Problem with Thu Mar 3 17:43:05 EST 2011



  • 2.0-RC1 (i386)
    built on Thu Mar 3 17:43:05 EST 2011

    There were error(s) loading the rules: /tmp/rules.debug:138: syntax error/tmp/rules.debug:139: syntax error pfctl: Syntax error in config file: pf rules not loaded - The line in question reads [138]: pass in quick on $LAN proto from 192.168.168.0/24 to keep state label "NEGATE_ROUTE: Negate policy route for vpn(s)"…

    It has stopped routing. I cannot browse the internet and my servers inside cannot be accessed from the outside.



  • Yes, I also got a similar problem when I updated this morning; what I noticed is syntax errors which are preventing the rules from being loaded.



  • I downgraded to built on Wed Mar 2 17:47:38 EST 2011, but still I'm getting the same error. How to fix this?



  • Had the same.
    Firewall - Rules - LAN
    Edit "Default LAN -> any", changed Protocol to Any, saved.



  • Same here - last snapshot (Mar 3) has completely trashed my config.



  • I solved this by editing all the rules which display an empty field in the summary for the protocol column, in my case all those containing *
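
Added example, not part of any post in this thread and not pfSense code: a small sh/awk check that lists rules in a pf ruleset where `proto` is followed by no protocol, the pattern in the `rules.debug` line quoted in the first post. The function names, the keyword list and the sample rules are constructed for illustration.

```shell
# Constructed sample ruleset, modelled on the rule quoted in the first post.
sample_rules() {
    cat <<'EOF'
# constructed sample, not taken from a real rules.debug
pass in quick on $LAN proto tcp from 192.168.168.0/24 to any keep state label "ok rule"
pass in quick on $LAN proto from 192.168.168.0/24 to any keep state label "empty proto"
pass in quick on $LAN from 192.168.168.0/24 to any keep state label "no proto from here"
EOF
}

# find_empty_proto [FILE]
# Prints "LINE_NO: RULE" for each rule whose "proto" keyword is followed by
# another keyword or by nothing. Returns 1 if any such rule is found, else 0.
find_empty_proto() {
    awk '
        /^[ \t]*#/ { next }                  # skip comment lines
        {
            line = $0
            gsub(/"[^"]*"/, "", line)        # drop quoted label text before tokenising
            n = split(line, tok, " ")
            for (i = 1; i <= n; i++) {
                if (tok[i] != "proto") continue
                nxt = (i < n) ? tok[i + 1] : ""
                # a protocol name, number or { list } is expected at this position
                if (nxt == "" || nxt ~ /^(from|to|all|keep|flags|label)$/) {
                    printf "%d: %s\n", NR, $0
                    bad = 1
                }
                break
            }
        }
        END { exit bad ? 1 : 0 }
    ' "$@"
}

# Demo run on the constructed sample; reports line 3 only.
sample_rules | find_empty_proto || echo "ruleset contains an empty proto field"
```

On the firewall itself, `pfctl -nf /tmp/rules.debug` parses the generated ruleset without loading it and reports syntax errors by line number.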



  • But is it a problem with how the latest snapshot reads the XML or how a previous version wrote it?

    Andrew


  • Rebel Alliance Developer Netgate

    Little of both. It was an issue with an upgrade code bit I added to fix another issue.

    If you gitsync and reboot it should be fine.

    http://doc.pfsense.org/index.php/Updating_pfSense_code_between_snapshots

    Or wait for the next new snap which is building now.



  • Meanwhile, installing an older snapshot and then using the Config History tab to restore a pre-update configuration will fix the problem.


  • Rebel Alliance Developer Netgate

    Or you could move forward instead of back and make sure the fixes really work for you. :-)



  • Sure, but I believe you'd have to be on the fixed snapshot, which wasn't available when I last checked!


  • Rebel Alliance Developer Netgate

    See above, re: gitsync.



  • The customer had no Internet access, so a gitsync was not possible; fortunately, he had previous snapshots downloaded.


  • Rebel Alliance Developer Netgate

    They had no access from LAN because pf didn't load the NAT rules, from the box itself it would have been fine.



  • I appreciate the feedback, but had to fix the problem within a very narrow time frame (happened on a customer deployment); the idea of gitsync'ing did not occur to me (and when it happened, there was no indication on the forum threads that it had already been fixed, so a rollback really seemed the safe choice then).

    I am really thankful for the work you guys have been putting into this, and - on top of that - that you still have time to offer support on the forum: amazing!

    Marcello
    Sao Paulo - SP - Brazil



  • I shall start coming here first and checking. Then proceed with caution,

    Perhaps there should be an open Red Alert Thread.

    Totally hosed one box, could not go forward or backward  ::)


  • Rebel Alliance Developer Netgate

    The new snapshot is up now, so it's sort of a moot point.



  • Yeah right - until the next gotcha  ::)

    Is this the "good" snapshot?

    pfSense-Full-Update-2.0-RC1-i386-20110304-0811.tgz

    @jimp:

    The new snapshot is up now, so it's sort of a moot point.


  • Rebel Alliance Developer Netgate

    @mromero:

    Yeah right - until the next gotcha  ::)

    Welcome to snapshot land. If you don't want to take risks, run the official RC1 image and not snapshots. :-)

    @mromero:

    Is this the "good" snapshot?

    pfSense-Full-Update-2.0-RC1-i386-20110304-0811.tgz

    Looks like that's the one.



  • @mromero:

    I shall start coming here first and checking. Then proceed with caution,

    Perhaps there should be an open Red Alert Thread.

    Totally hosed one box, could not go forward or backward  ::)

    nice plan but the bad build was built on Thu Mar 3 17:43:05 EST 2011 and this thread was opened on Friday Mar 4 at 03:19:57 am…

    http://forum.pfsense.org/index.php/topic,33905.0.html is another fun experience for me and some others. I posted that at 12:13am but since I was so tired when I did this, the post is a little hard to read.

    But many thanks to Jimp. Many enterprise firewall providers would not have found and fixed the problem as quickly as you did. Kudos!



  • I had to roll back to the signed RC1 tonight on my home Alix as I upgraded this morning and had the same issues.  It's bad when my Alix is blinking SOS at me.  From now on I'm only testing on my office's spare router.



  • @cellobita:

    I appreciate the feedback, but had to fix the problem within a very narrow time frame (happened on a customer deployment)…

    That is pretty brave to be rolling out RC's to customers…



  • From the RC1 announcement:

    "This is considered a stable release suitable for production use, as we’ve already widely deployed it over the past several months in beta and upgraded numerous systems to RC1 over the weekend. This is the preferred version for new installations at this point."

    Also, they actually need some of the new features in 2.0.



  • I think we all know that RC really means we are getting close and we want to entice a few more people  to help with Beta Testing the product.  :)

    Roy…



  • I don't have any problem with that, and never complained about the (few) bugs we've encountered on our half a dozen 2.0 deployments so far (as mentioned, for customers that had needs addressed only by the new version); my original reply above was just meant to offer an additional way to recover from the bug in this particular snapshot.

    I've been dealing with computers since the Apple II, and have to tell you: if every single piece of software over these past 30 years had been as reliable as pfSense, I'd certainly have fewer gray hairs today  :)

    Marcello
    Sao Paulo - SP - Brazil

