rules error
-
Hi!
I'm getting the following error:
There were error(s) loading the rules: /tmp/rules.debug:77: could not parse host specification - The line in question reads [77]: rdr pass on igb1 inet6 proto tcp from any to ::1010101 port 80 -> ::1 port 8081 @ 2022-10-12 20:56:21
I'm on 2.6.0-RELEASE and I'm really NOT trying to narrow the solution space, but I suspect this may have something to do with pfBlockerNG-devel 3.1.0_5 as I just updated earlier this week and that seems to be about when the problem started.
Any ideas where to look or what to update? And, any idea what impact this is having on my firewall?
This is on a Netgate 5100.
Thanks!!!
-
@garyn Setting or clearing the IPv6 DNSBL check box under Firewall -> pfBlockerNG -> DNSBL does not change the error.
-
@garyn I have a work around:
Firewall -> pfBlockerNG -> DNSBL and set Global Logging/Blocking Mode to DNSBL WebServer/VIP. Then, Status -> Services and restart everything pfBlockerNG. Then, Status -> Filter Reload and reload the firewall rules.
If you're dealing with this issue, the output file that is being loaded is /tmp/rules.debug and (I think) it is being generated by the script /usr/local/pkg/pfblockerng/pfblockerng.inc. Looking at the sections that seemed to assemble the line, dnsbl_vip appeared to be involved. A BUNCH of big leaps, but resetting the global logging worked around this error and my firewall rules are now loading.
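As an added example (not code from the thread or from pfBlockerNG), here is a small pre-flight check that scans a rules.debug-style file and reports host specifications pf cannot parse, such as the ::1010101 in the error above; the sample rules are constructed. On the firewall itself, pfctl -nf /tmp/rules.debug is the authoritative syntax check.

```python
import ipaddress
import re
import sys

# Constructed sample modelled on the /tmp/rules.debug line quoted in the thread.
SAMPLE_RULES = """\
# pfBlockerNG DNSBL VIP redirects (constructed sample, not a real rules.debug)
rdr pass on igb1 inet proto tcp from any to 10.10.10.1 port 80 -> 127.0.0.1 port 8081
rdr pass on igb1 inet6 proto tcp from any to ::1010101 port 80 -> ::1 port 8081
rdr pass on igb1 inet6 proto tcp from any to fd00::10 port 443 -> ::1 port 8443
pass in quick on igb1 proto tcp from any to 192.168.1.1 port 22
"""

# A host specification follows 'from', 'to' or the rdr arrow '->'.
HOST_RE = re.compile(r"(?:\bfrom\b|\bto\b|->)\s+(\S+)")
KEYWORDS = {"any", "self", "no-route", "urpf-failed"}

def host_is_valid(spec: str) -> bool:
    """True if spec is a pf keyword, an address/CIDR, a table, an interface macro or a name."""
    if spec in KEYWORDS or spec[0] in "<({":
        return True   # tables <name>, (ifname) and { lists } are resolved by pfctl
    if spec.startswith("!"):
        spec = spec[1:]   # negation
    try:
        ipaddress.ip_network(spec, strict=False)   # plain address or CIDR
        return True
    except ValueError:
        pass
    # Hostnames and interface names are resolved by pfctl; digits/colons only is never a name.
    return bool(re.fullmatch(r"[A-Za-z0-9.-]+", spec)) and not re.fullmatch(r"[0-9:.]+", spec)

def check_rules(text: str):
    """Return [(lineno, host_spec)] for every host spec that would not parse."""
    bad = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        line = line.split("#", 1)[0]          # strip comments
        for spec in HOST_RE.findall(line):
            if not host_is_valid(spec):
                bad.append((lineno, spec))
    return bad

if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else None
    text = open(path).read() if path else SAMPLE_RULES
    for lineno, spec in check_rules(text):
        print(f"{path or 'sample'}:{lineno}: could not parse host specification: {spec}")
```

Run it with the path to a copy of rules.debug to get the same line numbers the loader reports.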
-
This is fixed in pfBlocker-dev: https://redmine.pfsense.org/issues/12330
Steve
-
@stephenw10 Thanks Steve!
How do I tell pfsense to select the dev branch? Or, if I pull the branch locally, how do I manually install?
I looked at the commit and there are only 8 files updated and some of those are just versioning information. Alternatively, maybe I can manually grab the .inc and .sh and replace them locally?
Gary
-
pfBlockerNG-dev is available in the package manager as a separate package. All the recent development is done there, the package developer recommends using that. It will likely become the only pfBlockerNG package shortly.
Steve
-
@stephenw10 Ohhh, so this error happened to me on the devel branch. I have 3.1.0_5 installed. It has the same symptoms as their original bug fix where a portion of the path was not being initialized. This error will only happen on installs that select 'Permit firewall rules' enabled and then left 'Global logging/blocking mode' defaulted to 'no global mode'. That combination may not be the best logical choice, but it also results in firewall rules failing to load.
-
Then add your new result onto that bug and we can set it back to open.
-
@garyn said in rules error:
I have 3.1.0_5 installed
But isn't _6 available - that is what I have installed on 22.05.
-
Mmm, that should have been merged in 3.1.0_0 though.