Rename WAN to WAN1\. WAN remains on: Firewall | Rules



  • I renamed WAN to WAN1.  WAN remains on the following page: Firewall l Rules.  Please see image.

    2.3-BETA (amd64)
    built on Sun Jan 17 21:12:27 CST 2016
    FreeBSD 10.3-PRERELEASE


  • Rebel Alliance Developer Netgate

    Hmm, I can't reproduce that here on a snap from yesterday. The one you're on it a bit out of date, update and check it again.



  • After update 'WAN' still present in WI.

    Thanks


  • Rebel Alliance Developer Netgate

    Are you certain you renamed WAN? And not another interface?

    Can you share the contents of the config.xml section for interfaces? (you can remove or mask any IP addresses)



  • This should be what your looking for.  Internal IP redacted.

    
    	 <interfaces><wan><enable><if>fxp1</if>
    			 <blockpriv><blockbogons><alias-address><alias-subnet>32</alias-subnet>
    			 <spoofmac><ipaddr>dhcp</ipaddr>
    			 <dhcphostname><dhcprejectfrom><adv_dhcp_pt_timeout><adv_dhcp_pt_retry><adv_dhcp_pt_select_timeout><adv_dhcp_pt_reboot><adv_dhcp_pt_backoff_cutoff><adv_dhcp_pt_initial_interval><adv_dhcp_pt_values>SavedCfg</adv_dhcp_pt_values>
    			 <adv_dhcp_send_options><adv_dhcp_request_options><adv_dhcp_required_options><adv_dhcp_option_modifiers><adv_dhcp_config_advanced><adv_dhcp_config_file_override><adv_dhcp_config_file_override_path></adv_dhcp_config_file_override_path></adv_dhcp_config_file_override></adv_dhcp_config_advanced></adv_dhcp_option_modifiers></adv_dhcp_required_options></adv_dhcp_request_options></adv_dhcp_send_options></adv_dhcp_pt_initial_interval></adv_dhcp_pt_backoff_cutoff></adv_dhcp_pt_reboot></adv_dhcp_pt_select_timeout></adv_dhcp_pt_retry></adv_dhcp_pt_timeout></dhcprejectfrom></dhcphostname></spoofmac></alias-address></blockbogons></blockpriv></enable></wan> 
    		 <lan><enable><if>em0</if>
    
    			 <spoofmac><ipaddr>192.168.x.254</ipaddr>
    			<subnet>24</subnet></spoofmac></enable></lan> 
    		 <opt1><if>fxp2</if>
    			 <enable><ipaddr>dhcp</ipaddr>
    			 <dhcphostname><alias-address><alias-subnet>32</alias-subnet>
    			 <dhcprejectfrom><adv_dhcp_pt_timeout><adv_dhcp_pt_retry><adv_dhcp_pt_select_timeout><adv_dhcp_pt_reboot><adv_dhcp_pt_backoff_cutoff><adv_dhcp_pt_initial_interval><adv_dhcp_pt_values>SavedCfg</adv_dhcp_pt_values>
    			 <adv_dhcp_send_options><adv_dhcp_request_options><adv_dhcp_required_options><adv_dhcp_option_modifiers><adv_dhcp_config_advanced><adv_dhcp_config_file_override><adv_dhcp_config_file_override_path><blockpriv><blockbogons><spoofmac></spoofmac></blockbogons></blockpriv></adv_dhcp_config_file_override_path></adv_dhcp_config_file_override></adv_dhcp_config_advanced></adv_dhcp_option_modifiers></adv_dhcp_required_options></adv_dhcp_request_options></adv_dhcp_send_options></adv_dhcp_pt_initial_interval></adv_dhcp_pt_backoff_cutoff></adv_dhcp_pt_reboot></adv_dhcp_pt_select_timeout></adv_dhcp_pt_retry></adv_dhcp_pt_timeout></dhcprejectfrom></alias-address></dhcphostname></enable></opt1> 
    		 <opt2><if>fxp0</if>
    			 <spoofmac></spoofmac></opt2></interfaces> 
    
    

    Thanks




  • Guessing you must have an interface group named WAN?



  • @cmb:

    Guessing you must have an interface group named WAN?

    I just tried that, and you can name an interface group the same as an ordinary interface/description. I made and interface group called WAN and put the WAN interface in it. That makes for confusion!
    I added a rule on the "WAN" interface group. It all seems to apply and there is no "error loading rules". But I suspect that PF is not going to sort out the difference between the WAN interface and the WAN interface group when parsing through the rules. Search for "confusion in the generated ruleset below - that is the rule that I added to the WAN interface group.

    Perhaps there should be validation checks to make sure that every interface and interface group has a unique name?

    set optimization normal
    set limit states 198000
    set limit src-nodes 198000
    
    #System aliases
    
    loopback = "{ lo0 }"
    WAN = "{ re1 }"
    ZLAN = "{ re2 }"
    WAN = "{ WAN }"
    
    #SSH Lockout Table
    table <sshlockout>persist
    table <webconfiguratorlockout>persist
    #Snort tables
    table <snort2c>table <virusprot>table <bogons>persist file "/etc/bogons"
    table <bogonsv6>persist file "/etc/bogonsv6"
    table <negate_networks># User Aliases 
    table <hostalias>{   1.2.3.4 } 
    HostAlias = "<hostalias>"
    MyPorts = "{   4567  8901 }"
    table <secure_inf_org>{   64.22.81.44/32 } 
    secure_inf_org = "<secure_inf_org>"
    table <zzlan>{   3.4.5.6 } 
    ZZLAN = "<zzlan>"
    
    # Gateways
    GWWAN_DHCP = " route-to ( re1 10.49.208.250 ) "
    GWWAN_DHCP6 = " route-to ( re1 10.49.208.250 ) "
    
    set loginterface re2
    
    set skip on pfsync0
    
    scrub on $WAN all    fragment reassemble
    scrub on $ZLAN all    fragment reassemble
    
    no nat proto carp
    no rdr proto carp
    nat-anchor "natearly/*"
    nat-anchor "natrules/*"
    
    binat on re1 from 4.5.6.7 to any -> 9.8.7.6
    binat on re1 from 4.42.22.1 to any -> 6.7.8.9
    binat on re1 from 192.168.1.2 to any -> 1.2.3.5
    binat on re1 from 192.168.1.3 to any -> 5.6.7.8
    binat on re1 from 6.6.5.5 to any -> 8.8.7.7
    binat on $WAN from 3:5::/64 to any -> 6:a::/64
    binat on $WAN from any to 6:a::/64 -> 3:5::/64
    binat on $WAN from 3:5::/64 to any -> 6:8::/64
    binat on $WAN from any to 6:8::/64 -> 3:5::/64
    binat on $WAN from 3:5::/64 to any -> 6:a::/64
    binat on $WAN from any to 6:a::/64 -> 3:5::/64
    binat on $WAN from 6:2::/64 to any -> 1:3::/64
    binat on $WAN from any to 1:3::/64 -> 6:2::/64
    
    # Outbound NAT rules (manual)
    nat on $WAN  from 192.168.42.0/24 to any -> 10.49.209.3/32 port 1024:65535  
    nat on $WAN  from 10.11.14.0/24 to any -> 10.49.209.3/32 port 1024:65535  
    nat on $WAN  from 10.11.12.0/24 to any -> 10.49.209.3/32 port 1024:65535  
    nat on $WAN  from 10.11.13.0/24 to any -> 10.49.209.3/32 port 1024:65535  
    nat on $WAN  from 10.11.3.0/24 to any -> 10.49.209.3/32 port 1024:65535  
    
    # Outbound NAT rules (automatic)
    
    # Subnets to NAT 
    tonatsubnets	= "{ 127.0.0.0/8 192.168.1.0/24 }"
    nat on $WAN  from $tonatsubnets to any port 500 -> 10.49.209.3/32  static-port
    nat on $WAN  from $tonatsubnets to any -> 10.49.209.3/32 port 1024:65535  
    
    # Load balancing anchor
    rdr-anchor "relayd/*"
    # TFTP proxy
    rdr-anchor "tftp-proxy/*"
    # NAT Inbound Redirects
    rdr on re1 proto tcp from any to 10.49.209.3 port 53 -> 192.168.1.13
    rdr on re1 proto tcp from any to 10.49.209.3 port $MyPorts -> 192.168.1.12
    # UPnPd rdr anchor
    rdr-anchor "miniupnpd"
    
    anchor "relayd/*"
    anchor "openvpn/*"
    anchor "ipsec/*"
    # block IPv4 link-local. Per RFC 3927, link local "MUST NOT" be forwarded by a routing device,
    # and clients "MUST NOT" send such packets to a router. FreeBSD won't route 169.254./16, but
    # route-to can override that, causing problems such as in redmine #2073
    block in log quick from 169.254.0.0/16 to any tracker 1000000101 label "Block IPv4 link-local"
    block in log quick from any to 169.254.0.0/16 tracker 1000000102 label "Block IPv4 link-local"
    #---------------------------------------------------------------------------
    # default deny rules
    #---------------------------------------------------------------------------
    block in log inet all tracker 1000000103 label "Default deny rule IPv4"
    block out log inet all tracker 1000000104 label "Default deny rule IPv4"
    block in log inet6 all tracker 1000000105 label "Default deny rule IPv6"
    block out log inet6 all tracker 1000000106 label "Default deny rule IPv6"
    
    # IPv6 ICMP is not auxilary, it is required for operation
    # See man icmp6(4)
    # 1    unreach         Destination unreachable
    # 2    toobig          Packet too big
    # 128  echoreq         Echo service request
    # 129  echorep         Echo service reply
    # 133  routersol       Router solicitation
    # 134  routeradv       Router advertisement
    # 135  neighbrsol      Neighbor solicitation
    # 136  neighbradv      Neighbor advertisement
    pass  quick inet6 proto ipv6-icmp from any to any icmp6-type {1,2,135,136} tracker 1000000107 keep state
    
    # Allow only bare essential icmpv6 packets (NS, NA, and RA, echoreq, echorep)
    pass out  quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type {129,133,134,135,136} tracker 1000000108 keep state
    pass out  quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type {129,133,134,135,136} tracker 1000000109 keep state
    pass in  quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type {128,133,134,135,136} tracker 1000000110 keep state
    pass in  quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type {128,133,134,135,136} tracker 1000000111 keep state
    pass in  quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type {128,133,134,135,136} tracker 1000000112 keep state
    
    # We use the mighty pf, we cannot be fooled.
    block log quick inet proto { tcp, udp } from any port = 0 to any tracker 1000000113 label "Block traffic from port 0"
    block log quick inet proto { tcp, udp } from any to any port = 0 tracker 1000000114 label "Block traffic to port 0"
    block log quick inet6 proto { tcp, udp } from any port = 0 to any tracker 1000000115 label "Block traffic from port 0"
    block log quick inet6 proto { tcp, udp } from any to any port = 0 tracker 1000000116 label "Block traffic to port 0"
    
    # Snort package
    block log quick from <snort2c>to any tracker 1000000117 label "Block snort2c hosts"
    block log quick from any to <snort2c>tracker 1000000118 label "Block snort2c hosts"
    
    # SSH lockout
    block in log quick proto tcp from <sshlockout>to (self) port 22 tracker 1000000301 label "sshlockout"
    
    # webConfigurator lockout
    block in log quick proto tcp from <webconfiguratorlockout>to (self) port 443 tracker 1000000351 label "webConfiguratorlockout"
    block in log quick from <virusprot>to any tracker 1000000400 label "virusprot overload table"
    # allow our DHCPv6 client out to the WAN
    pass in  quick on $WAN proto udp from fe80::/10 port = 546 to fe80::/10 port = 546 tracker 1000000561 label "allow dhcpv6 client in WAN"
    pass in  quick on $WAN proto udp from any port = 547 to any port = 546 tracker 1000000562 label "allow dhcpv6 client in WAN"
    pass out  quick on $WAN proto udp from any port = 546 to any port = 547 tracker 1000000563 label "allow dhcpv6 client out WAN"
    # block bogon networks (IPv4)
    # http://www.cymru.com/Documents/bogon-bn-nonagg.txt
    block in log quick on $WAN from <bogons>to any tracker 1000001561 label "block bogon IPv4 networks from WAN"
    # block bogon networks (IPv6)
    # http://www.team-cymru.org/Services/Bogons/fullbogons-ipv6.txt
    block in log quick on $WAN from <bogonsv6>to any tracker 1000001562 label "block bogon IPv6 networks from WAN"
    antispoof log for $WAN tracker 1000001570
    # block anything from private networks on interfaces with the option set
    block in log quick on $WAN from 10.0.0.0/8 to any tracker 1000001581 label "Block private networks from WAN block 10/8"
    block in log quick on $WAN from 127.0.0.0/8 to any tracker 1000001582 label "Block private networks from WAN block 127/8"
    block in log quick on $WAN from 172.16.0.0/12 to any tracker 1000001583 label "Block private networks from WAN block 172.16/12"
    block in log quick on $WAN from 192.168.0.0/16 to any tracker 1000001584 label "Block private networks from WAN block 192.168/16"
    block in log quick on $WAN from fc00::/7 to any tracker 1000001585 label "Block ULA networks from WAN block fc00::/7"
    # allow our DHCP client out to the WAN
    pass in  on $WAN proto udp from any port = 67 to any port = 68 tracker 1000001591 label "allow dhcp client out WAN"
    pass out  on $WAN proto udp from any port = 68 to any port = 67 tracker 1000001592 label "allow dhcp client out WAN"
    # Not installing DHCP server firewall rules for WAN which is configured for DHCP.
    antispoof log for $ZLAN tracker 1000002620
    # allow access to DHCP server on ZLAN
    pass in  quick on $ZLAN proto udp from any port = 68 to 255.255.255.255 port = 67 tracker 1000002641 label "allow access to DHCP server"
    pass in  quick on $ZLAN proto udp from any port = 68 to 192.168.1.1 port = 67 tracker 1000002642 label "allow access to DHCP server"
    pass out  quick on $ZLAN proto udp from 192.168.1.1 port = 67 to any port = 68 tracker 1000002643 label "allow access to DHCP server"
    
    # loopback
    pass in  on $loopback inet all tracker 1000003711 label "pass IPv4 loopback"
    pass out  on $loopback inet all tracker 1000003712 label "pass IPv4 loopback"
    pass in  on $loopback inet6 all tracker 1000003713 label "pass IPv6 loopback"
    pass out  on $loopback inet6 all tracker 1000003714 label "pass IPv6 loopback"
    # let out anything from the firewall host itself and decrypted IPsec traffic
    pass out  inet all keep state allow-opts tracker 1000003715 label "let out anything IPv4 from firewall host itself"
    pass out  inet6 all keep state allow-opts tracker 1000003716 label "let out anything IPv6 from firewall host itself"
    pass out  route-to ( re1 10.49.208.250 ) from 10.49.209.3 to !10.49.208.0/22 tracker 1000003811 keep state allow-opts label "let out anything from firewall host itself"
    # make sure the user cannot lock himself out of the webConfigurator or SSH
    pass in  quick on re2 proto tcp from any to (re2) port { 443 80 22 } tracker 1000004121 keep state label "anti-lockout rule"
    
    # User-defined rules follow
    
    anchor "userrules/*"
    pass  in  quick  on $WAN inet proto tcp  from any to any tracker 1453444427 flags S/SA keep state  label "USER_RULE: Rule on WAN interface group confusion"
    pass  in  quick  on $WAN reply-to ( re1 10.49.208.250 )  proto tcp  from any to 192.168.1.13 port 53 flags S/SA keep state  label "USER_RULE: NAT A DNS port forward"
    pass  in  quick  on $WAN reply-to ( re1 10.49.208.250 ) inet proto tcp  from any to any tracker 1453201096 flags S/SA keep state  schedule "569e16abaa2af"  label "USER_RULE: Afternoon rule"
    block  in  quick  on $WAN reply-to ( re1 10.49.208.250 ) inet proto tcp  from any to any tracker 1453201333 flags S/SA  schedule "569e16abaa2af"  label "USER_RULE: Afternoon block"
    pass  in  quick  on $ZLAN inet from 192.168.1.0/24 to any tracker 0100000101 keep state  label "USER_RULE: Default allow LAN to any rule"
    # at the break! label "USER_RULE: Default allow LAN IPv6 to any rule"
    # schedule finished - Late night pass rule label "USER_RULE: Late night pass rule"
    # schedule finished - Late night block label "USER_RULE: Late night block"
    pass  in  quick  on $ZLAN inet proto tcp  from $ZZLAN to $ZZLAN tracker 1453202141 flags S/SA keep state  label "USER_RULE: Rule with alias"
    pass  in  quick  on $ZLAN inet proto icmp  from any to any icmp-type echoreq tracker 1453202455 keep state  label "USER_RULE: Pass echo request"
    pass  in  quick  on $ZLAN inet proto tcp  from 1.2.3.4 to any tracker 1453214541 flags S/SA keep state  label "USER_RULE: Stuff"
    
    # VPN Rules
    
    anchor "tftp-proxy/*"</bogonsv6></bogons></virusprot></webconfiguratorlockout></sshlockout></snort2c></snort2c></zzlan></zzlan></secure_inf_org></secure_inf_org></hostalias></hostalias></negate_networks></bogonsv6></bogons></virusprot></snort2c></webconfiguratorlockout></sshlockout> 
    


  • Yeah there should be input validation preventing interfaces from having the same name as any interface group, and groups from having the same name as any interface.



  • @cmb:

    Yeah there should be input validation preventing interfaces from having the same name as any interface group, and groups from having the same name as any interface.

    I created issue https://redmine.pfsense.org/issues/5795



  • I owe CMB a bear.  Yes I did create an interface group called WAN, and I forgot :-[.

    In general I try to put a prefix on any alias, but was prevented from doing so.  I would have liked to have named it something like IG_WAN.  The WI through an error for illegal character for non alpha entries.  I use this naming convention on all such items when allowed.

    Could/should the WI prefix all aliases with a designated 2-3 characters appropriate for entry delimited by an underscore.
    Help with parsing.
    Help with admin confusion.
    Help locate in WI.

    Good catch and thanks for the help.  I'm glad that some good will come from my error.
    –Seth



  • Thanks for the ticket Phil, and Renato for fixing.

    @Seth:

    I owe CMB a bear.

    Wow, you can keep the bear. Thought I was being helpful, not inviting a deadly animal upon myself. ;D



  • I'd like to say English is my second language, but alas I can not.  I can say that I'm atrocious speller.  So here is your beer. [%]>



  • @cmb:

    Thanks for the ticket Phil, and Renato for fixing.

    @Seth:

    I owe CMB a bear.

    Wow, you can keep the bear. Thought I was being helpful, not inviting a deadly animal upon myself. ;D

    LOL


Log in to reply