Rules ignored when gateway set other than default?
wan1 on nic1 static ip (default), wan2 on nic2 static ip
routing group pool1=wan1+wan2 failover
vlan1 on nic3, vlan2 on nic3
captive portal on vlan1
rules on vlan1:
1. allow src:vlan1.net -> dest:vlan2.host1 gw:* port:21
2. allow src:vlan1.net -> dest:any gw:pool1 port:alias1(=80,443)
If the last rule (2.) sets a gateway other than default, ANY traffic
from vlan1 is passed to anywhere on any port!
I can, for example, RDP to host_x on any net even if RDP is not allowed anywhere on vlan1.
The rule that triggered this action is:
@348 pass in log quick on em0_vlan1 inet proto tcp from vlan1-network/24 to <negate_networks:18>flags S/SA keep state label "NEGATE_ROUTE: Negate policy routing for destination"
I don't understand this, this has nothing to do with deny everything which isn't explicitly allowed.
Any clarification appreciated.
ok, found this:
so is this considered a bug?
cmb last edited by
It should be shown to the user, and probably not as permissive as it is in that particular instance.
2.1 has an option under System>Advanced to disable negate rules entirely. Or you can just comment that line out in /etc/inc/filter.inc to accomplish the same, then when you upgrade to 2.1 when it's out just make sure you check that box.
Thanks for that.
But will disabling negate rules in 2.1 mean you can't specify gateways/gw-groups anymore?
Maybe I just don't really get the route negation thing… I only found
Shouldn't specifying a gateway leave rules intact? What exactly gets "negated" when a gateway is defined in a rule? If it's just greyed out on creation, it would mean that someone has to add block rules before the (final) gateway rule, right? Maybe someone can help me out with that.
Some draft example, let's say for a wlan-zone:
1. allow to virus-update in dmz1, default gw
2. allow to mailservices in dmz2, default gw
3. allow rdp to some machines in zone_x
(!)4. disallow everything to all zones (maybe alias for dmz1,dmz2,zone_x)
5. allow standard web-service ports to anywhere using defined gateway/gw-group
(greyed out in 2.1?)6. this route negation stuff rule allowing everything ;-)
Does it have to look like this when defining a gateway in a rule?
cmb last edited by
It negates policy routing; you just have to add your own rules if you remove it, so as not to force traffic out to a wrong gateway.
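To make the first-match behaviour concrete, here is an added Python model (not pfSense code, and not from either poster) of the vlan1 ruleset from the first post: pf evaluates these rules as "quick", so the auto-inserted NEGATE_ROUTE pass rule placed ahead of the gateway rule matches any port to any directly attached network, while an admin block rule placed before it, or disabling negate rules, closes that path. The addresses, host1's IP, the rule labels and the TCP-only simplification are constructed assumptions.

```python
from __future__ import annotations
import ipaddress
from dataclasses import dataclass

@dataclass
class Rule:
    action: str            # "pass" or "block"
    src: str               # source network (CIDR)
    dst: list              # destination networks (CIDR); ["0.0.0.0/0"] = any
    ports: tuple | None    # TCP destination ports; None = any port
    gw: str = "default"    # gateway / gateway group the rule routes to
    label: str = ""

# Constructed addressing for the thread's topology (not from the post).
VLAN1, VLAN2 = "192.168.1.0/24", "192.168.2.0/24"
WAN1, WAN2 = "203.0.113.0/24", "198.51.100.0/24"
HOST1 = "192.168.2.10/32"
# pfSense's <negate_networks> table holds every directly attached network.
NEGATE_NETWORKS = [VLAN1, VLAN2, WAN1, WAN2]

def vlan1_ruleset(negate_rules: bool, explicit_block: bool) -> list[Rule]:
    """Build the vlan1 ruleset in the order pf evaluates it (all rules are 'quick')."""
    rules = [Rule("pass", VLAN1, [HOST1], (21,), "default", "rule 1: ftp to host1")]
    if explicit_block:
        # cmb's advice: add your own rule ahead of the gateway rule.
        rules.append(Rule("block", VLAN1, NEGATE_NETWORKS, None, "default", "admin block to local nets"))
    if negate_rules:
        # Auto-inserted by filter.inc right before any rule with a non-default gateway;
        # it carries no port restriction, which is what the original poster ran into.
        rules.append(Rule("pass", VLAN1, NEGATE_NETWORKS, None, "default", "NEGATE_ROUTE"))
    rules.append(Rule("pass", VLAN1, ["0.0.0.0/0"], (80, 443), "pool1", "rule 2: web via pool1"))
    return rules

def evaluate(rules: list[Rule], src_ip: str, dst_ip: str, dport: int) -> tuple[str, str | None, str]:
    """First matching rule wins; anything unmatched hits the implicit default deny."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for r in rules:
        if src not in ipaddress.ip_network(r.src):
            continue
        if not any(dst in ipaddress.ip_network(n) for n in r.dst):
            continue
        if r.ports is not None and dport not in r.ports:
            continue
        return r.action, r.gw, r.label
    return "block", None, "implicit default deny"

if __name__ == "__main__":
    # RDP from a vlan1 host to a vlan2 host that no rule explicitly allows.
    for negate, blk in ((True, False), (False, False), (True, True)):
        rs = vlan1_ruleset(negate, blk)
        print(f"negate={negate} block={blk}:", evaluate(rs, "192.168.1.50", "192.168.2.20", 3389))
```

The last case also shows why cmb says to add your own rules: without the negate rule and without a block, web traffic to a local host matches rule 2 and is policy-routed out pool1.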