Can't delete an alias



  • G'day  ;D

    Is there a way to find out where an alias might be used? I am trying to delete one, but pfSense says, although not completely useable (screenshot) that it can't be deleted because it is used 'somewhere'. I tried renaming it first, but that also doesn't help.

    I looked at all my firewall rules, I am sure it is no longer used there. I went through all the aliases to see if it was nested in somewhere, but to my knowledge it is not.

    Is there a way to find it somewhere?

    Thank you  ;D



  • Maybe take a backup of your config, and search through the config file?



  • @vindenesen:

    Maybe take a backup of your config, and search through the config file?

    Smart thinking  :P

    Thank you, I will try that  :D


  • Moderator

    @Hollander:

    Is there a way to find out where an alias might be used? I am trying to delete one, but pfSense says, although not completely useable (screenshot) that it can't be deleted because it is used 'somewhere'. I tried renaming it first, but that also doesn't help.

    The alias has to be referenced somewhere in the Firewall Rules and that is stopping from it being deleted.

    Check each TAB carefully. You can also run

    pfctl -sa

    And see if that helps shed some light on where it is



  • Little bugger is biting me again on 2.1.5  :P

    I was cleaning up my aliases, but it won't let me. I tried to delete:
    EasyRuleBlockHostsOPT1

    It says it's used. But according to pfctl -sa it is not.

    In another thread I read it was possible to rename and then delete. That doesn't work for me; same error.

    Also, first removing the IP's from the alias, then renaming, then deleting doesn't work either.

    I attached the pics:
    1. = try to delete it;
    2. = pfctl.





  • Moderator

    There is a firewall rule that has this alias as a reference… You need to delete this Firewall rule before you can delete the alias.



  • @BBcan177:

    There is a firewall rule that has this alias as a reference… You need to delete this Firewall rule before you can delete the alias.

    Thanks BB  ;D

    (How is pfBlockerNG going?)

    I can assure you I a azillion times checked: there is no firewall rule using that alias. Nowhere.

    Hence the pfctl -sa | grep, which shows the same I would suspect.



  • Backup config. It will be an xml file which you can open.
    Hopefully it will show where the alias is hiding  ;)
    Let's continue from there….



  • @bennyc:

    Backup config. It will be an xml file which you can open.
    Hopefully it will show where the alias is hiding  ;)
    Let's continue from there….

    Thanks Benny  ;D

    Export firewall rules:

    
    <address>EasyRuleBlockHostsOPT1</address>
    
            <destination><any></any></destination> 
    
    

    Export aliases:

    
     <alias><name>EasyRuleBlockHostsOPT1</name>
    
    <address>
    
            <type>network</type>
            <detail>
    
    Nothing more whatsoever in these files.
    
    No port forwards, no NAT other than the defaults auto-generated and the manually added ones for OpenVPN (thanks J, for pointing there  ;D ).</detail></address></alias> 
    

  • Moderator

    Mr Jingles… Didn't we do a little crash course in the "grep" command?  ;D

    grep -A10 -B10 "EasyRule" /conf/config.xml

    Did you check all of the Firewall Interface Tabs.. One of them should have it referenced?


  • Moderator

    Looks like its in the OPT1 Firewall Interface TAB…



  • @BBcan177:

    Mr Jingles… Didn't we do a little crash course in the "grep" command?  ;D

    grep -A10 -B10 "EasyRule" /conf/config.xml

    Did you check all of the Firewall Interface Tabs.. One of them should have it referenced?

    You know that I respect - and - like you dearly, Mr. BB, for all your great help and friendship  :-*

    The -A10 - B10 I must have lost  :-[

    [quote]
    Looks like its in the OPT1 Firewall Interface TAB…

    :o

    But there is nothing there in the GUI(?)

    ('m still struggling to find out which interface is OPT1, my interfaces are named LAN, VLAN, WAN, WAN2, Ifconfig doesn't seem to want to tell me, pfctl neither  :-[ ).


  • Moderator

    @Mr.:

    I'm still struggling to find out which interface is OPT1

    Goto  Interfaces:Assign

    You can manually delete it from the config… But you have to be careful with that or it could corrupt the file.



  • Hmm, seems you have a leftover from older configuration?
    If you have another spare nic in your system, you could try to assing another interface and name it OPT1.
    After saving, there should be a new tab in the rules, named OPT1.
    With some luck, this ghost rule should be present, using the alias you can't delete…

    Sounds like an intersting experiment  :D



  • @BBcan177:

    @Mr.:

    I'm still struggling to find out which interface is OPT1

    Goto  Interfaces:Assign

    I think you think I am retarded  ;D

    (you are mostly right  :P ).

    Of course I was there already, BB; it doesn't show there screenshot  :-*

    But (there's always a but): I've shocked myself thinking of a bright thing: mailreport. In there it does show which one is OPT1; it's WAN2. Which does not have that alias; only the attached screenshot (these are non-nested aliases, containing only a couple of LAN-IP's.








  • So your grep gave this, BB (edited out the other nonsense in there to keep it readable):

    [2.1.5-RELEASE][root@pfsense.workgroup]/root(1): grep -A10 -B10 "EasyRule" /conf/config.xml
                           
                            <destination><address>EasyRuleBlockHostsWAN</address></destination>
                            <log><source>

    <address>EasyRuleBlockHostsWAN</address>

    <address>EasyRuleBlockHostsLAN</address>

    <address>zEasyRuleBlockHostsOPT1</address>
                            <source>

    <address>EasyRuleBlockHostsOPT3</address>

    <source>

    <address>EasyRuleBlockHostsWAN</address>

    <rule>–                       <detail></detail>
                    <alias><name>EasyRuleBlockHostsLAN</name>
                    <alias><name>EasyRuleBlockHostsOPT3</name>
                            <type>network</type>
                    <alias><name>EasyRuleBlockHostsWAN</name>
                        <alias>**  <name>zEasyRuleBlockHostsOPT1</name>**

    <address>
                           
                            <type>network</type>
                            <detail><alias><type>host</type>
    [2.1.5-RELEASE][root@pfsense.workgroup]/root(2):</alias></detail></address></alias></alias></alias></alias></rule></log>

    So there is something in here, but not in the GUI.

    Let me guess: if I edit the XML, being the me that I am, the box will be ruined  :P ;D



  • @bennyc:

    Hmm, seems you have a leftover from older configuration?

    I just set up this box completely fresh next week  :-[

    [quote]
    If you have another spare nic in your system, you could try to assing another interface and name it OPT1.
    After saving, there should be a new tab in the rules, named OPT1.
    With some luck, this ghost rule should be present, using the alias you can't delete…

    Sounds like an intersting experiment  :D

    Yes, interesting experiment indeed  ;D

    I don't have a VM to try that first, and OPT1 exists, and is WAN2. So I think I will blow up the box if I name another interface WAN2 too ( :-X ).


  • Moderator

    Its strange that it has a "z" in the alias name?

    <name>zEasyRuleBlockHostsOPT1</name>

    BTW… with the grep command...
        -A10 means when it finds a match, show the next 10 lines.
        -B10 means when it finds a match, show the previous 10 lines.

    so you can remove those or change the numbers to what ever you wish...

    You can try the following (This is a minimalistic approach... A better approach is to delete the complete <alias></alias>for this particular zEasyRuleBlockHostsOPT1 but there is a little more editing... And it depends how comfortable you are in editing this IMPORTANT file!  So please be careful with it...

    1. Backup pfSense Box config
    2. From the Shell -

    cp /conf/config.xml /conf/config.xml.bk

    1. edit  the  /conf/config.xml in your favorite editor
    2. remove the "z" in the name
    3. Change OPT1  to  WAN

    FROM :

    <address>zEasyRuleBlockHostsOPT1</address>

    TO    :

    <address>EasyRuleBlockHostsWAN</address>

    Maybe it will show up in the WAN Tab? Its hard to tell without seeing the complete snipet of the

    **<alias></alias>**for this Easyrule…

    1. save the file
    2. rm /tmp/config.cache
      8 ) Leave the SSH Window still open.. and from your browser reload the pfSense GUI.
          This will reload the config.xml file without needing to reboot.
    3. check to see if the alias shows up?
    4. if it Fails… or god forbid crashes.....

    (Only run the following two commands if you want to revert Back to the previous config)

    cp /conf/config.xml.bk /conf/config.xml
        rm /tmp/config.cache

    This will revert back to the previous config.xml file.

    But as always  ;D ;D ;D –>


  • Moderator

    And after a few minutes of sleep, I wake with what the hell was I thinking!! LOL. Unfortunately the whole Alias needs to be manually removed from the config file.

    I think the "z" in the name had something to do with it not being removed properly in the first place.

    If you wish, I could Teamviewer in and help you clean it.



  • @BBcan177:

    I think the "z" in the name had something to do with it not being removed properly in the first place.

    I doubt it; originally it didn't have a 'Z' in it. I changed the alias name to that per a thread by another member here who managed to get it away by doing that. 'tWorked for him, it didn't work for me.
    _(If you want to know why the 'z' btw, I do that with most of my names in pfSense (and other systems). It's an old habit from my SAP time, where this was mandatory. The 'Y' and 'Z' were so called 'custom name spaces', only (ABAP) programs starting with that letter were allowed to be created by customers in the (huge) SAP system (and hence, these YZ-programs where only allowed certain types of access to the databases, to API's, etc. Smart engineers, over at SAP. You have to, if you want to give the management tools to the IT-departments that need to run these systems that all of the Fortune500 run).

    So, the Y and Z, that way:_

    • It is easy to distinguish standard SAP programs from custom built modifications;

    • Which helps tremendously when you have to do upgrades and fixes, as the SAP upgrade will not touch these programs, but has all kinds of built in pre-upgrade analysis tools to see what custom development will be touched by what upgrade process.

    (Yes, I'm the eternal noob on pfSense, but it seems I'm long past the noob-status in SAP-land  ;D )).

    If you wish, I could Teamviewer in and help you clean it.

    You are too kind, BB  :-*

    Thank you  ;D

    I wouldn't want to take this precious time for you, especially since it's a different time zone thing. But mostly, because I do not want to take any time away from the development of pfBlockerNG  :P

    I think, in the end, when 2.2. is out, I will do again a completely fresh install, with your pfBlockerNG. As the old saying goes: 'it isn't eating bread' (the alias), 'so lets leave it there than.

    Thanks again BB  :-*


Log in to reply