Netgate Discussion Forum

Getting errors loading rules after using easyrule

Firewalling
4 Posts 3 Posters 490 Views
  • H
    hoopy
    last edited by hoopy Feb 6, 2021, 9:58 AM Feb 6, 2021, 9:43 AM

    Hi,

    I recently tried to use easyrule to add a firewall rule to my SG1100 from the command line.

    Easyrule itself didn't report an error, but since then I am getting rule expands to no valid combination errors, and the rule that's causing the problems is not visible in the GUI, so I can't delete it.

    Specifically:

    There were error(s) loading the rules: /tmp/rules.debug:180: rule expands to no valid combination

    The line in question reads [180]:

    pass in quick on $WAN reply-to ( mvneta0.4090 <router-ipv4-addr> ) inet proto tcp from any to <client-ipv6-addr>/128 tracker 1612037148 flags S/SA keep state label 'USER_RULE: Easy Rule: Passed from Firewall Log View'

    I can see that this rule makes no sense because it mixes IPv4 and IPv6, but how can I get rid of it, /tmp/rules.debug is only a dump...

    I eventually found the rule in /cf/conf/config.xml:

    <rule>
            <type>pass</type>
            <interface>wan</interface>
            <ipprotocol>inet</ipprotocol>
            <descr><![CDATA[Easy Rule: Passed from Firewall Log View]]></descr>
            <protocol>tcp</protocol>
            <source>
                    <any></any>
            </source>
            <destination>
                    <address>{client-ipv6-addr}/128</address>
            </destination>
            <created>
                    <time>1612037148</time>
                    <username><![CDATA[Easy Rule]]></username>
            </created>
            <tracker>1612037148</tracker>
    </rule>

    The root account doesn't keep any history, so I don't know exactly which easyrule command I used, but as best I can recall, all I did was:

    easyrule pass wan tcp any <ipv6-addr>

    As far as I can tell, easyrule doesn't mention IPv6.
    Should I have used tcp6 perhaps?

    Are there any easyrule commands for listing/deleting rules? (the documentation is seriously lacking)

    Is it safe to just delete the <rule>...</rule> block from /cf/conf/config.xml? (and then reboot?)

    Thanks in advance,

    Steve
    PS: the reason for using easyrule is that I was trying to enable access to one of my raspi's while logged in remotely - so all I had was ssh/CLI

    • H
      hieroglyph @hoopy
      last edited by hieroglyph Feb 13, 2021, 6:46 PM Feb 13, 2021, 6:45 PM

      @hoopy The best ideas I have are...

      • Go to Diagnostics > Backup & Restore > Config History and look for the configuration change that was made when the easy rule was added. Select 'Revert Config' for the config before the one with the easy rule. Depending on how many changes were made between when the easy rule was created and now, the Config History may or may not show when the easy rule was added.

      OR

      • Go to Diagnostics > Backup And Restore > Backup & Restore and select 'Download Configuration as XML'. Save the downloaded configuration somewhere you can edit the XML file. Open the *.xml in nano, vi, etc... do not use Word or Notepad. Then remove the rule as you have described above. Remove <rule> ... </rule>. This includes removing the <rule> </rule> tags. Once you have very carefully made the edits, go ahead and do a restore configuration using the edited *.xml.

      OR

      • Follow the pfsense documentation on editing the config.
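The two posts above describe, first, a rule whose `<ipprotocol>` says `inet` while its destination is an IPv6 address (which pf rejects with "rule expands to no valid combination"), and second, removing that `<rule>` block from a downloaded config.xml before restoring it. The following script is an added example, not code from this thread, from easyrule or from pfSense: it parses the downloaded XML, reports every rule whose literal source or destination address cannot belong to the rule's address family, and can strip a rule by its `<tracker>` id so the offending block is removed without hand-editing. It assumes the `<rule>` layout quoted by hoopy (rules nested under `<filter>`), the pfSense `ipprotocol` values `inet`, `inet6` and `inet46`, and that a rule with no `<ipprotocol>` element is IPv4-only (an assumption made here, not something the thread states). The sample config is constructed for the example and uses documentation-only addresses.

```python
import ipaddress
import sys
import xml.etree.ElementTree as ET

# Constructed sample modelled on the <rule> block quoted in the thread.
# 2001:db8::/32 and 192.0.2.0/24 are documentation ranges, not real hosts.
# Tracker 1612037148 is the id from the thread; 1612037200 is made up here.
SAMPLE_CONFIG = """<pfsense>
  <filter>
    <rule>
      <type>pass</type>
      <interface>wan</interface>
      <ipprotocol>inet</ipprotocol>
      <descr><![CDATA[Easy Rule: Passed from Firewall Log View]]></descr>
      <protocol>tcp</protocol>
      <source><any></any></source>
      <destination><address>2001:db8::10/128</address></destination>
      <tracker>1612037148</tracker>
    </rule>
    <rule>
      <type>pass</type>
      <interface>wan</interface>
      <ipprotocol>inet</ipprotocol>
      <descr><![CDATA[Allow SSH to one host (IPv4, consistent)]]></descr>
      <protocol>tcp</protocol>
      <source><any></any></source>
      <destination><address>192.0.2.10</address><port>22</port></destination>
      <tracker>1612037200</tracker>
    </rule>
  </filter>
</pfsense>
"""


def address_family(value):
    """Return 4 or 6 for a literal IP or CIDR; None for aliases, 'any',
    interface names and anything else we cannot classify offline."""
    host = value.split("/", 1)[0]
    try:
        return ipaddress.ip_address(host).version
    except ValueError:
        return None


def allowed_families(ipprotocol):
    """Map a pfSense <ipprotocol> value to the address families it covers."""
    return {"inet": {4}, "inet6": {6}, "inet46": {4, 6}}.get(ipprotocol, {4, 6})


def find_mismatched_rules(config_xml):
    """Return (tracker, ipprotocol, side, address) for every rule whose literal
    source/destination address is outside the rule's address family."""
    root = ET.fromstring(config_xml)
    findings = []
    for rule in root.iter("rule"):
        # Assumption: a rule without <ipprotocol> is treated as IPv4-only.
        ipprotocol = (rule.findtext("ipprotocol") or "inet").strip()
        allowed = allowed_families(ipprotocol)
        for side in ("source", "destination"):
            addr = rule.findtext(f"{side}/address")
            if addr is None:          # <any>, <network>, etc.: nothing literal to check
                continue
            family = address_family(addr.strip())
            if family is not None and family not in allowed:
                findings.append(((rule.findtext("tracker") or "").strip(),
                                 ipprotocol, side, addr.strip()))
    return findings


def remove_rule_by_tracker(config_xml, tracker):
    """Drop every <rule> whose <tracker> equals `tracker`.
    Returns (new_xml, number_of_rules_removed)."""
    root = ET.fromstring(config_xml)
    # Collect parents first so we never mutate the tree while iterating it.
    parents = [p for p in root.iter() if p.find("rule") is not None]
    removed = 0
    for parent in parents:
        for rule in list(parent.findall("rule")):
            if (rule.findtext("tracker") or "").strip() == str(tracker):
                parent.remove(rule)
                removed += 1
    return ET.tostring(root, encoding="unicode"), removed


if __name__ == "__main__":
    # Usage: python check_rules.py config.xml [tracker-to-remove]
    xml_text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CONFIG
    for tracker, ipprotocol, side, addr in find_mismatched_rules(xml_text):
        print(f"tracker {tracker}: ipprotocol={ipprotocol} but {side} address {addr}")
    if len(sys.argv) > 2:
        cleaned, n = remove_rule_by_tracker(xml_text, sys.argv[2])
        sys.stdout.write(cleaned)
        print(f"\n# removed {n} rule(s)", file=sys.stderr)
```

Run the check against the downloaded file before restoring; a rule whose `<ipprotocol>` and literal addresses disagree is exactly the kind of entry that will fail to load. Note that re-serialising with ElementTree writes `<![CDATA[...]]>` sections back as escaped text, which is still well-formed XML; diff the output against the original before uploading it through Backup & Restore so the only change is the removed block.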
      • H
        hoopy @hieroglyph
        last edited by Feb 15, 2021, 4:25 PM

        @hieroglyph Thanks for that succinct answer!

        I eventually "discovered" your first solution by the time-honored technique of "messing around till I found something that somehow worked" - so I thought I'd let someone else do the honors of providing a proper answer :-)

        Thanks, I've noted them now.

        • V
          viktor_g Netgate
          last edited by Feb 18, 2021, 9:06 AM

          Redmine issue created:
          https://redmine.pfsense.org/issues/11439

          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.