Syntax error in /tmp/rules.debug = NO POLICY
Strange thing occurred on pfSense instance (2.4.3-p1). Something appears to have gotten corrupted in the configuration, and I'm getting an error in the system log, but more worrisome is that this failure mode brings up pfSense without any policy whatsoever, leaving the web/ssh interface exposed on the WAN interface to the internet for all the miscreants to try whatever they want on the box.
Nov 9 16:41:20 mtlvpn1-master php-cgi: rc.bootup: New alert found: There were error(s) loading the rules: /tmp/rules.debug:152: syntax error - The line in question reads : pass out route-to ( em0 x.x.x.254 ) from to !/ tracker 1000110343 keep state allow-opts label "let out anything from firewall host itself"
The section of /tmp/rules.debug appears to relate to the host itself; specifically, a pair of from/to IP addresses are missing. The 3rd pass-out line is the issue:

pass out route-to ( em0 x.x.x.254 ) from x.x.x.37 to !x.x.x.0/24 tracker 1000110341 keep state allow-opts label "let out anything from firewall host itself"
pass out route-to ( em0 x.x.x254 ) from x.x.x.137 to !x.x.x.0/24 tracker 1000110342 keep state allow-opts label "let out anything from firewall host itself"
pass out route-to ( em0 x.x.x.254 ) from to !/ tracker 1000110343 keep state allow-opts label "let out anything from firewall host itself"
I've tried backing up/reloading the config, but issue persists. If anyone has a clue what part of the config is busted to get this fixed I'd really appreciate it.
Some digging later, it is somehow related to the CARP configuration.
em0 = WAN i/f
In /etc/inc/filter.inc, in the filter_rules_generate function, $FilterIflist is cooked up and contains the following information at the point that the code produces the erroneous output. Notice that the vips array element 1 is missing information, which seems to be the source of the problem that gets spit into the config file at line 3624 of filter.inc.
I am going to update to 2.4.4 to see if that fixes the issue, but failing which, any ideas where this is coming from?
[FilterIflist] => Array ( [if] => em0 [ifv6] => em0 [ip] => x.x.x.37 [ipv6] => xxxx:xxxx:1100::25 [sn] => 24 [snv6] => 64 [mtu] => 1500 [mss] => [descr] => WAN [sa] => x.x.x.0 [sav6] => xxxx:xxxx:1100:: [nonat] => [alias-address] => [alias-subnet] => 32 [gateway] => WANGW [gatewayv6] => WANGWv6 [spoofcheck] => yes [bridge] => [vips] => Array (  => Array ( [mode] => carp [ip] => x.x.x.137 [sn] => 24 )  => Array ( [mode] => carp ) ) [vips6] => Array (  => Array ( [mode] => carp [ip] => xxxx:xxxx:1100::89 [sn] => 64 ) ) )
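The dangerous part of this failure mode is that a single malformed line makes the whole ruleset fail to load, and the box comes up with no policy. As an added example (this is not code from the thread or from pfSense's filter.inc), the Python below does two defensive things: it scans a generated pf ruleset for pass/block/match rules whose source or destination operand is empty or reduced to a bare "!/" (exactly the shape of the third line above), and it scans syslog text for the "There were error(s) loading the rules" alert so a monitoring job can page on it. The sample rules and log line are constructed from the redacted text in the post; the keyword list is an assumption covering the rule options pfSense commonly emits.

```python
import re

# Constructed sample: the three pass-out lines quoted in the post (addresses redacted as there).
SAMPLE_RULES = """\
pass out route-to ( em0 x.x.x.254 ) from x.x.x.37 to !x.x.x.0/24 tracker 1000110341 keep state allow-opts label "let out anything from firewall host itself"
pass out route-to ( em0 x.x.x.254 ) from x.x.x.137 to !x.x.x.0/24 tracker 1000110342 keep state allow-opts label "let out anything from firewall host itself"
pass out route-to ( em0 x.x.x.254 ) from to !/ tracker 1000110343 keep state allow-opts label "let out anything from firewall host itself"
"""

# Constructed sample syslog line in the same shape as the alert in the post.
SAMPLE_SYSLOG = (
    "Nov 9 16:41:20 mtlvpn1-master php-cgi: rc.bootup: New alert found: "
    "There were error(s) loading the rules: /tmp/rules.debug:152: syntax error - "
    "The line in question reads : pass out route-to ( em0 x.x.x.254 ) from to !/ tracker 1000110343 keep state\n"
    "Nov 9 16:41:21 mtlvpn1-master php-cgi: rc.bootup: Starting CRON... done.\n"
)

# Tokens that end an address operand (assumed subset of pf.conf rule options).
KEYWORDS = {"from", "to", "port", "tracker", "keep", "modulate", "synproxy", "flags",
            "label", "allow-opts", "queue", "tag", "tagged", "user", "group", "os", "icmp-type"}
LABEL_RE = re.compile(r'\blabel\s+"[^"]*"')
RULE_LOAD_ERROR = re.compile(
    r"There were error\(s\) loading the rules: (?P<file>\S+?):(?P<lineno>\d+): (?P<msg>.*)")


def address_problem(tok):
    """Return a reason if an address token is malformed, else None."""
    body = tok.lstrip("!")          # negation prefix is legal, so inspect what follows it
    if not body:
        return "empty address"
    host, sep, prefix = body.partition("/")
    if sep and (not host or not prefix):
        return "empty host or prefix length"
    return None


def _operand(toks, start):
    """Collect tokens after a from/to keyword up to the next option keyword."""
    out = []
    for t in toks[start:]:
        if t in KEYWORDS:
            break
        out.append(t)
    return out


def check_rule(line):
    """Return a list of problems with one pf rule line (empty list = looks sane)."""
    toks = LABEL_RE.sub("", line).split()   # drop the label text so its words are not parsed
    if not toks or toks[0] not in ("pass", "block", "match"):
        return []
    problems = []
    for kw, name in (("from", "source"), ("to", "destination")):
        if kw not in toks:
            continue
        operand = _operand(toks, toks.index(kw) + 1)
        if not operand:
            problems.append(f"missing {name} address")
            continue
        for tok in operand:
            why = address_problem(tok)
            if why:
                problems.append(f"bad {name} address {tok!r}: {why}")
    return problems


def check_ruleset(text):
    """Map 1-based line numbers to their problems; only lines with problems are included."""
    report = {}
    for n, line in enumerate(text.splitlines(), start=1):
        problems = check_rule(line)
        if problems:
            report[n] = problems
    return report


def find_rule_load_errors(syslog_text):
    """Return (file, lineno, message) for every rule-load alert found in syslog text."""
    hits = []
    for line in syslog_text.splitlines():
        m = RULE_LOAD_ERROR.search(line)
        if m:
            hits.append((m.group("file"), int(m.group("lineno")), m.group("msg")))
    return hits


if __name__ == "__main__":
    for n, probs in check_ruleset(SAMPLE_RULES).items():
        print(f"rules line {n}: " + "; ".join(probs))
    for f, n, msg in find_rule_load_errors(SAMPLE_SYSLOG):
        print(f"ALERT: {f}:{n}: {msg}")
```

On the box itself the authoritative syntax check is pf's own parser (`pfctl -n -f /tmp/rules.debug` parses without loading); the script above is useful where you want to catch this shape of corruption from a backup of the generated file or from shipped logs, and alert before a reboot leaves a CARP node up without any policy.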
Grimson:
Fixed in 2.4.4 https://www.netgate.com/docs/pfsense/releases/2-4-4-new-features-and-changes.html#firewall-rules-nat-shaping update your installation.
@grimson Thanks, upgrading to 2.4.4 did indeed fix the issue.
Strange as I have several other instances on 2.4.3-p1 with CARP working perfectly fine.
Upgrade the lot it is.