Netgate Discussion Forum

    TCP Options set in web interface not created in the raw pf rules

    adam65535

      Running 2.0.3-RELEASE (amd64)

      I was trying to cut down on some of the non-important rule logging and in trying to do so I found out that rules are not getting generated with the TCP Options set even when set up to do so in the GUI.

      I am trying to not log FA packets from clients on the LAN when expired connections time out on the firewall before the client.

      I set up the rule as follows in the GUI:
      Action: Block
      Interface: LAN
      Protocol: TCP
      Source: LAN subnet
      Destination: any
      Log: Drop harmless FA packets from logging on LAN  (The idea is not to set this because I want to filter this out but I set it to see that the rule is indeed blocking SYN only packets)
      TCP Flags: SET:FIN,ACK  OUTOF:FIN,SYN,RST,ACK,URG
      State Type: none   (none because I don't want these already expired packets from an old connection creating another state in the firewall)

      The rule blocks SYN only packets:
      BLOCK Jun 14 18:01:04 LAN   192.168.x.x:38168   178.33.x.x:80 TCP:S

      The rule that triggered this action is:
      @69 block drop in log quick on em1 inet proto tcp from 192.168.250.0/24 to any port = 8080 label "USER_RULE: Drop harmless FA and FPA packets from logging on LAN"

      After looking at the generated rule in /tmp/rules.debug I see why…
      block  in log  quick  on $LAN  proto tcp  from 192.168.250.0/24 to any port 8080   label "USER_RULE: Drop harmless FA and FPA packets from logging on LAN"

      The rule didn't get the TCP Options restrictions added to the rule.

      Is this a known bug?

    cmb

        They were only being added on pass rules. They are valid on block or reject. I just fixed that, tomorrow's 2.1 snapshot will work with that.

    adam65535

          Any chance on the next maintenance release of 2.0.x getting that in there?  I realize that could be a very long time.

          I am really surprised that nobody has used such rules… Well it might be more accurate to say nobody noticed it doesn't work anyway :).

          Thanks for the fix in 2.1.  Your time looking into it is appreciated.

    cmb

            There almost certainly won't be any more 2.0.x releases since 2.1 is near release, and it's not as simple as cherry picking it over to RELENG_2_0 so it's not fixed there.

    adam65535

               Understood.  I didn't realize that 2.0.x would be EOL (no updates including security, I assume) so soon after 2.1 is released.  Thanks again.

    adam65535

                 I just tested this on today's 2.1 snapshot and it is working.

                The rule that triggered this action is:

                @99 block drop in log quick on em1 inet proto tcp from 192.168.x.0/24 to any flags FA/FSRPAU label "USER_RULE: Drop harmless FA and FPA packets from logging"

                I can now disable logging of that rule to happily never see them again.

    adam65535

                  Removed comment.  Not related.  The fix worked for this.
