Duplicate EasyRule



  • 2.0-RC1 (i386)
    built on Mon Mar 7 12:03:17 EST 2011

    Minor annoyance:
    When clicking Easy Rule: Add to Block list in the Firewall, the address gets added into the EasyRuleBlockHostsWAN like it should and then adds the Alias to the WAN interface. But when I click on another address to add, EasyRuleBlockHostsWAN alias gets added in again on the WAN interface.

    Minor annoyance:
    One can also click multiple times on Easy Rule: Pass this traffic and add the same address too.


  • Rebel Alliance Developer Netgate

    I can't reproduce any kind of duplication of the block alias or addresses inside the block alias. No matter how many times I click various addresses to block, there is only one rule with the alias.

    Also, multiple pass rules isn't something that is checked for. It's just doing what it's told there. If it were using aliases or some other means it might have to check for duplication, but as it is, it just adds the rule you requested.



  • I had a similar issue for a while but because of how I want it to work I just dealt with it. The Alias record itself isn't being duplicated on my box. Every IP I block via EasyRule goes into the same Alias record.

    When I first used EasyRule, it created a rule and an alias. This rule was placed at the bottom of my firewall rule table. I moved the rule to the first position on my firewall rule table. So when the rules are applied to packets (top to bottom), it would stop IPs that are trying to hack into a box I have open for remote access. I have NAT/FW rules opening up certain ports for different things.

    Now when I add a new host using the EasyRule on the firewall log, it would create another rule in the firewall rules table. This rule is placed last on the table. Now I can't duplicate this all the time but it will create another rule for every host I want to block. It's like it's not checking the rules table to see if one is already created… I think it should be placed first in the list like the 'Block bogon networks' and 'Block private networks' rules are...


  • Rebel Alliance Developer Netgate

    Unless you changed the name of the alias, or the interface on the rule, it should be detected properly:

    function easyrule_block_rule_exists($int = 'wan') {
    	global $blockaliasname, $config;
    	/* No rules, we know it doesn't exist */
    	if (!is_array($config['filter']['rule'])) {
    		return false;
    	}
    
    	/* Search through the rules for one referencing our alias */
    	foreach ($config['filter']['rule'] as $rule)
    		if (!is_array($rule) || !is_array($rule['source']))
    			continue;
    		if ($rule['source']['address'] == $blockaliasname . strtoupper($int) && ($rule['interface'] == $int))
    			return true;
    	return false;
    }
    

    I'll see what I can do about making it add the rule at the top.


  • Rebel Alliance Developer Netgate

    Ah, I found it. That foreach is missing some {}'s.

    Should be OK once the commit makes it into snapshots.
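
Added example, not part of the thread and not pfSense's own code: without braces, the foreach in easyrule_block_rule_exists() only wraps the first if/continue, so the alias comparison runs once after the loop against the last rule in the table. The _buggy/_fixed function names, the $blockaliasname value (inferred from the EasyRuleBlockHostsWAN alias mentioned above) and the sample configs are assumptions constructed for illustration.

```php
<?php
// Added illustration: two variants of the existence check run over
// constructed rule tables. Not pfSense source code.
$blockaliasname = 'EasyRuleBlockHosts'; // assumed, inferred from the alias name

function block_rule_exists_buggy(array $config, $int = 'wan') {
    global $blockaliasname;
    if (!is_array($config['filter']['rule'])) {
        return false;
    }
    /* Brace-less foreach: the loop body is only the first if/continue. */
    foreach ($config['filter']['rule'] as $rule)
        if (!is_array($rule) || !is_array($rule['source']))
            continue;
    /* Runs once, after the loop, against whatever $rule was iterated last. */
    if ($rule['source']['address'] == $blockaliasname . strtoupper($int) && ($rule['interface'] == $int))
        return true;
    return false;
}

function block_rule_exists_fixed(array $config, $int = 'wan') {
    global $blockaliasname;
    if (!is_array($config['filter']['rule'] ?? null)) {
        return false;
    }
    foreach ($config['filter']['rule'] as $rule) {
        if (!is_array($rule) || !is_array($rule['source'] ?? null)) {
            continue;
        }
        if (($rule['source']['address'] ?? '') == $blockaliasname . strtoupper($int)
            && ($rule['interface'] ?? '') == $int) {
            return true; /* every rule is compared, wherever it sits */
        }
    }
    return false;
}

/* Constructed sample rules: one alias-based block rule, one unrelated pass rule. */
$block = ['type' => 'block', 'interface' => 'wan', 'source' => ['address' => 'EasyRuleBlockHostsWAN']];
$pass  = ['type' => 'pass', 'interface' => 'wan', 'source' => ['address' => '203.0.113.10']];
$block_last  = ['filter' => ['rule' => [$pass, $block]]];
$block_first = ['filter' => ['rule' => [$block, $pass]]];

foreach (['block rule last' => $block_last, 'block rule first' => $block_first] as $label => $cfg) {
    printf("%-17s buggy=%s fixed=%s\n", $label,
        var_export(block_rule_exists_buggy($cfg), true),
        var_export(block_rule_exists_fixed($cfg), true));
}
```

Run it with the PHP CLI: the buggy variant finds the block rule only when it is the final entry in the table, which is why moving it to the top led to a new rule being created.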



  • As always Jim, thank you!!

    I manually added the changes into my box and it's working correctly.
    Side note: after the March 3rd snapshots, I'm a little scared to update to them; packages didn't auto re-install, and lcdproc would hang on startup until I manually restarted that service. May do gitsync later tonight and see what happens to the RC1 IPv6 snapshot I'm currently using...

    Stephen



  • Thank You jimp

