    Upgrade to 2.2.4 - Firewall alias not working

      stefanfa

      Hello.

      After the upgrade to 2.2.4 my one and only firewall alias fetched from a URL stopped working for some reason.

      Checked the URL and it looks just fine. It's basically a text file with IPs listed in it, just like before.

      But now I am getting this error:

      php-fpm[32459]: /rc.filter_configure_sync: The command '/sbin/pfctl -nf /tmp/rules.test.packages' returned exit code '1', the output was 'no IP address found for
      Tried removing it and recreating it. I find no
      Is this a bug introduced in 2.2.4?

      Thanks.

        johnpoz LAYER 8 Global Moderator

        What does cat of /var/db/aliastables/BadSitesList.txt look like?

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.8, 24.11

          NOYB

          I had a firewall URL alias issue yesterday too.  But different symptom.

          In my case the alias was being used on the LAN interface to block bogons destinations.

          https://www.Team-CYMRU.org/Services/Bogons/fullbogons-ipv4.txt
          ( with private address space removed - IPv4: 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 )

          LAN Rule
          src: any : any
          dst: Bogons_IPv4 : any
          action: Block & Log

          Had been working fine for months.  Then suddenly yesterday it started blocking src: 192.168.2.9 dst: 255.255.255.255.

          Was fine again after pfSense reboot.

            stefanfa

            That file is giving me the contents of an HTML file.

            Basically saying: <title>Error 400 (Bad request!)</title>

            Also tried rebooting. Didn't help.

              BBcan177 Moderator

              Bad request 400
              The request had bad syntax or was inherently impossible to be satisfied.

              What is the URL?

              Seems that there is no validation of the download success, and the website error message is being parsed into the aliastable 'as is'… This is why you're getting:

              The command '/sbin/pfctl -nf /tmp/rules.test.packages' returned exit code '1', the output was 'no IP address found for contains bad data'

              You can also use pfBlockerNG to download these URLs and create the appropriate Rules/Tables…

              "Experience is something you don't get until just after you need it."

              Website: http://pfBlockerNG.com
              Twitter: @BBcan177  #pfBlockerNG
              Reddit: https://www.reddit.com/r/pfBlockerNG/new/
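
The check BBcan177 describes as missing, sketched as an added example (not part of the thread and not pfSense or pfBlockerNG code): a downloaded URL alias body is accepted only when the HTTP status is 200 and every entry parses as an IP address or CIDR network. The function names, the sample data and the treatment of `#` as a comment marker are assumptions of this example.

```python
import ipaddress

# Constructed sample inputs: a well-formed list (documentation address ranges)
# and an error page like the one found in the alias table file in this thread.
GOOD_LIST = "# constructed sample\n192.0.2.0/24\n198.51.100.7\n\n2001:db8::/32\n"
ERROR_PAGE = "<html>\n<title>Error 400 (Bad request!)</title>\n</html>\n"


def validate_alias_table(text):
    """Split downloaded alias content into valid networks and rejected lines."""
    valid, rejected = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        entry = raw.split("#", 1)[0].strip()  # assumption: '#' starts a comment
        if not entry:
            continue  # blank or comment-only line
        try:
            # strict=False accepts host addresses and networks with host bits set
            valid.append(str(ipaddress.ip_network(entry, strict=False)))
        except ValueError:
            rejected.append((lineno, raw.strip()))
    return valid, rejected


def safe_to_load(status, text):
    """Return (ok, reason); ok only for HTTP 200 and an address-only body."""
    if status != 200:
        return False, f"HTTP status {status}"
    valid, rejected = validate_alias_table(text)
    if rejected:
        lineno, line = rejected[0]
        return False, f"line {lineno} is not an IP or CIDR: {line[:40]!r}"
    if not valid:
        return False, "no addresses in file"
    return True, f"{len(valid)} entries"


if __name__ == "__main__":
    for label, status, body in [("good list", 200, GOOD_LIST),
                                ("error page, status 400", 400, ERROR_PAGE),
                                ("error page served as 200", 200, ERROR_PAGE)]:
        print(label, "->", safe_to_load(status, body))
```

Checking the body as well as the status matters because an error page can also arrive with a 200 status; on rejection, keeping the previous table contents avoids the failed ruleset load seen in the first post.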

                stefanfa

                The URL is to an internal webserver.

                http://192.168.10.1/temp/iplist.txt

                  johnpoz LAYER 8 Global Moderator

                  "In my case the alias was being used on the LAN interface to block bogons destinations."

                  For what possible freaking reason??  Got to be one of the stupidest things I have ever heard anyone use a bogon list for!!

                    stefanfa

                    Tried pfBlockerNG now and that way I can create an alias from a URL without any problems.

                    So I'll be using that then for a while.

                    Good to know that for now the internal function is broken.

                    Thanks =)

                      Heiler

                      This is caused by pfSense trying to send its UUID with the User-Agent on the GET command.

                      If you UNCHECK the "Do NOT send HOST UUID with user agent", it will work
