    default let out anything from firewall host itself rule breaks rules

    rfauske

      After an upgrade (I think) the firewall rules do not load any more. And it seems like the line is missing something after "from" and after "!".

      How can one find out what causes that line to be missing data? Or how can it be debugged in some way?

      No extra packages are installed but snort has been in the past.

      Setting up logging information
      Setting up SCRUB information
      There were error(s) loading the rules: /tmp/rules.debug:321: syntax error - The line in question reads [321]: pass out route-to ( em0 62.50.xx.xx ) from to !/ tracker 1000044762 keep state allow-opts label "let out anything from firewall host itself"


    Derelict (LAYER 8, Netgate)
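The error above is pf rejecting a rule whose source and destination operands are empty: the generated line reads `from to !/` where it should read `from <address> to !<address>/<prefix>`. The closest thing to a syntax check without loading the ruleset is `pfctl -nf /tmp/rules.debug` (`-n` parses without loading). As an added example that is not part of this thread or of pfSense, the following linter reads a `rules.debug`-style file and reports rules whose `from`/`to` operands are missing an address, using the same 1-based line numbers pf prints, so the offending generated line can be found before pf is asked to load it. The sample ruleset, its addresses and tracker ids are constructed placeholders.

```python
"""Lint a pfSense-style /tmp/rules.debug for pf rules with empty operands.

Added example, not code from the forum thread or from pfSense. It only
catches the 'from'/'to' operand missing an address (the shape seen in the
thread); `pfctl -nf <file>` remains the authoritative parse check.
"""
import re

# Keywords that may legally follow a complete 'from X' or 'to Y' operand.
# If 'from'/'to' is directly followed by one of these (or by end of line),
# no address was emitted. 'port' is deliberately absent: 'to port 22' and
# 'from port 80' are valid pf shorthands.
_OPERAND_FOLLOWERS = {
    "to", "flags", "keep", "modulate", "synproxy", "label", "tracker",
    "allow-opts", "tag", "tagged", "queue", "rtable", "probability", "user",
    "group", "icmp-type", "icmp6-type", "no", "fragment", "tos", "set",
    "received-on", "divert-to", "ridentifier",
}


def _tokenize(rule: str) -> list[str]:
    # Split on whitespace but keep a quoted label as a single token, so the
    # word 'from' inside label "let out anything from firewall host itself"
    # is never mistaken for an operand keyword.
    return re.findall(r'"[^"]*"|\S+', rule)


def check_rule(rule: str) -> list[str]:
    """Return the problems found in one pf rule (empty list if it looks complete)."""
    problems = []
    tokens = _tokenize(rule)
    for i, tok in enumerate(tokens):
        if tok not in ("from", "to"):
            continue
        nxt = tokens[i + 1] if i + 1 < len(tokens) else None
        if nxt is None or nxt in _OPERAND_FOLLOWERS:
            problems.append(f"'{tok}' has no address")
            continue
        # A negated operand ('!x') must carry an address, table or list.
        # '!/' is the thread's shape: address dropped, prefix slash kept.
        if nxt.startswith("!"):
            addr = nxt[1:]
            if addr == "" or addr.startswith("/"):
                problems.append(f"'{tok} {nxt}' negates an empty address")
    return problems


def lint_ruleset(text: str) -> list[tuple[int, str, list[str]]]:
    """Lint every filter rule; returns (line_no, rule, problems) for bad lines."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        rule = line.strip()
        if not rule or rule.startswith("#"):
            continue
        # Only filter rules carry from/to operands; skip scrub, tables, macros.
        if not re.match(r"^(pass|block|match)\b", rule):
            continue
        problems = check_rule(rule)
        if problems:
            findings.append((line_no, rule, problems))
    return findings


def format_report(findings: list[tuple[int, str, list[str]]]) -> str:
    """Render findings in the shape of pf's own 'The line in question reads' error."""
    return "\n".join(
        f"rules.debug:{line_no}: {'; '.join(problems)} - "
        f"The line in question reads [{line_no}]: {rule}"
        for line_no, rule, problems in findings
    )


# Constructed sample modelled on the thread's excerpt (addresses and tracker
# ids are placeholders, not values from any real firewall). Line 5 is the
# broken generated rule; line 4 shows what it should have looked like.
SAMPLE_RULES = """\
# Auto-generated rules (constructed sample)
scrub on em0 all fragment reassemble
pass in quick on lo0 inet all tracker 1000000001 label "pass IPv4 loopback"
pass out route-to ( em0 203.0.113.1 ) from 203.0.113.1 to !203.0.113.0/24 tracker 1000044761 keep state allow-opts label "let out anything from firewall host itself"
pass out route-to ( em0 203.0.113.1 ) from to !/ tracker 1000044762 keep state allow-opts label "let out anything from firewall host itself"
pass in on em1 proto tcp from 10.0.0.0/24 to port 22 tracker 1000044763 keep state label "ssh"
"""

if __name__ == "__main__":
    report = format_report(lint_ruleset(SAMPLE_RULES))
    print(report or "no incomplete rules found")
```

Run against a real file with `lint_ruleset(open("/tmp/rules.debug").read())`; a hit on an auto-generated line (one carrying a `tracker` id) points at the rule generator rather than at a user rule, which is what this thread turned out to be.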

        There are system patches available for this issue. It will be fixed in 2.4.4.
        The patch commit IDs are:
        63b2c4c878655746f903565dec3f34b3d410153f
        c9159949e06cc91f6931bf2326672df7cad706f4
        If you want to test them, you can install them using the System Patches package.

        Install the System Patches package in System > Package Manager, Available Packages. It will be at System > Patches when you are done.
        Add a new patch
        Enter a description
        Enter 63b2c4c878655746f903565dec3f34b3d410153f as the Commit ID
        Set the path strip count to 1
        Set Base Directory to /
        Check Ignore Whitespace.
        Save

        That should retrieve the patch.

        Then Fetch it then test it. It should say it CAN be applied cleanly and CANNOT be reverted (those test results will flip after it is applied).
        Then you can apply it.
        Repeat for the other patch(es).

        You can simply revert the patches if they cause issues.

        Chattanooga, Tennessee, USA
        A comprehensive network diagram is worth 10,000 words and 15 conference calls.
        DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
        Do Not Chat For Help! NO_WAN_EGRESS(TM)


        rfauske

          That's great. Now I got my changes to the ruleset to work :)


          Derelict (LAYER 8, Netgate)

            🎉
