TCP Options set in web interface not created in the raw pf rules



  • Running 2.0.3-RELEASE (amd64)

    I was trying to cut down on some of the non-important rule logging and in trying to do so I found out that rules are not getting generated with the TCP Options set even when set up to do so in the GUI.

    I am trying to not log FA packets from clients on the LAN when expired connections time out on the firewall before the client.

    I set up the rule as follows in the GUI:
    Action: Block
    Interface: LAN
    Protocol: TCP
    Source: LAN subnet
    Destination: any
    Log: Drop harmless FA packets from logging on LAN  (The idea is not to set this because I want to filter this out but I set it to see that the rule is indeed blocking SYN only packets)
    TCP Flags: SET:FIN,ACK  OUTOF:FIN,SYN,RST,ACK,URG
    State Type: none   (none because I don't want these already expired packets from an old connection creating another state in the firewall)

    The rule blocks SYN only packets:
    BLOCK Jun 14 18:01:04 LAN   192.168.x.x:38168   178.33.x.x:80 TCP:S

    The rule that triggered this action is:
    @69 block drop in log quick on em1 inet proto tcp from 192.168.250.0/24 to any port = 8080 label "USER_RULE: Drop harmless FA and FPA packets from logging on LAN"

    After looking at the generated rule in /tmp/rules.debug I see why…
    block  in log  quick  on $LAN  proto tcp  from 192.168.250.0/24 to any port 8080   label "USER_RULE: Drop harmless FA and FPA packets from logging on LAN"

    The rule didn't get the TCP Options restrictions added to the rule.

    Is this a known bug?



  • They were only being added on pass rules. They are valid on block or reject. I just fixed that; tomorrow's 2.1 snapshot will work with that.



  • Any chance on the next maintenance release of 2.0.x getting that in there?  I realize that could be a very long time.

    I am really surprised that nobody has used such rules… Well, it might be more accurate to say nobody noticed it doesn't work anyway :).

    Thanks for the fix in 2.1.  Your time looking into it is appreciated.



  • There almost certainly won't be any more 2.0.x releases since 2.1 is near release, and it's not as simple as cherry picking it over to RELENG_2_0 so it's not fixed there.



  • Understood.  I didn't realize that 2.0.x would be EOL (no updates, including security, I assume) so soon after 2.1 is released.  Thanks again.



  • I just tested this on today's 2.1 snapshot and it is working.

    The rule that triggered this action is:

    @99 block drop in log quick on em1 inet proto tcp from 192.168.x.0/24 to any flags FA/FSRPAU label "USER_RULE: Drop harmless FA and FPA packets from logging"

    I can now disable logging of that rule to happily never see them again.
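The two rule lines quoted in this thread (the 2.0.3 rules.debug line that silently lost its flags clause, and the 2.1 pfctl line that carries `flags FA/FSRPAU`) are the whole diagnostic. The script below is an added example, not code from the thread or from pfSense: it builds the pf `flags <set>/<out of>` clause from a GUI-style flag selection and then audits rule lines for a given label to confirm the clause actually made it into the loaded ruleset. The two rulesets embedded in it are constructed samples modelled on the lines posted above (the second line of the 2.0.3 sample, a default pass rule with `flags S/SA`, is invented to show that pass rules were unaffected); the function and variable names are the example's own.

```python
import re

# pfSense rule-editor TCP flag names mapped to the single-letter codes pf uses.
FLAG_CODES = {"FIN": "F", "SYN": "S", "RST": "R", "PSH": "P", "ACK": "A", "URG": "U"}
# The order pf prints flag letters in a loaded ruleset ("FA/FSRPAU" in the thread).
FLAG_ORDER = "FSRPAU"


def pf_flags_clause(set_flags, out_of):
    """Build pf's 'flags <set>/<out of>' clause from a GUI selection.

    pf semantics: of the flags listed after the slash, exactly the ones before it
    must be set; flags not listed after the slash are ignored. pf therefore
    requires every SET flag to also appear in the OUT OF mask.
    """
    def encode(names):
        codes = {FLAG_CODES[n.strip().upper()] for n in names}
        return "".join(c for c in FLAG_ORDER if c in codes)

    set_codes, mask = encode(set_flags), encode(out_of)
    if not set(set_codes) <= set(mask):
        raise ValueError("every SET flag must also be selected under OUT OF")
    return f"flags {set_codes}/{mask}"


# Separate patterns so they work on both /tmp/rules.debug lines and
# 'pfctl -vvsr' output (which prefixes each rule with @N).
ACTION_RE = re.compile(r"^(?:@\d+\s+)?(block|pass|match)\b")
FLAGS_RE = re.compile(r"\bflags\s+([FSRPAUEW]*/[FSRPAUEW]+|any)\b")
LABEL_RE = re.compile(r'label\s+"([^"]*)"')


def parse_rule(line):
    """Pull action, flags clause (or None) and label out of one pf rule line."""
    action = ACTION_RE.match(line)
    if not action:
        return None
    flags = FLAGS_RE.search(line)
    label = LABEL_RE.search(line)
    return {
        "action": action.group(1),
        "flags": flags.group(1) if flags else None,
        "label": label.group(1) if label else "",
    }


def audit_flags(ruleset, label_substring, expected_clause):
    """For every rule whose label contains label_substring, report
    (action, flags found, flags match the expected clause)."""
    want = expected_clause.split(None, 1)[1]  # "flags FA/FSRPAU" -> "FA/FSRPAU"
    findings = []
    for line in ruleset.splitlines():
        rule = parse_rule(line.strip())
        if rule and label_substring in rule["label"]:
            findings.append((rule["action"], rule["flags"], rule["flags"] == want))
    return findings


# Constructed samples modelled on the thread's quoted lines (example data only).
RULES_2_0_3 = """
block  in log  quick  on $LAN  proto tcp  from 192.168.250.0/24 to any port 8080   label "USER_RULE: Drop harmless FA and FPA packets from logging on LAN"
pass  in  quick  on $LAN  proto tcp  from 192.168.250.0/24 to any flags S/SA keep state  label "USER_RULE: Default allow LAN to any rule"
"""
RULES_2_1 = """
@99 block drop in log quick on em1 inet proto tcp from 192.168.250.0/24 to any flags FA/FSRPAU label "USER_RULE: Drop harmless FA and FPA packets from logging"
"""

if __name__ == "__main__":
    clause = pf_flags_clause(["FIN", "ACK"], ["FIN", "SYN", "RST", "PSH", "ACK", "URG"])
    for version, rules in (("2.0.3", RULES_2_0_3), ("2.1", RULES_2_1)):
        for action, flags, ok in audit_flags(rules, "Drop harmless FA", clause):
            print(f"{version}: {action} rule flags={flags!r} -> {'OK' if ok else 'MISSING'}")
```

Running it against a live box means feeding `audit_flags` the contents of `/tmp/rules.debug` or the output of `pfctl -vvsr`; a block rule that comes back with `flags=None` is exactly the 2.0.3 behaviour described above. One caveat on the mask itself: `FA/FSRPAU` matches only packets with exactly FIN and ACK set, because PSH is in the mask and must therefore be clear. Leaving PSH out of the OUT OF selection gives `FA/FSRAU`, which pf treats as "ignore PSH" and so matches both FA and FPA packets.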



  • Removed comment.  Not related.  The fix worked for this.

