Policy changes drop active connections?



  • It seems that whenever changes are made to firewall rules, all active connections through the firewall get dropped? This isn’t a major problem for HTTP /HTTPS sessions, but does break all SSH ones.

    Is there any way of preventing this happening? (I don’t have the same issue on Cisco or Checkpoint firewalls.)


  • LAYER 8 Global Moderator

    Have never seen this.. You're going to have to provide more details.



  • pfSense 2.4.1-RELEASE.
    A few IPSEC VPN tunnels and one OpenVPN tunnel to remote sites.
    Changes to either the IPsec tunnels or the firewall rules (not been able to determine which, as the affected users can't give me exact timings) seem to cause active telnet and SSH connections from the OpenVPN tunnel to drop.

    Have also seen stalling on the web interface at the same time and even SSH sessions to the firewall be dropped.

    I'll try and experiment further when the system's not in use to see if I can replicate the problem.


  • LAYER 8 Global Moderator

    A reload of firewall rules does not kill states.. If one of your WANs is going down that could be killing states.

    I change firewall rules all the time via OpenVPN connection to pfSense, and shelled in, and never lose connectivity to anything on a firewall rule change.


  • Rebel Alliance Developer Netgate

    The usual case when this complaint pops up is:

    1. System > Advanced, Miscellaneous tab, State Killing on Gateway Failure is checked
    2. A gateway is flagged as down on the firewall at the time of the filter reload.

    So you can fix the down gateway (e.g. correct the issue or disable monitoring), or uncheck that box.
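    The two conditions above (the state-killing option enabled, and a gateway flagged down around the time of a filter reload) can be checked from the firewall's shell before touching the GUI. The script below is an added example written for this thread; it is not pfSense's own tooling. It assumes the 2.4-era checkbox is stored as a `<gw_down_kill_states>` element under `<system>` in `config.xml`, and it matches gateway-alarm and filter-reload log lines against approximate patterns (`Gateway alarm: ... Alarm:1`, `filter_configure`); both the key and the patterns should be confirmed against your own `config.xml` and `/var/log/system.log`. The sample files it creates are constructed for the demo.

```shell
#!/bin/sh
# Added example for the thread above, not pfSense code.
# Checks for the two conditions jimp describes: the "State Killing on Gateway
# Failure" option is set, and a gateway alarm lands shortly before a filter reload.

# ASSUMPTION: pfSense 2.4 stores the checkbox as <gw_down_kill_states> under
# <system> in config.xml. Returns 0 (true) when the element is present.
kill_states_enabled() {
    grep -q '<gw_down_kill_states' "$1"
}

# Count filter reloads that were preceded, within $2 seconds, by a gateway
# going into alarm. Log format assumed: standard syslog prefix where field 3 is
# HH:MM:SS, alarm lines contain "Gateway alarm: ... Alarm:1", reloads contain
# "filter_configure". Adjust the two regexes to match your system.log.
correlate_alarms() {
    awk -v win="$2" '
        function tosec(t, a) { split(t, a, ":"); return a[1]*3600 + a[2]*60 + a[3] }
        /Gateway alarm:.*Alarm:1/ { n++; alarm_t[n] = tosec($3) }
        /filter_configure/ {
            rt = tosec($3)
            for (i = 1; i <= n; i++)
                if (rt - alarm_t[i] >= 0 && rt - alarm_t[i] <= win) { hits++; break }
        }
        END { print hits + 0 }
    ' "$1"
}

# --- constructed sample data so the script runs offline --------------------
DEMO_DIR=$(mktemp -d)
DEMO_CFG_ON="$DEMO_DIR/config_on.xml"
DEMO_CFG_OFF="$DEMO_DIR/config_off.xml"
DEMO_LOG="$DEMO_DIR/system.log"

printf '<pfsense><system><gw_down_kill_states></gw_down_kill_states></system></pfsense>\n' > "$DEMO_CFG_ON"
printf '<pfsense><system></system></pfsense>\n' > "$DEMO_CFG_OFF"

# Constructed log: one alarm 8 s before a reload (should match), one reload with
# no preceding alarm, and one alarm-clear line that must not count.
cat > "$DEMO_LOG" <<'EOF'
Nov 14 10:15:02 pfsense rc.gateway_alarm[1234]: >>> Gateway alarm: WAN_DHCP (Addr:192.0.2.1 Alarm:1 RTT:0ms RTTsd:0ms Loss:100%)
Nov 14 10:15:10 pfsense php-fpm[300]: /rc.filter_configure_sync: Reloading filter
Nov 14 10:16:40 pfsense rc.gateway_alarm[1234]: >>> Gateway alarm: WAN_DHCP (Addr:192.0.2.1 Alarm:0 RTT:12ms RTTsd:2ms Loss:0%)
Nov 14 11:00:00 pfsense php-fpm[300]: /rc.filter_configure_sync: Reloading filter
EOF

# --- report -----------------------------------------------------------------
if kill_states_enabled "$DEMO_CFG_ON"; then
    echo "State Killing on Gateway Failure: ENABLED (states will be flushed on a down gateway)"
else
    echo "State Killing on Gateway Failure: disabled"
fi
echo "Filter reloads preceded by a gateway alarm within 30 s: $(correlate_alarms "$DEMO_LOG" 30)"
```

On a live box, point `kill_states_enabled` at `/conf/config.xml` and `correlate_alarms` at `/var/log/system.log`; a non-zero count alongside an enabled flag is exactly the combination that drops SSH sessions through the firewall.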



  • @jimp said in Policy changes drop active connections?:

    The usual case when this complaint pops up is:

    1. System > Advanced, Miscellaneous tab, State Killing on Gateway Failure is checked
    2. A gateway is flagged as down on the firewall at the time of the filter reload.

    So you can fix the down gateway (e.g. correct the issue or disable monitoring), or uncheck that box.

    Ah... That box was checked... I've unchecked it and tried a few policy tweaks .. so far so good.

    Thanks for the help.

