Getting errors loading rules after using easyrule
-
Hi,
I recently tried to use easyrule to add a firewall rule to my SG1100 from the command line.
Easyrule itself didn't report an error, but since then I am getting
rule expands to no valid combination
errors, and the rule that's causing the problems is not visible in the GUI, so I can't delete it. Specifically:
There were error(s) loading the rules: /tmp/rules.debug:180: rule expands to no valid combination
The line in question reads [180]:
pass in quick on $WAN reply-to ( mvneta0.4090 <router-ipv4-addr> ) inet proto tcp from any to <client-ipv6-addr>/128 tracker 1612037148 flags S/SA keep state label 'USER_RULE: Easy Rule: Passed from Firewall Log View'
I can see that this rule makes no sense because it mixes IPv4 and IPv6, but how can I get rid of it? /tmp/rules.debug is only a dump... I eventually found the rule in /cf/conf/config.xml:
<rule>
  <type>pass</type>
  <interface>wan</interface>
  <ipprotocol>inet</ipprotocol>
  <descr><![CDATA[Easy Rule: Passed from Firewall Log View]]></descr>
  <protocol>tcp</protocol>
  <source>
    <any></any>
  </source>
  <destination>
    <address>{client-ipv6-addr}/128</address>
  </destination>
  <created>
    <time>1612037148</time>
    <username><![CDATA[Easy Rule]]></username>
  </created>
  <tracker>1612037148</tracker>
</rule>
The root account doesn't keep any history, so I don't know exactly which easyrule command I used, but as best I can recall, all I did was:
easyrule pass wan tcp any <ipv6-addr>
As far as I can tell, easyrule doesn't mention IPv6.
Should I have used tcp6 perhaps? Are there any easyrule commands for listing/deleting rules? (the documentation is seriously lacking)
Is it safe to just delete the <rule>...</rule> block from /cf/conf/config.xml? (and then reboot?)
Thanks in advance,
Steve
PS: the reason for using easyrule is that I was trying to enable access to one of my raspi's while logged in remotely, so all I had was ssh/CLI.
@hoopy The best ideas I have are...
- Go to Diagnostics > Backup & Restore > Config History and look for the configuration change that was made when the easy rule was added. Select 'Revert Config' for the config before the one with the easy rule. Depending on how many changes were made between when the easy rule was created and now, the Config History may or may not show when the easy rule was added.
OR
- Go to Diagnostics > Backup And Restore > Backup & Restore and select 'Download Configuration as XML'. Save the downloaded configuration somewhere you can edit the XML file. Open the *.xml in nano, vi, etc.; do not use Word or Notepad. Then remove the rule as you have described above. Remove <rule> ... </rule>. This includes removing the <rule> </rule> tags. Once you have very carefully made the edits, go ahead and do a restore configuration using the edited *.xml.
OR
- Follow the pfsense documentation on editing the config.
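Before hand-editing the downloaded XML, it helps to confirm exactly which <rule> block is the offender. The script below is an added example, not pfSense code or anything from this thread: it parses a config.xml-style document, reports every filter rule whose <ipprotocol> (inet or inet6) disagrees with the address family of a literal <source>/<destination> <address>, and drops those rules by their <tracker> value. The sample config is constructed for the example (placeholder documentation addresses, an alias name, and a second IPv4 rule that must survive); the <pfsense><filter><rule> layout follows the block quoted in the question. Alias names and "any" have no address family and are skipped rather than flagged.

```python
"""Spot pfSense filter rules whose <ipprotocol> contradicts a literal address family.

Added example; not pfSense code.  Assumes rules live at <pfsense><filter><rule>
as in the quoted config.xml fragment.  SAMPLE_CONFIG is constructed test data.
"""
import ipaddress
import xml.etree.ElementTree as ET

SAMPLE_CONFIG = """<?xml version="1.0"?>
<pfsense>
  <filter>
    <rule>
      <type>pass</type>
      <interface>wan</interface>
      <ipprotocol>inet</ipprotocol>
      <descr><![CDATA[Easy Rule: Passed from Firewall Log View]]></descr>
      <protocol>tcp</protocol>
      <source><any></any></source>
      <destination><address>2001:db8::10/128</address></destination>
      <tracker>1612037148</tracker>
    </rule>
    <rule>
      <type>pass</type>
      <interface>wan</interface>
      <ipprotocol>inet</ipprotocol>
      <protocol>tcp</protocol>
      <source><any></any></source>
      <destination><address>192.0.2.10</address><port>22</port></destination>
      <tracker>1612037200</tracker>
    </rule>
    <rule>
      <type>pass</type>
      <interface>wan</interface>
      <ipprotocol>inet6</ipprotocol>
      <protocol>tcp</protocol>
      <source><any></any></source>
      <destination><address>RaspiHosts</address></destination>
      <tracker>1612037300</tracker>
    </rule>
  </filter>
</pfsense>
"""

# <ipprotocol> values that name a single address family; anything else is skipped.
FAMILY = {"inet": 4, "inet6": 6}


def address_family(text):
    """Return 4 or 6 for a literal host/network, None for aliases, 'any', etc."""
    try:
        return ipaddress.ip_network(text.strip(), strict=False).version
    except ValueError:
        return None


def mismatched_rules(root):
    """List (tracker, ipprotocol, endpoint, address) for every rule whose literal
    source or destination address belongs to a different family than <ipprotocol>."""
    found = []
    for rule in root.iterfind("./filter/rule"):
        proto = rule.findtext("ipprotocol", default="")
        want = FAMILY.get(proto)
        if want is None:  # dual-family or missing: nothing to compare against
            continue
        for endpoint in ("source", "destination"):
            addr = rule.findtext(f"{endpoint}/address")
            if addr is None:  # <any/>, <network>, or no address element
                continue
            got = address_family(addr)
            if got is not None and got != want:
                found.append((rule.findtext("tracker"), proto, endpoint, addr))
    return found


def remove_rules_by_tracker(root, trackers):
    """Delete <rule> elements whose <tracker> is in `trackers`; return the count."""
    filt = root.find("filter")
    removed = 0
    for rule in list(filt.iterfind("rule")):
        if rule.findtext("tracker") in trackers:
            filt.remove(rule)
            removed += 1
    return removed


def clean_config(xml_text):
    """Parse, flag mismatched rules, drop them, and return (flagged, removed, xml)."""
    root = ET.fromstring(xml_text)
    bad = mismatched_rules(root)
    removed = remove_rules_by_tracker(root, {b[0] for b in bad})
    return bad, removed, ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    bad, removed, cleaned = clean_config(SAMPLE_CONFIG)
    for tracker, proto, endpoint, addr in bad:
        print(f"tracker {tracker}: ipprotocol={proto} but {endpoint} "
              f"address {addr} is IPv{address_family(addr)}")
    print(f"removed {removed} rule(s)")
```

On the sample this flags only tracker 1612037148 (inet rule with an IPv6 /128 destination), matching the rules.debug line quoted in the question. One caveat for real use: ElementTree does not preserve CDATA sections or the original formatting when it serialises, so treat the script's output as a report of which tracker(s) to delete and make the actual deletion in the downloaded XML with a plain text editor, as the answer above describes, rather than restoring the re-serialised tree.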
-
@hieroglyph Thanks for that succinct answer!
I eventually "discovered" your first solution by the time-honored technique of "messing around till I found something that somehow worked", so I thought I'd let someone else do the honors of providing a proper answer :-)
Thanks, I've noted them now.
-
Redmine issue created:
https://redmine.pfsense.org/issues/11439