"Deny Inbound" and "Alias Match" kill ALL outbound states during reload
-
pfSense/pfBlockerNG kills existing OUTbound states with IPs in "Deny Inbound" and "Alias Match" IPv4 categories.
I suspect, and have not verified, that the other action types will kill matching states regardless of direction.
Running pfSense 24.03-RELEASE on Netgate hardware with pfBlockerNG 3.2.0_10
In Firewall > pfBlockerNG > General, Kill States is checked.
A "Deny Inbound" config is:
Firewall > pfBlockerNG > Edit > IPv4 is as follows:
Alias Name: Google_ASN
IPv4 Lists: Format: ASN, State: ON, Source: AS15169 [ GOOGLE, US ], Header/Label: AS15169
List Action: Deny Inbound
Update Frequency: Once a day
Enable Logging: Disabled
States Removal: Enable
The pfBlockerNG log file has entries with multiple Google IPv4 addresses and private LAN IPv4 addresses connected to those IPv4 addresses:
[ pfB_Google_ASN_v4 ] Removed 2 state(s) for [ 130.211.16.53 ] igc1 tcp 130.211.16.53:443 <- 192.168.X.Y:59190 FIN_WAIT_2:FIN_WAIT_2 ix3 tcp 167.248.12.173:59190 (192.168.X.Y:59190) -> 130.211.16.53:443 FIN_WAIT_2:FIN_WAIT_2
More "alias configs" with different IPv4 addresses and "List Action" set to "Alias Match" exist. The pfblockerng update log contains entries similar to the above example with IPv4 addresses in these "Alias Match" configurations.
An old thread describes states NOT killed when aliases are updated:
https://forum.netgate.com/topic/121921/states-not-being-killed-pfblockerng
The description of the global kill states option, emphasis mine:
When 'Enabled', after a cron event or any 'Force' commands, any blocked IPs found in the Firewall states will be cleared.
Is the intent of the "States Removal" option for individual configs to be set to "Disabled" to skip the kill state action when the "List Action" is set to one of the non-deny-both types?
-
Hi @totowentsouth - I'm curious if you ever found a resolution to this? I ran into the same issue yesterday and also wondered whether disabling "States Removal" on the individual list is the solution / workaround? I'm also a bit perplexed why outbound states are being removed if the List Action with the IP addresses in question is set to e.g. Deny Inbound. Thanks in advance.
-
@tman222 Yes, disabling the "States Removal" for the particular list(s) is what I did as a workaround. I looked for the code responsible when I made the post and recall pfblockerng is behaving as described in my first post. That is, if an IP address in a list is found in states, and "States Removal" is enabled, regardless of the "List Action", the state is removed. I retired my investigation since.
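The log line format quoted in the first post makes it possible to audit, after each cron run, whether a list's "States Removal" killed states that the list action label would not suggest. The following POSIX shell script is an added example, not pfBlockerNG or pfSense code: it parses "Removed N state(s)" lines, works out which side opened the first killed state (the host on the left of `->` or on the right of `<-` in pf state notation), and compares that with the list action. The mapping in `kill_expected` (Deny Inbound should only drop remote-initiated states, Deny Outbound only local-initiated ones, Alias Match none) is the reading both posters take in this thread and is an assumption here, not pfBlockerNG's documented rule. The first sample line is the one from the original post; the second is constructed.

```shell
#!/bin/sh
# Audit pfBlockerNG "Removed N state(s)" log lines against the list action.
# Added example; assumes the pf state notation "A -> B" (A opened it) and
# "A <- B" (B opened it) as printed by pfctl and echoed in pfblockerng.log.

# Print "<list> <blocked_ip> <originator_ip> <verdict>" for one log line.
# verdict is remote-initiated when the blocked IP opened the state,
# local-initiated otherwise.
classify_state_line() {
    printf '%s\n' "$1" | awk '
    {
        list = $2                               # "[ pfB_Google_ASN_v4 ]" -> field 2
        for (i = 1; i <= NF; i++)               # blocked IP follows "for ["
            if ($i == "for" && $(i+1) == "[") { blocked = $(i+2); break }
        for (i = 1; i <= NF; i++) {             # first state arrow decides the originator
            if ($i == "->") {                   # left side opened it; skip a NAT "(orig)" token
                orig = $(i-1); if (orig ~ /^\(/) orig = $(i-2); break
            }
            if ($i == "<-") { orig = $(i+1); break }   # right side opened it
        }
        sub(/:[0-9]+$/, "", orig)               # drop the port
        verdict = (orig == blocked) ? "remote-initiated" : "local-initiated"
        print list, blocked, orig, verdict
    }'
}

# Assumed reading of the list action labels (not pfBlockerNG's documented rule).
kill_expected() {
    case "$1:$2" in
        "Deny Both:"*)                   echo yes ;;
        "Deny Inbound:remote-initiated") echo yes ;;
        "Deny Outbound:local-initiated") echo yes ;;
        *)                               echo no ;;
    esac
}

# audit_line <list action> <log line>: OK or UNEXPECTED plus a short reason.
audit_line() {
    set -- "$1" "$(classify_state_line "$2")"
    list=${2%% *}
    verdict=${2##* }
    if [ "$(kill_expected "$1" "$verdict")" = yes ]; then
        echo "OK         $list [$1] killed $verdict state"
    else
        echo "UNEXPECTED $list [$1] killed $verdict state"
    fi
}

# Sample 1: the line quoted in the original post (LAN client opened the state).
SAMPLE_OUTBOUND='[ pfB_Google_ASN_v4 ] Removed 2 state(s) for [ 130.211.16.53 ] igc1 tcp 130.211.16.53:443 <- 192.168.X.Y:59190 FIN_WAIT_2:FIN_WAIT_2 ix3 tcp 167.248.12.173:59190 (192.168.X.Y:59190) -> 130.211.16.53:443 FIN_WAIT_2:FIN_WAIT_2'
# Sample 2: constructed; the listed IP opened a connection to a local service.
SAMPLE_INBOUND='[ pfB_Google_ASN_v4 ] Removed 1 state(s) for [ 130.211.16.53 ] ix3 tcp 203.0.113.10:443 <- 130.211.16.53:40000 ESTABLISHED:ESTABLISHED'

# Run the audit on the samples with the list actions from the thread.
for entry in "Deny Inbound|$SAMPLE_OUTBOUND" "Deny Inbound|$SAMPLE_INBOUND" "Alias Match|$SAMPLE_OUTBOUND"; do
    action=${entry%%|*}
    line=${entry#*|}
    audit_line "$action" "$line"
done
```

On a live box the loop would read `/var/log/pfblockerng/pfblockerng.log` with `grep 'Removed .* state(s)'` and take the action from the list's configuration; any UNEXPECTED line is a state the list killed despite its action label, which is the symptom reported above and the reason the posters disabled "States Removal" per list.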