Netgate Discussion Forum

    Block LAN out: SECOND rule fires, instead of first?

      Mr. Jingles

      "Things that make you go 'hmmm'"  ;D

      G'day fine peoples  :P

      I have a Synology phoning home for updates etc., which I blocked in LAN as rule 1 via an alias, which contains 4 IPs and 1 FQDN (dec.quickconnect.to).

      To my surprise, however, dec.quickconnect.to is blocked by a SECOND LAN rule, that blocks ALL Synology out (as a test).

      This is not correct; the first rule should block it.

      ???

      EDIT: more weirdness.

      In a bright moment I thought 'perhaps the IP for dec.quickconnect.to has changed in the last 60 seconds or so' (alias table update is set to 60 secs).

      The firewall log shows indeed there are TWO IPs for dec.quickconnect.to, however they are not sequential in time (pic 3).

      I'm lost, would anybody be willing to shed a light?

      EDIT2: can't attach pics; get a 500 internal error (pics are 3 o,7MB together).

      6 and a half billion people know that they are stupid, aggressive, lower life forms.

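The observation above (a destination the first rule was meant to catch being logged against the second rule, and the log showing two different addresses for one FQDN) comes down to how a first-match ruleset interacts with an alias table that is a snapshot of resolver answers taken at each refresh. The model below is an added example written for this thread, not code from pfSense or from either poster, and it generalises beyond the specific bug doktornotor points to: it shows that whenever the table built at refresh time does not contain the address a connection actually goes to, the connection falls through to the next rule. The host name dec.quickconnect.to is from the thread; the Synology LAN address, the four static members, the rule labels and the DNS answer set are constructed.

```python
"""First-match rule evaluation against an alias table built from a DNS
snapshot.

Added example for this thread; not code from pfSense or from any poster.
dec.quickconnect.to comes from the thread; every address, rule label and
DNS answer below is constructed for illustration."""
from dataclasses import dataclass, field
from ipaddress import IPv4Address, ip_address
from typing import Callable, Dict, List, Optional, Set

# Constructed answer set for the FQDN member (RFC 5737 documentation range).
DNS_ANSWERS: Dict[str, List[str]] = {
    "dec.quickconnect.to": ["203.0.113.10", "203.0.113.20"],
}

Resolver = Callable[[str, int], List[str]]


def resolve_one(fqdn: str, refresh_no: int) -> List[str]:
    """Hand back one A record per lookup, rotating through the answer set.
    Models a resolver that returns only part of a multi-address name."""
    answers = DNS_ANSWERS[fqdn]
    return [answers[refresh_no % len(answers)]]


def resolve_all(fqdn: str, refresh_no: int) -> List[str]:
    """Hand back every A record on each lookup."""
    return list(DNS_ANSWERS[fqdn])


@dataclass
class Alias:
    name: str
    members: List[str]                       # literal IPs and/or FQDNs
    table: Set[IPv4Address] = field(default_factory=set)

    def refresh(self, resolve: Resolver, refresh_no: int) -> Set[IPv4Address]:
        """Rebuild the table: literals always go in, each FQDN contributes
        only what the resolver returned on this particular refresh."""
        new: Set[IPv4Address] = set()
        for m in self.members:
            try:
                new.add(ip_address(m))
            except ValueError:               # not an IP literal, so an FQDN
                new.update(ip_address(a) for a in resolve(m, refresh_no))
        self.table = new
        return new


@dataclass
class Rule:
    label: str                               # every rule here is a block rule
    src: Optional[IPv4Address]               # None = any
    dst: Optional[Alias]                     # None = any

    def matches(self, src: IPv4Address, dst: IPv4Address) -> bool:
        if self.src is not None and src != self.src:
            return False
        return self.dst is None or dst in self.dst.table


def first_match(rules: List[Rule], src: IPv4Address,
                dst: IPv4Address) -> Optional[str]:
    """pf evaluates top-down; with 'quick' rules the first match decides."""
    for r in rules:
        if r.matches(src, dst):
            return r.label
    return None


def which_rule_blocks(resolve: Resolver,
                      refresh_no: int = 0) -> Dict[str, Optional[str]]:
    """Build the LAN ruleset from the thread (rule 1: alias of 4 IPs plus
    1 FQDN; rule 2: block everything from the Synology) and report which
    rule catches a connection to each address the FQDN can resolve to."""
    synology = ip_address("192.168.1.50")                  # constructed LAN host
    phone_home = Alias("SynologyPhoneHome",
                       ["198.51.100.1", "198.51.100.2",    # constructed members
                        "198.51.100.3", "198.51.100.4",
                        "dec.quickconnect.to"])
    phone_home.refresh(resolve, refresh_no)
    rules = [
        Rule("rule1_block_phone_home", synology, phone_home),
        Rule("rule2_block_all_synology", synology, None),
    ]
    return {a: first_match(rules, synology, ip_address(a))
            for a in DNS_ANSWERS["dec.quickconnect.to"]}


if __name__ == "__main__":
    print("one answer per refresh: ", which_rule_blocks(resolve_one))
    print("all answers per refresh:", which_rule_blocks(resolve_all))
```

With the partial resolver the address that was not in the table at refresh time is logged against rule 2, exactly the pattern described in the first post, while a refresh that captured every address keeps both on rule 1. The practical check on pfSense is to compare the live table with what the firewall log shows: `pfctl -t <aliasname> -T show` from a shell (or Diagnostics > Tables in the web GUI) lists the addresses the alias currently holds, so if the logged destination is missing from that list, the rule never had a chance to match it.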
        doktornotor

        Mixing FQDNs and IPs in an alias has been broken for quite a while. Do not do this.

        https://redmine.pfsense.org/issues/4296

          Mr. Jingles

          @doktornotor:

          Mixing FQDNs and IPs in an alias has been broken for quite a while. Do not do this.

          https://redmine.pfsense.org/issues/4296

          Thanks Doc  :-*

          The description next to the alias says it is allowed, but I assume that is the wrong description then?

          So, what should I do: a nested alias TOTAL containing Alias1 that has only IPs, and Alias2 that has only FQDNs?

          Or a firewall rule per Alias-type? (That would make it messy  :-[ ).


          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.