Firewall allow rule(s) having no effect
-
Hi,
For a couple computers and devices on my network, I have them running in a whitelist mode - everything but a few sites are blocked. The problem is that the 'allow' rules on the firewall seem to have no effect; things that are explicitly allowed are blocked. However, if I edit & save one of the allow rules, sometimes it seems to work for about 10 minutes. A clean install of 2.2 Release was just installed on the machine, which has previously worked fine with 2.0.1.
The rules look like this:
| Action | Proto    | Source                       | Port | Dest.                         | Port     | Gateway |
| Pass   | IPv4 TCP | Alias 'UserName_all_devices' | *    | Alias 'AllowedUserName_HTTPS' | *        | *       |
| Block  | IPv4 TCP | Alias 'InternetBlocked'      | *    | ! LAN net                     | 1 - 1024 | *       |

The alias 'UserName_all_devices' is a list of aliases of the user's IPs.
AllowedUserName_HTTPS is a list of aliases - for example, one entry is 'site_amazon_ec2', which has a list of Amazon EC2's netblocks - e.g. 174.129.0.0/16.
InternetBlocked includes all devices that are in this whitelist mode.
This setup worked fine under 2.0.1, and I can't figure out why it won't work here. Are there any known issues like this, or am I doing something wrong? When something is blocked, it shows that it was blocked by the block rule, even though the exact IP was explicitly allowed by the allow rule.
Thanks in advance for any help or advice.
-
Does the system log show any alert or rule update error?
-
Not that I can see; just 'syncing/reloading firewall'.
I don't know if it's important, but under the resolver tab I see:
Jan 27 21:26:00 filterdns: adding entry 107.22.219.156 to table AllowedUser_HTTPS on host dl.dropboxusercontent.com
Jan 27 21:26:00 filterdns: adding entry 107.21.215.82 to table AllowedUser_HTTPS on host dl.dropboxusercontent.com
… (more)
These are immediately followed by:
Jan 27 21:26:00 filterdns: clearing entry 107.20.165.93 from table AllowedUser_HTTPS on host dl.dropboxusercontent.com
Jan 27 21:26:00 filterdns: clearing entry 54.235.194.118 from table AllowedUser_HTTPS on host dl.dropboxusercontent.com
Also, under Diagnostics -> Tables, the tables for these aliases only have a few of the entries that are in the alias.
Edit:
I also see this entry, don't know if it's important:
filterdns: COULD NOT clear entry 54.231.17.250 from table InternetAllowedUser2 on host s3-external-1.amazonaws.com will retry later
-
Afraid you're hitting this: https://redmine.pfsense.org/issues/4296
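As an added example (not part of the thread or of pfSense), the following script scans filterdns log lines of the kind quoted above and flags hostname aliases whose pf table entries are added and cleared within the same second, or whose clears fail; those are the tables that will not match what the rule editor shows. The sample log is constructed from the posted lines plus one invented well-behaved host (Static_Hosts / intranet.example.test) for contrast.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the filterdns entries quoted in the thread;
# the last line (Static_Hosts / intranet.example.test) is invented as a stable control.
SAMPLE_LOG = """\
Jan 27 21:26:00 filterdns: adding entry 107.22.219.156 to table AllowedUser_HTTPS on host dl.dropboxusercontent.com
Jan 27 21:26:00 filterdns: adding entry 107.21.215.82 to table AllowedUser_HTTPS on host dl.dropboxusercontent.com
Jan 27 21:26:00 filterdns: clearing entry 107.20.165.93 from table AllowedUser_HTTPS on host dl.dropboxusercontent.com
Jan 27 21:26:00 filterdns: clearing entry 54.235.194.118 from table AllowedUser_HTTPS on host dl.dropboxusercontent.com
Jan 27 21:26:00 filterdns: COULD NOT clear entry 54.231.17.250 from table InternetAllowedUser2 on host s3-external-1.amazonaws.com will retry later
Jan 27 21:31:00 filterdns: adding entry 10.0.0.5 to table Static_Hosts on host intranet.example.test
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) filterdns: "
    r"(?P<op>adding|clearing|COULD NOT clear) entry (?P<ip>[0-9a-fA-F.:]+) "
    r"(?:to|from) table (?P<table>\S+) on host (?P<host>\S+)"
)

def parse(log_text):
    """Yield (timestamp, op, ip, table, host) for each filterdns line; other lines are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield (m["ts"], m["op"], m["ip"], m["table"], m["host"])

def analyse(log_text):
    """Per (table, host): count adds/clears, failed clears, and same-second add+clear churn."""
    stats = defaultdict(lambda: {"adds": 0, "clears": 0, "failed_clears": 0, "churn": False})
    add_times = defaultdict(set)  # (table, host) -> timestamps at which an entry was added
    for ts, op, ip, table, host in parse(log_text):
        s = stats[(table, host)]
        if op == "adding":
            s["adds"] += 1
            add_times[(table, host)].add(ts)
        elif op == "clearing":
            s["clears"] += 1
            if ts in add_times[(table, host)]:
                s["churn"] = True  # entries added and removed in the same second
        else:
            s["failed_clears"] += 1
    return dict(stats)

def suspect_hosts(log_text):
    """Hosts whose live pf table is unstable, so rules using the alias cannot be trusted to match."""
    return sorted(host for (table, host), s in analyse(log_text).items()
                  if s["churn"] or s["failed_clears"])
```

Running `suspect_hosts(SAMPLE_LOG)` on the constructed sample returns the Dropbox and S3 hosts but not the control host; feed it `clog /var/log/resolver.log` output (path as on 2.2, assumed) to check a real box.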