117 said in [solved, I am dumb] Is there a bug with networks alias usage & FW rules?:

You're referring to my reject any any rule?

No there is nothing wrong with a reject on a local interface - I use them myself, this can cut down on a retrans, and faster notification that its not going to work in a browser or app, etc...

If your looking at your rules page, I don't think it updates states column at any specific time - you need to actually reload the page I believe.

But yeah if your seeing 0/0 in the rules page, and your not seeing any hits there, then that rule for whatever reason is not being evaluated.. If the rule was used to create a state you would see that in the X/Y where X his how many active states, and the Y is how much traffic.

0/0 means it has not been evaluated, if you refresh the page and still seeing 0/0 and your traffic is working - something else let it pass, be it an existing state, a rule on floating maybe? Or your rule order where for some reason that rule didn't trigger be it source or destination IP/port or protocol on the rule tcp/udp/icmp etc..