Netgate Discussion Forum

Unable to delete alias - firewall thinks its in use

  • M
    michmoor LAYER 8 Rebel Alliance
    last edited by Jun 4, 2024, 3:46 PM

    I am unable to delete an alias as the system believes it's still in use on firewall rules that no longer exist on my firewall. Rules are not in the GUI so I suspect there is something lingering in the filesystem.
    How can I delete this alias?

    Cannot delete alias. Currently in use by filter rule 'Permit traceroute from Zabbix server', filter rule 'Permit Monitoring to LAN', filter rule 'Permit SCP file transfer'.
    

    Firewall: NetGate,Palo Alto-VM,Juniper SRX
    Routing: Juniper, Arista, Cisco
    Switching: Juniper, Arista, Cisco
    Wireless: Unifi, Aruba IAP
    JNCIP,CCNP Enterprise

    • M
      mcury @michmoor
      last edited by Jun 4, 2024, 4:09 PM

      @michmoor I would try this method: https://docs.netgate.com/pfsense/en/latest/config/xml-configuration-file.html#edit-in-place

      Back up your config first, then check if the firewall rule exists in /conf/config.xml
      If so, remove the rule, save the file and then rm /tmp/config.cache
      Go to the GUI and save that tab where the firewall rule was, then try to remove the alias.

      But perhaps it may be a good idea to wait a little longer for a better suggestion.

      dead on arrival, nowhere to be found.

      • M
        michmoor LAYER 8 Rebel Alliance @mcury
        last edited by Jun 4, 2024, 4:14 PM

        @mcury
        Good thinking. I do see it in the config.xml file
        I dislike editing the config.xml as I strongly suspect I'm going to mess this up. Don't think I have another choice.
        I'll wait to see if anyone else chimes in.

        • S
          stephenw10 Netgate Administrator
          last edited by Jun 4, 2024, 4:23 PM

          If it's in the config file it should appear in the GUI.

          We have seen situations where it's in a rule that is hidden because the interface is disabled or similar. You should be able to temporarily re-expose the rule though to remove the alias.

          • M
            michmoor LAYER 8 Rebel Alliance @stephenw10
            last edited by Jun 4, 2024, 4:34 PM

            @stephenw10
            I edited the config.xml and somehow did not corrupt everything in the process. Rebooted. I am able to delete the alias.

            To your point, this was an IPsec VTI that was in use a while ago. Not sure how I would go about exposing it if something like this happens in the future.

            • S
              stephenw10 Netgate Administrator
              last edited by Jun 4, 2024, 5:47 PM

              Hmm, possibly you changed the IPSec filtering mode? That can hide tabs for VTI or IPSec interfaces.
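
A read-only way to do the check discussed in this thread, finding which filter rules in a config.xml backup still name an alias and whether each rule's interface is disabled or no longer assigned; this is an added example, not code from any poster or from Netgate. The alias name MON_HOSTS, the interface names and the sample XML are constructed, and the element layout (filter/rule, interfaces/NAME/enable) is assumed from the usual pfSense config.xml format.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the usual config.xml layout (not taken from the thread).
SAMPLE = """<pfsense>
  <interfaces>
    <lan><enable></enable><if>igb1</if></lan>
    <opt3><if>ipsec1000</if><descr>OLD_VTI</descr></opt3>
  </interfaces>
  <aliases><alias><name>MON_HOSTS</name><type>host</type></alias></aliases>
  <filter>
    <rule><interface>lan</interface><source><address>MON_HOSTS</address></source>
      <destination><any></any></destination><descr>Permit Monitoring to LAN</descr></rule>
    <rule><interface>opt3</interface><source><address>MON_HOSTS</address></source>
      <destination><any></any></destination><descr>Permit SCP file transfer</descr></rule>
    <rule><interface>opt7</interface><source><any></any></source>
      <destination><address>MON_HOSTS</address></destination>
      <descr>Permit traceroute from Zabbix server</descr></rule>
    <rule><interface>lan</interface><source><network>lan</network></source>
      <destination><any></any></destination><descr>Default allow LAN</descr></rule>
  </filter>
</pfsense>"""

def interface_state(root, name):
    """enabled / disabled / unassigned (no entry under <interfaces>)."""
    node = next((n for n in root.findall("./interfaces/*") if n.tag == name), None)
    if node is None:
        return "unassigned"
    # Assumption: an assigned interface is enabled when it carries an <enable> element.
    return "enabled" if node.find("enable") is not None else "disabled"

def rules_using_alias(xml_text, alias):
    """Return (descr, interface, state, fields) for each filter rule naming the alias."""
    root = ET.fromstring(xml_text)
    hits = []
    for rule in root.findall("./filter/rule"):
        # Aliases are referenced by exact name in source/destination address or port.
        fields = [f"{parent.tag}/{el.tag}" for parent in rule for el in parent
                  if (el.text or "").strip() == alias]
        if not fields:
            continue
        descr = (rule.findtext("descr") or "").strip()
        # Floating rules may list several interfaces separated by commas.
        for name in (rule.findtext("interface") or "").split(","):
            hits.append((descr, name, interface_state(root, name), fields))
    return hits

if __name__ == "__main__":
    for descr, iface, state, fields in rules_using_alias(SAMPLE, "MON_HOSTS"):
        flag = "" if state == "enabled" else "  <-- rule tab may be hidden in the GUI"
        print(f"{descr!r} on {iface} [{state}] via {', '.join(fields)}{flag}")
```

Run it against a downloaded backup by passing the file's contents instead of SAMPLE; it only reads, so the in-place edit from the thread remains a separate step.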

              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.