Duplicated Firewall Rules w/ Expanding config.xml
I have been using pfSense for many years with only minor issues. A few days ago, I made a minor change to the pfBlocker configuration by applying inbound and outbound rules to the same interfaces. Previously, I had set inbound rules to be applied to the WAN and outbound to the LAN. In this case, I set both to WAN and LAN. Within a short time of applying that change, the web interface ceased to load and SSH was incredibly slow. Upon reboot, I started receiving error messages:
PHP Fatal error: Allowed memory size of 1073741824 bytes exhausted (tried to allocate 20480 bytes) in /etc/inc/config.lib.inc on line 112
Even though I doubled the size of memory allocated for PHP, the error persisted.
I looked at the /conf/backup folder and noticed that the config.xml backups were growing rapidly over time. I rolled the config.xml back by dropping a smaller config.xml file into the /conf folder and rebooting. Everything started working again and I left the device to run.
By the end of the day, I found that the config.xml file had once again grown. I opened the bloated file and found that firewall rules were repeated over 20 times on the WAN and LAN interfaces. This time, I downloaded one of the smaller config.xml files as well as dropped that file into the /conf folder and rebooted. Once the device came back online, I used the web interface to restore the backed up config.xml file. I then removed all the duplicated firewall rules.
I went into pfBlocker and forced an update. Immediately, the firewall rules were duplicated and the config.xml file began to expand. I went back to the pfBlocker config and changed the interfaces back to inbound WAN and outbound LAN, saved the config, cleaned up the firewall rules and forced pfBlocker to update.
These steps 100% resolved the issue. The config.xml file did not grow after multiple updates.
This means there is a bug in the way in which pfBlocker processes firewall rules when the same set of rules is applied to two different interfaces. This needs to be investigated and fixed. Technically, there is no reason to apply the inbound and outbound rules to both WAN and LAN, but I am sure people might configure that setting and ultimately crash their router.
So the fix is to NOT apply Inbound and Outbound rules to both WAN and LAN. Apply outbound to LAN and Inbound to WAN. Clean up your firewall rule duplications and watch for stability in the size of the /conf/config.xml file.
I am using the latest pfBlockerNG-devel version.
This issue cost me several hours debugging and I am sure that it could cost others serious downtime especially if there is no good config backup.
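An added check, not part of the post above and not pfSense or pfBlockerNG code: a small Python script that parses a pfSense config.xml, counts the <rule> entries under <filter>, and reports any rule whose full content appears more than once, which is the symptom the post describes. The embedded config is a constructed, abbreviated sample (real rules carry more child elements, and the rule description text is made up); the script can also be pointed at a copied config.xml or one of the /conf/backup files, so the duplicate count and the total rule count can be tracked over time instead of only watching the file size.

```python
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample in the shape of a pfSense config.xml <filter> section
# (abbreviated: real rules carry more child elements). The WAN block rule
# appears three times, mimicking the duplication described in the post.
SAMPLE_CONFIG = """<?xml version="1.0"?>
<pfsense>
  <filter>
    <rule>
      <type>block</type>
      <interface>wan</interface>
      <descr><![CDATA[pfB_Top_v4 auto rule]]></descr>
      <source><any></any></source>
      <destination><any></any></destination>
    </rule>
    <rule>
      <type>block</type>
      <interface>wan</interface>
      <descr><![CDATA[pfB_Top_v4 auto rule]]></descr>
      <source><any></any></source>
      <destination><any></any></destination>
    </rule>
    <rule>
      <type>block</type>
      <interface>wan</interface>
      <descr><![CDATA[pfB_Top_v4 auto rule]]></descr>
      <source><any></any></source>
      <destination><any></any></destination>
    </rule>
    <rule>
      <type>pass</type>
      <interface>lan</interface>
      <descr><![CDATA[Default allow LAN to any rule]]></descr>
      <source><network>lan</network></source>
      <destination><any></any></destination>
    </rule>
  </filter>
</pfsense>
"""

# Child elements that legitimately differ between otherwise identical copies
# of a rule and so must not count toward its identity.
VOLATILE = {"tracker", "created", "updated"}


def rule_signature(rule):
    """Canonical string for one <rule>: every child except the volatile
    ones, serialized in document order, so two exact copies compare equal."""
    parts = []
    for child in rule:
        if child.tag in VOLATILE:
            continue
        parts.append(ET.tostring(child, encoding="unicode").strip())
    return "\n".join(parts)


def rule_count(xml_text):
    """Total number of <rule> entries under <filter>."""
    return len(ET.fromstring(xml_text).findall("./filter/rule"))


def find_duplicate_rules(xml_text):
    """Return {(interface, descr): copies} for every rule whose content
    appears more than once; an empty dict means no duplicates."""
    root = ET.fromstring(xml_text)
    counts = Counter()
    labels = {}
    for rule in root.findall("./filter/rule"):
        sig = rule_signature(rule)
        counts[sig] += 1
        iface = (rule.findtext("interface") or "").strip()
        descr = (rule.findtext("descr") or "").strip()
        labels[sig] = (iface, descr)
    return {labels[s]: n for s, n in counts.items() if n > 1}


if __name__ == "__main__":
    import sys
    # Pass a path to a copied config.xml (or a /conf/backup file) to check a
    # real configuration; with no argument the constructed sample is used.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CONFIG
    print("rules:", rule_count(text))
    for (iface, descr), n in sorted(find_duplicate_rules(text).items()):
        print(f"{n}x  {iface:<6} {descr}")
```

Running the script against each file in /conf/backup in turn gives a per-backup rule count and duplicate list; a count that climbs between pfBlocker updates is the condition the post warns about, and it shows up well before PHP hits its memory limit parsing the file.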