ACL (Access Control List) rule order issue
-
Hello fellow Netgate community members,
Can you please help.
As of lately when I create a new firewall rule or change one that is already in my list the order of the rules I have in place gets completely mixed up. It's like it goes into random order for some reason.
Is anyone else seeing this on the 2100 appliance?
-
@JonathanLee nope been running pfsense since really it came out and have never seen such a thing.
Are you using something that auto adds rules, that could effect order? Pfblocker?
Are you using any sort of interface groups and apply rules to multiple interfaces? When you add a rule you can have it put it at the top of the list or the bottom? Your saying if you do either the rule order changes? Could you post it doing such a thing, say screenshot of the rules. And then add a rule or edit a rule and then place screenshot of these rules in a different order?
An intelligent man is sometimes forced to be drunk to spend time with his fools
If you get confused: Listen to the Music Play
Please don't Chat/PM me for help, unless mod related
SG-4860 24.11 | Lab VMs 2.7.2, 24.11 -
@johnpoz I have NAT rules but that's it. All the sudden if I add a new rule it goes haywire and everything is mixed up. I have to drag everything all around again. It's not just moving down it's a new random order.
-
(before rule adaption)
(changing ACL 1 to all and not alias apple systems)I hit save and this happens every time now
(after)
My DNS NTP, and allow proxy and moved to random spots every time. This was after the update and recent patches.This is on an official Netgate 2100 appliance
Make sure to upvote
-
I restore the last config change and it goes back. I also noticed one day my separators some were all the sudden missing. Just weird
-
It even mixed up my ethernet rules and moves my ipv6 block that should be on top
-
@JonathanLee said in ACL (Access Control List) rule order issue:
I hit save and this happens every time now
Huh? You mean you hit apply changes? Save is for the order of rules.. Why would you hit that? Unless you have moved rules around?
-
@johnpoz when I click on a rule to change it and hit save right after the order is mixed up. I don't move the rules the next screen after looks like someone dragged the rules around. See I changed the rule in position one from an alias to all and at the bottom of the specific rule has save the next screen is apply that's when it's mixed up.
-
@JonathanLee said in ACL (Access Control List) rule order issue:
when I click on a rule to change it and hit save right after the order is mixed up.
Again why would you click the save button?? The only time you would hit save button is when you moved the order around..
When you edit a rule - you should hit the apply button, not the save button.
I just edited this rule - the button to click after edit is the apply button, not the save button
-
@johnpoz "apply" I must have gotten mixed up with the verbage. Why does my rule set order get mixed up directly after?
Make sure to upvote
-
@JonathanLee have no idea - have never seen that ever happen, ever..
Are these rules copied rules, there was a thing before that when copied a rule it would reuse the RID.. Maybe something like that could happen.. maybe you actually had the rule order changed, and never "saved" it and then when you apply rules it puts them back to the original order?
I don't use seps for rules - I could add them and try and duplicate your issue. But again in all my years with working with pfsense, I have never seen that ever happen.
I would look at your rules. Save the order, then edit some rule - could be as something as editing the description - then hit apply.. Does your order change?
You might want to remove your separators, and try again - do your rules reorder without those? I will add some seps to my rules and see if I can duplicate.
-
@johnpoz some of the rules I have created from the copy icon next to the original rule. I can attest to the fact one time I was missing my separators that might point to some issues with them as you don't use them.
Make sure to upvote
-
@JonathanLee ok added some seps.. So when you move a rule, notice it should have its check mark set, and the color of the save button changes.
Once you hit save, the color changes and the apply button should show up.
I then edited a rule - and while the apply button shows up the save button does not change color.
I tried all kinds of edits, even adding rules - I can not get it to do what you are saying its doing.
-
@johnpoz could it be a 2100 thing? I wonder why it all the sudden started doing this for me.
-
@JonathanLee I would go over the rules with your mouse over them and make sure all the IDs are different.
Prob better yet, look at your /tmp/rules.debug with cat and see if any duplicate RID or IDs
edit: I don't see how it could be related to a specific appliance - that makes no sense at all..
An intelligent man is sometimes forced to be drunk to spend time with his fools
If you get confused: Listen to the Music Play
Please don't Chat/PM me for help, unless mod related
SG-4860 24.11 | Lab VMs 2.7.2, 24.11 -
@johnpoz I found the issue, as soon as I removed all the "Seperators" the order stays.
(Rule set before I have made changes to rule #3 no seperators)
(Rule set after I have made changes with no separators resulting in no mix ups)Why is the seperators causing this issue for my system?
Make sure to upvote
-
@johnpoz I have also checked for duplicate tracking ids. I have none thankfully. It took longer than usual to apply after I removed the separators. Once the first apply was completed now it has no issues again. Weird right?
-
@JonathanLee if I had to guess, you were not saving after a move or something. Again in all the years I have been using pfsense, and all the years on this board. I have never seen this for sure, and do not recall ever seeing anyone reporting such an issue.
Maybe there is something weird with separators? I personally have never used them, other then testing then when they first came out. I believe lots of people do use them, so if there was some issue with them - you would think it would have been reported. Would have to go through redmine to see if such an issue has ever been reported.
Rule order is vital part of firewall, so if there was something that was re-ordering rules.. It would be of great concern.
-
@johnpoz So something got mixed up from a backup config or something and never was fully applied and stuck and bonked up, it is fixed now. Removing the separators did resolve my issues. Your right this was a one off for me too. I originally thought it had to do with the experimental layer 2 rules. You know how I test stuff and reapply the old config I saved all the time, I wonder if one was mid save and I reapplied it and the mid save was just in a half way point.
-
@JonathanLee maybe - I have not done anything with the new L2 rules as of yet, I have no use for them.. I don't see playing with them even until someone has a question about them that interests me enough to play with them ;)
