Rules and port forwards go missing
-
After applying a change, sometimes firewall rules disappear from the GUI and are no longer active.
On further inspection they are, however, in the config.xml.
Logs show unknown changes in configuration from configurator. The end user has complained that this has occurred on several occasions.
I witnessed it after enabling Ntop: a port forward vanished. Version is 2.2.2-RELEASE Mon Apr 13 20:10:22 CDT 2015
The site is complicated with
5 VLANs on the LAN
3 WAN connections with dozens of port forwards on each link. Plenty of CPU and RAM.
-
Perhaps start by upgrading to an up-to-date pfSense version.
-
Do you have UPnP enabled?
-
Perhaps start by upgrading to an up-to-date pfSense version.
Rebuild would be a safer option. Not comfortable about updating until I know what is going on, as updates could exacerbate the problem, especially if the problem is not a known one.
My one suspicion is it is the result of multiple unsaved changes, caused by a browser-tab-hopping user, being applied at once.
-
Do you have pfblocker installed? That's the only thing I can think of that does anything with rules, but you mentioned they're still in the config file so that probably shouldn't be related.
Upgrading is a good idea and won't make things any worse.
Most changes in the config history will be noted as "unknown change" and the page name. Do a diff between the revisions, what changed? I'm guessing maybe the instance of adding a ntop port forward, you were actually editing an existing port forward rather than duplicating it or creating a new one. In which case it'd replace the "missing" one by design.
-
@cmb:
Do you have pfblocker installed? That's the only thing I can think of that does anything with rules, but you mentioned they're still in the config file so that probably shouldn't be related.
Upgrading is a good idea and won't make things any worse.
Most changes in the config history will be noted as "unknown change" and the page name. Do a diff between the revisions, what changed? I'm guessing maybe the instance of adding a ntop port forward, you were actually editing an existing port forward rather than duplicating it or creating a new one. In which case it'd replace the "missing" one by design.
The rule that went missing was totally unrelated to ntop.
It was a rule associated with a port 80 forward to an internal server.
-
What does the config diff look like between those revisions?
-
@cmb:
What does the config diff look like between those revisions?
When I enabled ntop, the difference in the config was the addition of ntop.
The rule that was missing in the GUI list (and not in effect) was still in the config.
In the past when the end user had the problem they tried rebooting and the rule still didn't appear. I re-added it manually when it happened to me; live site with unhappy people.
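One way to do the revision diff cmb asked for, and to spot a port forward that is still in config.xml but has lost its associated pass rule (the symptom described in this thread): an added Python example written for this thread, not code posted by any participant or shipped with pfSense. It assumes the usual config.xml layout (nat/rule and filter/rule elements linked by associated-rule-id); the two configs embedded below are constructed samples.

```python
# Added example: compare port forwards between two pfSense config.xml revisions
# and flag forwards whose linked filter (pass) rule is absent. Element names
# follow the pfSense layout as an assumption; the XML below is constructed.
import xml.etree.ElementTree as ET

CONFIG_OLD = """<pfsense><nat>
<rule><interface>wan</interface><protocol>tcp</protocol><destination><port>80</port></destination>
<target>10.0.0.5</target><local-port>80</local-port><descr>web</descr>
<associated-rule-id>nat_web</associated-rule-id></rule>
</nat><filter>
<rule><associated-rule-id>nat_web</associated-rule-id><descr>NAT web</descr></rule>
</filter></pfsense>"""

# Same config after "adding ntop": the web forward is still present, but its
# pass rule is gone, so the forward exists in config yet is not in effect.
CONFIG_NEW = """<pfsense><nat>
<rule><interface>wan</interface><protocol>tcp</protocol><destination><port>80</port></destination>
<target>10.0.0.5</target><local-port>80</local-port><descr>web</descr>
<associated-rule-id>nat_web</associated-rule-id></rule>
<rule><interface>wan</interface><protocol>tcp</protocol><destination><port>3000</port></destination>
<target>10.0.0.9</target><local-port>3000</local-port><descr>ntop</descr>
<associated-rule-id>nat_ntop</associated-rule-id></rule>
</nat><filter>
<rule><associated-rule-id>nat_ntop</associated-rule-id><descr>NAT ntop</descr></rule>
</filter></pfsense>"""

def text(elem, path):
    found = elem.find(path)
    return (found.text or "").strip() if found is not None else ""

def port_forwards(xml_text):
    """Map (interface, proto, dst port, target, local port) -> associated-rule-id."""
    result = {}
    for rule in ET.fromstring(xml_text).findall("./nat/rule"):
        key = (text(rule, "interface"), text(rule, "protocol"), text(rule, "destination/port"),
               text(rule, "target"), text(rule, "local-port"))
        result[key] = text(rule, "associated-rule-id")
    return result

def diff_forwards(old_xml, new_xml):
    """Return (forwards added in new, forwards removed in new)."""
    old, new = port_forwards(old_xml), port_forwards(new_xml)
    return sorted(set(new) - set(old)), sorted(set(old) - set(new))

def orphaned_forwards(xml_text):
    """Forwards whose associated-rule-id matches no filter rule: no pass rule, so not in effect."""
    linked = {text(r, "associated-rule-id") for r in ET.fromstring(xml_text).findall("./filter/rule")}
    return sorted(k for k, rid in port_forwards(xml_text).items() if rid and rid not in linked)

if __name__ == "__main__":
    print("added:", diff_forwards(CONFIG_OLD, CONFIG_NEW)[0])
    print("orphaned in new:", orphaned_forwards(CONFIG_NEW))
```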