• Categories
  • Recent
  • Tags
  • Popular
  • Users
  • Search
  • Register
  • Login
Netgate Discussion Forum
  • Categories
  • Recent
  • Tags
  • Popular
  • Users
  • Search
  • Register
  • Login

PASS rule as an exception to a REJECT rule doesn't match

Scheduled Pinned Locked Moved Firewalling
9 Posts 4 Posters 1.0k Views 3 Watching
Loading More Posts
  • Oldest to Newest
  • Newest to Oldest
  • Most Votes
Reply
  • Reply as topic
Log in to reply
This topic has been deleted. Only users with topic management privileges can see it.
  • M Offline
    Manatee
    last edited by Manatee Jan 13, 2021, 5:20 AM Jan 13, 2021, 5:02 AM

    Hello everyone,

    I'm running 2.5.0.a.20210111.1027 on x86_64 hardware and I have an issue I seem to cannot solve myself.

    There are currently two rules, in this order for the LAN device (not floating rules):
    firefox_Fh2RwMXn5q.png

    In the Facebook_WhatsApp alias there's this address:
    firefox_bsnwfDFCVW.png

    In the Facebook alias there's this address range:
    firefox_1qbijuAHUu.png

    Relevant parts of the config file:
    https://paste.ee/p/fMnGp

    What I expected would happen:
    All connections to the hosts in Facebook_WhatsApp passed via the VPN_PIA_US_VPNV4 gateway.
    All connections to hosts that are in the Facebook alias but not in the Facebook_WhatsApp alias will be rejected, just because of the order of the rules.

    What actually happens:
    All connections to hosts that are in the Facebook alias are rejected, wether or not they're in the Facebook_WhatsApp alias.
    firefox_K8CN3TfHgD.png

    There's nothing suspicious in the log files at all.

    What am I missing? 😕

    M G 2 Replies Last reply Jan 14, 2021, 4:09 PM Reply Quote 0
    • M Offline
      Manatee @Manatee
      last edited by Manatee Jan 14, 2021, 4:51 PM Jan 14, 2021, 4:09 PM

      Because I can't edit my previous post anymore, I have to post a reply to my own thread.

      I now realize that pfSense fails to populate the table:
      firefox_Fo1Ma5oXWL.png

      That's despite there being copious log entries that would make me believe otherwise:
      putty_01Um4xayTL.png

      The Facebook_WhatsApp table remains empty even in the rules.debug file:
      putty_Fx5VEmPlox.png

      I still can't find any log entry relating to this alias with an explanation of what's happening.

      Again, I'd be very thankful for anyone who could point me in the right direction.

      1 Reply Last reply Reply Quote 0
      • S Offline
        serbus
        last edited by Jan 14, 2021, 4:49 PM

        Hello!

        My limited experience with aliases is that they can be finicky.

        While probably not directly on target, https://redmine.pfsense.org/issues/9296 might give you some insights.

        Maybe you could divide the the Facebook_Whatsapp alias into separate ip/fqdn aliases and see if it helps with the table generation.

        John

        Lex parsimoniae

        M 1 Reply Last reply Jan 14, 2021, 4:56 PM Reply Quote 0
        • M Offline
          Manatee @serbus
          last edited by Manatee Jan 14, 2021, 5:41 PM Jan 14, 2021, 4:56 PM

          @serbus Thank you very much for replying! Seems that I'm experiencing Bug #9296 indeed!

          Splitting Facebook_WhatsApp into Facebook_WhatsApp_IP and Facebook_WhatsApp_FQDN makes it seem that pfSense has an issue resolving the FQDNs for the table as the table Facebook_WhatsApp_FQDN seems to remain empty still:
          putty_3V90VLZWn4.png

          putty_TLSQV7CZgC.png

          1 Reply Last reply Reply Quote 0
          • S Offline
            serbus
            last edited by serbus Jan 14, 2021, 7:55 PM Jan 14, 2021, 7:44 PM

            Hello!

            A workaround from left field would be to do your own fqdn lookups and build your own ip alias table/feed. I am just spitballing here...

            It might look something like:

            • make a file /usr/local/www/mytable.fqdn that contains one fqdn per line
            • run something like
            dig @8.8.8.8 +noall +answer -f /usr/local/www/mytable.fqdn | awk '$4 == "A" {print $5}' | tee /usr/local/www/mytable.ips
            

            Make a system URL Table Alias using http://127.0.0.1/mytable.ips or pfb feed using /usr/local/www/mytable.ips

            You would probably want to cron the dig.
            Prodding the alias to reload the url table might be problematic. Using pfb to refresh the alias might be easier.

            John

            Lex parsimoniae

            M 1 Reply Last reply Jan 15, 2021, 9:20 AM Reply Quote 1
            • M Offline
              Manatee @serbus
              last edited by Jan 15, 2021, 9:20 AM

              @serbus Thank you very much, again!

              I'll use your workaround in the meantime, until there's a proper fix. I added some parallelism and sorting tho 😁 :

              find /usr/local/www/ -name '*.fqdn.txt' | parallel --plus 'parallel -I // -j 30 dig // A @1.1.1.1 +time=2 +tries=1 +noall +answer :::: {} | awk '\''$4 == "A" {print $5}'\'' | tee {%.fqdn.txt}.ip.txt; sort -t. +0n -1 +1n -2 +2n -3 +3n -u -o {%.fqdn.txt}.ip.txt {%.fqdn.txt}.ip.txt'
              

              (requires pkg add http://pkg.freebsd.org/FreeBSD:12:amd64/release_2/All/parallel-20200922.txz)

              1 Reply Last reply Reply Quote 1
              • G Offline
                Gertjan @Manatee
                last edited by Gertjan Jan 15, 2021, 10:44 AM Jan 15, 2021, 10:05 AM

                @manatee said in PASS rule as an exception to a REJECT rule doesn't match:

                What I expected would happen:

                @manatee said in PASS rule as an exception to a REJECT rule doesn't match:

                I now realize that pfSense fails to populate the table:

                Read me first.

                Take note of this note :

                d62838fc-9290-4402-a093-e62395a6f141-image.png

                Using Hostnames in Aliases

                Hostnames can also be used in aliases. Any hostname can be entered into a host or network alias and it will be periodically resolved and updated by the firewall. If a host name returns multiple IP addresses, all of the returned IP addresses are added to the alias. This is useful for tracking dynamic DNS entries to allow specific users into services from dynamic IP addresses.

                Big public sites like the Google, Apple, Facebook, Twitter, etc etc etc use many thousands of IP's, they change all the time. You never have them all listed, even if you try to resolve them every second.

                edit : Your alias only shows a couple of IPs at best. The ones that were valid at that moment.
                What happens is : in the facebook == Watsapp app have a list with build host names and/or IP's (carefully hidden of course). These hosts are CDN's, and these have the actual lists with all the real domain names of the domain servers that resolves Facebook IPs.

                And I guess you'll agree with : Do you think Facebook has the financial and technical resources to make it possible so that their users can access Facebook's services as long as they have a 'working' Internet connection that doesn't have half of the possible IP addresses and half of the port blocked ??
                Well, guess what : they did just that : investing heavily in make it your task more difficult, they threw in multiple of millions. I even suspect Facebook has a department called "anti-patental-control". And that department does not communicate its findings on the net. It's their "NSA".

                Blocking these guys needs special treatment, it's a real sport.
                It's one of the reasons packages like this one has been created.

                use the search function of this forum, and you'll find out that many posted questions on the forum already. Come of them even have answers, about can be done.
                Or open a big search engine and type : "how to block Facebook ?"
                Read the first 10 hits. You'll get the picture. A simple pfSense alias won't pull it.

                Good news is : Facebook is planning to help you blocking Whatsapp, as they (were forced to) to "tell the public" their intentions. (and the fun part is that there were people that were surprised, or at least, this is what the media is trying to to tell us ..... as we all know that share holders will have their annual bonus, what ever happens, and the money comes from ..... etc etc ).
                In short : the fading out process is started.

                @serbus : nice !
                But it's still like finding a path throughout moving sable.
                Servers are being maintained at FB's side : they are shut down, upgraded, replaced, etc. FB, and the others like Microsoft, Google, etc etc do not remap the used IP's to other servers while doing so - un purpose. They have crafted their clients to find a way to reach them.

                No "help me" PM's please. Use the forum, the community will thank you.
                Edit : and where are the logs ??

                M 1 Reply Last reply Jan 15, 2021, 12:01 PM Reply Quote 1
                • M Offline
                  Manatee @Gertjan
                  last edited by Jan 15, 2021, 12:01 PM

                  @gertjan Thanks for your reply, too.

                  Of course I agree with you (and I'm looking forward to a world with less WhatsApp and more Signal, Threema and the likes) and I'm very grateful for you pointing out this flaw in my thinking, but I feel like you're missing the point of this thread a bit. I'm afraid focusing on the example provided by me may distract from the real problem at hand.
                  The fact that some tables aren't being populated / FQDNs in rules aren't resolved properly (thus firewall rules not matching) has nothing to do with Facebook in particular (at least I don't think it does?). I don't see how this could possibly be intended behavior. So it still seems to me like a bug in pfSense / filterdns(?) that absolutely needs to be fixed asap and independently of what an idiot like myself is trying to achieve specifically.
                  The Facebook_WhatsApp alias is not the only case that exhibits this problem, it was just the one that made me aware of the issue, because I still have to use WhatsApp frequently 😢. That is the only reason Facebook and WhatsApp are mentioned in this thread at all.

                  But again, thank you very much for your time writing that detailed reply, it's honestly much appreciated! I'll act accordingly!

                  N 1 Reply Last reply Jan 15, 2021, 12:07 PM Reply Quote 0
                  • N Offline
                    NogBadTheBad @Manatee
                    last edited by NogBadTheBad Jan 15, 2021, 12:08 PM Jan 15, 2021, 12:07 PM

                    @manatee Your best bet would be use pfBlocker-NG and use ASN numbers to create an alias to use in your firewall rules.

                    Screenshot 2021-01-15 at 12.08.01.png

                    Andy

                    1 x Netgate SG-4860 - 3 x Linksys LGS308P - 1 x Aruba InstantOn AP22

                    1 Reply Last reply Reply Quote 1
                    9 out of 9
                    • First post
                      9/9
                      Last post
                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.
                      This community forum collects and processes your personal information.
                      consent.not_received