Changing pysical interface definition - And firewall rules
-
I found a mistake in my interface config today.
I have just put a VLAN interface with some rules applied in production , and was wondering why it didn't work (dhcp).After a bit of debugging i saw that ny interface was set to IGB1 , instead of VLAN-xxx on IGB1.
No worries i thought , i'll just switch to the correct vlan on the interface definition.Well it worked ... kinda'.
The client got the correct dhcp addr , and i was told that "Internet" worked (could go to google).
But i saw a lot of deny's on the interface, on packets i had permitted in the interface rules (when it was assigned to the old - wrong interface).
My suspicion is that even though i switched the interface from IGB1 to VLAN-xxx on IGB1 (think it was opt7) , the rules might still have been applied to IGB1. Could that be correct ?
What i have done now , is that i have edited every rule on the "New interface" , changing nothing , just pressing save. In the hope that it would update the interface to the newly selected.
I see no blocks of packets permitted anymore, all seems good.
But is this "edit/save" the way to do this , or should i delete all rules and recreate them ?
I'm primarily thinking if something is messed up , by me switching interface (number) on the fly, and just "touching" the rules
Any reassurance or tips are welcome.
/Bingo
-
You shouldn't have to do that. The firewall rules in the config are created against 'opt7'. You can change what opt7 is assigned as and the rules will follow it.
It's a big change, you might find some things that are not updated or at least not immediately. You will probably have states open on the old assignment for example.
Resaving things on that interface will regenerate any config and correct anything still using the old interface assignment as you found.If you rebooted it should all come up correctly, that's not always possible of course.
Steve
-
Thanx Steve.
For the reassurance.And yes .. A reboot would not have been optimal.
/Bingo
