Netgate Discussion Forum
Notification of tmp/rules.debug syntax error

Firewalling
10 Posts 5 Posters 6.0k Views
    jrv
    last edited by Mar 6, 2018, 9:02 PM

    I am getting a syntax error every time the firewall rules are reloaded.  /tmp/rules.debug has "to !1.2.3.32/29" whereas the notice only says "to !/".  How do I tell if rules.debug is valid, or why the notification is mangled?

    The IP addresses below have been edited.  1.2.3.34 is the IP address of the WAN port.  1.2.3.33 is the upstream gateway to the Internet.  1.2.3.32/29 is the net the WAN port is on.

    [2.4.2-RELEASE]# find / -type f -print0 | xargs -0 fgrep -n 'tracker 1000004861'
    /tmp/rules.debug:152:pass out  route-to ( igb4 1.2.3.33 ) from 1.2.3.34 to !1.2.3.32/29 tracker 1000004861 keep state allow-opts label "let out anything from firewall host itself"
    /tmp/notices:1:a:19:{i:1517588425;a:5:{s:2:"id";s:11:"filter_load";s:6:"notice";s:275:"There were error(s) loading the rules: /tmp/rules.debug:147: syntax error - The line in question reads [147]: pass out  route-to ( igb4 1.2.3.33 ) from 1.2.3.34 to !/ tracker 1000004861 keep state allow-opts label "let out anything from firewall host itself"
    … 19 more lines like that ...
    /tmp/rules.debug.old:152:pass out  route-to ( igb4 1.2.3.33 ) from 1.2.3.34 to !1.2.3.32/29 tracker 1000004861 keep state allow-opts label "let out anything from firewall host itself"
    /var/db/notices_lastmsg.txt:1:There were error(s) loading the rules: /tmp/rules.debug:150: syntax error - The line in question reads [150]: pass out  route-to ( igb4 1.2.3.33 ) from 1.2.3.34 to !/ tracker 1000004861 keep state allow-opts label "let out anything from firewall host itself"
    [2.4.2-RELEASE]#

      Gertjan
      last edited by Mar 6, 2018, 11:43 PM

      Hi,

      I'm surely not an "ip" firewall expert, but this "!" looks strange to me …
      Try ditching the rules that inserted this "!".

      Edit: and where are the logs??

      No "help me" PM's please. Use the forum, the community will thank you.

        Derelict LAYER 8 Netgate
        last edited by Mar 7, 2018, 1:02 AM

        Are you running Suricata?

        What is the configuration of the WAN interface? (static, DHCP, PPPoE, etc)?

        Is there a WAN down or up event happening at the time those are logged?

        Is there an interruption in traffic or is there just that log entry / alert?

        If you look at the rule set after the fact, does the rule look normal? (grep 1000004861 /tmp/rules.debug) (or even better, pfctl -vvsr | grep '^@152')

        What version of pfSense?

        Chattanooga, Tennessee, USA
        A comprehensive network diagram is worth 10,000 words and 15 conference calls.
        DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
        Do Not Chat For Help! NO_WAN_EGRESS(TM)

          jrv
          last edited by Mar 7, 2018, 7:35 AM

          The ! seems OK - it probably means "all addresses except this CIDR block" and it probably makes sense in the context "all addresses not on the connected net must be routed to the gateway".

          No rule I have added has a ! - this is something pfSense generated.

          I am not running Suricata.

          The WAN port is configured as types "Static IPv4" & "DHCP6", IPv4 address 1.2.3.34/29 gateway "WANGW 1.2.3.33".  The DHCPv6 Prefix Delegation size is set to "64".

          There do not appear to have been any up or down events on the interface, nor any traffic interruption, just the log alert.

          The only functional problem I am having is that only one of my global IP addresses is working.  The ISP (Time Warner / Spectrum in Austin Texas USA) provides five globally visible addresses (1.2.3.34 through 1.2.3.38) but packets sent to 1.2.3.35-1.2.3.38 don't appear in Diagnostics->Packet Capture in promiscuous mode.  I don't know if my pfSense configuration is incorrect or if the ISP isn't routing correctly.

          This is pfSense version:

          2.4.2-RELEASE-p1 (amd64)
          built on Tue Dec 12 13:14:55 CST 2017
          FreeBSD 11.1-RELEASE-p6

          [2.4.2-RELEASE]# fgrep -n .33 /tmp/rules.debug | fgrep .34
          152:pass out  route-to ( igb4 1.2.3.33 ) from 1.2.3.34 to !1.2.3.32/29 tracker 1000004861 keep state allow-opts label "let out anything from firewall host itself"
          169:pass  in  quick  on $WAN reply-to ( igb4 1.2.3.33 ) inet proto udp  from any to 1.2.3.34 port 1194 keep state  label "USER_RULE: OpenVPN remote client UDP wizard"
          170:pass  in log  quick  on $WAN reply-to ( igb4 1.2.3.33 ) inet proto esp  from any to 1.2.3.34 tracker 1505464764 keep state  label "USER_RULE"
          171:pass  in log  quick  on $WAN reply-to ( igb4 1.2.3.33 ) inet proto ah  from any to 1.2.3.34 tracker 1505464848 keep state  label "USER_RULE"
          172:pass  in log  quick  on $WAN reply-to ( igb4 1.2.3.33 ) inet proto gre  from any to 1.2.3.34 tracker 1505464889 keep state  label "USER_RULE"
          173:pass  in  quick  on $WAN reply-to ( igb4 1.2.3.33 ) inet proto udp  from any to 1.2.3.34 port 1194 keep state  label "USER_RULE: OpenVPN routed client wizard"
          [2.4.2-RELEASE]#

          [2.4.2-RELEASE]# pfctl -vvsr | fgrep .33 | fgrep .34
          @83(1000004861) pass out route-to (igb4 1.2.3.33) inet from 1.2.3.34 to ! 1.2.3.32/29 flags S/SA keep state allow-opts label "let out anything from firewall host itself"
          @98(0) pass in quick on igb4 reply-to (igb4 1.2.3.33) inet proto udp from any to 1.2.3.34 port = openvpn keep state label "USER_RULE: OpenVPN remote client UDP wizard"
          @99(1505464764) pass in log quick on igb4 reply-to (igb4 1.2.3.33) inet proto esp from any to 1.2.3.34 keep state label "USER_RULE"
          @100(1505464848) pass in log quick on igb4 reply-to (igb4 1.2.3.33) inet proto ah from any to 1.2.3.34 keep state label "USER_RULE"
          @101(1505464889) pass in log quick on igb4 reply-to (igb4 1.2.3.33) inet proto gre from any to 1.2.3.34 keep state label "USER_RULE"
          @102(0) pass in quick on igb4 reply-to (igb4 1.2.3.33) inet proto udp from any to 1.2.3.34 port = openvpn keep state label "USER_RULE: OpenVPN routed client wizard"
          [2.4.2-RELEASE]#

          [2.4.2-RELEASE]# pfctl -vvsr | fgrep '"let out anything from firewall host itself"' /tmp/rules.debug
          pass out  route-to ( igb4 1.2.3.33 ) from 1.2.3.34 to !1.2.3.32/29 tracker 1000004861 keep state allow-opts label "let out anything from firewall host itself"
          pass out  route-to ( igb4 fe80::xxxx:xxxx:xxxx:xxxx ) inet6 from 2605:yyyy:yyyy:yyyy:yyyy:yyyy:yyyy:yyyy to !2605:yyyy:yyyy:yyyy:yyyy:yyyy:yyyy:yyyy/64 tracker 1000004862 keep state allow-opts label "let out anything from firewall host itself"
          [2.4.2-RELEASE]#

          [2.4.2-RELEASE]#  fgrep '"let out anything from firewall host itself"' /tmp/rules.debug
          pass out  route-to ( igb4 1.2.3.33 ) from 1.2.3.34 to !1.2.3.32/29 tracker 1000004861 keep state allow-opts label "let out anything from firewall host itself"
          pass out  route-to ( igb4 fe80::xxxx:xxxx:xxxx:xxxx ) inet6 from 2605:yyyy:yyyy:yyyy:yyyy:yyyy:yyyy:yyyy to !2605:yyyy:yyyy:yyyy:yyyy:yyyy:yyyy:yyyy/64 tracker 1000004862 keep state allow-opts label "let out anything from firewall host itself"
          [2.4.2-RELEASE]#

          [2.4.2-RELEASE]# pfctl -vvsr | grep "^@152"
          [2.4.2-RELEASE]#

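The two checks jrv did by hand above (does the notice quote what rules.debug really contains, and finding the rule by its tracker id rather than by line number, since line 152 of rules.debug shows up as rule @83 in pfctl -vvsr) as an added POSIX sh example. This is not code from the thread or from pfSense; the rules file and the notice text are constructed so it runs offline, and the paths in the comments are the ones named in the thread.

```shell
#!/bin/sh
# Added example (not from the thread). Offline check of a pfSense
# filter_load notice against the rules file it complains about.
# On the firewall the inputs would be /tmp/rules.debug and
# /var/db/notices_lastmsg.txt, and `pfctl -nf /tmp/rules.debug`
# parses the file without loading it; here both inputs are constructed.
RULES=$(mktemp)
trap 'rm -f "$RULES"' EXIT
cat > "$RULES" <<'EOF'
set skip on pfsync0
scrub in on $WAN all fragment reassemble
pass out  route-to ( igb4 1.2.3.33 ) from 1.2.3.34 to !1.2.3.32/29 tracker 1000004861 keep state allow-opts label "let out anything from firewall host itself"
pass out  route-to ( igb4 1.2.3.33 ) from 1.2.3.34 to !/ tracker 1000004899 keep state label "constructed broken rule"
EOF

# Constructed notice: the quoted rule has lost its network ("to !/").
NOTICE='There were error(s) loading the rules: /tmp/rules.debug:3: syntax error - The line in question reads [3]: pass out  route-to ( igb4 1.2.3.33 ) from 1.2.3.34 to !/ tracker 1000004861 keep state allow-opts label "let out anything from firewall host itself"'

# Line number N from ".../rules.debug:N: syntax error".
notice_line() { printf '%s\n' "$1" | sed -n 's/.*rules\.debug:\([0-9][0-9]*\):.*/\1/p'; }

# Rule text the notice quotes after "reads [N]: ".
notice_rule() { printf '%s\n' "$1" | sed -n 's/.*reads \[[0-9]*\]: //p'; }

# Tracker id of a rule; it is the same in rules.debug and in pfctl -vvsr,
# whereas rule numbers (@83) and file lines (152) differ.
tracker_of() { printf '%s\n' "$1" | sed -n 's/.*tracker \([0-9][0-9]*\).*/\1/p'; }

# 0 if the notice quotes line N of FILE verbatim, 1 if it was mangled.
notice_matches_file() {
    n=$(notice_line "$2")
    [ "$(notice_rule "$2")" = "$(sed -n "${n}p" "$1")" ]
}

# Find a rule by tracker id rather than by (unreliable) line number.
rule_by_tracker() { grep -n "tracker $2 " "$1"; }

# Line numbers whose from/to address is empty before the "/", as in "to !/".
empty_address_lines() { grep -nE '(from|to) +!?/' "$1" | cut -d: -f1; }

if notice_matches_file "$RULES" "$NOTICE"; then
    echo "notice quotes the file verbatim"
else
    echo "notice is mangled; the rule by tracker id is:"
    rule_by_tracker "$RULES" "$(tracker_of "$NOTICE")"
fi
echo "lines with an empty address: $(empty_address_lines "$RULES")"
```

Run against the real files, an empty result from empty_address_lines together with a mangled notice points at the notification text rather than the rule set, which is what this thread ended up finding.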
            Derelict LAYER 8 Netgate
            last edited by Mar 7, 2018, 7:37 AM

            If the packets aren't appearing in a packet capture it means the ISP isn't sending them to you.

            Thanks for the other answers.


              Derelict LAYER 8 Netgate
              last edited by Mar 7, 2018, 6:38 PM

              Bug submitted at https://redmine.pfsense.org/issues/8360

              There is a patch available at https://redmine.pfsense.org/attachments/download/2355/8360.diff

              If you want to test it you can install it using the System Patches package

              Install the System Patches package. It will be at System > Patches when you are done.
              Add a new patch
              Enter a description
              Enter https://redmine.pfsense.org/attachments/download/2355/8360.diff as the URL
              Set the path strip count to 2
              Set Base Directory to /
              Check Ignore Whitespace.
              Save

              That should retrieve the patch.

              Then Fetch it, then Test it. It should say it CAN be applied cleanly and CANNOT be reverted (those test results will flip after it is applied).
              Then you can apply it

              Please let us know if that clears it up and if you see any adverse effects.

              If you wish to have this run on boot, edit the patch and check Auto Apply and Save.

              You can simply revert the patch if it causes issues.



                sbreit
                last edited by Mar 10, 2018, 3:19 PM

                I just applied the patch in my 2.4.2-RELEASE-p1 and it seems to do the trick. I'll post here again if not.
                Thanks for providing the patch  :)

                  jrv
                  last edited by Mar 11, 2018, 6:04 AM

                  Agreed: it resolves the issue in my case and does not seem to cause any other issue or change.  Thanks.

                    Modesty
                    last edited by Apr 17, 2018, 6:55 AM

                    Good morning,

                    Can you help me explain how I install the patch?

                    In my pfSense (latest update) I don't have a patch entry under the System menu, so it must be something I don't get.

                    Thanks!

                    Everything can be rebuilt!

                      jrv
                      last edited by Apr 17, 2018, 8:01 AM

                      You need to install a package called "System Patches" to see the menu item.

                      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.