Static route filtering bug?

josey · Oct 25, 2010, 7:07 PM

Hello guys
im running
2.0-BETA4 (i386)
built on Wed Sep 29 12:15:10 EDT 2010

i have couple of interfaces, and on one of them i had more subnets
interface address is 10.20.0.0/24
subnets are
10.20.170.0/24
10.20.240.0/24
…
etc
(static routes are set)

i have problem with static route filtering (system->advanced->firewall)
Pfs is showing strange behaviour,
it doesent matter is this option checked or unchecked, pfs is acting same. It want pass any traffic except icmp.

I had this option checked on 1.2.3 and asked why is not working when this option is unchecked (it didnt work no matter if firewall rules are set properly), and get answer that is a bug.

Now i had that option checked on 2.0beta, since when unchecked it shows same behaviour as on 1.2.3. And it worked until day ago (i reboot it i dont remember why), pfs stops passing traffic between subnets on same interface.

Example
computer on 10.20.240.0/24 network can ping computer on 10.20.0.0/24 but nothing else can pass.

computer on 10.20.240.0/24 can access al other networks 10.x.y.z if they are behind other interfaces.

i made lots of tests, and take many logs, and they confirm what i type here.

can you help me with this guys?

thanks

cmb · Oct 25, 2010, 7:26 PM

It wasn't a bug before and isn't now, you have asymmetric routing in that case and hence cannot statefully filter traffic. You must enable that option for traffic to pass correctly. If it doesn't with it enabled, go to Diagnostics>Command, and run:

grep "no state" /tmp/rules.debug

and post the output here.

josey · Oct 25, 2010, 8:05 PM

as i wrote, it does not work in eather cases, and when i check option, is like i didnt, nothing happens.
Also, i dont understand why that option exists, its just trouble maker.
I suppose it was intended for users to chose if they want to pass traffic on same interface through firewall?

here is log

this is with option unchecked

$ grep no state /tmp/rules.debug
/tmp/rules.debug:#Snort2C table
/tmp/rules.debug:table <snort2c>/tmp/rules.debug:set optimization normal
/tmp/rules.debug:set limit src-nodes 324000
/tmp/rules.debug:# We use the mighty pf, we cannot be fooled.
/tmp/rules.debug:# snort2c
/tmp/rules.debug:block quick from <snort2c>to any label "Block snort2c hosts"
/tmp/rules.debug:block quick from any to <snort2c>label "Block snort2c hosts"
/tmp/rules.debug:# make sure the user cannot lock himself out of the webConfigurator or SSH
/tmp/rules.debug:# WANLANOPT1OPT2OPT3pptp array key does not exist for label "USER_RULE"
/tmp/rules.debug:# WANLANOPT1OPT2OPT3pptp array key does not exist for label "USER_RULE"
/tmp/rules.debug:# WANLANOPT1OPT2OPT3pptp array key does not exist for label "USER_RULE"

this is with option checked

$ grep no state /tmp/rules.debug
/tmp/rules.debug:#Snort2C table
/tmp/rules.debug:table <snort2c>/tmp/rules.debug:set optimization normal
/tmp/rules.debug:set limit src-nodes 324000
/tmp/rules.debug:# We use the mighty pf, we cannot be fooled.
/tmp/rules.debug:# snort2c
/tmp/rules.debug:block quick from <snort2c>to any label "Block snort2c hosts"
/tmp/rules.debug:block quick from any to <snort2c>label "Block snort2c hosts"
/tmp/rules.debug:# make sure the user cannot lock himself out of the webConfigurator or SSH
/tmp/rules.debug:# WANLANOPT1OPT2OPT3pptp array key does not exist for label "USER_RULE"
/tmp/rules.debug:# WANLANOPT1OPT2OPT3pptp array key does not exist for label "USER_RULE"
/tmp/rules.debug:# WANLANOPT1OPT2OPT3pptp array key does not exist for label "USER_RULE"</snort2c></snort2c></snort2c></snort2c></snort2c></snort2c>

cmb · Oct 26, 2010, 3:39 AM

Note the quotes:
@cmb:

grep "no state" /tmp/rules.debug

try again.

@josey:

Also, i dont understand why that option exists, its just trouble maker.

No not in the least, it's much easier for you that way. The alternative is trying to tell you how to manually create proper 'no state' rules for that traffic. When you have asymmetric routing, no stateful firewall can function properly, hence you must have that.

josey · Oct 26, 2010, 6:00 AM

@cmb:

grep "no state" /tmp/rules.debug

no, nothing happens when i copy-paste that to
Diagnostics>Command, and run:

BUT, since you wrote that you should explain us how to create no state firewall rules,
i add firewall rule to pass * * * * * *
with advanced feature> state type-none
and bzzzap it works, from first. :)
(i logged some traffic and i noticed that firewall or tracking traffic works with reverse logic, source and destination addresses are reversed is this correct?
im opening shared documents on 10.20.0.0/24 from 10.20.240.0/24 and log said that im oppening from source 10.20.0.0/24.
please dont get me wrong im not complaining, i just want to understand how it works. thanks)

but again, since that check box > static routing seems it is not working you should check it

thanks for helpand for the explanation

eri-- · Oct 26, 2010, 10:09 AM

It is not working because you must be overriding one of them.
Since in 2.0 you can override them which is not possible in 1.2.3

The command to grep is:
grep sloppy /tmp/rules.debug

josey · Oct 26, 2010, 11:23 AM

override? hmm…
maybe :(

here is file

[GREP SLOPPY.txt](/public/imported_attachments/1/GREP SLOPPY.txt)

eri-- · Oct 26, 2010, 12:18 PM

The rule is there so the checkbox is working.
Just you are overriding that with some previous firewall rule.

josey · Oct 26, 2010, 12:35 PM

checkbox is working?
ok than, it have to be something local at my pfs box.
thanks for all help

you can lock