    Firewall allow rule(s) having no effect

    4 Posts 3 Posters 1.3k Views
    • solarfl4re

      Hi,
      For a couple of computers and devices on my network, I have them running in a whitelist mode - everything but a few sites is blocked.

      The problem is that the 'allow' rules on the firewall seem to have no effect; things that are explicitly allowed are blocked. However, if I edit & save one of the allow rules, sometimes it seems to work for about 10 minutes. A clean install of 2.2 Release was just installed on the machine, which had previously worked fine with 2.0.1.

      The rules look like this:

      Action | Proto    | Source                       | Port | Dest.                         | Port     | Gateway
      -------+----------+------------------------------+------+-------------------------------+----------+--------
      Pass   | IPv4 TCP | Alias 'UserName_all_devices' | *    | Alias 'AllowedUserName_HTTPS' | *        | *
      Block  | IPv4 TCP | Alias 'InternetBlocked'      | *    | ! LAN net                     | 1 - 1024 | *

      The alias 'UserName_all_devices' is a list of aliases of the user's IPs.

      AllowedUserName_HTTPS is a list of aliases - for example, one entry is 'site_amazon_ec2', which has a list of Amazon EC2's netblocks - e.g. 174.129.0.0/16.

      InternetBlocked includes all devices that are in this whitelist mode.

      This setup worked fine under 2.0.1, and I can't figure out why it won't work here. Are there any known issues like this, or am I doing something wrong? When something is blocked, it shows that it was blocked by the block rule, even though the exact IP was explicitly allowed by the allow rule.

      Thanks in advance for any help or advice.

      • marcelloc

        Do the system logs show any alert or rule-update error?

        Elite Training: http://sys-squad.com

        Help a community developer! ;D

        • solarfl4re

          Not that I can see; just 'syncing/reloading firewall'.

          I don't know if it's important, but under the resolver tab I see:
          Jan 27 21:26:00 filterdns: adding entry 107.22.219.156 to table AllowedUser_HTTPS on host dl.dropboxusercontent.com
          Jan 27 21:26:00 filterdns: adding entry 107.21.215.82 to table AllowedUser_HTTPS on host dl.dropboxusercontent.com
          … (more)
          These are immediately followed by:
          Jan 27 21:26:00 filterdns: clearing entry 107.20.165.93 from table AllowedUser_HTTPS on host dl.dropboxusercontent.com
          Jan 27 21:26:00 filterdns: clearing entry 54.235.194.118 from table AllowedUser_HTTPS on host dl.dropboxusercontent.com

          Also, under Diagnostics -> Tables, the tables for these aliases only have a few of the entries that are in the alias.

          Edit:
          I also see this entry, don't know if it's important:
          filterdns: COULD NOT clear entry 54.231.17.250 from table InternetAllowedUser2 on host s3-external-1.amazonaws.com will retry later

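A quick way to check what the post above reports under Diagnostics -> Tables is to replay the filterdns log lines and work out what each table should hold after the last add/clear. The script below is an added example for this thread, not pfSense or filterdns code. It parses the four log lines quoted above plus one constructed line for the 'COULD NOT clear' message (the thread shows that message without a timestamp, so the 'Jan 27 21:26:00' stamp on it is an assumption), and it assumes that a failed clear leaves the entry in the pf table, which is what the 'will retry later' wording suggests. The membership it computes is what `pfctl -t AllowedUser_HTTPS -T show` on the firewall, or Diagnostics -> Tables in the GUI, should display.

```python
"""Replay pfSense filterdns log lines to see what a hostname alias table holds.

Added example for this forum thread, not pfSense or filterdns code. filterdns
logs one line per table change; replaying them in order gives the table's
membership after the last event and shows which addresses the hostname has
resolved to that are no longer in the table (and so no longer match the rule).
"""
import re
from collections import defaultdict

# Sample input. Lines 1-4 are copied from the thread. Line 5 is CONSTRUCTED:
# the thread shows the "COULD NOT clear" message without its timestamp, so one
# is supplied here so the line parses like the others.
SAMPLE_LOG = """\
Jan 27 21:26:00 filterdns: adding entry 107.22.219.156 to table AllowedUser_HTTPS on host dl.dropboxusercontent.com
Jan 27 21:26:00 filterdns: adding entry 107.21.215.82 to table AllowedUser_HTTPS on host dl.dropboxusercontent.com
Jan 27 21:26:00 filterdns: clearing entry 107.20.165.93 from table AllowedUser_HTTPS on host dl.dropboxusercontent.com
Jan 27 21:26:00 filterdns: clearing entry 54.235.194.118 from table AllowedUser_HTTPS on host dl.dropboxusercontent.com
Jan 27 21:26:00 filterdns: COULD NOT clear entry 54.231.17.250 from table InternetAllowedUser2 on host s3-external-1.amazonaws.com will retry later
"""

# syslog timestamp, then the three filterdns table-change messages seen above
EVENT_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) filterdns: "
    r"(?P<verb>adding|clearing|COULD NOT clear) entry (?P<ip>\S+) "
    r"(?:to|from) table (?P<table>\S+) on host (?P<host>\S+)"
)


def parse_filterdns(text):
    """Return (timestamp, verb, ip, table, host) tuples in log order.
    Lines that are not filterdns table events are ignored."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if m:
            events.append((m["ts"], m["verb"], m["ip"], m["table"], m["host"]))
    return events


def new_table_state():
    return {"current": set(), "seen": set(), "failed_clears": set(), "hosts": set()}


def replay(events):
    """Apply add/clear events in order and return {table_name: state}.
    current       - entries the table should hold after the last event
    seen          - every address the host resolved to in this log window
    failed_clears - entries filterdns could not remove (assumed still present)"""
    tables = defaultdict(new_table_state)
    for _ts, verb, ip, table, host in events:
        st = tables[table]
        st["hosts"].add(host)
        st["seen"].add(ip)
        if verb == "adding":
            st["current"].add(ip)
        elif verb == "clearing":
            st["current"].discard(ip)
        else:  # "COULD NOT clear": assumption - the entry is still in the pf table
            st["current"].add(ip)
            st["failed_clears"].add(ip)
    return dict(tables)


def is_in_table(tables, table, ip):
    """Would a rule using this alias match `ip` right now?"""
    return ip in tables.get(table, new_table_state())["current"]


def findings(tables):
    """Problems worth reporting: addresses the host resolved to that are no
    longer in the table (round-robin churn), and entries pf could not clear."""
    out = []
    for name, st in sorted(tables.items()):
        dropped = st["seen"] - st["current"]
        if dropped:
            out.append(f"{name}: {len(dropped)} of {len(st['seen'])} addresses seen for "
                       f"{', '.join(sorted(st['hosts']))} are not in the table now: "
                       f"{', '.join(sorted(dropped))}")
        if st["failed_clears"]:
            out.append(f"{name}: stale entries pf could not clear: "
                       f"{', '.join(sorted(st['failed_clears']))}")
    return out


if __name__ == "__main__":
    state = replay(parse_filterdns(SAMPLE_LOG))
    for name, st in sorted(state.items()):
        print(f"{name}: {sorted(st['current'])}")
    for warning in findings(state):
        print("WARNING:", warning)
```

On a real box, feed it the resolver log instead of `SAMPLE_LOG` and compare `current` with `pfctl -t <table> -T show`. The `dropped` addresses are the ones that would produce the symptom from the first post: a client whose own DNS lookup returns an address filterdns has since cleared from the table falls past the pass rule and is logged against the block rule, even though the hostname is in the alias.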
          • doktornotor

            Afraid you're hitting this: https://redmine.pfsense.org/issues/4296
