Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Static route filtering bug?

    Scheduled Pinned Locked Moved 2.0-RC Snapshot Feedback and Problems - RETIRED
    9 Posts 3 Posters 3.6k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • J
      josey
      last edited by

      Hello guys
      im running
      2.0-BETA4 (i386)
      built on Wed Sep 29 12:15:10 EDT 2010

      i have couple of interfaces, and on one of them i had more subnets
      interface address is 10.20.0.0/24
      subnets are
      10.20.170.0/24
      10.20.240.0/24
      …
      etc
      (static routes are set)

      i have problem with static route filtering (system->advanced->firewall)
      Pfs is showing strange behaviour,
      it doesent matter is this option checked or unchecked, pfs is acting same. It want pass any traffic except icmp.

      I had this option checked on 1.2.3 and asked why is not working when this option is unchecked (it didnt work no matter if firewall rules are set properly), and get answer that is a bug.

      Now i had that option checked on 2.0beta, since when unchecked it shows same behaviour as on 1.2.3. And it worked until day ago (i reboot it i dont remember why), pfs stops passing traffic between subnets on same interface.

      Example
      computer on 10.20.240.0/24 network can ping computer on 10.20.0.0/24 but nothing else can pass.

      computer on 10.20.240.0/24 can access al other networks 10.x.y.z if they are behind other interfaces.

      i made lots of tests, and take many logs, and they confirm what i type here.

      can you help me with this guys?

      thanks

      1 Reply Last reply Reply Quote 0
      • C
        cmb
        last edited by

        It wasn't a bug before and isn't now, you have asymmetric routing in that case and hence cannot statefully filter traffic. You must enable that option for traffic to pass correctly. If it doesn't with it enabled, go to Diagnostics>Command, and run:

        grep "no state" /tmp/rules.debug

        and post the output here.

        1 Reply Last reply Reply Quote 0
        • J
          josey
          last edited by

          as i wrote, it does not work in eather cases, and when i check option, is like i didnt, nothing happens.
          Also, i dont understand why that option exists, its just trouble maker.
          I suppose it was intended for users to chose if they want to pass traffic on same interface through firewall?

          here is log

          this is with option unchecked

          $ grep no state /tmp/rules.debug
          /tmp/rules.debug:#Snort2C table
          /tmp/rules.debug:table <snort2c>/tmp/rules.debug:set optimization normal
          /tmp/rules.debug:set limit src-nodes 324000
          /tmp/rules.debug:# We use the mighty pf, we cannot be fooled.
          /tmp/rules.debug:# snort2c
          /tmp/rules.debug:block quick from <snort2c>to any label "Block snort2c hosts"
          /tmp/rules.debug:block quick from any to <snort2c>label "Block snort2c hosts"
          /tmp/rules.debug:# make sure the user cannot lock himself out of the webConfigurator or SSH
          /tmp/rules.debug:# WANLANOPT1OPT2OPT3pptp  array key does not exist for  label "USER_RULE"
          /tmp/rules.debug:# WANLANOPT1OPT2OPT3pptp  array key does not exist for  label "USER_RULE"
          /tmp/rules.debug:# WANLANOPT1OPT2OPT3pptp  array key does not exist for  label "USER_RULE"

          this is with option checked

          $ grep no state /tmp/rules.debug
          /tmp/rules.debug:#Snort2C table
          /tmp/rules.debug:table <snort2c>/tmp/rules.debug:set optimization normal
          /tmp/rules.debug:set limit src-nodes 324000
          /tmp/rules.debug:# We use the mighty pf, we cannot be fooled.
          /tmp/rules.debug:# snort2c
          /tmp/rules.debug:block quick from <snort2c>to any label "Block snort2c hosts"
          /tmp/rules.debug:block quick from any to <snort2c>label "Block snort2c hosts"
          /tmp/rules.debug:# make sure the user cannot lock himself out of the webConfigurator or SSH
          /tmp/rules.debug:# WANLANOPT1OPT2OPT3pptp  array key does not exist for  label "USER_RULE"
          /tmp/rules.debug:# WANLANOPT1OPT2OPT3pptp  array key does not exist for  label "USER_RULE"
          /tmp/rules.debug:# WANLANOPT1OPT2OPT3pptp  array key does not exist for  label "USER_RULE"</snort2c></snort2c></snort2c></snort2c></snort2c></snort2c>

          1 Reply Last reply Reply Quote 0
          • C
            cmb
            last edited by

            Note the quotes:
            @cmb:

            grep "no state" /tmp/rules.debug

            try again.

            @josey:

            Also, i dont understand why that option exists, its just trouble maker.

            No not in the least, it's much easier for you that way. The alternative is trying to tell you how to manually create proper 'no state' rules for that traffic. When you have asymmetric routing, no stateful firewall can function properly, hence you must have that.

            1 Reply Last reply Reply Quote 0
            • J
              josey
              last edited by

              @cmb:

              grep "no state" /tmp/rules.debug

              no, nothing happens when i copy-paste that to
              Diagnostics>Command, and run:

              BUT, since you wrote that you should explain us how to create no state firewall rules,
              i add firewall rule to pass * * * * * *
              with advanced feature> state type-none
              and bzzzap it works, from first. :)
              (i logged some traffic and i noticed that firewall or tracking traffic works with reverse logic, source and destination addresses are reversed is this correct?
              im opening shared documents on 10.20.0.0/24 from 10.20.240.0/24 and log said that im oppening from source 10.20.0.0/24.
              please dont get me wrong im not complaining, i just want to understand how it works. thanks)

              but again, since that check box > static routing seems it is not working you should check it

              thanks for helpand for the explanation

              1 Reply Last reply Reply Quote 0
              • E
                eri--
                last edited by

                It is not working because you must be overriding one of them.
                Since in 2.0 you can override them which is not possible in 1.2.3

                The command to grep is:
                grep sloppy /tmp/rules.debug

                1 Reply Last reply Reply Quote 0
                • J
                  josey
                  last edited by

                  override? hmm…
                  maybe :(

                  here is file

                  [GREP SLOPPY.txt](/public/imported_attachments/1/GREP SLOPPY.txt)

                  1 Reply Last reply Reply Quote 0
                  • E
                    eri--
                    last edited by

                    The rule is there so the checkbox is working.
                    Just you are overriding that with some previous firewall rule.

                    1 Reply Last reply Reply Quote 0
                    • J
                      josey
                      last edited by

                      checkbox is working?
                      ok than, it have to be something local at my pfs box.
                      thanks for all help

                      you can lock

                      1 Reply Last reply Reply Quote 0
                      • First post
                        Last post
                      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.