Fresh install 2.2.3 firewall alias question [solved]
-
Hi,
installed 2.2.3 - have problems with transparent squid too, I am comparing with upgrade version on other hardware
what i noticed:
if I select "WAN net" built in alias in a Firewall Rule - pfctl shows me two rule-lines for that rule:
first line is the "WAN address"
second line is the "WAN net", f.e.
block drop in quick on re0 reply-to (re0 192.168.111.1) inet proto udp from 192.168.111.254 port = ntp to <broadcast> port = ntp label "USER_RULE: Block NTP Broadcasts"
block drop in quick on re0 reply-to (re0 192.168.111.1) inet proto udp from 192.168.111.0/24 port = ntp to <broadcast> port = ntp label "USER_RULE: Block NTP Broadcasts"
is that intended…?
-
AFAIK it is not intended, and it is not happening on my 2.2.3 system when I put in a similar rule.
Post a screenshot of the rules on that interface. There must be some rational reason it happened.
-
Screenshots…
![Screenshot console.jpg](/public/imported_attachments/1/Screenshot console.jpg)
![Screenshot Rules.jpg](/public/imported_attachments/1/Screenshot Rules.jpg)
-
Where are you getting the output for that console screen shot? I guess from some pf command to show the rules?
In /tmp/rules.debug do you also see both rules?
I can't replicate that here on 2.2.3 - I tried on my WAN that is in private address space also, happens to be in 192.168.100.0/24. I made an alias to use for the destination… - but I get just 1 rule in /tmp/rules.debug as expected.
-
I used
pfctl -s rules
in putty ssh console.
I will try to reproduce it in a VM.
Screenshot /tmp/rules.debug attached
![Screenshot console rules.debug.jpg](/public/imported_attachments/1/Screenshot console rules.debug.jpg)
-
My
pfctl -s rules
output has just 1 line with the whole /24 network. Its form is identical to yours - just differences in the actual device name and subnet numbers.
Now to think. Anyone else with a good idea why "pfctl -s rules" would produce the extra line of output?
-
I'm such a fool… sorry…
it was MY failure - used a wrong netmask on wan interface...
thx for your attention phil...
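The thread above was resolved by noticing that one user-rule label appeared twice in `pfctl -s rules`, once for a single host and once for the whole /24. The check below is an added example, not code from the thread or from pfSense: it parses lines in the format shown in the first post (the sample input is constructed from those two lines plus one ordinary rule), groups them by `label`, and reports any label that expanded to more than one source/destination pair, noting when one source is a host already covered by another source's network. The `USER_RULE:` label prefix and the `<broadcast>` table name are taken from the page; the rule line format is assumed to be the `pfctl -s rules` text form seen there.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample input: the two lines quoted in the thread plus one
# ordinary rule so the grouping has something that does NOT get flagged.
SAMPLE_PFCTL_OUTPUT = """\
block drop in quick on re0 reply-to (re0 192.168.111.1) inet proto udp from 192.168.111.254 port = ntp to <broadcast> port = ntp label "USER_RULE: Block NTP Broadcasts"
block drop in quick on re0 reply-to (re0 192.168.111.1) inet proto udp from 192.168.111.0/24 port = ntp to <broadcast> port = ntp label "USER_RULE: Block NTP Broadcasts"
pass in quick on re0 inet proto tcp from any to 192.168.111.1 port = ssh label "USER_RULE: Allow SSH"
"""

# Loose parser for the pfctl -s rules text form: action, direction, the
# source and destination specs (host, network, 'any' or a <table>), and label.
RULE_RE = re.compile(
    r'^(?P<action>pass|block(?: drop| return)?) (?P<dir>in|out) .*?'
    r'from (?P<src>\S+)(?: port = \S+)? to (?P<dst>\S+)(?: port = \S+)? '
    r'label "(?P<label>[^"]*)"'
)


def parse_rules(text):
    """Return one dict per rule line that matches RULE_RE; other lines are skipped."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if m:
            rules.append(m.groupdict())
    return rules


def group_by_label(rules):
    """Map each label to the list of (src, dst) pairs it expanded to."""
    groups = defaultdict(list)
    for r in rules:
        groups[r["label"]].append((r["src"], r["dst"]))
    return dict(groups)


def _as_network(spec):
    """Parse a host or CIDR spec; 'any' and <table> names yield None."""
    try:
        return ipaddress.ip_network(spec, strict=False)
    except ValueError:
        return None


def find_unexpected_expansions(text):
    """Labels that expanded to more than one distinct (src, dst) pair.

    For each such label, also list (host_or_subnet, covering_network) pairs
    where one source is strictly contained in another, which is the shape of
    the duplicate seen in the thread (a /32 alongside its /24).
    """
    findings = []
    for label, pairs in group_by_label(parse_rules(text)).items():
        distinct = sorted(set(pairs))
        if len(distinct) < 2:
            continue
        nets = [_as_network(src) for src, _ in distinct]
        covered = []
        for i, n in enumerate(nets):
            for j, m in enumerate(nets):
                if i != j and n and m and n != m and n.subnet_of(m):
                    covered.append((str(n), str(m)))
        findings.append({
            "label": label,
            "sources": [src for src, _ in distinct],
            "host_covered_by": covered,
        })
    return findings


if __name__ == "__main__":
    for f in find_unexpected_expansions(SAMPLE_PFCTL_OUTPUT):
        print(f'{f["label"]}: sources {f["sources"]}, covered {f["host_covered_by"]}')
```

Run it against real output with `pfctl -s rules > rules.txt` and feed the file contents to `find_unexpected_expansions`; running the same function over `/tmp/rules.debug` (the generated ruleset the thread compares against) shows whether the duplicate is present before pf loads it. A host that is already covered by a sibling network under the same label is worth a look at the interface's configured netmask, which was the cause here.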