Netgate Discussion Forum
    Not rules blocking all traffic?

    2.2 Snapshot Feedback and Problems - RETIRED
    13 Posts 4 Posters 5.7k Views
    sazv

      Just upgraded my second box to 2.2, now running 2.2-BETA (amd64) built on Mon Sep 29 09:59:31 CDT 2014

      My rules permitting traffic to other than a specific network now appear to block all traffic.  For example, (where LAN and Trusted_LAN are 2 /24 networks on two separate interfaces):

      allow ipv4 icmp from LAN to !Trusted_LAN

      blocked icmp to anywhere, where it worked as expected in 2.1.5.

      Breaking that into

      deny ipv4 icmp from LAN to Trusted_LAN
      allow ipv4 icmp from LAN to any

      works, it's just uglier.

      jimp (Rebel Alliance Developer, Netgate)

        Look at the rules in /tmp/rules.debug

        Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

        Need help fast? Netgate Global Support!

        Do not Chat/PM for help!

        thetallkid

          /tmp/rules.debug rules section. Mine isn't blocking traffic like I want it to

          #---------------------------------------------------------------------------
          # default deny rules
          #---------------------------------------------------------------------------
          block in log inet all tracker 1000000101 label "Default deny rule IPv4"
          block out log inet all tracker 1000000102 label "Default deny rule IPv4"
          block in log inet6 all tracker 1000000103 label "Default deny rule IPv6"
          block out log inet6 all tracker 1000000104 label "Default deny rule IPv6"

          # IPv6 ICMP is not auxilary, it is required for operation
          # See man icmp6(4)
          # 1    unreach         Destination unreachable
          # 2    toobig          Packet too big
          # 128  echoreq         Echo service request
          # 129  echorep         Echo service reply
          # 133  routersol       Router solicitation
          # 134  routeradv       Router advertisement
          # 135  neighbrsol      Neighbor solicitation
          # 136  neighbradv      Neighbor advertisement
          pass  quick inet6 proto ipv6-icmp from any to any icmp6-type {1,2,135,136} tracker 1000000105 keep state

          # Allow only bare essential icmpv6 packets (NS, NA, and RA, echoreq, echorep)
          pass out  quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type {129,133,134,135,136} tracker 1000000106 keep state
          pass out  quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type {129,133,134,135,136} tracker 1000000107 keep state
          pass in  quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type {128,133,134,135,136} tracker 1000000108 keep state
          pass in  quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type {128,133,134,135,136} tracker 1000000109 keep state
          pass in  quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type {128,133,134,135,136} tracker 1000000110 keep state

          # We use the mighty pf, we cannot be fooled.
          block log quick inet proto { tcp, udp } from any port = 0 to any tracker 1000000111
          block log quick inet proto { tcp, udp } from any to any port = 0 tracker 1000000112
          block log quick inet6 proto { tcp, udp } from any port = 0 to any tracker 1000000113
          block log quick inet6 proto { tcp, udp } from any to any port = 0 tracker 1000000114

          # Snort package
          block log quick from <snort2c> to any tracker 1000000115 label "Block snort2c hosts"
          block log quick from any to <snort2c> tracker 1000000116 label "Block snort2c hosts"

          # SSH lockout
          block in log quick proto tcp from <sshlockout> to (self) port 22 tracker 1000000301 label "sshlockout"

          # webConfigurator lockout
          block in log quick proto tcp from <webconfiguratorlockout> to (self) port 443 tracker 1000000351 label "webConfiguratorlockout"
          block in log quick from <virusprot> to any tracker 1000000400 label "virusprot overload table"

          # block bogon networks (IPv4)
          # http://www.cymru.com/Documents/bogon-bn-nonagg.txt
          block in log quick on $WAN from <bogons> to any tracker 1000001551 label "block bogon IPv4 networks from WAN"

          # block bogon networks (IPv6)
          # http://www.team-cymru.org/Services/Bogons/fullbogons-ipv6.txt
          block in log quick on $WAN from <bogonsv6> to any tracker 1000001552 label "block bogon IPv6 networks from WAN"
          antispoof log for $LAN tracker 1000002620

          # allow access to DHCP server on LAN
          pass in  quick on $LAN proto udp from any port = 68 to 255.255.255.255 port = 67 tracker 1000002641 label "allow access to DHCP server"
          pass in  quick on $LAN proto udp from any port = 68 to 10.0.35.1 port = 67 tracker 1000002642 label "allow access to DHCP server"
          pass out  quick on $LAN proto udp from 10.0.35.1 port = 67 to any port = 68 tracker 1000002643 label "allow access to DHCP server"
          antispoof log for $SWITCH tracker 1000003670

          # allow access to DHCP server on SWITCH
          pass in  quick on $SWITCH proto udp from any port = 68 to 255.255.255.255 port = 67 tracker 1000003691 label "allow access to DHCP server"
          pass in  quick on $SWITCH proto udp from any port = 68 to 10.0.36.1 port = 67 tracker 1000003692 label "allow access to DHCP server"
          pass out  quick on $SWITCH proto udp from 10.0.36.1 port = 67 to any port = 68 tracker 1000003693 label "allow access to DHCP server"
          antispoof log for $VLAN10 tracker 1000004720

          # allow access to DHCP server on VLAN10
          pass in  quick on $VLAN10 proto udp from any port = 68 to 255.255.255.255 port = 67 tracker 1000004741 label "allow access to DHCP server"
          pass in  quick on $VLAN10 proto udp from any port = 68 to 10.0.37.1 port = 67 tracker 1000004742 label "allow access to DHCP server"
          pass out  quick on $VLAN10 proto udp from 10.0.37.1 port = 67 to any port = 68 tracker 1000004743 label "allow access to DHCP server"

          # loopback
          pass in  on $loopback inet all tracker 1000006861 label "pass IPv4 loopback"
          pass out  on $loopback inet all tracker 1000006862 label "pass IPv4 loopback"
          pass in  on $loopback inet6 all tracker 1000006863 label "pass IPv6 loopback"
          pass out  on $loopback inet6 all tracker 1000006864 label "pass IPv6 loopback"

          # let out anything from the firewall host itself and decrypted IPsec traffic
          pass out  inet all keep state allow-opts tracker 1000006865 label "let out anything IPv4 from firewall host itself"
          pass out  inet6 all keep state allow-opts tracker 1000006866 label "let out anything IPv6 from firewall host itself"
          pass out  route-to ( em3 Gateway ) from Router IP to !70.57.61.16/29 tracker 1000006961 keep state allow-opts label "let out anything from firewall host itself"

          # make sure the user cannot lock himself out of the webConfigurator or SSH
          pass in  quick on em2 proto tcp from any to (em2) port { 443 80 } tracker 1000007271 keep state label "anti-lockout rule"

          # NAT Reflection rules
          pass in  inet tagged PFREFLECT tracker 1000007291 keep state label "NAT REFLECT: Allow traffic to localhost"

          # User-defined rules follow
          anchor "userrules/*"
          pass  in  quick  on $OpenVPN  from any to any keep state  label "USER_RULE: OpenVPN  wizard"
          pass  in  quick  on $OpenVPN  from any to any keep state  label "USER_RULE: OpenVPN To Public IP vlan wizard"
          pass  in  quick  on $WAN reply-to ( em3 Gateway )  proto udp  from any to Router IP port 1194 keep state  label "USER_RULE: OpenVPN  wizard"
          pass  in  quick  on $WAN reply-to ( em3 Gateway ) inet proto tcp  from any to Static IP port 80 tracker 1409700904 flags S/SA keep state  label "USER_RULE: static ip - port 80"
          pass  in  quick  on $WAN reply-to ( em3 Gateway ) inet proto tcp  from any to Static IP port 443 tracker 1409705236 flags S/SA keep state  label "USER_RULE: static ip - port 443"
          pass  in  quick  on $WAN reply-to ( em3 Gateway )  proto udp  from any to Router IP port 1195 keep state  label "USER_RULE: OpenVPN To Public IP vlan wizard"
          pass  in  quick  on $LAN inet from 10.0.35.0/24 to any tracker 0100000101 keep state  label "USER_RULE: Default allow LAN to any rule"
          # at the break! label "USER_RULE: Default allow LAN IPv6 to any rule"
          pass  in  quick  on $LAN inet from 10.0.35.0/24 to 10.0.37.1/24 tracker 1412478575 keep state  label "USER_RULE: block vlan10"
          pass  in  quick  on $LAN inet from 10.0.35.0/24 to 70.57.61.16/29 tracker 1412482204 keep state  label "USER_RULE: To static"
          pass  in  quick  on $LAN inet from 10.0.35.0/24 to Static IP tracker 1412483404 keep state  label "USER_RULE: To static"
          pass  in  quick  on $LAN inet from 10.0.35.0/24 to ! $Block_VLAN10 tracker 1412486451 keep state  label "USER_RULE: Block_VLAN10"
          pass  in  quick  on $SWITCH inet from 10.0.36.1/24 to any tracker 1409279741 keep state  label "USER_RULE: Default all out"
          pass  in  quick  on $VLAN10 inet from 10.0.37.1/24 to any tracker 1409962216 keep state  label "USER_RULE: Any out"
          pass  in  quick  on $VLAN10 inet from 10.0.37.1/24 to 10.0.35.0/24 tracker 1412479159 keep state  label "USER_RULE: no lan"
          block  in  quick  on $VLAN10 inet from 10.0.37.1/24 to 10.0.35.0/24 tracker 1412484062  label "USER_RULE: no lan"
          # at the break! label "USER_RULE: Any out"
          pass  in  quick  on $PUBLICIP inet from Static IP to any tracker 1409962576 keep state  label "USER_RULE: Static IP out"
          pass  in  quick  on $PUBLICIP inet from Static IP to 10.0.35.0/24 tracker 1412484005 keep state  label "USER_RULE: Static IP to lan"

          # VPN Rules

          anchor "tftp-proxy/*"
          anchor "miniupnpd"

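A quick check to run over /tmp/rules.debug when a "not" rule misbehaves, written as an added example for this thread (it is not code from the thread or from pfSense). It flags the `at the break!` lines seen in the paste above (a USER_RULE label with no pass/block verb in front of it, i.e. a rule that was never emitted), a `!` with nothing after it, and a negated brace list, which pf expands into one rule per element so that the expanded rules together match everything. The sample mirrors the user-rules section above; the two rules marked (constructed) and their 9000000000-series trackers are invented inputs.

```python
"""Lint a pfSense /tmp/rules.debug excerpt for rules that were never generated
and for negations ("!") that are malformed or ambiguous."""
import re
from typing import Dict, List

# Constructed sample modelled on the rules.debug excerpt in the thread.
# The two "(constructed)" rules are invented failure modes, not from the page.
SAMPLE_RULES_DEBUG = """\
# User-defined rules follow
anchor "userrules/*"
pass  in  quick  on $LAN inet from 10.0.35.0/24 to any tracker 0100000101 keep state  label "USER_RULE: Default allow LAN to any rule"
# at the break! label "USER_RULE: Default allow LAN IPv6 to any rule"
pass  in  quick  on $LAN inet from 10.0.35.0/24 to ! $Block_VLAN10 tracker 1412486451 keep state  label "USER_RULE: Block_VLAN10"
pass  in  quick  on $LAN inet from 10.0.35.0/24 to ! tracker 9000000001 keep state  label "USER_RULE: empty negation (constructed)"
pass  in  quick  on $LAN inet from 10.0.35.0/24 to ! { 10.0.36.0/24, 10.0.37.0/24 } tracker 9000000002 keep state  label "USER_RULE: negated list (constructed)"
block  in  quick  on $VLAN10 inet from 10.0.37.1/24 to 10.0.35.0/24 tracker 1412484062  label "USER_RULE: no lan"
"""

LABEL_RE = re.compile(r'label\s+"([^"]*)"')
TRACKER_RE = re.compile(r'\btracker\s+(\d+)')
# "!" followed directly by a rule keyword (or end of line): the address that
# should follow the negation was never filled in by the rule generator.
EMPTY_NEG_RE = re.compile(r'\b(from|to)\s+!\s*(?:(?:tracker|keep|flags|label|port)\b|$)')
# "! { a, b }" expands to one rule per element; each expanded rule matches
# anything that is not *that* element, so together they match every address.
NEG_LIST_RE = re.compile(r'!\s*\{')
# "! $macro" is only a set negation if the macro expands to a table or a
# single network; a macro that expands to a list hits the case above.
NEG_MACRO_RE = re.compile(r'\b(from|to)\s+!\s*\$(\w+)')


def lint_rules_debug(text: str) -> List[Dict[str, str]]:
    """Return one finding per suspicious line; an empty list means clean."""
    findings: List[Dict[str, str]] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        label = LABEL_RE.search(line)
        tracker = TRACKER_RE.search(line)
        base = {
            "line": str(lineno),
            "label": label.group(1) if label else "",
            "tracker": tracker.group(1) if tracker else "",
        }
        stripped = line.strip()
        # A labelled line with no pass/block verb is a rule that was dropped.
        # Checked before the comment test so it is caught with or without "#".
        if "at the break!" in stripped:
            findings.append({**base, "severity": "error",
                             "issue": "rule was not generated (at the break!)"})
            continue
        if not stripped or stripped.startswith("#"):
            continue
        if EMPTY_NEG_RE.search(line):
            findings.append({**base, "severity": "error",
                             "issue": "negation with no address after '!'"})
        if NEG_LIST_RE.search(line):
            findings.append({**base, "severity": "warning",
                             "issue": "negated list '! { ... }' matches everything"})
        macro = NEG_MACRO_RE.search(line)
        if macro:
            findings.append({**base, "severity": "info",
                             "issue": f"negated macro ${macro.group(2)}: confirm it expands to a table, not a list"})
    return findings


def summarize(findings: List[Dict[str, str]]) -> Dict[str, int]:
    """Count findings per severity so a zero error count can gate a reload."""
    counts = {"error": 0, "warning": 0, "info": 0}
    for finding in findings:
        counts[finding["severity"]] += 1
    return counts


if __name__ == "__main__":
    for f in lint_rules_debug(SAMPLE_RULES_DEBUG):
        print(f'{f["severity"]:7} line {f["line"]:>3} tracker={f["tracker"] or "-":>10} {f["issue"]}  [{f["label"]}]')
    print(summarize(lint_rules_debug(SAMPLE_RULES_DEBUG)))
```

On a real box, feed it the file contents instead of the sample and treat any "error" finding as a reason to inspect the rule in config.xml before trusting the ruleset.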
            jimp (Rebel Alliance Developer, Netgate)

            Can you post the firewall rules section of your config.xml to go with that?


              thetallkid

              <nat>
                <outbound>
                  <mode>advanced</mode>
                  <rule>
                    <interface>wan</interface>
                    <source>
                      <network>127.0.0.0/8</network>
                    </source>
                    <dstport>500</dstport>
                    <target>pfsense_ip</target>
                    <destination>
                      <any></any>
                    </destination>
                    <staticnatport></staticnatport>
                    <created>
                      <time>1409705427</time>
                      <username>Manual Outbound NAT Switch</username>
                    </created>
                  </rule>
                  <rule>
                    <interface>wan</interface>
                    <source>
                      <network>127.0.0.0/8</network>
                    </source>
                    <sourceport></sourceport>
                    <target>pfsense_ip</target>
                    <destination>
                      <any></any>
                    </destination>
                    <natport></natport>
                    <created>
                      <time>1409705427</time>
                      <username>Manual Outbound NAT Switch</username>
                    </created>
                  </rule>
                  <rule>
                    <interface>wan</interface>
                    <source>
                      <network>10.0.35.0/24</network>
                    </source>
                    <dstport>500</dstport>
                    <target>pfsense_ip</target>
                    <destination>
                      <any></any>
                    </destination>
                    <staticnatport></staticnatport>
                    <created>
                      <time>1409705427</time>
                      <username>Manual Outbound NAT Switch</username>
                    </created>
                  </rule>
                  <rule>
                    <interface>wan</interface>
                    <source>
                      <network>10.0.35.0/24</network>
                    </source>
                    <sourceport></sourceport>
                    <target>pfsense_ip</target>
                    <destination>
                      <any></any>
                    </destination>
                    <natport></natport>
                    <created>
                      <time>1409705427</time>
                      <username>Manual Outbound NAT Switch</username>
                    </created>
                  </rule>
                  <rule>
                    <source>
                      <network>10.0.35.0/24</network>
                    </source>
                    <sourceport></sourceport>
                    <target>other-subnet</target>
                    <targetip>static_ip</targetip>
                    <targetip_subnet>32</targetip_subnet>
                    <interface>wan</interface>
                    <poolopts></poolopts>
                    <destination>
                      <any></any>
                    </destination>
                    <created>
                      <time>1412481217</time>
                      <username>admin@10.0.35.34</username>
                    </created>
                    <updated>
                      <time>1412481365</time>
                      <username>admin@10.0.35.34</username>
                    </updated>
                  </rule>
                  <rule>
                    <interface>wan</interface>
                    <source>
                      <network>10.0.36.0/24</network>
                    </source>
                    <dstport>500</dstport>
                    <target>pfsense_ip</target>
                    <destination>
                      <any></any>
                    </destination>
                    <staticnatport></staticnatport>
                    <created>
                      <time>1409705427</time>
                      <username>Manual Outbound NAT Switch</username>
                    </created>
                  </rule>
                  <rule>
                    <interface>wan</interface>
                    <source>
                      <network>10.0.36.0/24</network>
                    </source>
                    <sourceport></sourceport>
                    <target>pfsense_ip</target>
                    <destination>
                      <any></any>
                    </destination>
                    <natport></natport>
                    <created>
                      <time>1409705427</time>
                      <username>Manual Outbound NAT Switch</username>
                    </created>
                  </rule>
                  <rule>
                    <source>
                      <network>10.0.37.0/24</network>
                    </source>
                    <sourceport></sourceport>
                    <target></target>
                    <targetip></targetip>
                    <targetip_subnet>0</targetip_subnet>
                    <interface>wan</interface>
                    <poolopts></poolopts>
                    <destination>
                      <any></any>
                    </destination>
                    <updated>
                      <time>1412448328</time>
                      <username>admin@10.0.35.46</username>
                    </updated>
                    <created>
                      <time>1412448328</time>
                      <username>admin@10.0.35.46</username>
                    </created>
                  </rule>
                  <rule>
                    <interface>wan</interface>
                    <source>
                      <network>10.6.16.0/24</network>
                    </source>
                    <dstport>500</dstport>
                    <target>pfsense_ip</target>
                    <destination>
                      <any></any>
                    </destination>
                    <staticnatport></staticnatport>
                    <created>
                      <time>1409705427</time>
                      <username>Manual Outbound NAT Switch</username>
                    </created>
                  </rule>
                  <rule>
                    <interface>wan</interface>
                    <source>
                      <network>10.6.16.0/24</network>
                    </source>
                    <sourceport></sourceport>
                    <target>pfsense_ip</target>
                    <destination>
                      <any></any>
                    </destination>
                    <natport></natport>
                    <created>
                      <time>1409705427</time>
                      <username>Manual Outbound NAT Switch</username>
                    </created>
                  </rule>
                  <rule>
                    <interface>wan</interface>
                    <source>
                      <network>10.0.37.0/24</network>
                    </source>
                    <dstport>500</dstport>
                    <target>pfsense_ip</target>
                    <destination>
                      <any></any>
                    </destination>
                    <staticnatport></staticnatport>
                    <created>
                      <time>1412449058</time>
                      <username>Manual Outbound NAT Switch</username>
                    </created>
                  </rule>
                  <rule>
                    <interface>wan</interface>
                    <source>
                      <network>10.0.37.0/24</network>
                    </source>
                    <sourceport></sourceport>
                    <target>pfsense_ip</target>
                    <destination>
                      <any></any>
                    </destination>
                    <natport></natport>
                    <created>
                      <time>1412449058</time>
                      <username>Manual Outbound NAT Switch</username>
                    </created>
                  </rule>
                  <rule>
                    <interface>wan</interface>
                    <source>
                      <network>10.8.17.0/24</network>
                    </source>
                    <dstport>500</dstport>
                    <target>pfsense_ip</target>
                    <destination>
                      <any></any>
                    </destination>
                    <staticnatport></staticnatport>
                    <created>
                      <time>1412449058</time>
                      <username>Manual Outbound NAT Switch</username>
                    </created>
                  </rule>
                  <rule>
                    <interface>wan</interface>
                    <source>
                      <network>10.8.17.0/24</network>
                    </source>
                    <sourceport></sourceport>
                    <target>pfsense_ip</target>
                    <destination>
                      <any></any>
                    </destination>
                    <natport></natport>
                    <created>
                      <time>1412449058</time>
                      <username>Manual Outbound NAT Switch</username>
                    </created>
                  </rule>
                </outbound>
                <rule>
                  <source>
                    <any></any>
                  </source>
                  <destination>
                    <network>wanip</network>
                    <port>52746</port>
                  </destination>
                  <protocol>tcp</protocol>
                  <target>10.0.35.2</target>
                  <local-port>52746</local-port>
                  <interface>wan</interface>
                  <associated-rule-id></associated-rule-id>
                  <updated>
                    <time>1409244077</time>
                    <username>admin@10.0.35.46</username>
                  </updated>
                  <created>
                    <time>1409244077</time>
                    <username>admin@10.0.35.46</username>
                  </created>
                </rule>
              </nat>
              <filter>
                <rule>
                  <direction>in</direction>
                  <source>
                    <any></any>
                  </source>
                  <destination>
                    <network>wanip</network>
                    <port>1194</port>
                  </destination>
                  <interface>wan</interface>
                  <protocol>udp</protocol>
                  <type>pass</type>
                  <enabled>on</enabled>
                  <created>
                    <time>1409244432</time>
                    <username>OpenVPN Wizard</username>
                  </created>
                </rule>
                <rule>
                  <id></id>
                  <tracker>1409700904</tracker>
                  <type>pass</type>
                  <interface>wan</interface>
                  <ipprotocol>inet</ipprotocol>
                  <tag></tag>
                  <tagged></tagged>
                  <max></max>
                  <max-src-nodes></max-src-nodes>
                  <max-src-conn></max-src-conn>
                  <max-src-states></max-src-states>
                  <statetimeout></statetimeout>
                  <statetype>keep state</statetype>
                  <os></os>
                  <protocol>tcp</protocol>
                  <source>
                    <any></any>
                  </source>
                  <destination>
                    <address>static_ip</address>
                    <port>80</port>
                  </destination>
                  <created>
                    <time>1409700904</time>
                    <username>admin@10.0.35.34</username>
                  </created>
                  <updated>
                    <time>1409705218</time>
                    <username>admin@10.0.35.34</username>
                  </updated>
                </rule>

                thetallkid

                <rule>
                  <id></id>
                  <tracker>1409705236</tracker>
                  <type>pass</type>
                  <interface>wan</interface>
                  <ipprotocol>inet</ipprotocol>
                  <tag></tag>
                  <tagged></tagged>
                  <max></max>
                  <max-src-nodes></max-src-nodes>
                  <max-src-conn></max-src-conn>
                  <max-src-states></max-src-states>
                  <statetimeout></statetimeout>
                  <statetype>keep state</statetype>
                  <os></os>
                  <protocol>tcp</protocol>
                  <source>
                    <any></any>
                  </source>
                  <destination>
                    <address>static_ip</address>
                    <port>443</port>
                  </destination>
                  <updated>
                    <time>1409705236</time>
                    <username>admin@10.0.35.34</username>
                  </updated>
                  <created>
                    <time>1409705236</time>
                    <username>admin@10.0.35.34</username>
                  </created>
                </rule>
                <rule>
                  <direction>in</direction>
                  <source>
                    <any></any>
                  </source>
                  <destination>
                    <network>wanip</network>
                    <port>1195</port>
                  </destination>
                  <interface>wan</interface>
                  <protocol>udp</protocol>
                  <type>pass</type>
                  <enabled>on</enabled>
                  <created>
                    <time>1412434807</time>
                    <username>OpenVPN Wizard</username>
                  </created>
                </rule>
                <rule>
                  <type>pass</type>
                  <ipprotocol>inet</ipprotocol>
                  <interface>lan</interface>
                  <tracker>0100000101</tracker>
                  <source>
                    <network>lan</network>
                  </source>
                  <destination>
                    <any></any>
                  </destination>
                </rule>
                <rule>
                  <type>pass</type>
                  <ipprotocol>inet6</ipprotocol>
                  <interface>lan</interface>
                  <tracker>0100000102</tracker>
                  <source>
                    <network>lan</network>
                  </source>
                  <destination>
                    <any></any>
                  </destination>
                </rule>
                <rule>
                  <id></id>
                  <tracker>1412478575</tracker>
                  <type>pass</type>
                  <interface>lan</interface>
                  <ipprotocol>inet</ipprotocol>
                  <tag></tag>
                  <tagged></tagged>
                  <max></max>
                  <max-src-nodes></max-src-nodes>
                  <max-src-conn></max-src-conn>
                  <max-src-states></max-src-states>
                  <statetimeout></statetimeout>
                  <statetype>keep state</statetype>
                  <os></os>
                  <source>
                    <network>lan</network>
                  </source>
                  <destination>
                    <network>opt3</network>
                  </destination>
                  <created>
                    <time>1412478575</time>
                    <username>admin@10.0.35.34</username>
                  </created>
                  <updated>
                    <time>1412479745</time>
                    <username>admin@10.0.35.34</username>
                  </updated>
                </rule>
                <rule>
                  <id></id>
                  <tracker>1412482204</tracker>
                  <type>pass</type>
                  <interface>lan</interface>
                  <ipprotocol>inet</ipprotocol>
                  <tag></tag>
                  <tagged></tagged>
                  <max></max>
                  <max-src-nodes></max-src-nodes>
                  <max-src-conn></max-src-conn>
                  <max-src-states></max-src-states>
                  <statetimeout></statetimeout>
                  <statetype>keep state</statetype>
                  <os></os>
                  <source>
                    <network>lan</network>
                  </source>
                  <destination>
                    <network>wan</network>
                  </destination>
                  <created>
                    <time>1412482204</time>
                    <username>admin@10.0.35.34</username>
                  </created>
                  <updated>
                    <time>1412482975</time>
                    <username>admin@10.0.35.34</username>
                  </updated>
                </rule>
                <rule>
                  <id></id>
                  <tracker>1412483404</tracker>
                  <type>pass</type>
                  <interface>lan</interface>
                  <ipprotocol>inet</ipprotocol>
                  <tag></tag>
                  <tagged></tagged>
                  <max></max>
                  <max-src-nodes></max-src-nodes>
                  <max-src-conn></max-src-conn>
                  <max-src-states></max-src-states>
                  <statetimeout></statetimeout>
                  <statetype>keep state</statetype>
                  <os></os>
                  <source>
                    <network>lan</network>
                  </source>
                  <destination>
                    <address>static_ip</address>
                  </destination>
                  <updated>
                    <time>1412483404</time>
                    <username>admin@10.0.35.34</username>
                  </updated>
                  <created>
                    <time>1412483404</time>
                    <username>admin@10.0.35.34</username>
                  </created>
                </rule>
                <rule>
                  <id></id>
                  <tracker>1412486451</tracker>
                  <type>pass</type>
                  <interface>lan</interface>
                  <ipprotocol>inet</ipprotocol>
                  <tag></tag>
                  <tagged></tagged>
                  <max></max>
                  <max-src-nodes></max-src-nodes>
                  <max-src-conn></max-src-conn>
                  <max-src-states></max-src-states>
                  <statetimeout></statetimeout>
                  <statetype>keep state</statetype>
                  <os></os>
                  <source>
                    <network>lan</network>
                  </source>
                  <destination>
                    <address>Block_VLAN10</address>
                  </destination>
                  <updated>
                    <time>1412486451</time>
                    <username>admin@10.0.35.34</username>
                  </updated>
                  <created>
                    <time>1412486451</time>
                    <username>admin@10.0.35.34</username>
                  </created>
                </rule>
                <rule>
                  <source>
                    <any></any>
                  </source>
                  <destination>
                    <any></any>
                  </destination>
                  <interface>openvpn</interface>
                  <type>pass</type>
                  <enabled>on</enabled>
                  <created>
                    <time>1409244432</time>
                    <username>OpenVPN Wizard</username>
                  </created>
                </rule>
                <rule>
                  <source>
                    <any></any>
                  </source>
                  <destination>
                    <any></any>
                  </destination>
                  <interface>openvpn</interface>
                  <type>pass</type>
                  <enabled>on</enabled>
                  <created>
                    <time>1412434807</time>
                    <username>OpenVPN Wizard</username>
                  </created>
                </rule>
                <rule>
                  <id></id>
                  <tracker>1409279741</tracker>
                  <type>pass</type>
                  <interface>opt1</interface>
                  <ipprotocol>inet</ipprotocol>
                  <tag></tag>
                  <tagged></tagged>
                  <max></max>
                  <max-src-nodes></max-src-nodes>
                  <max-src-conn></max-src-conn>
                  <max-src-states></max-src-states>
                  <statetimeout></statetimeout>
                  <statetype>keep state</statetype>
                  <os></os>
                  <source>
                    <network>opt1</network>
                  </source>
                  <destination>
                    <any></any>
                  </destination>
                  <updated>
                    <time>1409279741</time>
                    <username>admin@10.0.35.34</username>
                  </updated>
                  <created>
                    <time>1409279741</time>
                    <username>admin@10.0.35.34</username>
                  </created>
                </rule>

                  thetallkid

                  <rule>
                    <id></id>
                    <tracker>1409962216</tracker>
                    <type>pass</type>
                    <interface>opt3</interface>
                    <ipprotocol>inet</ipprotocol>
                    <tag></tag>
                    <tagged></tagged>
                    <max></max>
                    <max-src-nodes></max-src-nodes>
                    <max-src-conn></max-src-conn>
                    <max-src-states></max-src-states>
                    <statetimeout></statetimeout>
                    <statetype>keep state</statetype>
                    <os></os>
                    <source>
                      <network>opt3</network>
                    </source>
                    <destination>
                      <any></any>
                    </destination>
                    <created>
                      <time>1409962216</time>
                      <username>admin@10.0.35.57</username>
                    </created>
                    <updated>
                      <time>1412447330</time>
                      <username>admin@10.0.35.46</username>
                    </updated>
                  </rule>
                  <rule>
                    <id></id>
                    <tracker>1412479159</tracker>
                    <type>pass</type>
                    <interface>opt3</interface>
                    <ipprotocol>inet</ipprotocol>
                    <tag></tag>
                    <tagged></tagged>
                    <max></max>
                    <max-src-nodes></max-src-nodes>
                    <max-src-conn></max-src-conn>
                    <max-src-states></max-src-states>
                    <statetimeout></statetimeout>
                    <statetype>keep state</statetype>
                    <os></os>
                    <source>
                      <network>opt3</network>
                    </source>
                    <destination>
                      <network>lan</network>
                    </destination>
                    <created>
                      <time>1412479159</time>
                      <username>admin@10.0.35.34</username>
                    </created>
                    <updated>
                      <time>1412487427</time>
                      <username>admin@10.0.35.34</username>
                    </updated>
                  </rule>
                  <rule>
                    <id></id>
                    <tracker>1412484062</tracker>
                    <type>block</type>
                    <interface>opt3</interface>
                    <ipprotocol>inet</ipprotocol>
                    <tag></tag>
                    <tagged></tagged>
                    <max></max>
                    <max-src-nodes></max-src-nodes>
                    <max-src-conn></max-src-conn>
                    <max-src-states></max-src-states>
                    <statetimeout></statetimeout>
                    <statetype>keep state</statetype>
                    <os></os>
                    <source>
                      <network>opt3</network>
                    </source>
                    <destination>
                      <network>lan</network>
                    </destination>
                    <updated>
                      <time>1412484062</time>
                      <username>admin@10.0.35.34</username>
                    </updated>
                    <created>
                      <time>1412484062</time>
                      <username>admin@10.0.35.34</username>
                    </created>
                  </rule>
                  <rule>
                    <id></id>
                    <tracker>1409962254</tracker>
                    <type>pass</type>
                    <interface>opt4</interface>
                    <ipprotocol>inet</ipprotocol>
                    <tag></tag>
                    <tagged></tagged>
                    <max></max>
                    <max-src-nodes></max-src-nodes>
                    <max-src-conn></max-src-conn>
                    <max-src-states></max-src-states>
                    <statetimeout></statetimeout>
                    <statetype>keep state</statetype>
                    <os></os>
                    <source>
                      <network>opt4</network>
                    </source>
                    <destination>
                      <any></any>
                    </destination>
                    <updated>
                      <time>1409962254</time>
                      <username>admin@10.0.35.57</username>
                    </updated>
                    <created>
                      <time>1409962254</time>
                      <username>admin@10.0.35.57</username>
                    </created>
                  </rule>
                  <rule>
                    <id></id>
                    <tracker>1409962576</tracker>
                    <type>pass</type>
                    <interface>opt4</interface>
                    <ipprotocol>inet</ipprotocol>
                    <tag></tag>
                    <tagged></tagged>
                    <max></max>
                    <max-src-nodes></max-src-nodes>
                    <max-src-conn></max-src-conn>
                    <max-src-states></max-src-states>
                    <statetimeout></statetimeout>
                    <statetype>keep state</statetype>
                    <os></os>
                    <source>
                      <address>static_ip</address>
                    </source>
                    <destination>
                      <any></any>
                    </destination>
                    <created>
                      <time>1409962576</time>
                      <username>admin@10.0.35.57</username>
                    </created>
                    <updated>
                      <time>1409968567</time>
                      <username>admin@10.0.35.34</username>
                    </updated>
                  </rule>
                  <rule>
                    <id></id>
                    <tracker>1412484005</tracker>
                    <type>pass</type>
                    <interface>opt4</interface>
                    <ipprotocol>inet</ipprotocol>
                    <tag></tag>
                    <tagged></tagged>
                    <max></max>
                    <max-src-nodes></max-src-nodes>
                    <max-src-conn></max-src-conn>
                    <max-src-states></max-src-states>
                    <statetimeout></statetimeout>
                    <statetype>keep state</statetype>
                    <os></os>
                    <source>
                      <address>static_ip</address>
                    </source>
                    <destination>
                      <network>lan</network>
                    </destination>
                    <updated>
                      <time>1412484005</time>
                      <username>admin@10.0.35.34</username>
                    </updated>
                    <created>
                      <time>1412484005</time>
                      <username>admin@10.0.35.34</username>
                    </created>
                  </rule>
                  <rule>
                    <id></id>
                    <tracker>1412436234</tracker>
                    <type>pass</type>
                    <interface>opt4</interface>
                    <ipprotocol>inet</ipprotocol>
                    <tag></tag>
                    <tagged></tagged>
                    <max></max>
                    <max-src-nodes></max-src-nodes>
                    <max-src-conn></max-src-conn>
                    <max-src-states></max-src-states>
                    <statetimeout></statetimeout>
                    <statetype>keep state</statetype>
                    <os></os>
                    <protocol>tcp/udp</protocol>
                    <source>
                      <any></any>
                    </source>
                    <destination>
                      <network>opt4ip</network>
                      <port>1195</port>
                    </destination>
                    <disabled></disabled>
                    <created>
                      <time>1412436234</time>
                      <username>admin@10.6.16.6</username>
                    </created>
                    <updated>
                      <time>1412437006</time>
                      <username>admin@10.6.16.6</username>
                    </updated>
                  </rule>

                    phil.davis

                    This pull request should fix it: https://github.com/pfsense/pfsense/pull/1305
                    and I expect it will also fix some cases when doing !WANnet, !LANnet etc. when the interface does not have any VIPs.
                    Tested on:
                    2.2-BETA (amd64)
                    built on Sat Oct 04 19:25:31 CDT 2014
                    FreeBSD 10.1-PRERELEASE

                    with these edits to filter.inc

                    As the Greek philosopher Isosceles used to say, "There are 3 sides to every triangle."
                    If I helped you, then help someone else - buy someone a gift from the INF catalog http://secure.inf.org/gifts/usd/

                      thetallkid

                      The Saturday version is the one I'm running with the problem.

                        phil.davis

                        You can change /etc/inc/filter.inc and test that it fixes the problem if you like.
                        The raw text of the fixed filter.inc is:
                        https://raw.githubusercontent.com/phil-davis/pfsense/patch-2/etc/inc/filter.inc

                        Copy all the text from the browser link above (ctrl-A, ctrl-C)
                        Use Diagnostics->Edit File
                        Load /etc/inc/filter.inc
                        Select all the text and paste the new text over (ctrl-A, ctrl-V)
                        Save

                        Then make a rule edit/save to force it to reload the rules.

                        Hopefully the "not" rules start to work correctly.

                        Disclaimer: only do this sort of thing on test systems where you are happy to spend time recovering if you accidentally paste bad/invalid code into a critical file.


                          thetallkid

                          For whatever reason it didn't work either. Later today I will wipe, start from scratch and report back.

                            thetallkid

                            All working now after a clean reinstall. Also cleared up a few other problems I was having.

                              phil.davis

                              @thetallkid:

                              All working now after a clean reinstall. Also cleared up a few other problems I was having.

                              Great to know it is working - I was wondering if there was going to be some other obscure edge case that the code did not handle.


                              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.