making changes to rules applied only after reboot
-
hi :)
After the last upgrade, if I make a change to a rule,
it doesn't apply...
I do reset states and still nothing.
Only after rebooting the machine are the rules applied and working correctly.
Any advice?
-
Did you validate that the state was no longer there, and that the rules actually reloaded?
You do not need to reboot to apply rules.
-
Not sure how to do that..
If you can tell me how to verify, that will be great.
I just go to states, check "reset all", and apply, as I have done for years, and it used to apply the changes immediately...
-
I can see under stats that it's reloading.
-
For whatever reason the states might not have fully reset?
You can validate rules reloaded here.
You could validate that the rule is listed in /tmp/rules.debug via a cat.
Or you could view your rules via
https://docs.netgate.com/pfsense/en/latest/firewall/pf-ruleset.html
If rules were not being applied, either there was a state, or the rules didn't actually reload to include the rule.
-
OK, I think I got it fixed after disabling pfblocker and enabling it back.
Thanks for assisting.
-
Maybe something with auto rules in pfblocker? Are you using those? I don't recall seeing any complaints on that - but that would be my educated "guess" as to why the rules might have got hung and didn't fully reload, etc..
-
Yes, I'm using them to block incoming via geolocation.
And I started getting some error about memory that I was unable to fix, so I kept adding more to
Firewall Maximum States
and to Firewall Maximum Table Entries.
-
@oren1031 said in making changes to rules applied only after reboot:
error that i was unable to fix
What was the specific error - yeah, if you had issues with the memory and tables - that for sure could have caused issues with the load of rules..
Not talking about geoip, I use those in pfblocker - more talking about letting pfblocker auto create rules.. Which I don't use.. I just use it to create native aliases that I put in the rules.
-
Cannot allocate memory - The line in question reads [48]: table <pfB_NAmerica_v6> persist file "/var/db/aliastables/pfB_NAmerica_v6.txt"
-
Yeah, that list is going to be freaking HUGE ;) NA v6...
You need to up the table size if you're going to use such a list. What do you have yours set to?
-
Now I took it up to 2400000; for now I'm getting no error.
-
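Rather than raising Firewall Maximum Table Entries until the "Cannot allocate memory" error goes away, it helps to know how many entries the alias tables actually need. The script below is an added example, not code from the thread or from pfSense: it counts the entries in the pfBlockerNG alias table files (the /var/db/aliastables/*.txt files the error message points at), reads the limit from the `set limit table-entries` line that pfSense is assumed to write into /tmp/rules.debug, and checks whether a named table is referenced in the ruleset (the validation step suggested earlier in the thread). The directory, file contents and table names used here are constructed so it runs offline; on a real box point it at the live paths.

```shell
#!/bin/sh
# Added example: compare pfBlockerNG alias-table size with the pf table-entries
# limit, and confirm a table is present in the generated ruleset.

# Count non-blank, non-comment lines across all *.txt alias table files in a dir.
count_alias_entries() {
    dir="$1"
    total=0
    for f in "$dir"/*.txt; do
        [ -f "$f" ] || continue
        n=$(grep -cvE '^[[:space:]]*(#|$)' "$f")
        total=$((total + n))
    done
    echo "$total"
}

# Extract the "set limit table-entries N" value from a rules.debug file (0 if absent).
table_limit() {
    lim=$(sed -n 's/^set limit table-entries[[:space:]]*\([0-9]*\).*/\1/p' "$1" | head -n 1)
    echo "${lim:-0}"
}

# Print "yes" if the ruleset references table <name>, otherwise "no".
table_loaded() {
    grep -q "table <$2>" "$1" && echo yes || echo no
}

# Constructed sample data standing in for /var/db/aliastables and /tmp/rules.debug.
tmp=$(mktemp -d)
printf '# pfB_NAmerica_v6 (constructed sample)\n2001:db8::/32\n2001:db8:1::/48\n\n' \
    > "$tmp/pfB_NAmerica_v6.txt"
printf '192.0.2.0/24\n198.51.100.0/24\n203.0.113.0/24\n' > "$tmp/pfB_MyCountry_v4.txt"
printf 'set limit table-entries 2400000\ntable <pfB_NAmerica_v6> persist file "%s/pfB_NAmerica_v6.txt"\n' \
    "$tmp" > "$tmp/rules.debug"

entries=$(count_alias_entries "$tmp")
limit=$(table_limit "$tmp/rules.debug")
printf 'alias entries needed: %s, configured table-entries limit: %s\n' "$entries" "$limit"
if [ "$entries" -ge "$limit" ]; then
    echo "limit too small: pf will fail with 'Cannot allocate memory' when loading tables"
fi
printf 'pfB_NAmerica_v6 referenced in ruleset: %s\n' \
    "$(table_loaded "$tmp/rules.debug" pfB_NAmerica_v6)"
```

Run against the live paths, the entry count also shows how much of the 2400000 limit a large GeoIP list like NA v6 consumes on its own.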
But it looks like pfblocker is doing its job...
-
Wouldn't it just be easier to allow what you want ;) Out of the box all is blocked anyway. Just use geoip list of what you want to allow to hit your port forward/exposed ports..
-
That is what I did: blocked all but what I want to be enabled.
-
Why are you loading the NA list then? Just for your picture of where IPs are from?
-
I'm blocking all inbound from everywhere but my country.
Isn't that the way to go, if I have a service I want to be accessed only from my country, to minimize exposure?
-
Again just allow your country on your rule/port forward. All is blocked by default.. There is little reason to load up some table of all NA v6, when ALL is blocked by default. And your allow is only your country list of IP ranges.
-
So when allowing only 1 country, all others will be blocked by pfblocker?
Is that what you mean?
No need for block rules because all that is not allowed is blocked?
-
What is the downside of using it the way I do?
Keeping in mind I have an i3 with 8 GB RAM, so it's not really
working that hard.. it's a home environment.