Upgrade to 2.2.4 - Firewall alias not working
After the upgrade to 2.2.4 my one and only firewall alias fetched from a URL stopped working for some reason.
Checked the URL and it looks just fine. It's basically a textfile with ip's listed in it just like before.
But now I am getting this error:
php-fpm: /rc.filter_configure_sync: The command '/sbin/pfctl -nf /tmp/rules.test.packages' returned exit code '1', the output was 'no IP address found for
Tried removing it and recreating it. I find no
Is this a bug introduced in 2.2.4?
What does cat of /var/db/aliastables/BadSitesList.txt look like?
I had a firewall URL alias issue yesterday too. But different symptom.
In my case the alias was being used on the LAN interface to block bogons destinations.
(with private address space removed - IPv4: 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8)
src: any : any
dst: Bogons_IPv4 : any
action: Block & Log
Had been working fine for months. Then suddenly yesterday it started blocking src: 192.168.2.9 dst: 255.255.255.255.
Was fine again after pfSense reboot.
That file is giving me the contents of an HTML file.
Basically saying: <title>Error 400 (Bad request!)</title>
Also tried rebooting. Didn't help.
Bad request 400
The request had bad syntax or was inherently impossible to be satisfied.
What is the URL?
Seems that there is no validation of the download success, and the website error message is being parsed into the aliastable 'as is'… This is why you're getting:
The command '/sbin/pfctl -nf /tmp/rules.test.packages' returned exit code '1', the output was 'no IP address found for contains bad data'
You can also use pfBlockerNG to download these URLs and create the appropriate Rules/Tables…
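Added example (not pfSense's own code) of the check the post above says is missing: refuse a non-200 response and refuse any line that is not an IP address or CIDR network before anything is written to the alias table, so an error page never reaches pfctl. The sample bodies are constructed for the example.

```python
import ipaddress
from typing import List

# Constructed sample bodies (not taken from the thread): a healthy alias list and
# an HTML 400 page of the kind the thread describes landing in the alias table.
GOOD_BODY = """# blocked hosts
203.0.113.7
198.51.100.0/24
2001:db8::/32
"""
ERROR_BODY = """<html><head><title>Error 400 (Bad request!)</title></head>
<body>The request had bad syntax or was inherently impossible to be satisfied.</body></html>
"""


class AliasFetchError(ValueError):
    """Raised when a fetched alias list must not replace the existing table."""


def validate_alias_body(status: int, body: str) -> List[str]:
    """Return the normalised entries of a URL alias download, or raise.

    Two checks: the HTTP status must be 200, and every non-blank, non-comment
    line must parse as an IP address or CIDR network. Either failure keeps the
    previously downloaded table instead of feeding junk to pfctl.
    """
    if status != 200:
        raise AliasFetchError(f"alias download returned HTTP {status}; keeping previous table")
    entries: List[str] = []
    for lineno, raw in enumerate(body.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # allow trailing '#' comments
        if not line:
            continue
        try:
            # strict=False accepts host bits set (e.g. 10.1.2.3/8), as pfctl does
            net = ipaddress.ip_network(line, strict=False)
        except ValueError:
            raise AliasFetchError(f"line {lineno} is not an IP/CIDR: {line!r}") from None
        entries.append(str(net))
    if not entries:
        raise AliasFetchError("alias list is empty; keeping previous table")
    return entries


if __name__ == "__main__":
    print(validate_alias_body(200, GOOD_BODY))
    for status, body in ((400, ERROR_BODY), (200, ERROR_BODY)):
        try:
            validate_alias_body(status, body)
        except AliasFetchError as exc:
            print("rejected:", exc)
```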
The URL is to an internal webserver.
"In my case the alias was being used on the LAN interface to block bogons destinations."
For what possible freaking reason?? Got to be one of the stupidest things I have ever heard anyone use a bogon list for!!
Tried pfBlockerNG now and that way I can create an alias from a URL without any problems.
So I'll be using that then for a while.
Good to know that for now the internal function is broken.
This is caused by pfSense trying to send its UUID in the User-Agent on the GET request.
If you UNCHECK "Do NOT send HOST UUID with user agent", it will work.