My home 2.1.5 stopped passing rule changes to pf


  • Netgate

    [SOLVED - posting in case it helps others]

    I had left some HFSC queues in an error state while I was working on them a few days ago so pf couldn't load the rules any more.

    I found this with: pfctl -f /tmp/rules.debug -n -g
    bandwidth for qInternet higher than interface
    /tmp/rules.debug:137: errors in queue definition
    parent qInternet not found for qDNS
    /tmp/rules.debug:138: errors in queue definition
    parent qInternet not found for qACK
    /tmp/rules.debug:139: errors in queue definition
    parent qInternet not found for qVPN
    /tmp/rules.debug:140: errors in queue definition
    parent qInternet not found for qBulk
    /tmp/rules.debug:141: errors in queue definition
    parent qInternet not found for qOpenWireless
    /tmp/rules.debug:142: errors in queue definition
    parent qInternet not found for qLowPrio
    /tmp/rules.debug:143: errors in queue definition

    Fixed those and everything started functioning normally.  There was no indication that pf was having trouble parsing the rules file except in the traffic shaper config which triggers the alert up to the right of the menu bar.

    So if you're working on your queues and get an error, don't walk away and do something else and forget about it.  Fix it.  :/

    -----

    I was attempting to give a vendor access to my webconfigurator login a few days ago and it didn't open.  Finally investigating.

    I have my webconfigurator on TCP 8883 with the port 80 redirector disabled.

    I had a pass rule to allow traffic from the admin_ip_ranges to an admin ports alias (80, 443, 22, 8883).  I modified this rule to allow traffic from any for the testing I needed to have done.  Traffic from them is still being blocked by the default deny rule.

    pfctl -vvs rules | grep 8883
    @39 block drop in log quick proto tcp from <webconfiguratorlockout:0> to (self:21) port = 8883 label "webConfiguratorlockout"
    @132 pass in quick on em0_vlan223 proto tcp from any to (em0_vlan223:3) port = 8883 flags S/SA keep state label "anti-lockout rule"
    @153 pass in quick on em2 reply-to (em2 69.221.23.1) inet proto tcp from <admin_ip_ranges:1> to 69.221.23.142 port = 8883 flags S/SA keep state label "USER_RULE: Allow Admin from select networks" queue(qBulk, qACK)
    @182 block return in quick on em0_vlan1003 inet proto tcp from 172.29.224.0/24 to 172.29.224.1 port = 8883 flags S/SA label "USER_RULE: Reject Guest access to Admin Interface"
    @198 block return in quick on em0_vlan1004 inet proto tcp from 172.25.128.0/24 to 172.25.128.1 port = 8883 flags S/SA label "USER_RULE: Reject access to Admin"
    @202 block return in quick on em0_vlan1004 inet proto tcp from 172.25.128.0/24 to 75.23.24.125 port = 8883 flags S/SA label "USER_RULE: Reject access to DSL WAN"
    @206 block return in quick on em0_vlan1004 inet proto tcp from 172.25.128.0/24 to 69.221.23.142 port = 8883 flags S/SA label "USER_RULE: Reject access to COX WAN"

    It's still using the admin_ip_ranges alias, not any.

    It's like the webConfig is taking my rule changes but nothing is making it into pf.  system.log isn't complaining:

    Oct 26 08:11:59 fw-223 check_reload_status: Syncing firewall
    Oct 26 08:12:02 fw-223 check_reload_status: Reloading filter

    Interestingly, /tmp/rules.debug has the correct rule:

    grep 8883 /tmp/rules.debug

    admin_ports = "{  22  443  8883  80 }"
    block in log quick proto tcp from <webconfiguratorlockout> to (self) port 8883 label "webConfiguratorlockout"
    pass in quick on em0_vlan223 proto tcp from any to (em0_vlan223) port { 8883 22 } keep state label "anti-lockout rule"
    pass  in  quick  on $WAN reply-to ( em2 69.221.23.1 ) inet proto tcp  from any to 69.221.23.142 port 8883 flags S/SA keep state  queue (qBulk,qACK)  label "USER_RULE: Allow Admin from select networks"

    I have reloaded the filters, cleared states (it was worth a shot) and done everything I can think of except reboot.
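
The dry run the poster used to find the problem, `pfctl -n -f /tmp/rules.debug`, is the check worth automating: pfSense kept writing a fresh rules.debug while pf silently kept running the last ruleset it had accepted, so an intended rule change (here, widening a pass rule; it could just as easily be a new block) never took effect. The script below is an added example written for this page; it is not code from the original post or from pfSense. It runs the same dry run and, for every parse error of the form `FILE:LINE: message`, prints the offending line of the rules file next to the error, so a broken queue definition is visible at once. `check_pf_rules` assumes `pfctl` is on the path; the parse-error text and the five-line rules file used to exercise the parser are constructed to mirror the format quoted above.

```shell
#!/bin/sh
# Added example: not code from the original forum post or from pfSense.
# Dry-run a pf rules file with `pfctl -n -f` and print the rule behind
# every parse error, so a broken queue definition is caught instead of
# leaving pf on a stale ruleset while the GUI keeps writing a new one.

# report_parse_errors RULES_FILE  < pfctl-output
#   pfctl reports parse errors as "FILE:LINE: message", e.g.
#   "/tmp/rules.debug:137: errors in queue definition".  For each such
#   line this prints "rules.debug:137: <text of line 137>" so the offending
#   rule is visible without opening the file.  Messages without a line
#   reference ("parent qInternet not found for qDNS") pass through as-is.
#   A clean dry run prints nothing, so any output at all is a problem:
#   returns 1 if anything was read, 0 if pf would load the file.
report_parse_errors() {
    rules_file=$1
    problems=0
    while IFS= read -r msg; do
        [ -n "$msg" ] || continue
        problems=$((problems + 1))
        rest=${msg#*:}          # drop "FILE:"
        lineno=${rest%%:*}      # keep what is left up to the next ":"
        case $lineno in
            ''|*[!0-9]*)
                # no "FILE:LINE:" prefix, or a colon inside a plain message
                printf '%s\n' "$msg" ;;
            *)
                text=$(sed -n "${lineno}p" "$rules_file")
                printf '%s:%s: %s\n' "${rules_file##*/}" "$lineno" "$text" ;;
        esac
    done
    [ "$problems" -eq 0 ]
}

# check_pf_rules RULES_FILE
#   Parse the file exactly as a filter reload would, without touching the
#   live ruleset (-n), and report.  Exit status is 0 only if pf would
#   accept the file, so this can run from cron or a reload hook.
check_pf_rules() {
    pfctl -n -f "$1" 2>&1 | report_parse_errors "$1"
}

# Stand-alone use: sh pfcheck.sh /tmp/rules.debug
[ $# -eq 0 ] || check_pf_rules "$1"
```

Run it against /tmp/rules.debug after any shaper or rule edit; a non-zero exit means the GUI's "Reloading filter" log line is lying about what pf is actually enforcing.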