    Deleting interface does not delete firewall rules

    2.5 Development Snapshots (Retired)
strangegopher (original post, last edited by strangegopher):

I deleted a VLAN interface and the firewall rules associated with the interface did not get deleted. I know this because I couldn't delete a port and IP alias only used on a rule on the deleted interface. Also, I saw the rules still show up in config.xml. I manually deleted those rules from config.xml and rebooted, and it now seems to let me delete the aliases. Note: I did try a reboot before editing config.xml to see if it would allow me to delete the aliases, but no luck.

Another error that popped up in the logs was: pfr_update_stats: assertion failed, spammed about twice an hour. Not sure if it's related. Google says it's an issue with pfb-devel, but I removed that package before deleting the interface and had no issues before deleting the interface. I reinstalled the package and set up bare-minimum blocking (EasyList) for DNSBL and no IP blocking, and turned on suppression, but the error still shows up. Not sure what the issue is; I have downloaded and restored the config to see if that fixes the issue. Will report back. Edit: it didn't fix it. I'll check config.xml again to see if I missed any rules.

Edit 2: I just remembered, the rules were on an interface group (sorry, I deleted both the VLAN and the interface group and forgot).

Edit 3: just did a full reinstall, hoping this will fix the error.

Another edit: reinstalled with no pfBlockerNG and still seeing pfr_update_stats: assertion failed. The code is not very clear either: https://github.com/pfsense/FreeBSD-src/blob/a595f803281ea3b25079c9d04a3f5b9a3f0b8a52/sys/netpfil/pf/pf_table.c#L1988

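The symptom in the original post (rules for a deleted VLAN and interface group lingering in config.xml and pinning the aliases they reference, which jimp later confirms is how pfSense has always behaved) can be checked for before hand-editing config.xml. The script below is an added example, not code from this thread or from the pfSense project. It assumes the usual config.xml layout: one child element per interface under `<interfaces>`, interface groups under `<ifgroups>/<ifgroupentry>/<ifname>`, filter rules under `<filter>/<rule>` with a possibly comma-separated `<interface>`, and aliases under `<aliases>/<alias>/<name>`; the `PSEUDO_INTERFACES` set and the sample config are constructed for the example.

```python
"""Find pfSense filter rules that reference interfaces or interface groups
which no longer exist, and the aliases that only those orphaned rules use.

Added example (not from the forum thread or from pfSense). Assumes the
config.xml layout described in the lead-in; SAMPLE_CONFIG is constructed.
"""
import xml.etree.ElementTree as ET

# Rule targets that are valid without an entry under <interfaces>.
# Assumption: deliberately short; extend it for your own install.
PSEUDO_INTERFACES = {"any", "lo0", "enc0", "openvpn", "ipsec", "pppoe", "l2tp"}

# Constructed sample: opt1 (a VLAN) and the group "IoT" have been deleted,
# but two rules still reference them, as in the original post.
SAMPLE_CONFIG = """<?xml version="1.0"?>
<pfsense>
  <interfaces>
    <wan><if>em0</if><descr>WAN</descr></wan>
    <lan><if>em1</if><descr>LAN</descr></lan>
  </interfaces>
  <ifgroups>
    <ifgroupentry><ifname>Servers</ifname><members>lan</members></ifgroupentry>
  </ifgroups>
  <aliases>
    <alias><name>plex_host</name><type>host</type><address>192.0.2.10</address></alias>
    <alias><name>plex_ports</name><type>port</type><address>32400</address></alias>
    <alias><name>mgmt_hosts</name><type>host</type><address>192.0.2.20</address></alias>
  </aliases>
  <filter>
    <rule><interface>lan</interface><descr>LAN allow</descr>
      <source><any/></source><destination><address>mgmt_hosts</address></destination></rule>
    <rule><interface>opt1</interface><descr>old VLAN rule</descr>
      <source><address>plex_host</address></source><destination><port>plex_ports</port></destination></rule>
    <rule><interface>IoT</interface><descr>old group rule</descr>
      <source><any/></source><destination><any/></destination></rule>
  </filter>
</pfsense>
"""


def load_config(text):
    """Parse a config.xml document and return its root element."""
    return ET.fromstring(text)


def defined_interfaces(root):
    """Names a rule may legitimately target: interfaces, groups, pseudo-interfaces."""
    names = set(PSEUDO_INTERFACES)
    ifaces = root.find("interfaces")
    if ifaces is not None:
        names |= {child.tag for child in ifaces}
    groups = root.find("ifgroups")
    if groups is not None:
        names |= {g.findtext("ifname") for g in groups.findall("ifgroupentry") if g.findtext("ifname")}
    return names


def rule_interfaces(rule):
    """A rule's <interface> may list several names separated by commas."""
    return [i.strip() for i in (rule.findtext("interface") or "").split(",") if i.strip()]


def filter_rules(root):
    filt = root.find("filter")
    return filt.findall("rule") if filt is not None else []


def orphaned_rules(root):
    """Return (index, description, [missing interfaces]) for every orphaned rule."""
    known = defined_interfaces(root)
    found = []
    for idx, rule in enumerate(filter_rules(root)):
        missing = [i for i in rule_interfaces(rule) if i not in known]
        if missing:
            found.append((idx, rule.findtext("descr") or "", missing))
    return found


def alias_refs(rule):
    """Alias names used in a rule's source/destination address or port fields."""
    refs = set()
    for endpoint in ("source", "destination"):
        node = rule.find(endpoint)
        if node is None:
            continue
        refs |= {node.findtext(f) for f in ("address", "port") if node.findtext(f)}
    return refs


def aliases_held_only_by_orphans(root):
    """Aliases the GUI will refuse to delete solely because an orphaned rule uses them."""
    alias_names = {a.findtext("name") for a in root.findall("aliases/alias")}
    orphan_idx = {idx for idx, _, _ in orphaned_rules(root)}
    live, orphan = set(), set()
    for idx, rule in enumerate(filter_rules(root)):
        (orphan if idx in orphan_idx else live).update(alias_refs(rule))
    return sorted((orphan - live) & alias_names)


def strip_orphaned_rules(root):
    """Remove orphaned rules in place (what the poster did by hand); return the count."""
    filt = root.find("filter")
    doomed = [filter_rules(root)[idx] for idx, _, _ in orphaned_rules(root)]
    for rule in doomed:
        filt.remove(rule)
    return len(doomed)


if __name__ == "__main__":
    cfg = load_config(SAMPLE_CONFIG)
    for idx, descr, missing in orphaned_rules(cfg):
        print(f"rule #{idx} ({descr!r}) references missing interface(s): {missing}")
    print("aliases only used by orphaned rules:", aliases_held_only_by_orphans(cfg))
    print("removed", strip_orphaned_rules(cfg), "rule(s)")
```

Run it against a backup taken from Diagnostics > Backup & Restore rather than the live file. If you do edit /conf/config.xml on the box itself, remove /tmp/config.cache before rebooting, as the Netgate docs describe for manual config.xml edits, or pfSense will keep using its cached copy and the aliases will still appear in use.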
strangegopher (last edited by strangegopher):

Viewing the rules in the console doesn't show any invalid rules. Ref: https://docs.netgate.com/pfsense/en/latest/firewall/viewing-the-full-pf-ruleset.html

Edit: it could be another bug: https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=234874

strangegopher (last edited by strangegopher):

This seems like the fix (mute the message): https://svnweb.freebsd.org/base/stable/12/sys/netpfil/pf/pf_table.c?r1=343289&r2=343288&pathrev=343289

strangegopher:

[screenshot attached]

            bump

jimp (Rebel Alliance Developer, Netgate):

              That error has nothing to do with deleting an interface or rules. Probably just a coincidence.

We could add that patch, though; open a request on https://redmine.pfsense.org/ and reference that error message, the FreeBSD bug report, and the diff. Do not mention deleting the interface/rules, though, because that isn't related.

              As for deleted interface rules, that's how it's always worked. I think there is already an open issue to change things there.

strangegopher (replying to jimp):

@jimp done: https://redmine.pfsense.org/issues/9459

strangegopher:

Completely rebuilt pfSense in VirtualBox, then deployed it on the bare-metal box. I don't see the issue anymore. Will update if it continues.

strangegopher (last edited by strangegopher):

Never mind, the issue is back. I don't know; I tried everything to fix it.

strangegopher (last edited by strangegopher):

Alright, so I played around with more settings.
I disabled NAT reflection and the port forward to the Plex Manjaro box. No warnings in the last hour. I still have another port forward to Deluge with no issues. Clearly some odd NAT reflection issue.

[screenshot attached]

strangegopher:

No warnings for 2 hours. NAT reflection is clearly the reason for this warning. Possible bug.

strangegopher:

No warning for the past day.

strangegopher:

So I was able to find another way to keep NAT reflection turned on and stop the spam. I changed one of the port forward rules from TCP/UDP to separate TCP and UDP rules. It fixed the issue. The TCP/UDP port forward rule might be broken.

                            © 2021 Rubicon Communications, LLC | Privacy Policy