pfsense / pfctl bug? clicking X does not kill states.
-
Working with opnsense... Google led me to this post. Thank you @luckman212 for posting your success. I really appreciate it when people do that and I try to do it myself.
My topic on opnsense is here: https://forum.opnsense.org/index.php?topic=20901.0
I have the same issue - on opnsense. I suspect the same issue exists on both systems.
I've been wondering though about labeling rules or other more organized ways of flushing certain states.
-
Thanks @chemlud - in our case we can't rely on killing all states. Consider today... certain traffic from certain clients needs to be flushed to enable reconnection (switching to an alternate proxy on our side). Relying on killall for this means we'd have to work outside their hours / be unable to manage this. So it's pretty critical for us to fix. That said, I think pfctl WORKS - the call from opnsense / pfsense to pfctl seems to be the issue.
Will continue to update my notes on both forums if I can, but I think this man page is relevant.
https://www.freebsd.org/cgi/man.cgi?query=pfctl&sektion=8
To kill a state with ID 4823e84500000018 created from a backup firewall with hostid 00000002 use:
# pfctl -k id -k 4823e84500000018/2
In the case of opnsense the creator id always seems to be set, and changes as states are updated / replaced.
One other interesting option would be if we were able to kill states by label. To do that, we need to "label" the rule. Is that possible? Then we could kill states in the form:
It is also possible to kill states by rule label or state ID. In this mode the first -k argument is used to specify the type of the second argument. The following command would kill all states that have been created from rules carrying the label "foobar":
# pfctl -k label -k foobar
Any ideas / knowledge appreciated. Even if the bug can't be fixed, that would help us (and others) work around the issue. Thanks everyone!
Mitch
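An added helper (not from this thread or from the pfSense/OPNsense projects) that follows the man page excerpt above: it parses `pfctl -s state -vv` output, picks the states belonging to one internal client, and emits kill commands that carry the creatorid, i.e. `pfctl -k id -k <id>/<creatorid>`, so the kill does not depend on the bare id matching. The state dump below is constructed sample data in the same layout as the session posted later in the thread, with documentation addresses instead of real ones.

```shell
#!/bin/sh
# Print "pfctl -k id -k <id>/<creatorid>" for every state whose source
# (raw or NAT'd, the address in parentheses) is the given client address.
# Dry run by default; pipe the output into sh to actually kill the states:
#   pfctl -s state -vv | kill_cmds_for_host 192.168.10.22 | sh
kill_cmds_for_host() {
    awk -v host="$1" '
        # State header line: <if> <proto> <src> [(<nat-src>)] -> <dst> <state>
        $4 == "->" || $5 == "->" {
            match_state = 0
            for (i = 3; i <= 4; i++) {
                addr = $i
                gsub(/[()]/, "", addr)        # strip NAT parentheses
                sub(/:[0-9]+$/, "", addr)     # strip the port
                if (addr == host) match_state = 1
            }
            next
        }
        # Detail line of a matching state: "id: <hex> creatorid: <hex>"
        match_state && $1 == "id:" {
            id = $2; creator = ""
            for (i = 3; i <= NF; i++) if ($i == "creatorid:") creator = $(i + 1)
            if (creator != "") print "pfctl -k id -k " id "/" creator
            else               print "pfctl -k id -k " id
            match_state = 0
        }
    '
}

# Constructed sample of `pfctl -s state -vv` output (not a real capture).
SAMPLE_STATES='pppoe0 tcp 203.0.113.10:18728 (192.168.10.22:52626) -> 198.51.100.7:443       ESTABLISHED:ESTABLISHED
   [3007704979 + 30336] wscale 8  [362943345 + 131328] wscale 7
   age 00:00:19, expires in 119:59:41, 4:4 pkts, 742:328 bytes, rule 115
   id: 000000006217f3bf creatorid: 3d277c5d
pppoe0 udp 192.168.10.50:5353 -> 198.51.100.9:53       MULTIPLE:MULTIPLE
   age 00:00:02, expires in 00:00:58, 2:2 pkts, 120:240 bytes, rule 115
   id: 000000006217f3c0 creatorid: 3d277c5d
pppoe0 tcp 203.0.113.10:18729 (192.168.10.22:52627) -> 198.51.100.7:443       ESTABLISHED:ESTABLISHED
   [1 + 2] wscale 8  [3 + 4] wscale 7
   age 00:00:10, expires in 119:59:50, 4:4 pkts, 742:328 bytes, rule 115
   id: 000000006217f3c1 creatorid: 3d277c5d'

# Dry run against the sample: lists the two states of 192.168.10.22.
printf '%s\n' "$SAMPLE_STATES" | kill_cmds_for_host 192.168.10.22
```

Killing by label (the other option discussed above) needs the rule itself to carry a label, so this script only covers the per-state id/creatorid form.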
-
pppoe0 tcp 217.xxx.xxx.xxx:18728 (192.168.10.22:52626) -> 81.171.2.181:443       ESTABLISHED:ESTABLISHED
   [3007704979 + 30336] wscale 8  [362943345 + 131328] wscale 7
   age 00:00:19, expires in 119:59:41, 4:4 pkts, 742:328 bytes, rule 115
   id: 000000006217f3bf creatorid: 3d277c5d
[2.5.0-DEVELOPMENT][root@pfSense.kiokoman.home]/root: pfctl -k id -k 000000006217f3bf
killed 1 states
[2.5.0-DEVELOPMENT][root@pfSense.kiokoman.home]/root: pfctl -s state -vv | grep 000000006217f3bf
[2.5.0-DEVELOPMENT][root@pfSense.kiokoman.home]/root:
?
-
@kiokoman hey - it DOES seem like it works sometimes.
Just like clicking the X works sometimes. Not sure why as no error is shown.
I've done the same thing and seen "killed 0 states", then added the creator and seen "killed 1 states".
Maybe there is another cause?
-
@bb-mitch
idk, I'm not using it every day but those few times that I used it I never really noticed the problem