Netgate Discussion Forum

    Egress rule changes not applying

    Firewalling
    5 Posts 4 Posters 1.1k Views
    ttblum

      Hello,

      I have a Netgate Alix 2D3 running 2.1.3.  I tried to add a firewall rule today on the LAN interface to allow additional traffic out, but the new rule is not being applied and the outgoing traffic is still being blocked.  I even added an 'any any' rule on the LAN interface, but outgoing traffic is still being blocked as though I hadn't changed anything.

      I've tried reloading the filter and 'pfctl -f /tmp/rules.debug' without success.

      I'm also afraid to upgrade to 2.1.5 as my last two upgrades from a version 2.1.x corrupted the filesystem.

      Is there a way to be able to apply changes to pf again?

      Harvy66

        Do you have any warnings displaying in the top right? I was messing around with my traffic shaper in the past and I had something misconfigured, which meant the traffic shaping values caused a logic error, which meant my firewall rules weren't getting updated. pfSense continued to run on the last known working firewall config.

        A screenshot of your interface rules could help.

        ttblum

          I found that 'System Logs' was configured to display 900 entries, which must have been too much for this little box as the webgui was crashing:

          Jan 6 15:10:23 kernel: pid 72994 (php), uid 0, was killed: out of swap space
          Jan 6 15:00:05 kernel: pid 71774 (php), uid 0, was killed: out of swap space
          Jan 6 15:00:01 kernel: pid 55061 (php), uid 0, was killed: out of swap space

          I changed 'System logs' to display 45 entries, then a notification immediately appeared:

          01-06-15 15:35:57	[ There were error(s) loading the rules: /tmp/rules.debug:220: macro MplayServers not defined - The line in question reads [220]: pass in quick on $LAN $GWLoadBalance inet proto tcp from 192.168.xx.0/24 to $MplayServers flags S/SA keep state label USER_RULE: For Mplaybox]
          01-06-15 15:36:01	[ There were error(s) loading the rules: /tmp/rules.debug:220: macro MediplayServers not defined - The line in question reads [220]: pass in quick on $LAN $GWLoadBalance inet proto tcp from 192.168.xx.0/24 to $MediplayServers flags S/SA keep state label USER_RULE: For Mplaybox]

          I checked the MplayServers alias and found it had an entry 'y.y.y.1/24', instead of 'y.y.y.0/24'. 
          I corrected this, and then firewall changes started working again.

          cmb

            @ttblum:

            I found that 'System Logs' was configured to display 900 entries, which must have been too much for this little box as the webgui was crashing:

            Jan 6 15:10:23 kernel: pid 72994 (php), uid 0, was killed: out of swap space
            Jan 6 15:00:05 kernel: pid 71774 (php), uid 0, was killed: out of swap space
            Jan 6 15:00:01 kernel: pid 55061 (php), uid 0, was killed: out of swap space

            That's the source of your issue; some of those aren't just for the web interface but also run some of the back-end things.

            @ttblum:

            I checked the MplayServers alias and found it had an entry 'y.y.y.1/24', instead of 'y.y.y.0/24'. 
            I corrected this, and then firewall changes started working again.

            While that is technically correct where it wasn't previously, things actually work the same way whether you use the appropriate network address or not; pf will ignore the last octet in that case where it's x.x.x.1/24 and just adds it as x.x.x.0/24. What seems to have happened there is, after you changed what was causing you to run out of RAM, touching something that triggered a filter reload worked and fixed the issue. So just an edit and save of the alias without changing anything, or going to Status > Filter Reload and triggering a reload, would have done the same.

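An added example, not code from pfSense or from any of the posters above: a small POSIX sh/awk lint pass over a pf ruleset file such as /tmp/rules.debug. It reports the two things this thread turned up, a `$name` reference with no `name = ...` macro definition (the "macro MplayServers not defined" error ttblum finally saw once the notification could be displayed) and a dotted-quad/prefix entry whose host bits are set (the y.y.y.1/24 alias entry). As cmb says, pf masks the host bits itself, so the second finding is flagged as a likely typo rather than a load error. The function names, the sample ruleset and every address in it are constructed for this example; the sample only imitates the 2.1.x rules.debug layout.

```shell
#!/bin/sh
# Added example (not pfSense code). Lint a pf ruleset for:
#   1. $name references with no "name = ..." macro definition
#      (the error pfctl reports as "macro NAME not defined");
#   2. a.b.c.d/n entries with host bits set (y.y.y.1/24 instead of y.y.y.0/24).
# Assumes a POSIX sh and awk, as found on FreeBSD/pfSense.

# usage: lint_pf_rules FILE  -> prints one finding per line; exit 1 if any, 0 if clean
lint_pf_rules() {
    awk '
    /^[ \t]*#/ { next }                          # pf comment line, nothing to check
    /^[A-Za-z_][A-Za-z0-9_]*[ \t]*=/ {           # macro definition: name = value
        name = $1; sub(/[ \t]*=.*/, "", name); defined[name] = 1
    }
    {
        # 1. every $name must already be defined (pf requires definition before use,
        #    so checking in file order is the right thing to do)
        line = $0
        while (match(line, /[$][A-Za-z_][A-Za-z0-9_]*/)) {
            ref = substr(line, RSTART + 1, RLENGTH - 1)
            if (!(ref in defined)) {
                printf "%s:%d: macro %s not defined\n", FILENAME, NR, ref
                problems++
            }
            line = substr(line, RSTART + RLENGTH)
        }
        # 2. every a.b.c.d/n must have zero host bits; report the masked network
        line = $0
        while (match(line, /[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+\/[0-9]+/)) {
            cidr = substr(line, RSTART, RLENGTH)
            split(cidr, p, "/"); split(p[1], o, ".")
            prefix = p[2] + 0
            ip = o[1] * 16777216 + o[2] * 65536 + o[3] * 256 + o[4]
            if (prefix > 32) {
                printf "%s:%d: %s: prefix length longer than 32\n", FILENAME, NR, cidr
                problems++
            } else if (ip % (2 ^ (32 - prefix)) != 0) {
                net = ip - ip % (2 ^ (32 - prefix))
                printf "%s:%d: %s has host bits set; network address is %d.%d.%d.%d/%d\n", FILENAME, NR, cidr, int(net / 16777216) % 256, int(net / 65536) % 256, int(net / 256) % 256, net % 256, prefix
                problems++
            }
            line = substr(line, RSTART + RLENGTH)
        }
    }
    END { exit problems > 0 }' "$1"
}

# Constructed sample imitating the 2.1.x rules.debug layout: three macros, a rule
# using an undefined macro, and a network written with its host bits set.
write_sample_rules() {
    cat > "$1" <<'EOF'
# constructed sample, not a real rules.debug
LAN = "{ vr0 }"
GWLoadBalance = " route-to { ( vr1 10.0.0.1 ) } "
MediaServers = "{ 203.0.113.0/24 }"
pass in quick on $LAN $GWLoadBalance inet proto tcp from 192.168.10.0/24 to $MediaServers flags S/SA keep state label "USER_RULE: media"
pass in quick on $LAN $GWLoadBalance inet proto tcp from 192.168.10.0/24 to $MplayServers flags S/SA keep state label "USER_RULE: For Mplaybox"
pass in quick on $LAN inet proto tcp from 192.168.10.0/24 to 198.51.100.1/24 flags S/SA keep state label "USER_RULE: typo in network"
EOF
}

# Stand-alone demo: write the sample, lint it, clean up.
sample="$(mktemp)"
write_sample_rules "$sample"
if lint_pf_rules "$sample"; then
    echo "ruleset is clean"
else
    echo "fix the findings above before reloading with pfctl -f"
fi
rm -f "$sample"
```

Run it against the real file with `lint_pf_rules /tmp/rules.debug` before a reload; `pfctl -n -f /tmp/rules.debug` does the authoritative parse without loading anything, but it stops at the first error and, as this thread shows, its message only reaches the GUI notification area when the PHP back end is not being killed for lack of memory.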
            phil.davis

              I'm also afraid to upgrade to 2.1.5 as my last two upgrades from a version 2.1.x corrupted the filesystem.

              Maybe you have a dodgy CF card in the Alix?

              On the memory side, pfSense 2.2 is MUCH better at using a consistent amount of memory and not having nasty peaks when a bunch of external events happen. I am running about 10 Alix systems on 2.2-RC now, and it is so much better than with 2.1.x.

              If you are struggling for memory with the config you have on a 256MB Alix, then upgrading to 2.2 is "a good thing" ™

              As the Greek philosopher Isosceles used to say, "There are 3 sides to every triangle."
              If I helped you, then help someone else - buy someone a gift from the INF catalog http://secure.inf.org/gifts/usd/

              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.