Why do "Applying" new rules not actually apply?



  • Hi all,

    Just spent a few hours going around and around trying to configure remote SSH on my shiny new pfsense install. Then I stumbled upon this guide/doc. Went all through it. No help.

    I shouldn't have skipped over the top Google result, though… read down, doesn't apply, doesn't apply, then BAM on Reply #6: Just remember to reset current states after you change a rule on quick tests.

    I was confused in thinking "APPLY" would apply the rules and restart the firewall.

    Maybe we could please take the "Reset" button buried under Diagnostics->States->Reset States tab and copy it to the Firewall->Rules page?
    (see attachments)

    … I'll probably be editing the php to do it for myself, or at least put in a link to diag_resetstate.php there.

    BTW, great firewall… the only thing I could make work after having been spoiled by typical wireless/firewall/gateway routers.

    :D Chris





  • I opened up /usr/local/www/firewall_rules.php and around line 799 made these changes:

    
        <!-- text added near line 799 of firewall_rules.php, just below the "Apply" notice -->
        After you hit "Apply" above, new rules don't work until <a href="diag_resetstate.php">you go here</a> and hit Reset button.
    

    Hope this helps the next pfsense newb to google pfsense firewall rules not applying …



  • The new rules do apply to new connections that make new states (or are blocked from making a new state). Traffic for clients with existing states will continue to flow according to the state. That minimises or eliminates interruption of service to clients when rules are being added. But yes, it does mean that if you are blocking extra things or testing or… then the changes may not seem to be applied because your test system (or the 'naughty' user you just blocked) already had a state in existence which persists across the rule changes.
    If you are opening up the rules, then I don't expect a problem - a new connection should be allowed a few seconds after "Apply" is pressed.
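The two cases described in this reply (tightening a rule while a state already exists, versus opening a rule for a new connection) can be seen in a small stateful-filter model. This is an added example, not pfSense or pf code; the `StatefulFilter`, `Rule` and `Packet` names, the first-match rule order and the single-direction state key are simplifying assumptions made here to illustrate why "Apply" alone does not cut an existing flow but a state reset does.

```python
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class Packet:
    # Constructed sample packet: source host, destination host, destination port.
    src: str
    dst: str
    dport: int


@dataclass
class Rule:
    # A hypothetical rule: "pass" or "block"; None fields match anything.
    action: str
    dst: Optional[str] = None
    dport: Optional[int] = None

    def matches(self, pkt: Packet) -> bool:
        return self.dst in (None, pkt.dst) and self.dport in (None, pkt.dport)


class StatefulFilter:
    """Toy stateful packet filter (assumption: first matching rule wins)."""

    def __init__(self, rules):
        self.rules = list(rules)
        # State table: flows that were allowed once and keep passing afterwards.
        self.states = set()

    def apply_rules(self, rules) -> None:
        # Models the GUI "Apply" button: the rule set changes, states are untouched.
        self.rules = list(rules)

    def reset_states(self) -> None:
        # Models Diagnostics -> States -> Reset States.
        self.states.clear()

    def filter(self, pkt: Packet) -> str:
        key = (pkt.src, pkt.dst, pkt.dport)
        if key in self.states:
            # Existing state short-circuits rule evaluation entirely.
            return "pass (existing state)"
        for rule in self.rules:
            if rule.matches(pkt):
                if rule.action == "pass":
                    self.states.add(key)
                    return "pass (new state)"
                return "block"
        return "block"  # default deny when nothing matches


def demo_tightening() -> Tuple[str, str, str]:
    """Allow SSH, establish a flow, then block SSH: the flow survives until reset."""
    fw = StatefulFilter([Rule("pass", dport=22)])
    pkt = Packet("10.0.0.5", "192.0.2.1", 22)  # constructed addresses
    before = fw.filter(pkt)          # creates a state
    fw.apply_rules([Rule("block", dport=22)])
    after_apply = fw.filter(pkt)     # still passes: state predates the rule change
    fw.reset_states()
    after_reset = fw.filter(pkt)     # now the new block rule is hit
    return before, after_apply, after_reset


def demo_opening() -> Tuple[str, str]:
    """Block SSH, then allow it: a new connection passes right after apply."""
    fw = StatefulFilter([Rule("block", dport=22)])
    pkt = Packet("10.0.0.5", "192.0.2.1", 22)
    blocked = fw.filter(pkt)         # no state is created for a blocked packet
    fw.apply_rules([Rule("pass", dport=22)])
    allowed = fw.filter(pkt)         # nothing cached, so the new pass rule applies
    return blocked, allowed


if __name__ == "__main__":
    print("tightening:", demo_tightening())
    print("opening:   ", demo_opening())
```

The model mirrors the behaviour described above: a block added after a flow already exists only takes effect once that state is gone, which is why the thread points at the Reset States page (on the pfSense shell the equivalent is flushing the pf state table with `pfctl -F states`), while a newly opened rule works immediately because a blocked packet never created a state to begin with.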



  • What? Be nice to the users?  :o

    Ok, so maybe an "apply nice" and "slam 'em" option next to it?  8)

