Netgate Discussion Forum
    [SOLVED]All pass rules appear disabled

    Category: Problems Installing or Upgrading pfSense Software
    17 Posts 5 Posters 1.7k Views
    • Guest

      I am running into a situation where pass rules on every LAN interface become invisible to traffic and the only effective rule is the final one, which is a block. I am several weeks into this issue and have run out of ideas ….

      Initially I could resolve this by removing pfBlockerNG. Eventually I stopped using pfBlocker .... But today, with pfBlockerNG not installed, it happened again while I was reading my email (Protonmail.com).

      Until today I could resolve the problem by performing a factory reset and then restoring my previous configuration; today that has not worked. And for the first time WAN traffic is not passing for unbound either.

      I have a Netgate SG2440 and now also a Netgate C2758 - same problem, doesn't matter which machine.

      I have been using pfSense on Netgate hardware since January of 2016 - never needed to ask for help till now.

      Posting this without firewall protection - which I desperately need.

      One wrinkle I am concerned about is this - I sent in a USB stick of mine to Sentinel One and they documented a significant threat on it. So I don't think it's unreasonable to believe this is not a failure of pfSense or Netgate but a real exploit in the software.

      How do I reload all the operating system files on the device from the command line?

      • ivor

        We offer installation guides for all official pfSense appliances here: https://www.netgate.com/docs/pfsense/index.html

        I'm not sure what's going on, I don't recall any bugs as you describe.

        @Locked:

        One wrinkle I am concerned about is this - I sent in a USB stick of mine to Sentinel One and they documented a significant threat on it.

        What USB stick specifically?

        Need help fast? Our support is available 24/7 https://www.netgate.com/support/

        • NogBadTheBad

          @Locked:

          One wrinkle I am concerned about is this - I sent in a USB stick of mine to Sentinel One and they documented a significant threat on it. So I don't think it's unreasonable to believe this is not a failure of PFSense or Netgate but a real exploit in the software.

          What's on this USB stick?

          Andy

          1 x Netgate SG-4860 - 3 x Linksys LGS308P - 1 x Aruba InstantOn AP22

          • Guest

            The USB stick was received & analyzed by in early July of 2016 and the attack identified as the notorious APT …. Project Sauron

            • Guest

              I am waiting for a null modem cable -> USB to arrive from a ham radio eBay vendor.
              The ones I have bought locally did not seem to work.

              Which USB port on the C2758 do I flash from?

              Got the image downloaded - thanks.

              Just being able to bounce ideas off of the group is going to help me a lot,
              but I may have to contract a special support incident from Netgate.
              It's been 5 years of hacking hell for me here. I need this to end so I can get on with everyday life.

              • NogBadTheBad

                https://www.netgate.com/docs/pfsense/sg-4860/reinstall-pfsense.html

                Put that machine you mention into a DMZ.

                Andy

                1 x Netgate SG-4860 - 3 x Linksys LGS308P - 1 x Aruba InstantOn AP22

                • Guest

                  All Ethernet is physically disconnected from all devices at this point, except the computer I am posting from, and it's not behind any firewall. I'd like to get the 8-core unit running as the 2-core 2440 is frustratingly slow to work with, though both need flashing, and I do have the original gold USB console cable that came with the 2440 from Netgate.

                  Using Debian 9.3.3 and connecting to the C2758 with my current null modem cable:

                  Using PuTTY the error message is ---> "unable to open connection to :" ---> "unable to open serial port"

                  115200
                  data bits 8
                  no parity
                  stop bits 1
                  XON/XOFF

                  Or ...

                  screen /dev/ttyUSB0 115200 ---> gives me a square blinking cursor and no response to the keyboard; the terminal session freezes and I have to kill it.

                  If I assume this is a null modem cable problem, then I have a delay of days for the C2758 while I wait for cable shipping, so meanwhile I am doing a factory reset again on the C2758 and enabling SSH.

                  I guess I'll tackle the 2440 re-flash now, since I actually have a netgate supplied console cable for it.

                  Thanks for helping me ... I need it

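Added example (not from the thread, not Netgate's code): a pre-flight check for the "unable to open serial port" failure in the post above. Before running screen or PuTTY against a USB-to-serial adapter on Linux, it verifies that the device node exists, is a character device and is readable and writable by the current user, and names the owning group when it is not. /dev/ttyUSB0 is assumed as the adapter's device name; check dmesg after plugging the adapter in if it enumerates under another name.

```python
"""Pre-flight checks for a USB-to-serial console device on Linux.
Added example; /dev/ttyUSB0 is an assumption, not something the thread
confirms for this particular cable."""
import grp
import os
import stat


def serial_preflight(dev="/dev/ttyUSB0"):
    """Return a list of problems that would stop screen/PuTTY opening dev.
    An empty list means the node exists, is a character device and the
    current user can read and write it."""
    problems = []
    try:
        st = os.stat(dev)
    except FileNotFoundError:
        return [f"{dev} does not exist: adapter not enumerated or wrong device name"]
    if not stat.S_ISCHR(st.st_mode):
        problems.append(f"{dev} is not a character device")
    if not os.access(dev, os.R_OK | os.W_OK):
        try:
            group = grp.getgrgid(st.st_gid).gr_name
        except KeyError:
            group = str(st.st_gid)
        problems.append(
            f"no read/write access to {dev}: owning group is '{group}', "
            "add your user to it (then log in again) or run the terminal as root")
    return problems


if __name__ == "__main__":
    issues = serial_preflight()
    if issues:
        for issue in issues:
            print("FAIL:", issue)
    else:
        # Settings as listed in the post: 115200 baud, 8 data bits, no parity, 1 stop bit.
        print("ok: try  screen /dev/ttyUSB0 115200")
```

A clean result from this check does not prove the cable is wired correctly; it only rules out the two local causes of the open error (missing node, permissions). A blinking cursor with no response after a successful open, as in the post, points at the cable or the far end rather than at the terminal program.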
                  • A Former User

                    Hi,

                    I'm with Netgate Global Support and I'd like to help you get the SG-2440 back up and running. Can you please create a ticket at https://go.netgate.com?

                    Thank you,

                    -James

                    edit: fixed (replaced) "buck" with back.

                    • Guest

                      James - I have opened a ticket

                      I need a factory image for re-install - the public one did not work for me; perhaps I botched it.

                      Thank you very much

                      • A Former User

                        Hi,

                        You mentioned you've got the Factory Image and are going to try a reimage with the guide I provided.

                        If there are any other questions, please post a reply on your existing ticket at https://go.netgate.com.

                        Thank you,

                        -James

                        • Guest

                          James,

                          I just sent in, this morning, a bunch of log files I pulled off the firewall last week, under the correct ticket ID.

                          Additional analysis and a suggestion from me regarding a new piece of companion hardware to deal with this problem, which will complement the Netgate suite of solutions, will be emailed to support in the next day or two.

                          It's impossible for me to sufficiently express my appreciation regarding Netgate's response to this issue.

                          Thanks very much

                          • Guest

                            Thanks very much to Netgate Global Support for the assistance, but we were unable to fully reproduce the error or find evidence of a vector, so I am back to community support for assistance.

                            Today another filter corruption / failure / error / hack has occurred.

                            Earlier today, all filter rules were dropped. And this time there are clues.

                            How do I find the log file that has the record of notifications which are displayed in the upper right hand corner of the WebGUI?

                            I've posted more specific pfBlockerNG questions here https://forum.pfsense.org/index.php?topic=145348.0

                            • A Former User

                              "hacker hell"
                              Not on topic but a couple tips
                              I used to run Debian for decades; "systemd" changed all that. Now I only run Devuan (Debian fork), and luckily my laptop installed OpenBSD without a hitch.
                              Devuan Ascii has been rock solid for my needs. Do some research into systemd and also check out user.js mods
                              at https://github.com/pyllyukko/user.js for Firefox hardening. GUFW, or without GUI the program UFW, can be set to DENY inbound and outbound and just allow OUT the ports you absolutely need.
                              Jessie Stable/Ascii Development https://devuan.org/

                              P.S- as a fellow Canuck remember, don't let on to the Yanks here we are in cahoots with the Russians and we have Alaska surrounded. ;)

                              • Guest

                                Good advice, but I have Debian so hardened that the enemy has no choice but to go after the firewall. Using the same methodology, I believe they attack from the inside with altered scripts disguised as updates.

                                The last two Debian kernels have been excellent in terms of security, and I have customized my own Firefox AppArmor profile, plus utterly destroyed any ability to add extensions or plugins to Firefox from the system level. I love GUFW, very simple to use. I'd like to spend time hardening sysctl.config for my own purposes but can't find the time to do so.

                                Yes, I hear there are a lot of complaints about systemd, but my beef is with the TLD root servers, rogue NOCTION IP BGP attacks, and AKAMAI CDN IP mappings to Japan and Hong Kong from Vancouver.

                                Debian is back in the game and we await your return webtyro !

                                But I'll consider OpenBSD for my dedicated pfSense administrators workstation

                                • Guest

                                  @Locked:

                                  Today another Filter corruption / failure / error / hack has occurred
                                  Earlier today, all filter rules were dropped. And this time there are clues.

                                  I've posted more specific pfBlockerNG questions here https://forum.pfsense.org/index.php?topic=145348.0

                                  So bearing in mind that this most recent filter failure occurred with a pfBlockerNG configuration which solely consisted of GeoIP blocks … NO DNSBL entries whatsoever.

                                  There has been a revelation - an error on my part:
                                  In all previous versions of pfBlockerNG - TLD Blacklist - I discovered I was able to enter FQDNs as well as TLDs, so I kept doing so, unaware that FQDNs can be entered as a custom block list under DNSBL Feeds. OK - everything worked fine until recent versions of pfBlockerNG corrected the ability to make non-TLD entries in the TLD Blacklist.

                                  So the conclusion is that historical mis-configurations of the TLD Blacklist (FQDNs) under newer versions crash the FILTER or wipe it completely. Netgate has closed the support on the "all pass rules dropped" mystery. Fair enough.

                                  EXCEPT refer back to item 1) which is not explained by 2)

                                  So on the next instance of "all filter rules being dropped" - which has also happened to me during a "File system Full" incident - I will gladly open a PAID INCIDENT support ticket. Because we still have not got to the bottom of this. But I now believe it is a BUG and not a HACK, which has not yet been resolved.

                                  Thanks very much to James and Steve for the free support, I've got no problem with pulling out the credit card the next time my filter blows up. And the incident will be titled "Filter blows up"

                                  • Guest

                                    To summarize and conclude: PACKET LOSS issues caused 2 of 3 problems.

                                    I now realize that all instances of filter failure (except filesystem full (#3)) can be attributed to packet loss at my router, which is a residential cable connection. It's been an issue here for years. Gateway pinger has been documenting it very well.

                                    In one instance of filter failure (#1) we discovered intermittent DNS failure to resolve names which populate aliases used to evaluate pass rules. The evaluation fails because the alias has a null value and the rule "appears to be ignored" - I am now 100% certain this intermittent DNS failure has been caused by packet loss. This is my original condition and the basic premise for this thread.

                                    In the second instance of filter failure, after downloading pfb_NAmerica GeoIP datasets by MaxMind, the error message before filter failure was something to the effect of "bad characters in …" and the application of the new block rules failed because of that, which took out the entire set of firewall rules. Once again I will attribute this to packet loss creating a faulty download, and the subsequent IP data set applied to the filter crashed it.

                                    I feel Netgate Support should be compensated for the time which has been spent for me to arrive at this conclusion (and inspire me to program my new firewall rules to avoid future problems).

                                    James or Steve, please get in touch and let's agree on an invoice amount to be paid. I believe in fairness and healthy client / provider relationships - Netgate got the short end of the straw here when they stepped up to the plate.

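Added example (not pfSense or pfBlockerNG code, not part of the thread) modelling the two failure modes the summary above describes. Failure #1: an alias built from a hostname whose lookup fails resolves to an empty table, so a pass rule that references it matches nothing and the traffic falls through to the final block, which is how the post describes the rule "appearing to be ignored"; pairing the hostname with its known address in the same alias keeps the alias from going empty, and a check that reports empty aliases gives the operator something to alert on. Failure #2: a downloaded IP list with a malformed line is rejected as a whole, with the offending line number, rather than being applied. The resolver results (GOOD_DNS, DEGRADED_DNS), the alias names and the feed text are constructed so the example runs offline.

```python
"""Empty-alias and bad-feed failure modes for a first-match firewall ruleset.
Added example with a constructed DNS stub; not pfSense code."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed resolver results: hostname -> addresses.  An empty list models a
# lookup that timed out, the packet-loss condition the post describes.
GOOD_DNS = {"mail.example.com": ["203.0.113.10"], "imap.example.com": ["203.0.113.20"]}
DEGRADED_DNS = {"mail.example.com": ["203.0.113.10"], "imap.example.com": []}

# Hypothetical aliases.  ImapSafe pairs the hostname with its known address so
# the alias still has content when resolution fails.
ALIASES = {
    "ImapOnly": ["imap.example.com"],
    "ImapSafe": ["imap.example.com", "203.0.113.20"],
    "MailHosts": ["mail.example.com", "imap.example.com"],
}


def resolve_alias(entries, dns):
    """Expand IPs, CIDRs and hostnames into networks.  A hostname that does
    not resolve contributes nothing, and nothing warns about it."""
    nets = []
    for entry in entries:
        try:
            nets.append(ipaddress.ip_network(entry, strict=False))
        except ValueError:  # not an address or CIDR, so treat it as a hostname
            nets.extend(ipaddress.ip_network(a) for a in dns.get(entry, []))
    return nets


def empty_aliases(aliases, dns):
    """Names of aliases that resolved to nothing.  A pass rule built on any of
    these currently matches no traffic; worth an alert."""
    return [name for name, entries in aliases.items() if not resolve_alias(entries, dns)]


@dataclass
class Rule:
    action: str                  # "pass" or "block"
    dst: Optional[list] = None   # None = any destination; [] matches nothing


def evaluate(rules, dst_ip):
    """First-match evaluation (pfSense marks its rules quick) with an implicit
    default deny at the end."""
    ip = ipaddress.ip_address(dst_ip)
    for rule in rules:
        if rule.dst is None or any(ip in net for net in rule.dst):
            return rule.action
    return "block"


def build_rules(alias_name, dns):
    """A single pass rule on the named alias followed by the usual final block."""
    return [Rule("pass", resolve_alias(ALIASES[alias_name], dns)), Rule("block")]


def load_feed(text):
    """Parse an IP/CIDR feed line by line (comments after '#' ignored).  The
    first malformed line aborts the whole load: a truncated or corrupted
    download must not reach the ruleset at all."""
    nets = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            nets.append(ipaddress.ip_network(line, strict=False))
        except ValueError:
            raise ValueError(f"line {lineno}: bad characters in {raw!r}") from None
    return nets


def feed_error(text):
    """Return the load error message, or None when the feed is clean."""
    try:
        load_feed(text)
    except ValueError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    for label, dns in (("healthy", GOOD_DNS), ("degraded", DEGRADED_DNS)):
        verdict = evaluate(build_rules("ImapOnly", dns), "203.0.113.20")
        print(f"{label:8} DNS: ImapOnly -> {verdict}; empty aliases: {empty_aliases(ALIASES, dns)}")
    print("degraded DNS: ImapSafe ->", evaluate(build_rules("ImapSafe", DEGRADED_DNS), "203.0.113.20"))
    # Constructed feed with a corrupted third line, as a bad download might produce.
    print("feed:", feed_error("203.0.113.0/24\n198.51.100.7 # host\n203.0.1\ufffd3.0/24\n"))
```

Run as a script it shows the same destination passing under healthy DNS and being blocked under degraded DNS with the hostname-only alias, passing again with the alias that carries a static fallback, and the corrupted feed being refused with its line number. The two defensive habits are the ones the summary post arrives at: give hostname aliases a static companion entry, and validate a fetched list before it touches the ruleset.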
                                    • Guest

                                      I just got off the phone with the Cable company here in Delta BC, and their statistics for my modem for the past month, show packet loss to the extent that front line support was extremely apologetic.

                                      My fault again for not pressuring Cable support, previously, as they have me flagged as "has own router" (pfSense) - therefore customer is not eligible for support.

                                      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.