Error in system logs after enabling ipsec
-
Hello,
I'm kind of a newbie on pfSense and working my way through configuring it to a state that protects my internal LAN…
After a few days of leaving it in the default working state, I decided I should enable IPsec VPN so I could access my LAN remotely in a secure way. All worked brilliantly and I could access my LAN from my iPhone...
After a few days I decided to restart the firewall and there was a yellow error message on my WebConfigurator...:
[code]
Feb 23 14:02:37 php: : There were error(s) loading the rules: /tmp/rules.debug:101: macro '' not defined /tmp/rules.debug:101: syntax error /tmp/rules.debug:102: macro '' not defined /tmp/rules.debug:103: macro '' not defined /tmp/rules.debug:104: macro '' not defined /tmp/rules.debug:105: macro '' not defined /tmp/rules.debug:106: macro '' not defined pfctl: Syntax error in config file: pf rules not loaded - The line in question reads [101]: pass out on $ proto udp from any to any port = 500 keep state label "IPsec: RemoteAccess - outbound isakmp"
Feb 23 14:02:37 php: : New alert found: There were error(s) loading the rules: /tmp/rules.debug:101: macro '' not defined /tmp/rules.debug:101: syntax error /tmp/rules.debug:102: macro '' not defined /tmp/rules.debug:103: macro '' not defined /tmp/rules.debug:104: macro '' not defined /tmp/rules.debug:105: macro '' not defined /tmp/rules.debug:106: macro '' not defined pfctl: Syntax error in config file: pf rules not loaded The line in question reads [101]: pass out on $ proto udp from any to any port = 500 keep state label "IPsec: RemoteAccess - outbound isakmp"
Feb 23 14:02:37 php: : The command '/sbin/pfctl -o basic -f /tmp/rules.debug' returned exit code '1', the output was '/tmp/rules.debug:101: macro '' not defined /tmp/rules.debug:101: syntax error /tmp/rules.debug:102: macro '' not defined /tmp/rules.debug:103: macro '' not defined /tmp/rules.debug:104: macro '' not defined /tmp/rules.debug:105: macro '' not defined /tmp/rules.debug:106: macro '' not defined pfctl: Syntax error in config file: pf rules not loaded'
[/code]
It definitely came up after configuring IPsec, since I tried reverting back to default and reconfiguring it again; it came up after a restart again… (although I think I noticed a few restarts where the error didn't occur...)
Everything seems to work fine, though I'd like to fix this issue but don't know how... :-( Anyone have any ideas?
Edit: it definitely doesn't come up on every restart... I did one after I finished this post and the logs were clear...
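The error quoted in the post is pfctl refusing a rule whose interface macro expanded to nothing: `pass out on $ proto udp ...` has a bare `$` where `$WAN` should be, so every later rule in that block fails as well. As an added example (not code from this thread, and not part of pfSense), here is a small Python pre-flight checker that does the same bookkeeping pfctl does on macros: pf.conf requires a macro to be defined before it is referenced, so one top-down pass records each `name = "..."` definition and flags every `$name` reference that is empty or unknown, reporting it in the same `file:line: macro '' not defined` shape seen in the log. The sample ruleset inside it is constructed to resemble the fragments quoted in this thread; its addresses are RFC 5737 / RFC 1918 placeholders, not real hosts.

```python
"""Pre-flight checker for pf macro references in a rules.debug-style file.

Added example, not code from this thread or from pfSense. It mimics the
"macro '' not defined" diagnostic shown above: pf.conf macros must be
defined before they are referenced, so a single top-down pass suffices.
"""
import re
import sys
from typing import List, Tuple

# Constructed sample modelled on the fragments quoted in this thread.
# Addresses are RFC 5737 / RFC 1918 placeholders, not real hosts.
SAMPLE_RULES = """\
#System aliases
loopback = "{ lo0 }"
WAN = "{ pppoe0 }"
LAN = "{ em1 }"
IPsec = "{ enc0 }"
# User Aliases
table <easyruleblockhostswan> { 192.0.2.10/32 }
EasyRuleBlockHostsWAN = "<easyruleblockhostswan>"
block in quick on $WAN from $EasyRuleBlockHostsWAN to any label "USER_RULE: Easy Rule"
pass in quick on $LAN from 192.168.1.0/24 to any keep state label "USER_RULE: Default allow LAN to any rule"
# VPN Rules
pass out on $ proto udp from any to any port = 500 keep state label "IPsec: RemoteAccess - outbound isakmp"
pass in on $ proto udp from any to any port = 4500 keep state label "IPsec: RemoteAccess - inbound nat-t"
pass out on $IPsec all keep state label "IPsec internal host to host"
"""

# A macro definition:  name = "value"
MACRO_DEF = re.compile(r'^\s*([A-Za-z_][A-Za-z0-9_]*)\s*=\s*"')
# A macro reference: $name  (an empty name is exactly the failure in the thread)
MACRO_REF = re.compile(r'\$([A-Za-z0-9_]*)')

Problem = Tuple[int, str, str]  # (line number, message, offending line)


def check_macros(text: str) -> List[Problem]:
    """Return one entry per undefined or empty macro reference, in file order."""
    defined = set()
    problems: List[Problem] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue  # blank line or full-line comment
        definition = MACRO_DEF.match(line)
        if definition:
            defined.add(definition.group(1))
            continue
        for ref in MACRO_REF.finditer(line):
            name = ref.group(1)
            if name not in defined:  # an empty name ('') is never defined
                problems.append((lineno, f"macro '{name}' not defined", stripped))
    return problems


def format_report(path: str, text: str) -> List[str]:
    """Render problems in the same 'file:line: message' shape pfctl uses."""
    report = []
    for lineno, message, offending in check_macros(text):
        report.append(f"{path}:{lineno}: {message}")
        report.append(f"  the line in question reads [{lineno}]: {offending}")
    return report


if __name__ == "__main__":
    # Usage: python check_macros.py [/path/to/rules.debug]; no argument checks the sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            source, path = fh.read(), sys.argv[1]
    else:
        source, path = SAMPLE_RULES, "sample-rules.debug"
    lines = format_report(path, source)
    print("\n".join(lines) if lines else f"{path}: all macro references resolve")
    sys.exit(1 if lines else 0)
```

Run it against a saved copy of /tmp/rules.debug taken while the alert is showing; if the line numbers it reports do not match the ones in the alert, the file has already been regenerated since the error. On the firewall itself the authoritative dry run is `pfctl -n -f /tmp/rules.debug`, which parses without loading; this script is only for reading a copy offline.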
-
I have a similar error, on a different line, around line 118ff.
I'm on 2.0.2; didn't see that under 2.0.1.
First I had snort installed and thought it was linked to it. But actually even after snort is gone the error remains. I'm also a newbie on pfSense (6 months); like it a lot. But I don't yet understand that error. Any help would be much appreciated.
-
Without seeing a copy of /tmp/rules.debug when it's broken, it's impossible to speculate about the cause of the problem.
-
Fair enough :-[ (classical newbie error on my side)
Here is a copy from my file:
[code]
113: # User-defined rules follow
114:
115: anchor "userrules/*"
116: block in quick on $WAN reply-to ( pppoe0 GGG.GGG.GGG.GGG ) from $EasyRuleBlockHostsWAN to any label "USER_RULE: Easy Rule: Blocked from Firewall Log View"
117: block in log quick on $WAN reply-to ( pppoe0 GGG.GGG.GGG.GGG ) proto tcp from any to PPP.PPP.PPP.PPP port 445 label "USER_RULE: Easy Rule: Block but not log MS ds"
118: pass in log quick on $WAN reply-to ( pppoe0 GGG.GGG.GGG.GGG ) proto udp from any port 500 to any keep state label "USER_RULE: VPN Traffic"
119: pass in log quick on $WAN reply-to ( pppoe0 GGG.GGG.GGG.GGG ) proto udp from any port 4500 to any keep state label "USER_RULE: VPN traffic"
120: pass in log quick on $WAN reply-to ( pppoe0 GGG.GGG.GGG.GGG ) proto { tcp udp } from 17.0.0.0/8 to PPP.PPP.PPP.PPP/32 keep state label "USER_RULE: We trust Apple"
121: pass in quick on $LAN proto tcp from LLL.LLL.LLL.LLL/24 to MMM.MMM.MMM.MMM port 993 flags S/SA keep state label "USER_RULE: Easy Rule: Passed from Firewall Log View"
122: pass in quick on $LAN proto tcp from LLL.LLL.LLL.LLL/24 to 184.24.0.0/13 port 80 flags S/SA keep state label "USER_RULE: Easy Rule: Passed from Firewall Log View Akamai Tech"
123: pass in quick on $LAN from LLL.LLL.LLL.LLL/24 to any keep state label "USER_RULE: Default allow LAN to any rule"
124: pass in quick on $LAN proto tcp from HHH.HHH.HHH.HHH to LLL.LLL.LLL.LLL/24 flags S/SA keep state label "USER_RULE: Easy Rule: Passed from Firewall Log View"
125: # returning at dst == "/" label "USER_RULE: Management Network"
126: pass in quick on $LAN inet proto icmp from LLL.LLL.LLL.LLL/24 to LLL.LLL.LLL.LLL/24 keep state label "USER_RULE"
127: pass in quick on $IPsec from any to LLL.LLL.LLL.LLL/24 keep state label "USER_RULE: VPN full access"
128: pass in quick on $IPsec proto tcp from VVV.VVV.VVV.VVV/24 to any flags S/SA keep state label "USER_RULE: VPN Full support"
[/code]
I masked the valid IP addresses in the file:
GGG.GGG.GGG.GGG for my external gateway to WAN (from ISP)
PPP.PPP.PPP.PPP my fixed external IP address (from ISP)
LLL.LLL.LLL.LLL my local LAN
HHH.HHH.HHH.HHH my pfSense host IP in local LAN
VVV.VVV.VVV.VVV my IPsec Virtual LAN
Thanks in advance for your help …
-
Are you sure that is when it was broken?
And we need the full file, not just that section. Masking is OK, just include the entire file when doing so, along with the exact error/notice you received at the time.
-
Now I really need to ask a rookie question: in which log file is the error message from the front page stored? I would like to get you the exact text. The numbers in the error message don't fit with the /tmp/rules.debug file; funny enough.
Seems I can easily reproduce it by just restarting my pfSense VM to get the message back.
[code]
set limit tables 3000
set optimization conservative
set timeout { udp.first 300, udp.single 150, udp.multiple 900 }
set limit states 195000
set limit src-nodes 195000
#System aliases
loopback = "{ lo0 }"
WAN = "{ pppoe0 }"
LAN = "{ em1 }"
IPsec = "{ enc0 }"
#SSH Lockout Table
table <sshlockout> persist
table <webconfiguratorlockout> persist
#Snort tables
table <snort2c>
table <virusprot>
# User Aliases
table <easyruleblockhostswan> { 118.96.244.163/32 }
EasyRuleBlockHostsWAN = "<easyruleblockhostswan>"
# Gateways
GWManagement = " route-to ( em0 HHH.HHH.HHH.HHH ) "
GWGW_WAN = " route-to ( pppoe0 GGG.GGG.GGG.GGG ) "
set loginterface em1
set skip on pfsync0
scrub on $WAN all fragment reassemble
scrub on $LAN all fragment reassemble
no nat proto carp
no rdr proto carp
nat-anchor "natearly/*"
nat-anchor "natrules/*"
# Outbound NAT rules
# Subnets to NAT
tonatsubnets = "{ QQQ.QQQ.QQQ.QQQ/24 LLL.LLL.LLL.LLL/24 AAA.AAA.AAA.AAA/24 127.0.0.0/8 }"
nat on $WAN from $tonatsubnets port 500 to any port 500 -> PPP.PPP.PPP.PPP/32 port 500
nat on $WAN from $tonatsubnets to any -> PPP.PPP.PPP.PPP/32 port 1024:65535
# Load balancing anchor
rdr-anchor "relayd/*"
# TFTP proxy
rdr-anchor "tftp-proxy/*"
table <negate_networks> { PPP.PPP.PPP.PPP/32 LLL.LLL.LLL.LLL/24 QQQ.QQQ.QQQ.QQQ/24 }
# UPnPd rdr anchor
rdr-anchor "miniupnpd"
anchor "relayd/*"
#---------------------------------------------------------------------------
# default deny rules
#---------------------------------------------------------------------------
block in log all label "Default deny rule"
block out log all label "Default deny rule"
# We use the mighty pf, we cannot be fooled.
block quick proto { tcp, udp } from any port = 0 to any
block quick proto { tcp, udp } from any to any port = 0
# Block all IPv6
block in quick inet6 all
block out quick inet6 all
# Snort package
block quick from <snort2c> to any label "Block snort2c hosts"
block quick from any to <snort2c> label "Block snort2c hosts"
# SSH lockout
block in log quick proto tcp from <sshlockout> to any port 22 label "sshlockout"
# webConfigurator lockout
block in log quick proto tcp from <webconfiguratorlockout> to any port 443 label "webConfiguratorlockout"
block in quick from <virusprot> to any label "virusprot overload table"
table <bogons> persist file "/etc/bogons"
# block bogon networks
# http://www.cymru.com/Documents/bogon-bn-nonagg.txt
block in log quick on $WAN from <bogons> to any label "block bogon networks from WAN"
antispoof for pppoe0
# block anything from private networks on interfaces with the option set
antispoof for $WAN
block in log quick on $WAN from 10.0.0.0/8 to any label "block private networks from wan block 10/8"
block in log quick on $WAN from 127.0.0.0/8 to any label "block private networks from wan block 127/8"
block in log quick on $WAN from 172.16.0.0/12 to any label "block private networks from wan block 172.16/12"
block in log quick on $WAN from 192.168.0.0/16 to any label "block private networks from wan block 192.168/16"
antispoof for em1
# allow access to DHCP server on LAN
pass in quick on $LAN proto udp from any port = 68 to 255.255.255.255 port = 67 label "allow access to DHCP server"
pass in quick on $LAN proto udp from any port = 68 to HHH.HHH.HHH.HHH port = 67 label "allow access to DHCP server"
pass out quick on $LAN proto udp from HHH.HHH.HHH.HHH port = 67 to any port = 68 label "allow access to DHCP server"
# loopback
pass in on $loopback all label "pass loopback"
pass out on $loopback all label "pass loopback"
# let out anything from the firewall host itself and decrypted IPsec traffic
pass out all keep state allow-opts label "let out anything from firewall host itself"
pass out route-to ( pppoe0 GGG.GGG.GGG.GGG ) from PPP.PPP.PPP.PPP to !PPP.PPP.PPP.PPP/32 keep state allow-opts label "let out anything from firewall host itself"
pass out on $IPsec all keep state label "IPsec internal host to host"
# make sure the user cannot lock himself out of the webConfigurator or SSH
pass in quick on em1 proto tcp from any to (em1) port { 443 80 22 } keep state label "anti-lockout rule"
# User-defined rules follow
anchor "userrules/*"
block in quick on $WAN reply-to ( pppoe0 GGG.GGG.GGG.GGG ) from $EasyRuleBlockHostsWAN to any label "USER_RULE: Easy Rule: Blocked from Firewall Log View"
block in log quick on $WAN reply-to ( pppoe0 GGG.GGG.GGG.GGG ) proto tcp from any to PPP.PPP.PPP.PPP port 445 label "USER_RULE: Easy Rule: Block but not log MS ds"
pass in log quick on $WAN reply-to ( pppoe0 GGG.GGG.GGG.GGG ) proto udp from any port 500 to any keep state label "USER_RULE: VPN Traffic"
pass in log quick on $WAN reply-to ( pppoe0 GGG.GGG.GGG.GGG ) proto udp from any port 4500 to any keep state label "USER_RULE: VPN traffic"
pass in log quick on $WAN reply-to ( pppoe0 GGG.GGG.GGG.GGG ) proto { tcp udp } from 17.0.0.0/8 to PPP.PPP.PPP.PPP/32 keep state label "USER_RULE: We trust Apple"
pass in quick on $LAN proto tcp from LLL.LLL.LLL.LLL/24 to MMM.MMM.MMM.MMM port 993 flags S/SA keep state label "USER_RULE: Easy Rule: Passed from Firewall Log View"
pass in quick on $LAN proto tcp from LLL.LLL.LLL.LLL/24 to 184.24.0.0/13 port 80 flags S/SA keep state label "USER_RULE: Easy Rule: Passed from Firewall Log View Akamai Tech"
pass in quick on $LAN from LLL.LLL.LLL.LLL/24 to any keep state label "USER_RULE: Default allow LAN to any rule"
pass in quick on $LAN proto tcp from HHH.HHH.HHH.HHH to LLL.LLL.LLL.LLL/24 flags S/SA keep state label "USER_RULE: Easy Rule: Passed from Firewall Log View"
# returning at dst == "/" label "USER_RULE: Management Network"
pass in quick on $LAN inet proto icmp from LLL.LLL.LLL.LLL/24 to LLL.LLL.LLL.LLL/24 keep state label "USER_RULE"
pass in quick on $IPsec from any to LLL.LLL.LLL.LLL/24 keep state label "USER_RULE: VPN full access"
pass in quick on $IPsec proto tcp from VVV.VVV.VVV.VVV/24 to any flags S/SA keep state label "USER_RULE: VPN Full support"
# VPN Rules
pass out on $WAN route-to ( pppoe0 GGG.GGG.GGG.GGG ) proto udp from any to any port = 500 keep state label "IPsec: iDevice - outbound isakmp"
pass in on $WAN reply-to ( pppoe0 GGG.GGG.GGG.GGG ) proto udp from any to any port = 500 keep state label "IPsec: iDevice - inbound isakmp"
pass out on $WAN route-to ( pppoe0 GGG.GGG.GGG.GGG ) proto udp from any to any port = 4500 keep state label "IPsec: iDevice - outbound nat-t"
pass in on $WAN reply-to ( pppoe0 GGG.GGG.GGG.GGG ) proto udp from any to any port = 4500 keep state label "IPsec: iDevice - inbound nat-t"
pass out on $WAN route-to ( pppoe0 GGG.GGG.GGG.GGG ) proto esp from any to any keep state label "IPsec: iDevice - outbound esp proto"
pass in on $WAN reply-to ( pppoe0 GGG.GGG.GGG.GGG ) proto esp from any to any keep state label "IPsec: iDevice - inbound esp proto"
anchor "tftp-proxy/*"
[/code]
Thanks for your patience !
-
It's in the system log (Status > System Logs, or clog /var/log/system.log).
If the line numbers do not match up, then it is likely an old error that hasn't been cleared.