TCP Options set in web interface not created in the raw pf rules
-
Running 2.0.3-RELEASE (amd64)
I was trying to cut down on some of the non-important rule logging and in trying to do so I found out that rules are not getting generated with the TCP Options set even when setup to do so in the GUI.
I am trying to not log FA packets from clients on the LAN when expired connections timeout on the firewall before the client.
I setup the rule as follows in the gui:
Action: Block
Interface: LAN
Protocol: TCP
Source: LAN subnet
Destination: any
Log: Drop harmless FA packets from logging on LAN (The idea is not to set this because I want to filter this out but I set it to see that the rule is indeed blocking SYN only packets)
TCP Flags: SET:FIN,ACK OUTOF:FIN,SYN,RST,ACK,URG
State Type: none (none because I don't want these already expired packets from an old connection creating another state in the firewall)

The rule blocks SYN only packets:

BLOCK Jun 14 18:01:04 LAN 192.168.x.x:38168 178.33.x.x:80 TCP:S

The rule that triggered this action is:

@69 block drop in log quick on em1 inet proto tcp from 192.168.250.0/24 to any port = 8080 label "USER_RULE: Drop harmless FA and FPA packets from logging on LAN"

After looking at the generated rule in /tmp/rules.debug I see why…

block in log quick on $LAN proto tcp from 192.168.250.0/24 to any port 8080 label "USER_RULE: Drop harmless FA and FPA packets from logging on LAN"

The rule didn't get the TCP Options restrictions added to the rule.
Is this a known bug?
-
They were only being added on pass rules. They are valid on block or reject. I just fixed that, tomorrow's 2.1 snapshot will work with that.
-
Any chance on the next maintenance release of 2.0.x getting that in there? I realize that could be a very long time.
I am really surprised that nobody has used such rules… Well it might be more accurate to say nobody noticed it doesn't work anyway :).
Thanks for the fix in 2.1. Your time looking into it is appreciated.
-
There almost certainly won't be any more 2.0.x releases since 2.1 is near release, and it's not as simple as cherry picking it over to RELENG_2_0 so it's not fixed there.
-
Understood. I didn't realize that 2.0.x would be EOL (no updates including security I assume) so soon after 2.1 is released. Thanks again.
-
I just tested this on today's 2.1 snapshot and it is working.

The rule that triggered this action is:

@99 block drop in log quick on em1 inet proto tcp from 192.168.x.0/24 to any flags FA/FSRPAU label "USER_RULE: Drop harmless FA and FPA packets from logging"
I can now disable logging of that rule to happily never see them again.
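The defect in this thread (the flags clause was only emitted for pass rules, so a block rule silently matched every TCP packet) is easy to reproduce in a toy rule generator. This is an added example, not pfSense's own filter.inc code: the function names, the GUI-style flag lists and the sample inputs are constructed here; pf's single-letter flag names and its `flags set/mask` notation are real.

```python
"""Build a pf rule line from GUI-style options and show the
flags-only-on-pass defect beside the corrected behaviour.
Added example; not pfSense code. Helper names are assumptions."""

# pf's one-letter TCP flag names, in the order pf prints them.
PF_FLAG_LETTERS = {"FIN": "F", "SYN": "S", "RST": "R", "PSH": "P",
                   "ACK": "A", "URG": "U", "ECE": "E", "CWR": "W"}


def flags_clause(set_flags, out_of_flags):
    """Map GUI lists (SET: FIN,ACK / OUTOF: FIN,SYN,...) to pf's
    'flags <set>/<mask>' form, e.g. 'flags FA/FSRPAU'.
    Returns '' when no mask is given (rule matches any flags)."""
    if not out_of_flags:
        return ""
    if not set(set_flags) <= set(out_of_flags):
        raise ValueError("SET flags must be a subset of the OUTOF mask")
    mask = "".join(v for k, v in PF_FLAG_LETTERS.items() if k in out_of_flags)
    want = "".join(v for k, v in PF_FLAG_LETTERS.items() if k in set_flags)
    return f"flags {want}/{mask}"


def build_rule(action, iface, src, dst, set_flags, out_of_flags,
               log=True, fixed=True):
    """Emit one pf rule. fixed=False reproduces the 2.0.3 behaviour
    reported above: the flags clause is attached to pass rules only,
    so a block/reject rule ends up matching all TCP traffic."""
    parts = [action, "in"]
    if log:
        parts.append("log")
    parts += ["quick", "on", iface, "proto", "tcp", "from", src, "to", dst]
    clause = flags_clause(set_flags, out_of_flags)
    if clause and (fixed or action == "pass"):
        parts.append(clause)
    return " ".join(parts)


if __name__ == "__main__":
    # Constructed sample matching the FA/FSRPAU rule shown in the thread.
    want, mask = ["FIN", "ACK"], ["FIN", "SYN", "RST", "PSH", "ACK", "URG"]
    for fixed in (False, True):
        print("fixed" if fixed else "2.0.3",
              build_rule("block", "em1", "192.168.x.0/24", "any",
                         want, mask, fixed=fixed))
```

The buggy variant prints a block rule with no `flags` clause, which is why the original poster saw SYN-only packets (TCP:S) hitting a rule meant for FIN+ACK.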
-
Removed comment. Not related. The fix worked for this.