Netgate Discussion Forum
    New Install - Reboot to activate the rules?

    Firewalling
    sjcjonker:

      All,

      A little new to pfSense, however not to routing/switching/firewalling etc.

      To build a router/firewall on a new vSphere5/ESXi platform we deployed pfSense with 6 interfaces: 2 external, 4 internal. The secondary external interface is disabled as we speak. The issue occurs with fault tolerance enabled and disabled.

      When changing any of the firewall rules they don't take effect until the system is rebooted. I read in another message that it's due to a broken package. I have only 2 installed:

      • Open-VM-Tools 8.7.0.3046 (build-313025)
      • OpenVPN Client Export Utility 1.0.1

      I checked the non-reloading with "pfctl -sr | grep ssh" as I simply toggled the logging on the rule. It doesn't change.
      Also any other rule changes require a reboot to activate.

      The alternative is to go back to Linux with Shorewall... but I'd rather run pfSense.

      Detailed info on the platform:
      *** Welcome to pfSense 2.0.2-RELEASE-pfSense (amd64) on <<removed>> ***

        PUBLICUPLINK (wan)        -> em0        -> 192.168.124.97
        MGMT (lan)                -> em4        -> 192.168.125.129
        PRIVATEVM (opt1)          -> em2        -> 192.168.126.1
        PUBLICVM (opt2)           -> em3        -> 192.168.127.1
        PRIVATEUPLINK (opt3)      -> em1        -> NONE
        HA (opt4)                 -> em5        -> NONE

      If this is indeed due to a broken package, what would be the way to verify this?

      Thx in advance,
      Stijn

        heper:

        Hi,

        What kind of rules are you having issues with? pass/reject/block?

        Have you reset states?
        I've never had this issue before and I run a couple on ESXi.

          sjcjonker:

          I would say nearly nothing. See below; as the entire setup is still being built there is nothing advanced in there. As it's not a known issue I'll probably do a re-install, but instead of the OVA do it with an ISO install.

          scrub on em0 all fragment reassemble
          scrub on em4 all fragment reassemble
          scrub on em2 all fragment reassemble
          scrub on em3 all fragment reassemble
          anchor "relayd/" all
          block drop in log all label "Default deny rule"
          block drop out log all label "Default deny rule"
          block drop in quick inet6 all
          block drop out quick inet6 all
          block drop quick proto tcp from any port = 0 to any
          block drop quick proto tcp from any to any port = 0
          block drop quick proto udp from any port = 0 to any
          block drop quick proto udp from any to any port = 0
          block drop quick from <snort2c> to any label "Block snort2c hosts"
          block drop quick from any to <snort2c> label "Block snort2c hosts"
          block drop in log quick proto tcp from <sshlockout> to any port = ssh label "sshlockout"
          block drop in log quick proto tcp from <webconfiguratorlockout> to any port = https label "webConfiguratorlockout"
          block drop in quick from <virusprot> to any label "virusprot overload table"
          block drop in on ! em0 inet from 192.168.124.0/24 to any
          block drop in inet from 192.168.124.97 to any
          block drop in on ! em4 inet from 192.168.125.128/25 to any
          block drop in inet from 192.168.125.129 to any
          block drop in on em0 inet6 from fe80::250:56ff:febd:7675 to any
          block drop in on em4 inet6 from fe80::250:56ff:febd:230c to any
          pass in quick on em4 inet proto udp from any port = bootpc to 255.255.255.255 port = bootps keep state label "allow access to DHCP server"
          pass in quick on em4 inet proto udp from any port = bootpc to 192.168.125.129 port = bootps keep state label "allow access to DHCP server"
          pass out quick on em4 inet proto udp from 192.168.125.129 port = bootps to any port = bootpc keep state label "allow access to DHCP server"
          block drop in on ! em2 inet from 192.168.126.0/24 to any
          block drop in inet from 192.168.126.1 to any
          block drop in on ! em3 inet from 192.168.127.0/24 to any
          block drop in inet from 192.168.127.1 to any
          block drop in on em2 inet6 from fe80::250:56ff:febd:1df9 to any
          block drop in on em3 inet6 from fe80::250:56ff:febd:2742 to any
          pass in on lo0 all flags S/SA keep state label "pass loopback"
          pass out on lo0 all flags S/SA keep state label "pass loopback"
          pass out all flags S/SA keep state allow-opts label "let out anything from firewall host itself"
          pass out route-to (em0 192.168.124.254) inet from 192.168.124.97 to ! 192.168.124.0/24 flags S/SA keep state allow-opts label "let out anything from firewall host itself"
          pass in quick on em4 proto tcp from any to (em4) port = https flags S/SA keep state label "anti-lockout rule"
          pass in quick on em4 proto tcp from any to (em4) port = http flags S/SA keep state label "anti-lockout rule"
          pass in quick on em4 proto tcp from any to (em4) port = ssh flags S/SA keep state label "anti-lockout rule"
          anchor "userrules/*" all
          pass in on em4 inet proto icmp from <internal_networks> to <sia01_ips> keep state label "USER_RULE"
          pass in on em2 inet proto icmp from <internal_networks> to <sia01_ips> keep state label "USER_RULE"
          pass in on em3 inet proto icmp from <internal_networks> to <sia01_ips> keep state label "USER_RULE"
          pass in on openvpn inet proto icmp from <internal_networks> to <sia01_ips> keep state label "USER_RULE"
          pass in log quick on em0 inet proto tcp from 192.168.124.0/24 to 192.168.124.97 port = ssh flags S/SA keep state label "USER_RULE: Allow SSH Inbound"
          pass in quick on em0 inet proto tcp from any to 192.168.124.97 port = https flags S/SA keep state label "USER_RULE: Allow OpenVPN IN"
          pass in quick on em4 inet from 192.168.125.128/25 to any flags S/SA keep state label "USER_RULE: Default allow LAN to any rule"
          pass in quick on openvpn all flags S/SA keep state label "USER_RULE: Allow all VPN traffic for now "
          pass in quick on em2 proto tcp from <internal_networks> to <dns_servers> port = domain flags S/SA keep state label "USER_RULE: Allow DNS Traffic"
          pass in quick on em2 proto udp from <internal_networks> to <dns_servers> port = domain keep state label "USER_RULE: Allow DNS Traffic"
          pass in quick on em2 proto tcp from <internal_networks> to <cen_mgr> port = 8140 flags S/SA keep state label "USER_RULE: Allow Puppet"
          pass in quick on em2 proto tcp from <internal_networks> to <dns_servers> port = https flags S/SA keep state label "USER_RULE: Allow HTTPS"
          pass in quick on em2 proto tcp from <internal_networks> to <cen_mgr> port = https flags S/SA keep state label "USER_RULE: Allow HTTPS"
          pass in log quick on em2 proto tcp from <dns_servers> to any port = domain flags S/SA keep state label "USER_RULE: Allow DNS outbound"
          pass in log quick on em2 proto udp from <dns_servers> to any port = domain keep state label "USER_RULE: Allow DNS outbound"
          pass in log quick on em2 inet from 192.168.126.0/24 to any flags S/SA keep state label "USER_RULE"
          pass in log quick on em2 inet proto icmp from 192.168.126.0/24 to any keep state label "USER_RULE"
          anchor "tftp-proxy/*" all

            sjcjonker:

            Just did a re-install from ISO instead of OVA; now the rules apply.

            Not sure what the issue is but resolved.

              jimp (Netgate developer):

              Usually it's a package that causes that, but if it happens again, watch Status > Filter Reload and see where it's getting stuck.

                sjcjonker:

                Hi jimp,

                I read that in another post, but the strange thing was it showed the reload was successful. However, on the console "pfctl -sr" didn't reflect that and old rules were still present.

                Stijn

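The check the poster did by hand ("pfctl -sr | grep ssh" before and after toggling a rule) and the "did the reload actually land" question jimp points at, written up as a small script. This is an added example, not code from the thread or from pfSense itself. It assumes what pfSense 2.x does on a filter reload: the generated ruleset is written to /tmp/rules.debug and loaded with "pfctl -f /tmp/rules.debug", "pfctl -sr" prints the ruleset pf is really running, "pfctl -nf FILE" parses a ruleset without loading it, and /etc/rc.filter_configure triggers a reload from the shell. The two "pfctl -sr" snapshots and the rules.debug excerpt below are constructed from the rules posted above so the script runs offline; on a real box the last section uses the live files instead.

```shell
#!/bin/sh
# Added example (not from the thread or from pfSense): verify that a filter
# reload changed the ruleset pf is running, instead of trusting the GUI's
# "reload successful". Snapshots are constructed so this runs offline.

# Constructed snapshot of "pfctl -sr" before "Log" was ticked on the SSH rule.
BEFORE='pass in quick on em0 inet proto tcp from 192.168.124.0/24 to 192.168.124.97 port = ssh flags S/SA keep state label "USER_RULE: Allow SSH Inbound"
pass in quick on em4 inet from 192.168.125.128/25 to any flags S/SA keep state label "USER_RULE: Default allow LAN to any rule"'

# Constructed snapshot of what "pfctl -sr" should show once the change is live.
AFTER='pass in log quick on em0 inet proto tcp from 192.168.124.0/24 to 192.168.124.97 port = ssh flags S/SA keep state label "USER_RULE: Allow SSH Inbound"
pass in quick on em4 inet from 192.168.125.128/25 to any flags S/SA keep state label "USER_RULE: Default allow LAN to any rule"'

# Constructed excerpt in the style of /tmp/rules.debug (interface macros rather
# than device names); only the label "..." token matters to the checks below.
GENERATED='pass in log quick on $WAN inet proto tcp from 192.168.124.0/24 to 192.168.124.97 port = ssh flags S/SA keep state label "USER_RULE: Allow SSH Inbound"
pass in quick on $WAN inet proto tcp from any to 192.168.124.97 port = https flags S/SA keep state label "USER_RULE: Allow OpenVPN IN"
pass in quick on $LAN inet from 192.168.125.128/25 to any flags S/SA keep state label "USER_RULE: Default allow LAN to any rule"'

# rule_by_label RULESET LABEL: print the rule(s) carrying exactly LABEL.
rule_by_label() {
    printf '%s\n' "$1" | grep -F "label \"$2\""
}

# rule_logs RULESET LABEL: exit 0 if the labelled rule has the "log" keyword.
# The label text is stripped first so a label containing "log" cannot match.
rule_logs() {
    rule_by_label "$1" "$2" | sed 's/ label ".*//' | grep -q ' log '
}

# check_reload BEFORE AFTER LABEL: exit 0 if the labelled rule differs between
# the two snapshots, 1 if pf is still running the old rule after the reload.
check_reload() {
    before_rule=$(rule_by_label "$1" "$3" || true)
    after_rule=$(rule_by_label "$2" "$3" || true)
    if [ "$before_rule" = "$after_rule" ]; then
        echo "NOT APPLIED: '$3' is unchanged in the loaded ruleset"
        return 1
    fi
    echo "applied: '$3' changed in the loaded ruleset"
    return 0
}

# missing_labels GENERATED LOADED: print every label present in the generated
# ruleset but absent from the loaded one. Any output means the load failed or
# stopped part-way, whatever Status > Filter Reload reported.
missing_labels() {
    loaded=$(printf '%s\n' "$2" | sed -n 's/.*label "\([^"]*\)".*/\1/p' | sort -u)
    printf '%s\n' "$1" | sed -n 's/.*label "\([^"]*\)".*/\1/p' | sort -u |
    while IFS= read -r lbl; do
        [ -n "$lbl" ] || continue
        printf '%s\n' "$loaded" | grep -qxF -- "$lbl" || printf '%s\n' "$lbl"
    done
}

# Offline demonstration on the constructed snapshots.
LABEL='USER_RULE: Allow SSH Inbound'
check_reload "$BEFORE" "$AFTER" "$LABEL"
check_reload "$BEFORE" "$BEFORE" "$LABEL" || true
echo "Generated but not loaded (expect the OpenVPN rule):"
missing_labels "$GENERATED" "$BEFORE"

# Live use on pfSense: snapshot "pfctl -sr", make the change in the GUI (or run
# /etc/rc.filter_configure), then compare. Skipped when pfctl is absent.
if command -v pfctl >/dev/null 2>&1 && [ -r /tmp/rules.debug ]; then
    echo "Labels in /tmp/rules.debug that pf is not running:"
    missing_labels "$(cat /tmp/rules.debug)" "$(pfctl -sr)"
    echo "Syntax check of the generated ruleset (parse only, no load):"
    pfctl -nf /tmp/rules.debug || echo "pfctl rejected /tmp/rules.debug"
fi
```

Two different failures show up differently here: an edited rule that did not land (the poster's log toggle) only shows in the before/after comparison of the full rule text, while a rule added or removed in the GUI but never loaded shows up as a label present in /tmp/rules.debug and missing from "pfctl -sr". If "pfctl -nf" rejects the generated file, that is the point where the reload stops, which is what to look for on Status > Filter Reload.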