Netgate Discussion Forum
    Sticky-address cannot be redefined

    Firewalling
    hieroglyph

      I have come across an error that I can only get to appear with sticky connections enabled and the "ok_Custom IP Whitelist v4" firewall rule directly below either of the ICMP echoreq rules above it.

      There were error(s) loading the rules: /tmp/rules.debug:1292: sticky-address cannot be redefined - The line in question reads [1292]: pass  in  quick  on $2_VLAN16_IRIS  $GW0_WAN_ClientTor_DIPs inet from $TorVPN_Client_DIP_Gateway_Exit to $pfB_Custom_IP_Whitelist_v4 tracker 1611266190 keep state  dnqueue( 1,2)  label "USER_RULE: ok_Custom IP Whitelist v4"
      

      It is similar to this issue, except I do not have an ICMP message type selected for the specific rule.

      And it is also similar to this issue, where the issue goes away if it is not directly below an ICMP echoreq rule.

      Here is the rule, along with the two echoreq rules above it:

                      <rule>
                              <id></id>
                              <tracker>1605834260</tracker>
                              <type>reject</type>
                              <interface>opt11</interface>
                              <ipprotocol>inet</ipprotocol>
                              <tag></tag>
                              <tagged></tagged>
                              <max></max>
                              <max-src-nodes></max-src-nodes>
                              <max-src-conn></max-src-conn>
                              <max-src-states></max-src-states>
                              <statetimeout></statetimeout>
                              <statetype><![CDATA[keep state]]></statetype>
                              <os></os>
                              <protocol>icmp</protocol>
                              <icmptype>echoreq</icmptype>
                              <source>
                                      <address>All_Eyes</address>
                              </source>
                              <destination>
                                      <network>opt11</network>
                              </destination>
                              <descr><![CDATA[Reject Cameras Pinging Devices On Local Network]]></descr>
                              <created>
                                      <time>1605834260</time>
                                      <username><![CDATA[admin@172.31.10.131 (Local Database)]]></username>
                              </created>
                              <updated>
                                      <time>1605932991</time>
                                      <username><![CDATA[admin@172.31.10.131 (Local Database)]]></username>
                              </updated>
                      </rule>
                      <rule>
                              <id></id>
                              <tracker>1605831833</tracker>
                              <type>pass</type>
                              <interface>opt11</interface>
                              <ipprotocol>inet</ipprotocol>
                              <tag></tag>
                              <tagged></tagged>
                              <max></max>
                              <max-src-nodes></max-src-nodes>
                              <max-src-conn></max-src-conn>
                              <max-src-states></max-src-states>
                              <statetimeout></statetimeout>
                              <statetype><![CDATA[keep state]]></statetype>
                              <os></os>
                              <protocol>icmp</protocol>
                              <icmptype>echoreq</icmptype>
                              <source>
                                      <address>All_Eyes</address>
                                      <not></not>
                              </source>
                              <destination>
                                      <network>opt11</network>
                              </destination>
                              <descr><![CDATA[Allow NonCameras To Ping Devices On Local Network]]></descr>
                              <created>
                                      <time>1605831833</time>
                                      <username><![CDATA[admin@172.31.10.131 (Local Database)]]></username>
                              </created>
                              <updated>
                                      <time>1611270521</time>
                                      <username><![CDATA[admin@172.31.10.131 (Local Database)]]></username>
                              </updated>
                      </rule>
                      <rule>
                              <id></id>
                              <tracker>1611266190</tracker>
                              <type>pass</type>
                              <interface>opt11</interface>
                              <ipprotocol>inet</ipprotocol>
                              <tag></tag>
                              <tagged></tagged>
                              <max></max>
                              <max-src-nodes></max-src-nodes>
                              <max-src-conn></max-src-conn>
                              <max-src-states></max-src-states>
                              <statetimeout></statetimeout>
                              <statetype><![CDATA[keep state]]></statetype>
                              <os></os>
                              <protocol>tcp/udp</protocol>
                              <source>
                                      <address>TorVPN_Client_DIP_Gateway_Exit</address>
                              </source>
                              <destination>
                                      <address>pfB_Custom_IP_Whitelist_v4</address>
                              </destination>
                              <descr><![CDATA[ok_Custom IP Whitelist v4]]></descr>
                              <gateway>0_WAN_ClientTor_DIPs</gateway>
                              <dnpipe>UploadQueue</dnpipe>
                              <pdnpipe>DownloadQueue</pdnpipe>
                              <created>
                                      <time>1611266190</time>
                                      <username><![CDATA[admin@172.31.10.131 (Local Database)]]></username>
                              </created>
                              <updated>
                                      <time>1611271877</time>
                                      <username><![CDATA[admin@172.31.10.131 (Local Database)]]></username>
                              </updated>
                      </rule>

      [Attachment: Screenshot_2021-01-21 Firewall Rules 2_VLAN16_IRIS - AlphaTrion tld.png]

      There appears to be a bug open for this #10726. But it sounds like it is saying the bug only applies when the rule itself has an ICMP-type set.

      Before I submit a new bug, I wanted to see if this is the same bug that needs to have what I am seeing added to it? Or if this is something different I should submit a new bug for?

      Doing any of these seems to stop the error from showing on the Filter Reload page:

      • Moving the "ok_Custom IP Whitelist v4" rule above the ICMP echoreq rules.

      • Moving the "ok_Custom IP Whitelist v4" rule two below the last ICMP echoreq rule.

      • Disabling System > Advanced > Miscellaneous > Load Balancing (unchecked)

      • Changing the "Allow NonCameras To Ping Devices On Local Network" rule to have an ICMP echo type of any

      • Inserting a rule between the "Allow NonCameras To Ping Devices On Local Network" rule and the "ok_Custom IP Whitelist v4" rule.
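The error the post quotes comes from pfctl rejecting a single rule in /tmp/rules.debug that ends up carrying the sticky-address option twice, and the quoted rule line only shows that after the $-macros are expanded. The following diagnostic is an added example, not code from the post or from pfSense: it reads a rules.debug-style file, expands pf macros the way pfctl does, and reports any rule whose expanded text contains sticky-address more than once, using the same file:line form pfctl prints. The embedded sample is constructed to reproduce the condition; the macro bodies (route-to with round-robin sticky-address), the interface name igb1.16, the tunnel addresses and the literal sticky-address on the last rule are all assumptions and are not the poster's actual file.

```python
"""Find pf rules that would carry 'sticky-address' more than once after macro
expansion (added diagnostic, not pfSense code; sample input is constructed)."""
import re
import sys

# NAME = "body" definitions as written by pfSense at the top of rules.debug
MACRO_DEF = re.compile(r'^(\w+)\s*=\s*"(.*)"\s*$')
# $NAME references inside rules (pf macro names may start with a digit)
MACRO_REF = re.compile(r'\$(\w+)')

# Constructed sample in rules.debug layout. Macro bodies, interface name and
# addresses are assumptions chosen so the last rule duplicates the option.
SAMPLE_RULES = """\
# constructed sample, not the poster's rules.debug
2_VLAN16_IRIS = "igb1.16"
GW0_WAN_ClientTor_DIPs = " route-to { ( ovpnc1 10.8.0.1 ) ( ovpnc2 10.9.0.1 ) } round-robin sticky-address "
TorVPN_Client_DIP_Gateway_Exit = "{ 10.8.0.1 10.9.0.1 }"
pass in quick on $2_VLAN16_IRIS inet proto icmp from ! <All_Eyes> to $2_VLAN16_IRIS:network icmp-type echoreq tracker 1605831833 keep state label "USER_RULE: Allow NonCameras To Ping Devices On Local Network"
pass in quick on $2_VLAN16_IRIS $GW0_WAN_ClientTor_DIPs inet from $TorVPN_Client_DIP_Gateway_Exit to $pfB_Custom_IP_Whitelist_v4 tracker 1611266190 keep state sticky-address dnqueue( 1,2) label "USER_RULE: ok_Custom IP Whitelist v4"
"""


def parse_macros(text):
    """Collect NAME = "..." definitions in file order; a later definition wins."""
    macros = {}
    for line in text.splitlines():
        m = MACRO_DEF.match(line.strip())
        if m:
            macros[m.group(1)] = m.group(2)
    return macros


def expand(line, macros, depth=0):
    """Substitute $NAME references until nothing changes; unknown names stay."""
    if depth > 10:
        raise ValueError("macro expansion too deep (cycle?)")

    def repl(m):
        return macros.get(m.group(1), m.group(0))

    new = MACRO_REF.sub(repl, line)
    return expand(new, macros, depth + 1) if new != line else new


def find_redefined_sticky(text):
    """Return (line_number, expanded_rule) for every rule line whose expanded
    form contains 'sticky-address' more than once, i.e. what pfctl would
    reject with 'sticky-address cannot be redefined'."""
    macros = parse_macros(text)
    hits = []
    for num, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#") or MACRO_DEF.match(line):
            continue
        expanded = expand(line, macros)
        if len(re.findall(r"\bsticky-address\b", expanded)) > 1:
            hits.append((num, expanded))
    return hits


def report(text, name="rules.debug"):
    """Format findings in pfctl's file:line style."""
    return [f"{name}:{num}: sticky-address cannot be redefined - {rule}"
            for num, rule in find_redefined_sticky(text)]


if __name__ == "__main__":
    # Usage: python check_sticky.py [/tmp/rules.debug]; no argument runs the sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            text, name = fh.read(), sys.argv[1]
    else:
        text, name = SAMPLE_RULES, "sample"
    print("\n".join(report(text, name)) or "no duplicated sticky-address found")
```

Run against a copy of /tmp/rules.debug taken while the filter reload reports the error; the line number it prints should match the one pfctl reports, and the expanded text shows which macro contributed the second sticky-address token. That makes it easier to tell whether the duplicate comes from a gateway-group macro or from the rule body itself when describing the case in a bug report.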
