New Install - Reboot to activate the rules?



  • All,

    A little new to pfSense, however not to routing/switching/firewalling etc.

    To build a router/firewall on a new vSphere5/ESXi platform we deployed pfSense with 6 interfaces: 2 external, 4 internal. The secondary external interface is disabled as we speak. The issue occurs with fault tolerance enabled and disabled.

    When changing any of the firewall rules they don't take effect until the system is rebooted. I read another message that it's due to a broken package. I have only 2 installed:

    • Open-VM-Tools 8.7.0.3046 (build-313025)
    • OpenVPN Client Export Utility 1.0.1

    I checked the non-reloading with "pfctl -sr | grep ssh" as I simply toggled the logging on the rule. It doesn't change.
    Also any other rule changes require a reboot to activate.

    The alternative is to go back to Linux with Shorewall… but I'd rather run pfSense.

    Detailed info on the platform:
    *** Welcome to pfSense 2.0.2-RELEASE-pfSense (amd64) on <<removed>> ***

    PUBLICUPLINK (wan)        -> em0        -> 192.168.124.97
    MGMT (lan)                -> em4        -> 192.168.125.129
    PRIVATEVM (opt1)          -> em2        -> 192.168.126.1
    PUBLICVM (opt2)           -> em3        -> 192.168.127.1
    PRIVATEUPLINK (opt3)      -> em1        -> NONE
    HA (opt4)                 -> em5        -> NONE

    If this is indeed due to a broken package, what would be the way to verify this?

    Thx in advance,
    Stijn
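    One way to check whether a filter reload actually reached pf, as an added example that is not part of the original post: compare the rule labels pf has loaded (the output of "pfctl -sr") with the labels in the ruleset pfSense generated for the last reload (/tmp/rules.debug, which pfSense feeds to "pfctl -f"). It catches rules that were added or removed but never applied; an attribute change on an existing rule, such as toggling "log", keeps its label and still has to be checked by grepping that rule as above. The sample rulesets inside demo() are constructed.

    ```shell
    #!/bin/sh
    # Added example, not from the thread. Assumes pfSense writes the generated
    # ruleset to /tmp/rules.debug and that every rule carries a label "..."
    # (both true on pfSense 2.0.x). Usage on the firewall:
    #   pfctl -sr > /tmp/loaded.rules && sh check_reload.sh /tmp/rules.debug /tmp/loaded.rules
    # Any label printed is a generated rule that pf is not enforcing.

    # Print the label strings of a ruleset read from stdin, one per line, sorted.
    rule_labels() {
        sed -n 's/.*label "\([^"]*\)".*/\1/p' | sort -u
    }

    # Print labels present in the generated ruleset ($1) but absent from the
    # loaded ruleset ($2). Empty output means every generated rule is live.
    unapplied_rules() {
        loaded=$(rule_labels < "$2")
        rule_labels < "$1" | while IFS= read -r lbl; do
            printf '%s\n' "$loaded" | grep -qxF -- "$lbl" || printf '%s\n' "$lbl"
        done
    }

    # Stand-alone demo on constructed rulesets: the generated file has a Puppet
    # rule that the live ruleset lacks, so that label is reported.
    demo() {
        gen=$(mktemp) && live=$(mktemp)
        cat > "$gen" <<'EOF'
    pass in quick on em0 proto tcp from any to 192.168.124.97 port 22 label "USER_RULE: Allow SSH Inbound"
    pass in quick on em2 proto tcp from <internal_networks> to <cen_mgr> port 8140 label "USER_RULE: Allow Puppet"
    EOF
        cat > "$live" <<'EOF'
    pass in quick on em0 inet proto tcp from any to 192.168.124.97 port = ssh flags S/SA keep state label "USER_RULE: Allow SSH Inbound"
    EOF
        unapplied_rules "$gen" "$live"
        rm -f "$gen" "$live"
    }

    if [ "$#" -eq 2 ]; then
        unapplied_rules "$1" "$2"
    elif [ "${1:-}" = "--demo" ]; then
        demo
    fi
    ```
    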



  • hi,

    what kind of rules are you having issues with? pass/reject/block?

    have you reset states?
    I've never had this issue before and I run a couple on ESXi



  • I would say nearly nothing. See below; as the entire setup is still being built there is nothing advanced in there. As it's not a known issue I'll probably do a re-install, but instead of the OVA do it with an ISO install.

    scrub on em0 all fragment reassemble
    scrub on em4 all fragment reassemble
    scrub on em2 all fragment reassemble
    scrub on em3 all fragment reassemble
    anchor "relayd/" all
    block drop in log all label "Default deny rule"
    block drop out log all label "Default deny rule"
    block drop in quick inet6 all
    block drop out quick inet6 all
    block drop quick proto tcp from any port = 0 to any
    block drop quick proto tcp from any to any port = 0
    block drop quick proto udp from any port = 0 to any
    block drop quick proto udp from any to any port = 0
    block drop quick from <snort2c> to any label "Block snort2c hosts"
    block drop quick from any to <snort2c> label "Block snort2c hosts"
    block drop in log quick proto tcp from <sshlockout> to any port = ssh label "sshlockout"
    block drop in log quick proto tcp from <webconfiguratorlockout> to any port = https label "webConfiguratorlockout"
    block drop in quick from <virusprot> to any label "virusprot overload table"
    block drop in on ! em0 inet from 192.168.124.0/24 to any
    block drop in inet from 192.168.124.97 to any
    block drop in on ! em4 inet from 192.168.125.128/25 to any
    block drop in inet from 192.168.125.129 to any
    block drop in on em0 inet6 from fe80::250:56ff:febd:7675 to any
    block drop in on em4 inet6 from fe80::250:56ff:febd:230c to any
    pass in quick on em4 inet proto udp from any port = bootpc to 255.255.255.255 port = bootps keep state label "allow access to DHCP server"
    pass in quick on em4 inet proto udp from any port = bootpc to 192.168.125.129 port = bootps keep state label "allow access to DHCP server"
    pass out quick on em4 inet proto udp from 192.168.125.129 port = bootps to any port = bootpc keep state label "allow access to DHCP server"
    block drop in on ! em2 inet from 192.168.126.0/24 to any
    block drop in inet from 192.168.126.1 to any
    block drop in on ! em3 inet from 192.168.127.0/24 to any
    block drop in inet from 192.168.127.1 to any
    block drop in on em2 inet6 from fe80::250:56ff:febd:1df9 to any
    block drop in on em3 inet6 from fe80::250:56ff:febd:2742 to any
    pass in on lo0 all flags S/SA keep state label "pass loopback"
    pass out on lo0 all flags S/SA keep state label "pass loopback"
    pass out all flags S/SA keep state allow-opts label "let out anything from firewall host itself"
    pass out route-to (em0 192.168.124.254) inet from 192.168.124.97 to ! 192.168.124.0/24 flags S/SA keep state allow-opts label "let out anything from firewall host itself"
    pass in quick on em4 proto tcp from any to (em4) port = https flags S/SA keep state label "anti-lockout rule"
    pass in quick on em4 proto tcp from any to (em4) port = http flags S/SA keep state label "anti-lockout rule"
    pass in quick on em4 proto tcp from any to (em4) port = ssh flags S/SA keep state label "anti-lockout rule"
    anchor "userrules/" all
    pass in on em4 inet proto icmp from <internal_networks> to <sia01_ips> keep state label "USER_RULE"
    pass in on em2 inet proto icmp from <internal_networks> to <sia01_ips> keep state label "USER_RULE"
    pass in on em3 inet proto icmp from <internal_networks> to <sia01_ips> keep state label "USER_RULE"
    pass in on openvpn inet proto icmp from <internal_networks> to <sia01_ips> keep state label "USER_RULE"
    pass in log quick on em0 inet proto tcp from 192.168.124.0/24 to 192.168.124.97 port = ssh flags S/SA keep state label "USER_RULE: Allow SSH Inbound"
    pass in quick on em0 inet proto tcp from any to 192.168.124.97 port = https flags S/SA keep state label "USER_RULE: Allow OpenVPN IN"
    pass in quick on em4 inet from 192.168.125.128/25 to any flags S/SA keep state label "USER_RULE: Default allow LAN to any rule"
    pass in quick on openvpn all flags S/SA keep state label "USER_RULE: Allow all VPN traffic for now "
    pass in quick on em2 proto tcp from <internal_networks> to <dns_servers> port = domain flags S/SA keep state label "USER_RULE: Allow DNS Traffic"
    pass in quick on em2 proto udp from <internal_networks> to <dns_servers> port = domain keep state label "USER_RULE: Allow DNS Traffic"
    pass in quick on em2 proto tcp from <internal_networks> to <cen_mgr> port = 8140 flags S/SA keep state label "USER_RULE: Allow Puppet"
    pass in quick on em2 proto tcp from <internal_networks> to <dns_servers> port = https flags S/SA keep state label "USER_RULE: Allow HTTPS"
    pass in quick on em2 proto tcp from <internal_networks> to <cen_mgr> port = https flags S/SA keep state label "USER_RULE: Allow HTTPS"
    pass in log quick on em2 proto tcp from <dns_servers> to any port = domain flags S/SA keep state label "USER_RULE: Allow DNS outbound"
    pass in log quick on em2 proto udp from <dns_servers> to any port = domain keep state label "USER_RULE: Allow DNS outbound"
    pass in log quick on em2 inet from 192.168.126.0/24 to any flags S/SA keep state label "USER_RULE"
    pass in log quick on em2 inet proto icmp from 192.168.126.0/24 to any keep state label "USER_RULE"
    anchor "tftp-proxy/*" all



  • Just did a re-install from ISO instead of OVA now the rules apply.

    Not sure what the issue is but resolved.


  • Rebel Alliance Developer Netgate

    Usually it's a package that causes that, but if it happens again, watch Status > Filter Reload and see where it's getting stuck.



  • Hi Jlmp,

    I read that in another post, but the strange thing was it showed the reload was successful. However, on the console "pfctl -sr" didn't reflect that and old rules were still present.

    Stijn


Locked