2.0 - 63 character description maximum causes filter rule error
-
So, like everyone else in the world (I'm assuming), I was super-excited when 2.0 RC1 finally dropped. I proceeded to upgrade my employer's firewalls. The basic "research network" firewall upgraded without issues. I thought our primary firewall updated fine as well, as I was able to ping our other regions and access resources over the IPSec tunnels.
Turns out, I didn't think to do such a simple test as "ping google" (hello implementation/verification plans…). Our production firewall had 0 states in the state table, yet the IPSec tunnels worked, LAN communication worked. The basic issue here was that the firewall simply was not forwarding packets from the LAN out the WAN interface to the Internet. You could access the firewall from the Internet, and you could access it from the LAN, but no forwarding was occurring. I troubleshooted the issue as best I could in the early morning hours. The firewall rules looked fine, there wasn't anything silly set like "block private networks", etc. I had to do what any sane person would do and restore the firewall back to 1.2.3 (luckily I saved the config).
Fast forward to tonight. I thought it was worth another shot to figure out what was wrong, or at the very least gather enough information to make an informed post on this forum. The same issue occured, after the upgrade the firewall was not forwarding packets. I even used the auto-updater to get the latest RC1 build. No dice. I then proceeded to review all the advanced settings and try to figure out where this was going wrong.
Turns out, the filter rules weren't being loaded. Somehow, in one of my IPSec connections, I had a description that was longer than 63 characters. The actual string didn't look that long, so it must had some junk characters in there somehow. Once I removed that description from the rule in question, the firewall began populating the state table and Internet connectivity was restored. I couldn't be happier. Now I can really start playing with the new 2.0 features.
Just thought I'd give a heads up to everyone on here that a single misconfigured rule can wreck enough havoc with your state table to break the entire thing.
-
On most rules that description is chopped off at the proper length, I'm not sure how that one slipped by. It would have been interesting to see what the /tmp/rules.debug line that failed looked like.