Upgrade to 2.2.4 - Firewall alias not working



  • Hello.

    After the upgrade to 2.2.4 my one and only firewall alias fetched from a URL stopped working for some reason.

    Checked the URL and it looks just fine. It's basically a text file with IPs listed in it, just like before.

    But now I am getting this error:

    php-fpm[32459]: /rc.filter_configure_sync: The command '/sbin/pfctl -nf /tmp/rules.test.packages' returned exit code '1', the output was 'no IP address found for
    Tried removing it and recreating it. I find no
    Is this a bug introduced in 2.2.4 ?

    Thanks.


  • LAYER 8 Global Moderator

    What does cat of /var/db/aliastables/BadSitesList.txt look like?



  • I had a firewall URL alias issue yesterday too.  But different symptom.

    In my case the alias was being used on the LAN interface to block bogons destinations.

    https://www.Team-CYMRU.org/Services/Bogons/fullbogons-ipv4.txt
    ( with private address space removed - IPv4: 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 )

    LAN Rule
    src: any : any
    dst: Bogons_IPv4 : any
    action: Block & Log

    Had been working fine for months.  Then suddenly yesterday it started blocking src: 192.168.2.9 dst: 255.255.255.255.

    Was fine again after pfSense reboot.



  • That file is giving me the contents of an HTML file.

    Basically saying: <title>Error 400 (Bad request!)</title>

    Also tried rebooting. Didn't help.


  • Moderator

    Bad request 400
    The request had bad syntax or was inherently impossible to be satisfied.

    What is the URL?

    Seems that there is no validation of the download success, and the website error message is being parsed into the aliastable 'as is'… This is why you're getting:

    The command '/sbin/pfctl -nf /tmp/rules.test.packages' returned exit code '1', the output was 'no IP address found for contains bad data'

    You can also use pfBlockerNG to download these URLs and create the appropriate Rules/Tables…



  • The URL is to an internal webserver.

    http://192.168.10.1/temp/iplist.txt


  • LAYER 8 Global Moderator

    "In my case the alias was being used on the LAN interface to block bogons destinations."

    For what possible freaking reason??  Got to be one of the stupidest things I have ever heard anyone use a bogon list for!!



  • Tried pfBlockerNG now and that way I can create an alias from a URL without any problems.

    So I'll be using that then for a while.

    Good to know that for now the internal function is broken.

    Thanks =)



  • This is caused by pfSense trying to send its UUID with User-Agent on GET command

    If you UNCHECK the "Do NOT send HOST UUID with user agent", it will work
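The moderator's point above is that the downloaded body is written into the alias table without checking that the download succeeded or that the content is an address list, which is how an HTML "Error 400" page ends up in pfctl's input. The following is an added example (not pfSense code; the function names, the plain User-Agent and the sample bodies are assumptions) of the check a URL-table fetcher can run before writing the file:

```python
"""Validate a URL-table alias body before writing it to the alias table.
Added example, not pfSense code: function names, the User-Agent string
and the sample bodies below are assumptions."""
import ipaddress
import urllib.request


def parse_alias_body(body):
    """Return the IPv4/IPv6 addresses and networks found in body.

    Raises ValueError if the body looks like an HTML document or if any
    non-comment line is not an address or CIDR network, so a web server's
    '400 Bad request' page can never be loaded into the alias table.
    """
    lowered = body.lstrip().lower()
    if lowered.startswith(("<!doctype", "<html")) or "<title>" in lowered:
        raise ValueError("body is an HTML document, not an address list")
    entries = []
    for lineno, raw in enumerate(body.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        try:
            net = ipaddress.ip_network(line, strict=False)
        except ValueError as exc:
            raise ValueError(f"line {lineno}: {line!r} is not an address") from exc
        entries.append(str(net))
    if not entries:
        raise ValueError("body contains no addresses")
    return entries


def is_valid_alias_body(body):
    """True if parse_alias_body accepts body, False otherwise."""
    try:
        parse_alias_body(body)
        return True
    except ValueError:
        return False


def fetch_alias(url, user_agent="alias-fetch/1.0", timeout=10):
    """Download url with a plain User-Agent and validate the body.
    urlopen raises HTTPError on a 4xx/5xx status, so an HTTP 400 never
    reaches the parser; the body check covers error pages served as 200."""
    req = urllib.request.Request(url, headers={"User-Agent": user_agent})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return parse_alias_body(resp.read().decode("utf-8", errors="replace"))


# Constructed sample bodies, not real downloads
GOOD_BODY = "# constructed list\n10.0.0.0/8\n198.51.100.7\n2001:db8::/32  # doc\n"
ERROR_BODY = "<html><head><title>Error 400 (Bad request!)</title></head></html>"
```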

