Rules not applying/loading
  • Strange issue that I noticed on RC4.

    I set up a test bed on VMWare.  Loaded pfsense 1.2-RC4.  I also set up a Windows Server VM behind it.  The basic rules after installation are allow everything outbound, great.  Now when I'm trying to disallow certain networks, it won't.

    WAN: xxx.xxx.xxx.199
    VIP: xxx.xxx.xxx.198 –> Server
    LAN: 192.168.1.1

    Server: 192.168.1.200

    Firewall rules:

    LAN: (BLOCK) P:all | S:LAN | * | D: xxx.xxx.226.0/24 | * | *
    LAN: (ALLOW) S:LAN | D:ALL
    WAN: (BLOCK) RFC 1918
    WAN: (ALLOW) ALL

    If I insert that rule (LAN: (BLOCK) P:all | S:LAN | * | D: xxx.xxx.226.0/24 | * | *), it doesn't work.  I'll have a constant PING running on the Windows VM Host behind the PFSENSE VM.  If I reboot the PFSENSE VM, it will work after it comes up.

    If I insert an exception rule ABOVE the BLOCK ALL network rule, like allow 1 host in that BLOCK, it won't work.  I have to reboot the PFSENSE HOST.

    LAN: (BLOCK) P:tcp/udp | S:LAN | P:ANY | D: xxx.xxx.226.2 | P:80 | *

    Some rules just don't seem to apply until after a reboot, and yes, I am applying it and giving ample time to take place....

  • Existing connections won't be blocked until they time out or are reset. This has always been that way since the very first alpha release of pfSense. If you want to make sure existing connections are dropped, reset states at Diagnostics > States, Reset states tab. A block rule only blocks creating new states but doesn't drop existing ones.
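The behaviour described in the reply above (a block rule only affects packets that have no existing state; a state reset makes the rule bite), modelled as an added Python example. This is a toy simulation, not pfSense or pf code; the addresses are constructed, with 198.51.100.0/24 standing in for the masked xxx.xxx.226.0/24 network.

```python
from dataclasses import dataclass, field
from ipaddress import IPv4Network, ip_address, ip_network

# Constructed sample networks (TEST-NET-2 stands in for the thread's masked /24).
BLOCKED_NET = ip_network("198.51.100.0/24")
LAN_NET = ip_network("192.168.1.0/24")
ANY = ip_network("0.0.0.0/0")


@dataclass
class Rule:
    action: str          # "block" or "pass"
    src: IPv4Network
    dst: IPv4Network


@dataclass
class StatefulFirewall:
    """Toy model of stateful evaluation: a packet matching an existing state
    is passed without consulting the ruleset; only packets with no state are
    evaluated against the rules, first match wins (as in pfSense)."""
    rules: list
    states: set = field(default_factory=set)

    def handle(self, src: str, dst: str) -> str:
        key = (src, dst)
        if key in self.states:
            return "pass (existing state)"
        for rule in self.rules:
            if ip_address(src) in rule.src and ip_address(dst) in rule.dst:
                if rule.action == "pass":
                    self.states.add(key)   # pass rules create state
                    return "pass (new state)"
                return "block"
        return "block (default deny)"

    def reset_states(self) -> None:
        """Equivalent of Diagnostics > States > Reset states."""
        self.states.clear()


def demo():
    # Default post-install LAN rule: allow everything outbound.
    fw = StatefulFirewall(rules=[Rule("pass", LAN_NET, ANY)])
    ping = ("192.168.1.200", "198.51.100.10")
    first = fw.handle(*ping)                          # creates the state
    fw.rules.insert(0, Rule("block", LAN_NET, BLOCKED_NET))  # add block on top
    after_rule = fw.handle(*ping)                     # still passes: state exists
    fw.reset_states()                                 # what a reboot also does
    after_reset = fw.handle(*ping)                    # now evaluated, blocked
    return first, after_rule, after_reset
```

Calling `demo()` returns the three verdicts in order; the second one is why the running ping in the original post kept working until the box was rebooted.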
  • @hoba:

    Existing connections won't be blocked until they time out or are reset. This has always been that way since the very first alpha release of pfSense. If you want to make sure existing connections are dropped, reset states at Diagnostics > States, Reset states tab. A block rule only blocks creating new states but doesn't drop existing ones.

    Interesting.  Thank you for clarifying.  I will test this.