Notification of tmp/rules.debug syntax error



  • I am getting a syntax error every time the firewall rules are reloaded.  /tmp/rules.debug has “to !1.2.3.32/29” whereas the notice only says “to !/”.  How do I tell if rules.debug is valid, or why the notification is mangled?

    The IP addresses below have been edited.  1.2.3.34 is the IP address of the WAN port.  1.2.3.33 is the upstream gateway to the Internet.  1.2.3.32/29 is the net the WAN port is on.

    [2.4.2-RELEASE]# find / -type f -print0 | xargs -0 fgrep -n 'tracker 1000004861'
    /tmp/rules.debug:152:pass out  route-to ( igb4 1.2.3.33 ) from 1.2.3.34 to !1.2.3.32/29 tracker 1000004861 keep state allow-opts label "let out anything from firewall host itself"
    /tmp/notices:1:a:19:{i:1517588425;a:5:{s:2:"id";s:11:"filter_load";s:6:"notice";s:275:"There were error(s) loading the rules: /tmp/rules.debug:147: syntax error - The line in question reads [147]: pass out  route-to ( igb4 1.2.3.33 ) from 1.2.3.34 to !/ tracker 1000004861 keep state allow-opts label "let out anything from firewall host itself"
    … 19 more lines like that …
    /tmp/rules.debug.old:152:pass out  route-to ( igb4 1.2.3.33 ) from 1.2.3.34 to !1.2.3.32/29 tracker 1000004861 keep state allow-opts label "let out anything from firewall host itself"
    /var/db/notices_lastmsg.txt:1:There were error(s) loading the rules: /tmp/rules.debug:150: syntax error - The line in question reads [150]: pass out  route-to ( igb4 1.2.3.33 ) from 1.2.3.34 to !/ tracker 1000004861 keep state allow-opts label "let out anything from firewall host itself"
    [2.4.2-RELEASE]#
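As an added example (not from this thread or from pfSense itself), a small POSIX shell check for the question asked above: it scans a ruleset file for the empty negation the notice shows ("to !/", or a "!" with no address after it) and, where pfctl is present, asks pf to parse the file without loading it. The file path and the "good"/"mangled" sample lines in the comments are constructed for illustration.

```shell
#!/bin/sh
# Added example: sanity-check a pf ruleset file such as /tmp/rules.debug.
# 1. Look for the specific mangling seen in the notice: a negated address
#    that is empty ("to !/" or a trailing "!" with nothing after it).
# 2. If pfctl exists on this box, run a parse-only load (-n) of the file so
#    any other syntax error is reported by pf itself.

# Print "lineno:rule" for every rule whose from/to address is an empty negation.
# Deliberately does NOT match "to ! 1.2.3.32/29": that is how pfctl -sr prints a
# perfectly valid negation, and it also leaves "to !1.2.3.32/29" alone.
find_empty_negations() {
    # $1 = path to the ruleset file
    grep -nE '(from|to)[[:space:]]+![[:space:]]*(/|[[:space:]]*$)' "$1"
}

# Exit 0 when the file has no empty negations and (if pfctl is available)
# parses cleanly; exit 1 otherwise, with the offending lines on stderr.
check_ruleset() {
    file="$1"
    bad=$(find_empty_negations "$file" || true)
    if [ -n "$bad" ]; then
        printf 'empty negation in %s:\n%s\n' "$file" "$bad" >&2
        return 1
    fi
    if command -v pfctl >/dev/null 2>&1; then
        # -n: parse the ruleset but do not load it; -f: read rules from file
        pfctl -nf "$file" || return 1
    fi
    return 0
}

# Typical use on the firewall itself (constructed path for illustration):
#   check_ruleset /tmp/rules.debug && echo "ruleset OK"
```

Running it against the two forms from the thread, the "to !1.2.3.32/29" line passes and the "to !/" line from the notice is reported with its line number.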



  • Hi,

    I’m surely not an “ip” firewall expert, but this “!” looks strange to me …
    Try ditching the rules that inserted this “!”.


  • Netgate

    Are you running Suricata?

    What is the configuration of the WAN interface? (static, DHCP, PPPoE, etc)?

    Is there a WAN down or up event happening at the time those are logged?

    Is there an interruption in traffic or is there just that log entry / alert?

    If you look at the rule set after the fact, does the rule look normal? (grep 1000004861 /tmp/rules.debug) (or even better, pfctl -vvsr | grep '^@152')

    What version of pfSense?



  • The ! seems OK - it probably means “all addresses except this CIDR block”, and it probably makes sense in the context “all addresses not on the connected net must be routed to the gateway”.

    No rule I have added has a ! - this is something pfSense generated.

    I am not running Suricata.

    The WAN port is configured as types “Static IPv4” & “DHCP6”, IPv4 address 1.2.3.34/29 gateway “WANGW 1.2.3.33”.  The DHCPv6 Prefix Delegation size is set to “64”.

    There do not appear to have been any up or down events on the interface, nor any traffic interruption, just the log alert.

    The only functional problem I am having is that only one of my global IP addresses is working.  The ISP (Time Warner / Spectrum in Austin Texas USA) provides five globally visible addresses (1.2.3.34 through 1.2.3.38) but packets sent to 1.2.3.35-1.2.3.38 don’t appear in Diagnostics->Packet Capture in promiscuous mode.  I don’t know if my pfSense configuration is incorrect or if the ISP isn’t routing correctly.

    This is pfSense version:

    2.4.2-RELEASE-p1 (amd64)
    built on Tue Dec 12 13:14:55 CST 2017
    FreeBSD 11.1-RELEASE-p6

    [2.4.2-RELEASE]# fgrep -n .33 /tmp/rules.debug | fgrep .34
    152:pass out  route-to ( igb4 1.2.3.33 ) from 1.2.3.34 to !1.2.3.32/29 tracker 1000004861 keep state allow-opts label "let out anything from firewall host itself"
    169:pass  in  quick  on $WAN reply-to ( igb4 1.2.3.33 ) inet proto udp  from any to 1.2.3.34 port 1194 keep state  label "USER_RULE: OpenVPN remote client UDP wizard"
    170:pass  in log  quick  on $WAN reply-to ( igb4 1.2.3.33 ) inet proto esp  from any to 1.2.3.34 tracker 1505464764 keep state  label "USER_RULE"
    171:pass  in log  quick  on $WAN reply-to ( igb4 1.2.3.33 ) inet proto ah  from any to 1.2.3.34 tracker 1505464848 keep state  label "USER_RULE"
    172:pass  in log  quick  on $WAN reply-to ( igb4 1.2.3.33 ) inet proto gre  from any to 1.2.3.34 tracker 1505464889 keep state  label "USER_RULE"
    173:pass  in  quick  on $WAN reply-to ( igb4 1.2.3.33 ) inet proto udp  from any to 1.2.3.34 port 1194 keep state  label "USER_RULE: OpenVPN routed client wizard"
    [2.4.2-RELEASE]#

    [2.4.2-RELEASE]# pfctl -vvsr | fgrep .33 | fgrep .34
    @83(1000004861) pass out route-to (igb4 1.2.3.33) inet from 1.2.3.34 to ! 1.2.3.32/29 flags S/SA keep state allow-opts label "let out anything from firewall host itself"
    @98(0) pass in quick on igb4 reply-to (igb4 1.2.3.33) inet proto udp from any to 1.2.3.34 port = openvpn keep state label "USER_RULE: OpenVPN remote client UDP wizard"
    @99(1505464764) pass in log quick on igb4 reply-to (igb4 1.2.3.33) inet proto esp from any to 1.2.3.34 keep state label "USER_RULE"
    @100(1505464848) pass in log quick on igb4 reply-to (igb4 1.2.3.33) inet proto ah from any to 1.2.3.34 keep state label "USER_RULE"
    @101(1505464889) pass in log quick on igb4 reply-to (igb4 1.2.3.33) inet proto gre from any to 1.2.3.34 keep state label "USER_RULE"
    @102(0) pass in quick on igb4 reply-to (igb4 1.2.3.33) inet proto udp from any to 1.2.3.34 port = openvpn keep state label "USER_RULE: OpenVPN routed client wizard"
    [2.4.2-RELEASE]#

    [2.4.2-RELEASE]# pfctl -vvsr | fgrep '"let out anything from firewall host itself"' /tmp/rules.debug
    pass out  route-to ( igb4 1.2.3.33 ) from 1.2.3.34 to !1.2.3.32/29 tracker 1000004861 keep state allow-opts label "let out anything from firewall host itself"
    pass out  route-to ( igb4 fe80::xxxx:xxxx:xxxx:xxxx ) inet6 from 2605:yyyy:yyyy:yyyy:yyyy:yyyy:yyyy:yyyy to !2605:yyyy:yyyy:yyyy:yyyy:yyyy:yyyy:yyyy/64 tracker 1000004862 keep state allow-opts label "let out anything from firewall host itself"
    [2.4.2-RELEASE]#

    [2.4.2-RELEASE]# fgrep '"let out anything from firewall host itself"' /tmp/rules.debug
    pass out  route-to ( igb4 1.2.3.33 ) from 1.2.3.34 to !1.2.3.32/29 tracker 1000004861 keep state allow-opts label "let out anything from firewall host itself"
    pass out  route-to ( igb4 fe80::xxxx:xxxx:xxxx:xxxx ) inet6 from 2605:yyyy:yyyy:yyyy:yyyy:yyyy:yyyy:yyyy to !2605:yyyy:yyyy:yyyy:yyyy:yyyy:yyyy:yyyy/64 tracker 1000004862 keep state allow-opts label "let out anything from firewall host itself"
    [2.4.2-RELEASE]#

    [2.4.2-RELEASE]# pfctl -vvsr | grep "^@152"
    [2.4.2-RELEASE]#


  • Netgate

    If the packets aren’t appearing in a packet capture it means the ISP isn’t sending them to you.

    Thanks for the other answers.


  • Netgate

    Bug submitted at https://redmine.pfsense.org/issues/8360

    There is a patch available at https://redmine.pfsense.org/attachments/download/2355/8360.diff

    If you want to test it you can install it using the System Patches package

    Install the System Patches package. It will be at System > Patches when you are done.
    Add a new patch
    Enter a description
    Enter https://redmine.pfsense.org/attachments/download/2355/8360.diff as the URL
    Set the path strip count to 2
    Set Base Directory to /
    Check Ignore Whitespace.
    Save

    That should retrieve the patch.

    Then Fetch it then test it. It should say it CAN be applied cleanly and CANNOT be reverted (those test results will flip after it is applied)
    Then you can apply it

    Please let us know if that clears it up and if you see any adverse effects.

    If you wish to have this run on boot, edit the patch and check Auto Apply and Save.

    You can simply revert the patch if it causes issues.




  • I just applied the patch in my 2.4.2-RELEASE-p1 and it seems to do the trick. I’ll post here again if not.
    Thanks for providing the patch  🙂



  • Agreed: it resolves the issue in my case and does not seem to cause any other issue or change.  Thanks.



  • Good morning,

    Can you help me understand how I install the patch?

    In my pfSense (latest update) I don't have a Patches entry under the System menu, so it must be something I don't get.

    Thanks!



  • You need to install a package called “System Patches” to see the menu item.


 

© Copyright 2002 - 2018 Rubicon Communications, LLC | Privacy Policy