Rules and port forwards go missing



  • After applying a change, sometimes firewall rules disappear from the GUI and are no longer active.
    On further inspection they are, however, still in config.xml.
    Logs show unknown changes in configuration from the configurator.

    An end user has complained that this has occurred on several occasions.
    I witnessed it myself: after enabling ntop, a port forward vanished.

    Version is 2.2.2-RELEASE Mon Apr 13 20:10:22 CDT 2015

    The site is complicated, with:
    5 VLANs on the LAN
    3 WAN connections with dozens of port forwards on each link

    Plenty of CPU and RAM.


  • Perhaps start by upgrading to an up-to-date pfSense version.



  • Do you have UPnP enabled?



  • @doktornotor:

    Perhaps start by upgrading to an up-to-date pfSense version.

    A rebuild would be a safer option. I'm not comfortable updating until I know what is going on, as updates could exacerbate the problem, especially if the problem is not a known one.

    My one suspicion is that it is the result of multiple unsaved changes, caused by a tab-hopping browser user, being applied at once.



  • @jvodan:

    @KOM:

    Do you have UPnP enabled?

    No.

    I can supply a config file stripped of passwords and certs, with the IP addresses anonymised, if that helps.



  • @KOM:

    Do you have UPnP enabled?

    Nope.



  • Do you have pfBlocker installed? That's the only thing I can think of that does anything with rules, but you mentioned they're still in the config file, so that probably shouldn't be related.

    Upgrading is a good idea and won't make things any worse.

    Most changes in the config history will be noted as "unknown change" and the page name. Do a diff between the revisions: what changed? I'm guessing that in the instance of adding an ntop port forward, you were actually editing an existing port forward rather than duplicating it or creating a new one, in which case it'd replace the "missing" one by design.
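The revision diff cmb asks for, as an added example for this thread (not code from any of the posts or from pfSense itself). It loads two pfSense config.xml revisions, keys every filter rule by its tracker id and every port forward by its associated-rule-id, and reports what was removed, added or altered (including a rule that is still present but now carries a `<disabled/>` tag, i.e. in the config but not loaded). It also flags a forward whose associated filter rule is gone, one way a rule can sit in config.xml yet not pass traffic. The two XML documents are constructed samples; the addresses, descriptions and tracker ids are made up.

```python
"""Compare firewall rules and port forwards across two pfSense config.xml revisions.

Added example for this thread, not code from the original posts or from pfSense.
The XML below is a constructed sample shaped like pfSense's <filter>/<rule> and
<nat>/<rule> sections; addresses, descriptions and tracker ids are made up.
"""
import xml.etree.ElementTree as ET

# Constructed revision A: a port 80 forward, the filter rule pfSense associates
# with it (linked by associated-rule-id), and one ordinary LAN rule.
CONFIG_A = """<?xml version="1.0"?>
<pfsense>
  <nat>
    <rule>
      <interface>wan</interface><protocol>tcp</protocol>
      <target>192.0.2.10</target><local-port>80</local-port>
      <destination><network>wanip</network><port>80</port></destination>
      <descr>web to internal server</descr>
      <associated-rule-id>nat_5000000000000</associated-rule-id>
    </rule>
  </nat>
  <filter>
    <rule>
      <tracker>1400000001</tracker><type>pass</type><interface>wan</interface>
      <protocol>tcp</protocol>
      <destination><address>192.0.2.10</address><port>80</port></destination>
      <descr>NAT web to internal server</descr>
      <associated-rule-id>nat_5000000000000</associated-rule-id>
    </rule>
    <rule>
      <tracker>1400000002</tracker><type>pass</type><interface>lan</interface>
      <source><network>lan</network></source><destination><any/></destination>
      <descr>Default allow LAN to any</descr>
    </rule>
  </filter>
</pfsense>
"""


def _make_revision_b():
    """Constructed revision B: the forward's filter rule is gone, the LAN rule is
    disabled, and a new ntop rule was added on top (the sort of thing a second
    browser tab applying stale state might produce)."""
    root = ET.fromstring(CONFIG_A)
    filt = root.find("filter")
    for rule in list(filt):
        if rule.findtext("tracker") == "1400000001":
            filt.remove(rule)
        elif rule.findtext("tracker") == "1400000002":
            ET.SubElement(rule, "disabled")
    ntop = ET.SubElement(filt, "rule")
    for tag, text in (("tracker", "1400000003"), ("type", "pass"), ("interface", "lan"),
                      ("protocol", "tcp"), ("descr", "ntop web UI")):
        ET.SubElement(ntop, tag).text = text
    dst = ET.SubElement(ntop, "destination")
    ET.SubElement(dst, "network").text = "lanip"
    ET.SubElement(dst, "port").text = "3000"
    return ET.tostring(root, encoding="unicode")


CONFIG_B = _make_revision_b()


def rule_key(rule):
    """Stable identity: tracker id (filter rules), else the NAT association id, else descr."""
    for tag in ("tracker", "associated-rule-id", "descr"):
        value = rule.findtext(tag)
        if value:
            return f"{tag}={value}"
    return ET.tostring(rule, encoding="unicode")


def rule_summary(rule):
    """The fields worth comparing; a <disabled/> child means 'in config but not loaded'."""
    return {
        "interface": rule.findtext("interface", ""),
        "proto": rule.findtext("protocol", "any"),
        "dst": rule.findtext("destination/address") or rule.findtext("destination/network") or "any",
        "dport": rule.findtext("destination/port", ""),
        "descr": rule.findtext("descr", ""),
        "disabled": rule.find("disabled") is not None,
    }


def load_rules(xml_text):
    """Map (section, key) -> summary for every filter rule and port forward."""
    root = ET.fromstring(xml_text)
    return {(section, rule_key(rule)): rule_summary(rule)
            for section in ("filter", "nat") for rule in root.findall(f"{section}/rule")}


def diff_configs(old_xml, new_xml):
    """Rules removed, added, or altered (including newly disabled) between two revisions."""
    old, new = load_rules(old_xml), load_rules(new_xml)
    return {"removed": sorted(k for k in old if k not in new),
            "added": sorted(k for k in new if k not in old),
            "changed": sorted(k for k in old if k in new and old[k] != new[k])}


def orphaned_forwards(xml_text):
    """Port forwards whose associated filter rule no longer exists: still in
    config.xml, but nothing passes the forwarded traffic."""
    root = ET.fromstring(xml_text)
    linked = {r.findtext("associated-rule-id") for r in root.findall("filter/rule")}
    ids = [r.findtext("associated-rule-id") for r in root.findall("nat/rule")]
    return sorted(i for i in ids if i and i not in linked)


if __name__ == "__main__":
    for kind, keys in diff_configs(CONFIG_A, CONFIG_B).items():
        print(kind, keys)
    print("orphaned forwards:", orphaned_forwards(CONFIG_B))
```

To run it against real revisions, read two files from the box's config history under /cf/conf/backup/ (the `config-<unixtime>.xml` files the GUI's config history page diffs) into `CONFIG_A` and `CONFIG_B` in place of the constructed samples. A rule that shows up under "changed" only because `disabled` flipped, or a forward listed by `orphaned_forwards`, is exactly the "in config.xml but not in effect" case the thread describes.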



  • @cmb:

    Do you have pfBlocker installed? That's the only thing I can think of that does anything with rules, but you mentioned they're still in the config file, so that probably shouldn't be related.

    Upgrading is a good idea and won't make things any worse.

    Most changes in the config history will be noted as "unknown change" and the page name. Do a diff between the revisions: what changed? I'm guessing that in the instance of adding an ntop port forward, you were actually editing an existing port forward rather than duplicating it or creating a new one, in which case it'd replace the "missing" one by design.

    The rule that went missing was totally unrelated to ntop;
    it was a rule associated with a port 80 forward to an internal server.



  • What does the config diff look like between those revisions?



  • @cmb:

    What does the config diff look like between those revisions?

    When I enabled ntop, the difference in the config was the addition of ntop.
    The rule that was missing in the GUI list (and not in effect) was still in the config.
    In the past, when the end user had the problem, they tried rebooting and the rule still didn't appear.

    I re-added it manually when it happened to me; live site with unhappy people.

