Netgate Discussion Forum

    Syntax error in /tmp/rules.debug = NO POLICY

    Firewalling
    4 Posts 2 Posters 625 Views
    • awebster

      Strange thing occurred on a pfSense instance (2.4.3-p1). Something appears to have gotten corrupted in the configuration, and I'm getting an error in the system log, but more worrisome is that this failure mode brings up pfSense without any policy whatsoever, leaving the web/ssh interface exposed on the WAN interface to the internet for all the miscreants to try whatever they want on the box.

      Nov  9 16:41:20 mtlvpn1-master php-cgi: rc.bootup: New alert found: There were error(s) loading the rules: /tmp/rules.debug:152: syntax error - The line in question reads [152]: pass out  route-to ( em0 x.x.x.254 ) from  to !/ tracker 1000110343 keep state allow-opts label "let out anything from firewall host itself"
      

      The section of /tmp/rules.debug appears to relate to the host itself; specifically, there is a pair of from/to IP addresses missing. The 3rd pass-out line is the issue:

      pass out  route-to ( em0 x.x.x.254 ) from x.x.x.37 to !x.x.x.0/24 tracker 1000110341 keep state allow-opts label "let out anything from firewall host itself"
      pass out  route-to ( em0 x.x.x254 ) from x.x.x.137 to !x.x.x.0/24 tracker 1000110342 keep state allow-opts label "let out anything from firewall host itself"
      pass out  route-to ( em0 x.x.x.254 ) from  to !/ tracker 1000110343 keep state allow-opts label "let out anything from firewall host itself"
      

      I've tried backing up/reloading the config, but the issue persists. If anyone has a clue what part of the config is busted, to get this fixed, I'd really appreciate it.

      –A.

      • awebster

        Some digging later, it is somehow related to the CARP configuration.
        em0 = WAN i/f

        In /etc/inc/filter.inc, in the filter_rules_generate function, $FilterIflist is cooked up and contains the following information at the point that the code produces the erroneous output. Notice that the vips array element 1 is missing information, which seems to be the source of the problem that gets spit into the config file at line 3624 of filter.inc.

        I am going to update to 2.4.4 to see if that fixes the issue, but failing which, any ideas where this is coming from?

        # [FilterIflist] => Array
        (
            [if] => em0
            [ifv6] => em0
            [ip] => x.x.x.37
            [ipv6] => xxxx:xxxx:1100::25
            [sn] => 24
            [snv6] => 64
            [mtu] => 1500
            [mss] =>
            [descr] => WAN
            [sa] => x.x.x.0
            [sav6] => xxxx:xxxx:1100::
            [nonat] =>
            [alias-address] =>
            [alias-subnet] => 32
            [gateway] => WANGW
            [gatewayv6] => WANGWv6
            [spoofcheck] => yes
            [bridge] =>
            [vips] => Array
                (
                    [0] => Array
                        (
                            [mode] => carp
                            [ip] => x.x.x.137
                            [sn] => 24
                        )
        
                    [1] => Array
                        (
                            [mode] => carp
                        )
        
                )
        
            [vips6] => Array
                (
                    [1] => Array
                        (
                            [mode] => carp
                            [ip] => xxxx:xxxx:1100::89
                            [sn] => 64
                        )
        
                )
        
        )
        

        –A.

        • Grimson
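        The two posts above give the failure signature (a pass out rule in /tmp/rules.debug whose from/to operands are empty, which pf rejects at load) and its cause (a CARP vip entry with no ip or sn). What follows is an added example, not pfSense code and not the poster's: a POSIX sh pre-flight check that scans a generated ruleset for rules with empty operands before the file is handed to pf and, when pfctl is present, asks pf to parse the file without loading it (pfctl -n -f). The sample lines are constructed from the thread's redacted rules; the function names, file paths and the regexes are assumptions of this example.

```shell
#!/bin/sh
# Added example (not pfSense code): pre-flight lint for a generated pf ruleset.

# lint_pf_rules FILE
# Prints every pass/block/match rule whose source or destination operand is empty
# (the thread's signature: "from  to !/") and returns 1 if any such line is found,
# 0 otherwise. Operates on text only, so it works on a box where pf is not loaded.
lint_pf_rules() {
    awk '
        /^[[:space:]]*(pass|block|match)[[:space:]]/ {
            bad = 0
            # "from" followed directly by "to": no source address was emitted
            if ($0 ~ /[[:space:]]from[[:space:]]+to[[:space:]]/)       bad = 1
            # "to /" or "to !/": a prefix length with no destination address
            if ($0 ~ /[[:space:]]to[[:space:]]+!?\/([[:space:]]|$)/)   bad = 1
            if (bad) { printf("line %d: %s\n", NR, $0); n++ }
        }
        END { exit (n > 0) ? 1 : 0 }
    ' "$1"
}

# check_ruleset FILE
# Lint first; then, if pfctl exists on this host, have pf parse the file without
# loading it (-n). Either failure returns 1 so a caller can refuse to apply it.
check_ruleset() {
    lint_pf_rules "$1" || return 1
    if command -v pfctl >/dev/null 2>&1; then
        pfctl -n -f "$1" || return 1
    fi
    return 0
}

# Constructed sample input modelled on the thread's three pass-out lines
# (the addresses are the same redacted placeholders as in the post).
SAMPLE_BAD="${TMPDIR:-/tmp}/rules.debug.sample"
cat > "$SAMPLE_BAD" <<'EOF'
pass out  route-to ( em0 x.x.x.254 ) from x.x.x.37 to !x.x.x.0/24 tracker 1000110341 keep state allow-opts label "let out anything from firewall host itself"
pass out  route-to ( em0 x.x.x.254 ) from x.x.x.137 to !x.x.x.0/24 tracker 1000110342 keep state allow-opts label "let out anything from firewall host itself"
pass out  route-to ( em0 x.x.x.254 ) from  to !/ tracker 1000110343 keep state allow-opts label "let out anything from firewall host itself"
EOF

# The first two lines alone form a well-formed ruleset for comparison.
SAMPLE_GOOD="${TMPDIR:-/tmp}/rules.debug.sample.good"
head -n 2 "$SAMPLE_BAD" > "$SAMPLE_GOOD"

if lint_pf_rules "$SAMPLE_BAD"; then
    echo "unexpected: no malformed rules found"
else
    echo "malformed rule(s) detected; refusing to apply ruleset"
fi
```

        On a real firewall, point check_ruleset at /tmp/rules.debug; pfctl -n -f only parses, so it is safe to run on a live box. After any boot where the log shows "There were error(s) loading the rules", pfctl -sr lists what pf actually has loaded, which is the quickest way to confirm whether the policy the first post describes as missing is in fact absent.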

          Fixed in 2.4.4 https://www.netgate.com/docs/pfsense/releases/2-4-4-new-features-and-changes.html#firewall-rules-nat-shaping update your installation.

          • awebster @Grimson

            @grimson Thanks, upgrading to 2.4.4 did indeed fix the issue.
            Strange as I have several other instances on 2.4.3-p1 with CARP working perfectly fine.
            Upgrade the lot it is.

            –A.

            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.