Netgate Discussion Forum

Error in system logs after enabling ipsec

IPsec
7 Posts 3 Posters 6.1k Views
    st4t1c (posted Feb 23, 2013, 12:07 PM; last edited Feb 23, 2013, 12:12 PM)

    hello,

    I'm kind of a newbie on pfSense and working my way toward configuring it to a state that protects my internal LAN…

    After a few days of leaving it in the default working state, I decided I should enable IPsec VPN so I could access my LAN remotely in a secure way. All worked brilliantly and I could access my LAN from my iPhone...
    After a few days I decided to restart the firewall and there was a yellow error message on my WebConfigurator...:

    [code]
    Feb 23 14:02:37 php: : There were error(s) loading the rules: /tmp/rules.debug:101: macro '' not defined /tmp/rules.debug:101: syntax error /tmp/rules.debug:102: macro '' not defined /tmp/rules.debug:103: macro '' not defined /tmp/rules.debug:104: macro '' not defined /tmp/rules.debug:105: macro '' not defined /tmp/rules.debug:106: macro '' not defined pfctl: Syntax error in config file: pf rules not loaded - The line in question reads [101]: pass out on $ proto udp from any to any port = 500 keep state label "IPsec: RemoteAccess - outbound isakmp"

    Feb 23 14:02:37 php: : New alert found: There were error(s) loading the rules: /tmp/rules.debug:101: macro '' not defined /tmp/rules.debug:101: syntax error /tmp/rules.debug:102: macro '' not defined /tmp/rules.debug:103: macro '' not defined /tmp/rules.debug:104: macro '' not defined /tmp/rules.debug:105: macro '' not defined /tmp/rules.debug:106: macro '' not defined pfctl: Syntax error in config file: pf rules not loaded The line in question reads [101]: pass out on $ proto udp from any to any port = 500 keep state label "IPsec: RemoteAccess - outbound isakmp"

    Feb 23 14:02:37 php: : The command '/sbin/pfctl -o basic -f /tmp/rules.debug' returned exit code '1', the output was '/tmp/rules.debug:101: macro '' not defined /tmp/rules.debug:101: syntax error /tmp/rules.debug:102: macro '' not defined /tmp/rules.debug:103: macro '' not defined /tmp/rules.debug:104: macro '' not defined /tmp/rules.debug:105: macro '' not defined /tmp/rules.debug:106: macro '' not defined pfctl: Syntax error in config file: pf rules not loaded'
    [/code]

    It definitely came up after configuring IPsec, since I tried reverting back to default and reconfiguring it again; it came up after a restart again… (although I think I noticed a few restarts where the error doesn't occur...)
    Everything seems to work fine, though I'd like to fix this issue but don't know how...:-(

    Anyone have any ideas?

    Edit: it definitely doesn't come up on every restart... I did one after I finished this post and the logs were clear...

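The error pfctl prints above, `macro '' not defined`, is its way of saying that a `$` in the ruleset has no macro name behind it (the broken line reads `pass out on $ proto udp ...`, where an interface macro such as `$WAN` was expected). The same check can be run on a copy of the file before pfctl gets to reject it. The script below is an added example written for this thread, not pfSense or pf code: it scans a pf ruleset for `$name` references that have no `NAME = ...` definition, reports them with the 1-based line numbers pfctl would print, and flags a bare `$` exactly as pfctl does. The sample ruleset inside it is constructed (only the shape of the broken rule is taken from the post), and `lint_macros`, `format_report` and `SAMPLE_RULESET` are the example's own names.

```python
"""Pre-flight lint for a pf ruleset: find macro references with no definition.

Added example for this thread, not pfSense or pf code. It reproduces the
check behind pfctl's "macro '' not defined" message so a generated
/tmp/rules.debug can be inspected before `pfctl -f` rejects it. The sample
ruleset below is constructed; only the broken rule shape comes from the post.
"""
import re
import sys

# A macro definition is NAME = value at the start of a line (value usually quoted).
MACRO_DEF = re.compile(r'^\s*([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*)$')
# A macro reference is '$' plus an identifier; a bare '$' leaves the name empty,
# which is exactly what pfctl reports as: macro '' not defined
MACRO_REF = re.compile(r'\$([A-Za-z_][A-Za-z0-9_]*)?')
# Quoted strings (rule labels) are skipped: this lint only looks at unquoted
# references, which is where the interface/alias macros live.
QUOTED = re.compile(r'"[^"]*"')


def bare(line):
    """Drop quoted strings and trailing comments before scanning a line."""
    return QUOTED.sub('""', line).split('#', 1)[0]


def lint_macros(ruleset):
    """Return [(lineno, name, message)] for every undefined macro reference.

    lineno is 1-based, matching the numbers pfctl prints. Definitions are
    collected in file order, so a macro used before its definition is reported
    too, as pfctl would.
    """
    defined = set()
    problems = []
    for lineno, raw in enumerate(ruleset.splitlines(), start=1):
        line = bare(raw)
        m = MACRO_DEF.match(line)
        # A definition's value may itself reference macros defined earlier.
        body = m.group(2) if m else line
        for ref in MACRO_REF.finditer(body):
            name = ref.group(1) or ''
            if name not in defined:
                problems.append((lineno, name, f"macro '{name}' not defined"))
        if m:
            defined.add(m.group(1))
    return problems


def format_report(path, problems):
    """Render problems the way pfctl does: path:line: message."""
    return [f"{path}:{lineno}: {msg}" for lineno, _, msg in problems]


# Constructed sample. Line 4 mirrors the thread's broken line 101 (the
# interface macro name is missing after '$'); line 5 names a macro that is
# never defined. Lines 1-3 are valid.
SAMPLE_RULESET = (
    'WAN = "{ pppoe0 }"\n'
    'LAN = "{ em1 }"\n'
    'pass in quick on $LAN proto tcp from any to (em1) port { 443 80 22 } '
    'keep state label "anti-lockout rule"\n'
    'pass out on $ proto udp from any to any port = 500 keep state '
    'label "IPsec: RemoteAccess - outbound isakmp"\n'
    'pass out on $OPT1 proto udp from any to any port = 4500 keep state label "nat-t"\n'
)


def main(argv):
    """Lint the rules file named on the command line, or the built-in sample."""
    if len(argv) > 1:
        path = argv[1]
        with open(path) as fh:
            ruleset = fh.read()
    else:
        path, ruleset = "/tmp/rules.debug", SAMPLE_RULESET
    report = format_report(path, lint_macros(ruleset))
    print("\n".join(report) if report else f"{path}: no undefined macros")
    return 1 if report else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it with no arguments to see the two findings for the constructed sample, or pass a saved copy of rules.debug to check a real file; the exit status is 1 whenever something is reported, so it can gate a scripted rule reload.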
      ChristianVirtual (last edited Mar 6, 2013, 1:52 PM)

      I have a similar error, on a different line, around line 118ff.

      I'm on 2.0.2; didn't see that under 2.0.1.

      First I had Snort installed and thought it's linked to it. But actually, even after Snort is gone, the error remains. I'm also a newbie on pfSense (6 months); like it a lot. But I do not yet understand that error. Any help would be much appreciated.

        jimp, Rebel Alliance Developer, Netgate (last edited Mar 11, 2013, 1:47 PM)

        Without seeing a copy of /tmp/rules.debug when it's broken, it's impossible to speculate about the cause of the problem.

        Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

        Need help fast? Netgate Global Support!

        Do not Chat/PM for help!

          ChristianVirtual (last edited Mar 11, 2013, 2:23 PM)

          Fair enough :-[ (classic newbie error on my side)

          Here is a copy from my file:

          [code]
          113:   # User-defined rules follow  
          114:  
          115:   anchor "userrules/*"
          116:   block  in  quick  on $WAN reply-to ( pppoe0 GGG.GGG.GGG.GGG )  from   $EasyRuleBlockHostsWAN to any  label "USER_RULE: Easy Rule: Blocked from Firewall Log View"
          117:   block  in log  quick  on $WAN reply-to ( pppoe0 GGG.GGG.GGG.GGG )  proto tcp  from any to PPP.PPP.PPP.PPP port 445   label "USER_RULE: Easy Rule: Block but not log MS ds"
          118:   pass  in log  quick  on $WAN reply-to ( pppoe0 GGG.GGG.GGG.GGG )  proto udp  from any port 500  to any keep state  label "USER_RULE: VPN Traffic"
          119:   pass  in log  quick  on $WAN reply-to ( pppoe0 GGG.GGG.GGG.GGG )  proto udp  from any port 4500  to any keep state  label "USER_RULE: VPN traffic"
          120:   pass  in log  quick  on $WAN reply-to ( pppoe0 GGG.GGG.GGG.GGG )  proto { tcp udp }  from   17.0.0.0/8 to PPP.PPP.PPP.PPP/32 keep state  label "USER_RULE: We trust Apple"
          121:   pass  in  quick  on $LAN  proto tcp  from LLL.LLL.LLL.LLL/24 to   MMM.MMM.MMM.MMM port 993  flags S/SA keep state  label "USER_RULE: Easy Rule: Passed from Firewall Log View"
          122:   pass  in  quick  on $LAN  proto tcp  from LLL.LLL.LLL.LLL/24 to   184.24.0.0/13 port 80  flags S/SA keep state  label "USER_RULE: Easy Rule: Passed from Firewall Log View Akamai Tech"
          123:   pass  in  quick  on $LAN  from LLL.LLL.LLL.LLL/24 to any keep state  label "USER_RULE: Default allow LAN to any rule"
          124:   pass  in  quick  on $LAN  proto tcp  from   HHH.HHH.HHH.HHH to LLL.LLL.LLL.LLL/24 flags S/SA keep state  label "USER_RULE: Easy Rule: Passed from Firewall Log View"
          125:   # returning at dst  == "/" label "USER_RULE: Management Network"
          126:   pass  in  quick  on $LAN  inet proto icmp  from LLL.LLL.LLL.LLL/24 to LLL.LLL.LLL.LLL/24 keep state  label "USER_RULE"
          127:   pass  in  quick  on $IPsec  from any to LLL.LLL.LLL.LLL/24 keep state  label "USER_RULE: VPN full access"
          128:   pass  in  quick  on $IPsec  proto tcp  from   VVV.VVV.VVV.VVV/24 to any flags S/SA keep state  label "USER_RULE: VPN Full support"
          [/code]

          I masked the valid IP addresses in the file:
          GGG.GGG.GGG.GGG my external gateway to WAN (from ISP)
          PPP.PPP.PPP.PPP my fixed external IP address (from ISP)
          LLL.LLL.LLL.LLL my local LAN
          HHH.HHH.HHH.HHH my pfSense host IP in the local LAN
          VVV.VVV.VVV.VVV my IPsec virtual LAN

          Thanks in advance for your help …

            jimp, Rebel Alliance Developer, Netgate (last edited Mar 11, 2013, 2:40 PM)

            Are you sure that is when it was broken?

            And we need the full file, not just that section. Masking is OK, just include the entire file when doing so, along with the exact error/notice you received at the time.

              ChristianVirtual (last edited Mar 11, 2013, 3:41 PM)

              Now I really need to ask a rookie question: in which log file is the error message from the front page stored? I would like to get you the exact text. The numbers in the error message don't fit the /tmp/rules.debug file; funny enough.

              Seems I can easily reproduce it by just restarting my pfSense VM to get the message back.

              [code]
              set limit tables 3000
              set optimization conservative
              set timeout { udp.first 300, udp.single 150, udp.multiple 900 }
              set limit states 195000
              set limit src-nodes 195000

              #System aliases

              loopback = "{ lo0 }"
              WAN = "{ pppoe0 }"
              LAN = "{ em1 }"
              IPsec = "{ enc0 }"

              #SSH Lockout Table
              table <sshlockout> persist
              table <webconfiguratorlockout> persist
              #Snort tables
              table <snort2c>
              table <virusprot>
              # User Aliases
              table <easyruleblockhostswan> {   118.96.244.163/32 }
              EasyRuleBlockHostsWAN = "<easyruleblockhostswan>"

              # Gateways
              GWManagement = " route-to ( em0 HHH.HHH.HHH.HHH ) "
              GWGW_WAN = " route-to ( pppoe0 GGG.GGG.GGG.GGG ) "

              set loginterface em1

              set skip on pfsync0

              scrub on $WAN all    fragment reassemble
              scrub on $LAN all    fragment reassemble

              no nat proto carp
              no rdr proto carp
              nat-anchor "natearly/*"
              nat-anchor "natrules/*"

              # Outbound NAT rules

              # Subnets to NAT
              tonatsubnets	= "{ QQQ.QQQ.QQQ.QQQ/24 LLL.LLL.LLL.LLL/24 AAA.AAA.AAA.AAA/24 127.0.0.0/8  }"
              nat on $WAN  from $tonatsubnets port 500 to any port 500 -> PPP.PPP.PPP.PPP/32 port 500
              nat on $WAN  from $tonatsubnets to any -> PPP.PPP.PPP.PPP/32 port 1024:65535

              # Load balancing anchor
              rdr-anchor "relayd/*"
              # TFTP proxy
              rdr-anchor "tftp-proxy/*"
              table <negate_networks> { PPP.PPP.PPP.PPP/32 LLL.LLL.LLL.LLL/24 QQQ.QQQ.QQQ.QQQ/24 }
              # UPnPd rdr anchor
              rdr-anchor "miniupnpd"

              anchor "relayd/*"
              #---------------------------------------------------------------------------
              # default deny rules
              #---------------------------------------------------------------------------
              block in log all label "Default deny rule"
              block out log all label "Default deny rule"

              # We use the mighty pf, we cannot be fooled.
              block quick proto { tcp, udp } from any port = 0 to any
              block quick proto { tcp, udp } from any to any port = 0

              # Block all IPv6
              block in quick inet6 all
              block out quick inet6 all

              # Snort package
              block quick from <snort2c> to any label "Block snort2c hosts"
              block quick from any to <snort2c> label "Block snort2c hosts"

              # SSH lockout
              block in log quick proto tcp from <sshlockout> to any port 22 label "sshlockout"

              # webConfigurator lockout
              block in log quick proto tcp from <webconfiguratorlockout> to any port 443 label "webConfiguratorlockout"
              block in quick from <virusprot> to any label "virusprot overload table"
              table <bogons> persist file "/etc/bogons"
              # block bogon networks
              # http://www.cymru.com/Documents/bogon-bn-nonagg.txt
              block in log quick on $WAN from <bogons> to any label "block bogon networks from WAN"
              antispoof for pppoe0
              # block anything from private networks on interfaces with the option set
              antispoof for $WAN
              block in log quick on $WAN from 10.0.0.0/8 to any label "block private networks from wan block 10/8"
              block in log quick on $WAN from 127.0.0.0/8 to any label "block private networks from wan block 127/8"
              block in log quick on $WAN from 172.16.0.0/12 to any label "block private networks from wan block 172.16/12"
              block in log quick on $WAN from 192.168.0.0/16 to any label "block private networks from wan block 192.168/16"
              antispoof for em1
              # allow access to DHCP server on LAN
              pass in quick on $LAN proto udp from any port = 68 to 255.255.255.255 port = 67 label "allow access to DHCP server"
              pass in quick on $LAN proto udp from any port = 68 to HHH.HHH.HHH.HHH port = 67 label "allow access to DHCP server"
              pass out quick on $LAN proto udp from HHH.HHH.HHH.HHH port = 67 to any port = 68 label "allow access to DHCP server"

              # loopback
              pass in on $loopback all label "pass loopback"
              pass out on $loopback all label "pass loopback"
              # let out anything from the firewall host itself and decrypted IPsec traffic
              pass out all keep state allow-opts label "let out anything from firewall host itself"
              pass out route-to ( pppoe0 GGG.GGG.GGG.GGG ) from PPP.PPP.PPP.PPP to !PPP.PPP.PPP.PPP/32 keep state allow-opts label "let out anything from firewall host itself"
              pass out on $IPsec all keep state label "IPsec internal host to host"
              # make sure the user cannot lock himself out of the webConfigurator or SSH
              pass in quick on em1 proto tcp from any to (em1) port { 443 80 22 } keep state label "anti-lockout rule"

              # User-defined rules follow

              anchor "userrules/*"
              block  in  quick  on $WAN reply-to ( pppoe0 GGG.GGG.GGG.GGG )  from   $EasyRuleBlockHostsWAN to any  label "USER_RULE: Easy Rule: Blocked from Firewall Log View"
              block  in log  quick  on $WAN reply-to ( pppoe0 GGG.GGG.GGG.GGG )  proto tcp  from any to PPP.PPP.PPP.PPP port 445   label "USER_RULE: Easy Rule: Block but not log MS ds"
              pass  in log  quick  on $WAN reply-to ( pppoe0 GGG.GGG.GGG.GGG )  proto udp  from any port 500  to any keep state  label "USER_RULE: VPN Traffic"
              pass  in log  quick  on $WAN reply-to ( pppoe0 GGG.GGG.GGG.GGG )  proto udp  from any port 4500  to any keep state  label "USER_RULE: VPN traffic"
              pass  in log  quick  on $WAN reply-to ( pppoe0 GGG.GGG.GGG.GGG )  proto { tcp udp }  from   17.0.0.0/8 to PPP.PPP.PPP.PPP/32 keep state  label "USER_RULE: We trust Apple"
              pass  in  quick  on $LAN  proto tcp  from LLL.LLL.LLL.LLL/24 to   MMM.MMM.MMM.MMM port 993  flags S/SA keep state  label "USER_RULE: Easy Rule: Passed from Firewall Log View"
              pass  in  quick  on $LAN  proto tcp  from LLL.LLL.LLL.LLL/24 to   184.24.0.0/13 port 80  flags S/SA keep state  label "USER_RULE: Easy Rule: Passed from Firewall Log View Akamai Tech"
              pass  in  quick  on $LAN  from LLL.LLL.LLL.LLL/24 to any keep state  label "USER_RULE: Default allow LAN to any rule"
              pass  in  quick  on $LAN  proto tcp  from   HHH.HHH.HHH.HHH to LLL.LLL.LLL.LLL/24 flags S/SA keep state  label "USER_RULE: Easy Rule: Passed from Firewall Log View"
              # returning at dst  == "/" label "USER_RULE: Management Network"
              pass  in  quick  on $LAN  inet proto icmp  from LLL.LLL.LLL.LLL/24 to LLL.LLL.LLL.LLL/24 keep state  label "USER_RULE"
              pass  in  quick  on $IPsec  from any to LLL.LLL.LLL.LLL/24 keep state  label "USER_RULE: VPN full access"
              pass  in  quick  on $IPsec  proto tcp  from   VVV.VVV.VVV.VVV/24 to any flags S/SA keep state  label "USER_RULE: VPN Full support"

              # VPN Rules
              pass out on $WAN  route-to ( pppoe0 GGG.GGG.GGG.GGG )  proto udp from any to  any  port = 500 keep state label "IPsec: iDevice - outbound isakmp"
              pass in on $WAN  reply-to ( pppoe0 GGG.GGG.GGG.GGG )  proto udp from  any  to any port = 500 keep state label "IPsec: iDevice - inbound isakmp"
              pass out on $WAN  route-to ( pppoe0 GGG.GGG.GGG.GGG )  proto udp from any to  any  port = 4500 keep state label "IPsec: iDevice - outbound nat-t"
              pass in on $WAN  reply-to ( pppoe0 GGG.GGG.GGG.GGG )  proto udp from  any  to any port = 4500 keep state label "IPsec: iDevice - inbound nat-t"
              pass out on $WAN  route-to ( pppoe0 GGG.GGG.GGG.GGG )  proto esp from any to  any  keep state label "IPsec: iDevice - outbound esp proto"
              pass in on $WAN  reply-to ( pppoe0 GGG.GGG.GGG.GGG )  proto esp from  any  to any keep state label "IPsec: iDevice - inbound esp proto"
              anchor "tftp-proxy/*"
              [/code]


              Thanks for your patience !

                jimp, Rebel Alliance Developer, Netgate (last edited Mar 11, 2013, 3:47 PM)

                It's in the system log (Status > System Logs, or clog /var/log/system.log).

                If the line numbers do not match up, then it is likely an old error that hasn't been cleared.

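The comparison jimp describes, whether the line numbers in the alert still point at the same rules in the file, can be automated. The script below is an added example written for this thread, not pfSense or pf code: it parses the "There were error(s) loading the rules" alert text (the one from the first post is embedded), extracts the `/tmp/rules.debug:N:` fragments and the quoted "line in question", and compares that quoted rule with line N of a saved rules.debug to decide whether the alert describes the current file or a stale one. The two rules.debug contents are constructed, and `parse_alert`, `classify_alert` and `error_lines` are the example's own names.

```python
"""Tell a current pf load error from a stale one, as suggested in this thread.

Added example, not pfSense or pf code. pfSense's alert quotes the offending
rule ("The line in question reads [N]: ..."); if /tmp/rules.debug now holds
a different rule at line N, the file has been regenerated since the alert
and the alert is stale. The alert text is the one from the first post; both
rules.debug contents below are constructed.
"""
import re

# One "path:line: message" fragment; pfctl's fragments are joined by spaces
# in the alert, so each one ends where the next path or "pfctl:" begins.
ERROR_RE = re.compile(
    r'/tmp/rules\.debug:(\d+): ([^/]+?)(?=\s+/tmp/rules\.debug:|\s+pfctl:|$)')
# The quoted rule pfSense appends after pfctl's own output.
QUOTED_RE = re.compile(r'The line in question reads \[(\d+)\]: (.*)$')

SAMPLE_ALERT = (
    "There were error(s) loading the rules: "
    "/tmp/rules.debug:101: macro '' not defined /tmp/rules.debug:101: syntax error "
    "/tmp/rules.debug:102: macro '' not defined /tmp/rules.debug:103: macro '' not defined "
    "/tmp/rules.debug:104: macro '' not defined /tmp/rules.debug:105: macro '' not defined "
    "/tmp/rules.debug:106: macro '' not defined pfctl: Syntax error in config file: "
    "pf rules not loaded - The line in question reads [101]: pass out on $ proto udp "
    'from any to any port = 500 keep state label "IPsec: RemoteAccess - outbound isakmp"'
)

BROKEN_RULE = ('pass out on $ proto udp from any to any port = 500 keep state '
               'label "IPsec: RemoteAccess - outbound isakmp"')
# Constructed "after regeneration" version: the interface macro is back.
FIXED_RULE = BROKEN_RULE.replace("on $ proto", "on $WAN proto")

# Constructed files: 100 filler lines so the rule of interest sits at line 101,
# the number the alert names.
FILLER = "\n".join(f"# constructed filler line {i}" for i in range(1, 101))
BROKEN_RULES = FILLER + "\n" + BROKEN_RULE + "\n"
REGENERATED_RULES = FILLER + "\n" + FIXED_RULE + "\n"


def parse_alert(text):
    """Return ([(lineno, message), ...], (lineno, rule_text) or None)."""
    errors = [(int(n), msg.strip()) for n, msg in ERROR_RE.findall(text)]
    m = QUOTED_RE.search(text)
    quoted = (int(m.group(1)), m.group(2).strip()) if m else None
    return errors, quoted


def classify_alert(alert_text, current_rules):
    """Return 'current', 'stale' or 'unknown' for alert_text against current_rules.

    'current': line N of current_rules is the rule the alert quotes.
    'stale':   line N differs or no longer exists, so the ruleset was rebuilt.
    'unknown': the alert carries no quoted line to compare against.
    """
    _, quoted = parse_alert(alert_text)
    if quoted is None:
        return "unknown"
    lineno, rule_text = quoted
    lines = current_rules.splitlines()
    if lineno > len(lines) or lines[lineno - 1].strip() != rule_text:
        return "stale"
    return "current"


def error_lines(alert_text):
    """Sorted distinct rules.debug line numbers named in the alert."""
    errors, _ = parse_alert(alert_text)
    return sorted({n for n, _ in errors})


if __name__ == "__main__":
    for name, rules in (("broken file", BROKEN_RULES),
                        ("regenerated file", REGENERATED_RULES)):
        print(f"{name}: alert is {classify_alert(SAMPLE_ALERT, rules)}, "
              f"lines named: {error_lines(SAMPLE_ALERT)}")
```

Feed it the alert line taken from `clog /var/log/system.log` together with a copy of `/tmp/rules.debug` saved at the same moment; a result of `stale` means the file has been rewritten since pfctl complained, so the dump being read is not the one that failed to load, which is the situation jimp suspects for the mismatched numbers above.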
                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.