[SOLVED] All pass rules appear disabled

  • I am running into a situation where pass rules on every LAN interface become invisible to traffic and the only effective rule is the final one, which is a block. I am several weeks into this issue and have run out of ideas ….

    Initially I could resolve this by removing PFBlockerNG. Eventually I stopped using PFBlocker .... But today, with PFBlockerNG not installed, it happened again while I was reading my email (Protonmail.com).

    Until today I could resolve the problem by performing a factory reset and then restoring my previous configuration, except for today. That has not worked. And WAN traffic is not passing either for unbound, for the first time as well.

    I have a Netgate SG2440 and now also a Netgate C2758 - same problem, doesn't matter what machine.

    I have been using PFSense on Netgate hardware since January of 2016 - Never needed to ask for help till now.

    Posting this without firewall protection - which I desperately need.

    One wrinkle I am concerned about is this - I sent in a USB stick of mine to Sentinel One and they documented a significant threat on it. So I don't think it's unreasonable to believe this is not a failure of PFSense or Netgate but a real exploit in the software.

    How do I reload from the command line all the operating system files on the device?

  • We offer installation guides for all official pfSense appliances here: https://www.netgate.com/docs/pfsense/index.html

    I'm not sure what's going on, I don't recall any bugs as you describe.

  • One wrinkle I am concerned about is this - I sent in a USB stick of mine to Sentinel One and they documented a significant threat on it.

    What USB stick specifically?

  • @Locked:

    One wrinkle I am concerned about is this - I sent in a USB stick of mine to Sentinel One and they documented a significant threat on it. So I don't think it's unreasonable to believe this is not a failure of PFSense or Netgate but a real exploit in the software.

    What's on this USB stick?

  • The USB stick was received & analyzed by in early July of 2016 and the attack identified as the notorious APT ….    Project Sauron

  • I am waiting for a null modem cable -> usb to arrive from a ham radio ebay vendor
    The ones I have bought locally did not seem to work

    Which USB port on the C2758 do I flash from?

    Got the image downloaded - thanks

    Just being able to bounce ideas off of the group is going to help me a lot
    But I may have to contract a special support incident from Netgate
    it's been 5 years of hacking hell for me here .. I need this to end so I can get on with everyday life

  • All ethernet is disconnected physically from all devices at this point - except the computer I am posting from, and it's not behind any firewall. I'd like to get the 8 core unit running as the 2 core 2440 is frustratingly slow to work with, though both need flashing, and I do have the original gold USB console cable that came with the 2440 from Netgate.

    Using Debian 9.3.3 and connecting to the C2758 with my current null modem cable:

    Using Putty the error message is ---> "unable to open connection to :" ---> "unable to open serial port"

    data bits 8
    no parity
    stop bits 1

    Or ...

    screen /dev/ttyUSB0 115200 ---> gives me a square blinking cursor and no response to the keyboard, the terminal session freezes and I have to kill it

    If I assume this is a null modem cable problem then I have got a delay in terms of days for the C2758 while I wait for cable shipping, so meanwhile I am doing a factory reset again on the C2758 and enabling SSH.

    I guess I'll tackle the 2440 re-flash now, since I actually have a Netgate supplied console cable for it.

    Thanks for helping me ... I need it

  • I'm with Netgate Global Support and I'd like to help you get the SG-2440 back up and running. Can you please create a ticket at https://go.netgate.com?

    Thank you,


    edit: fixed (replaced) "buck" with back.

  • James - I have opened a ticket

    I need a factory image for re-install - the public one did not work for me - perhaps I botched it

    Thank you very much

  • You mentioned you've got the Factory Image and are going to try a reimage with the guide I provided.

    If there are any other questions, please post a reply on your existing ticket at https://go.netgate.com.

    Thank you,


  • James,

    I just sent in, under the correct ticket ID this morning, a bunch of log files I pulled off of the firewall last week.

    Additional analysis and a suggestion from me regarding a new piece of companion hardware to deal with this problem, which will complement the Netgate suite of solutions, will be emailed to support in the next day or two.

    It's impossible for me to sufficiently express my appreciation regarding Netgate's response to this issue.

    Thanks very much

  • Thanks very much to Netgate Global Support for the assistance, but we were unable to fully reproduce the error or find evidence of a vector - so I am back to community support for assistance.

    Today another Filter corruption / failure / error / hack has occurred

    Earlier today, all filter rules were dropped. And this time there are clues.

    How do I find the log file that has the record of notifications which are displayed in the upper right hand corner of the WebGUI?

    I've posted more specific pfBlockerNG questions here https://forum.pfsense.org/index.php?topic=145348.0

  • "hacker hell"
    Not on topic but a couple tips.
    I used to run Debian for decades; "systemd" changed all that. Now I only run Devuan (Debian fork) and luckily my laptop installed OpenBSD without a hitch.
    Devuan Ascii has been rock solid for my needs. Do some research into systemd and also check out user.js mods
    at https://github.com/pyllyukko/user.js for Firefox hardening. GUFW, or without GUI the program UFW, can be set to DENY inbound and outbound and just allow OUT the ports you absolutely need.
    Jessie Stable/Ascii Development  https://devuan.org/

  • Good advice, but I have Debian so hardened that the enemy has no choice but to go after the firewall. Using the same methodology, I believe they attack from the inside with altered scripts disguised as updates.

    The last two Debian kernels have been excellent in terms of security, and I have customized my own Firefox AppArmor profile, plus utterly destroyed any ability to add extensions or plugins to Firefox from the system level. I love GUFW, very simple to use. I'd like to spend time hardening sysctl.config for my own purposes but can't find the time to do so.

    Yes, I hear there are a lot of complaints about systemd, but my beef is with the TLD root servers, rogue NOCTION IP BGP attacks, and AKAMAI CDN IP mappings to Japan and Hong Kong from Vancouver.

    But I'll consider OpenBSD for my dedicated pfSense administrators workstation

  • @Locked:

    Today another Filter corruption / failure / error / hack has occurred
    Earlier today, all filter rules were dropped. And this time there are clues.

    I've posted more specific pfBlockerNG questions here https://forum.pfsense.org/index.php?topic=145348.0

    So bearing in mind that this most recent filter failure occurred with a pfBlockerNG configuration which solely consisted of GeoIP blocks … NO DNSBL entries whatsoever.

    There has been a revelation - an error on my part:
    In all previous versions of pfBlockerNG - TLD Blacklist - I discovered I was able to enter FQDNs as well as TLDs, so I kept doing so, unaware that FQDNs can be entered as a custom block list under DNSBL Feeds. OK - everything worked fine until recent versions of pfBlockerNG corrected the ability to make non-TLD entries in the TLD Blacklist.

    So the conclusion is that historical mis-configurations of the TLD Blacklist (FQDNs) under newer versions crash the FILTER or wipe it completely. Netgate has closed the support on the "all pass rules dropped" mystery. Fair enough.

    EXCEPT refer back to item 1) which is not explained by 2)

    So the next instance of "all filter rules being dropped" - which has also happened to me during a "File system Full" incident - I will gladly open a PAID INCIDENT support ticket. Because we still have not got to the bottom of this. But I now believe it is a BUG and not a HACK, which has not yet been resolved.

    Thanks very much to James and Steve for the free support, I've got no problem with pulling out the credit card the next time my filter blows up. And the incident will be titled "Filter blows up"

  • To summarize and conclude PACKET LOSS issues caused 2 of 3 problems

    I now realize that all instances of filter failure (except filesystem full (#3)) can be attributed to packet loss at my router which is a residential cable connection.  It's been an issue here for years. Gateway pinger has been documenting it very well.

    In one instance of filter failure (#1) we discovered intermittent DNS failure to resolve names which populate aliases used to evaluate pass rules. The evaluation fails because the alias has a null value and the rule "appears to be ignored" - I am now 100% certain this intermittent DNS failure has been caused by packet loss. This is my original condition and the basic premise for this thread.

    In the second instance of filter failure, after downloading pfb_NAmerica GeoIP datasets by MaxMind, the error message before filter failure was something to the effect of "bad characters in …" and the application of the new block rules failed because of that, which took out the entire set of firewall rules. Once again I will attribute this to packet loss creating a faulty download and subsequent IP data set applied to the filter crashed it.

    I feel Netgate Support should be compensated for the time which has been spent for me to arrive at this conclusion (and inspire me to program my new firewall rules to avoid future problems).

    James or Steve please get in touch and let's agree on an invoice amount to be paid. I believe in fairness and healthy client / provider relationships - Netgate got the short end of the straw here when they stepped up to the plate.
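The two failure modes in the summary above (a pass rule whose alias resolves to an empty set, and a corrupted feed download whose "bad characters" broke the whole ruleset reload) can both be caught before the filter is touched. The following pre-flight check is an added example written for this thread, not pfSense or pfBlockerNG code; it assumes a resolver callable is injected (so DNS failure can be simulated offline) and uses constructed sample data in place of a real feed and real aliases.

```python
import ipaddress
from typing import Callable, Dict, Iterable, List, Tuple

# Constructed sample feed: two valid networks plus the kind of garbage a
# truncated or corrupted download produces (assumed, not a real MaxMind file).
FEED_LINES = ["203.0.113.0/24", "198.51.100.0/25",
              "192.0.2.0/24\x00??", "not an address"]

# Constructed aliases (hypothetical names): hostnames that pass rules depend on.
ALIASES = {"AllowedMail": ["mail.example.com", "203.0.113.25"],
           "AllowedAPI": ["api.example.com"]}

# Hypothetical DNS answers; api.example.com simulates an intermittent failure.
FAKE_DNS = {"mail.example.com": ["203.0.113.10"], "api.example.com": []}


def fake_resolve(host: str) -> List[str]:
    """Stand-in resolver: literal addresses need no lookup, names use FAKE_DNS."""
    try:
        return [str(ipaddress.ip_address(host))]
    except ValueError:
        return FAKE_DNS.get(host, [])


def validate_feed(lines: Iterable[str]) -> Tuple[List[str], List[str]]:
    """Split a downloaded block list into networks pf will accept and rejects.
    Only load the list when `bad` is empty, so one corrupted line never gets
    pushed into the filter and takes the rest of the ruleset down with it."""
    good, bad = [], []
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        try:
            good.append(str(ipaddress.ip_network(line, strict=False)))
        except ValueError:
            bad.append(raw)
    return good, bad


def empty_aliases(alias_hosts: Dict[str, List[str]],
                  resolve: Callable[[str], List[str]]) -> List[str]:
    """Return aliases whose resolved address set is empty. A pass rule that
    references such an alias matches nothing, so traffic falls through to the
    later rules (typically the final block) and the rule looks "ignored"."""
    return [name for name, hosts in alias_hosts.items()
            if not any(resolve(h) for h in hosts)]


if __name__ == "__main__":
    print("feed:", validate_feed(FEED_LINES))
    print("empty aliases:", empty_aliases(ALIASES, fake_resolve))
```

Run it from cron before a scheduled reload and refuse the reload (or alert) when either check returns a non-empty reject list.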

  • I just got off the phone with the Cable company here in Delta BC, and their statistics for my modem for the past month, show packet loss to the extent that front line support was extremely apologetic.

    My fault again for not pressuring Cable support, previously, as they have me flagged as "has own router" (pfSense) - therefore customer is not eligible for support.

