Firewall Rules with Alias only works after rebooting the pfSense
-
Hi,
we have a problem with our pfSense (Version 2.4.4_P1). We have a rule on our WAN Interface and if we disable this rule and apply the config the port is still open. After rebooting the pfSense the port is closed.
We have this problem also when we add a hostname to an already existing Alias (which is also used in the Firewall rules).In my opinion, the rule should work directly, because we can't restart the firewall every time we add a new rule or new host to an existing alias.
Any suggestions? -
@marco-jaeger said in Firewall Rules with Alias only works after rebooting the pfSense:
Hi,
we have a problem with our pfSense (Version 2.4.4_P1). We have a rule on our WAN Interface and if we disable this rule and apply the config the port is still open. After rebooting the pfSense the port is closed.
We have this problem also when we add a hostname to an already existing Alias (which is also used in the Firewall rules).In my opinion, the rule should work directly, because we can't restart the firewall every time we add a new rule or new host to an existing alias.
Any suggestions?Are there existing states for the hosts that you add to an alias?
If so, you would need to kill those states. A stateful inspection firewall does not check every packet against all the rules. It checks the initial flow of packets in a new connection (after considering protocol, ports and IP addresses), and if the flow is allowed, an entry is created in a state table for that connection. Thereafter, until the states expire, traffic on that flow bypasses the firewall rule chain. Rebooting the firewall will clear out all states, but you can do this on an "all flows" or per flow basis under the DIAGNOSTICS menu in pfSense without the need to reboot.
Some users have also reported issues from time to time with the firewall daemon
filterdns
resolving FQDN aliases where a large number of FQDNs are stacked into a single alias entry. Perhaps you are hitting that problem. -
Hi bmeeks,
Thank you for your reply!
We cleared all the States and checked again but still the connection was successfully. We also tried "Reset States" but the Port was still open.Is there a option (with ssh or Web) to restart this firewall daemon "filterdns"?
-
@marco-jaeger said in Firewall Rules with Alias only works after rebooting the pfSense:
Hi bmeeks,
Is there a option (with ssh or Web) to restart this firewall daemon "filterdns"?
Not that I am aware of. Are you adding aliases with fixed IP addresses or are they fully qualified domain names. If domain names, look under DIAGNOSTICS > TABLES and then choose the Alias name in the drop-down selector on the page that opens. You will see then all of the IP addresses resolved for that host. Check that the IP for the host is correctly resolved.
If the host you are trying to block is part of a CDN, note that the IP address at any given instant can change depending on when say a LAN client and then the
filterdns
daemon looked up the IP address for the host name. -
So we saw on Diagnostics > Tables on the new Alias no entrys but after killing the filterdns and restarting it with Status > Filter Reload we saw 4 IPs (these were the 4 hosts).
But still the connection was successfully after deactivating the rule on the WAN Interface. (We also deactivated the rule then kill and restart the filterdns. Still not working)Check this redmine ticket: https://redmine.pfsense.org/issues/9296
We have exact the same issue. -
Face-palm! I forgot about the filter reload option in the menu ... .
You may indeed be getting hit by whatever that
filterdns
bug is. You might consider adding your information to the bug ticket you linked. Every little bit of info can help the pfSense guys track down the problem. -
@marco-jaeger said in Firewall Rules with Alias only works after rebooting the pfSense:
Check this redmine ticket: https://redmine.pfsense.org/issues/9296
Still, the issue seems far less then 6 month ago - I tend to say : for me : no more issues.
@marco-jaeger said in Firewall Rules with Alias only works after rebooting the pfSense:
our pfSense (Version 2.4.4_P1)
@marco-jaeger : what about simply updating to p3 ? The problem will be probably be less - and don't forget the other problem : less other issues which some are security related.
The issue could not be 'filterdns' related, but more 'ipfw' - and this is based out of FreeBSD....( I think I saw flying @bmeeks other palm now ^^ )