Fresh install 2.2.3 firewall alias question [solved]



  • Hi,

    installed 2.2.3 - have problems with transparent squid too, i am comparing with upgrade version on other hardware

    what i noticed:

    if i select "WAN net" built in alias in a Firewall Rule - pfctl shows me two rule-lines for that rule:

    first line is the "WAN address"
    second line is the "WAN net"

    f.e.
    block drop in quick on re0 reply-to (re0 192.168.111.1) inet proto udp from 192.168.111.254 port = ntp to <broadcast>port = ntp label "USER_RULE: Block NTP Broadcasts"
    block drop in quick on re0 reply-to (re0 192.168.111.1) inet proto udp from 192.168.111.0/24 port = ntp to <broadcast>port = ntp label "USER_RULE: Block NTP Broadcasts"

    is that intended…?</broadcast></broadcast>



  • AFAIK it is not intended, and it is not happening on my 2.2.3 system when I put it a similar rule.
    Post a screenshot of the rules on that interface. There must be some rational reason it happened.



  • Screenshots…

    ![Screenshot console.jpg_thumb](/public/imported_attachments/1/Screenshot console.jpg_thumb)
    ![Screenshot console.jpg](/public/imported_attachments/1/Screenshot console.jpg)
    ![Screenshot Rules.jpg_thumb](/public/imported_attachments/1/Screenshot Rules.jpg_thumb)
    ![Screenshot Rules.jpg](/public/imported_attachments/1/Screenshot Rules.jpg)



  • Where are you getting the output for that console screen shot? I guess from some pf command to show the rules?

    In /tmp/rules.debug do you also see both rules?

    I can't replicate that here on 2.2.3 - I tried on my WAN that is in private address space also, happens to be in 192.168.100.0/24. I made an alias to use for the destination… - but I get just 1 rule in /tmp/rules.debug as expected.



  • i used

    pfctl -s rules

    in putty ssh console.

    I will try to reproduce it in a VM.

    Screenshot /tmp/rules.debug attached

    ![Screenshot console rules.debug.jpg](/public/imported_attachments/1/Screenshot console rules.debug.jpg)
    ![Screenshot console rules.debug.jpg_thumb](/public/imported_attachments/1/Screenshot console rules.debug.jpg_thumb)



  • My

    pfctl -s rules
    output has just 1 line with the whole /24 network. Its form is identical to yours - just differences in the actually device name and subnet numbers.
    Now to think. Anyone else with a good idea why "pfctl -s rules" would produce the extra line of output?



  • i'm such a fool….sorry...

    it was MY failure - used a wrong netmask on wan interface...

    thx for your attention phil...


Log in to reply