Error on filter reload



  • I am not sure how to go about clearing this, as I've never seen it before. I don't have the 75.131.xxx.xxx address in any of the floating, WAN or LAN rule sets.

    Can someone point me in the right direction for troubleshooting this please.

    There were error(s) loading the rules: /tmp/rules.debug:98: unknown port 75.131.176.160 - The line in question reads [98]: no nat on em0 proto { tcp udp } from em0 to 192.168.0.18 port 75.131.176.160/29…



  • Running pfctl -s rules, in the list I found this:

    block drop in log on ! bce1 inet from 75.131.176.160/29 to any

    It is the only reference to the above error I can find.



  • What do you have in your outbound NAT to result in that "nat on" rule? That's what is triggering the issue.



  • This is what I have in outbound NAT.

    WAN  192.168.0.0/24  tcp/udp/*  *  tcp/udp/*  WAN address  *  PBX Outbound Port Preservation
    WAN  192.168.0.0/24  *          *  500        WAN address  *  Auto created rule for ISAKMP - LAN to WAN
    WAN  192.168.0.0/24  *          *  *          WAN address  *  Auto created rule for LAN to WAN
    WAN  127.0.0.0/8     *          *  500        WAN address  *  Auto created rule for ISAKMP - localhost to WAN
    WAN  127.0.0.0/8     *          *  *          WAN address  *  Auto created rule - localhost to WAN

    I did find out that the IP address in question (75.*) was part of an old block of IPs that was assigned to the client by their ISP. They no longer use that ISP.



  • Running pfctl -f /tmp/rules.debug gives:

    /tmp/rules.debug:98: unknown port 75.131.176.160
    /tmp/rules.debug:99: unknown port 75.131.176.160
    /tmp/rules.debug:104: unknown port 75.131.176.160
    /tmp/rules.debug:105: unknown port 75.131.176.160
    /tmp/rules.debug:110: unknown port 75.131.176.160
    /tmp/rules.debug:111: unknown port 75.131.176.160
    pfctl: Syntax error in config file: pf rules not loaded

    those lines read:

    Line 98    no nat on em0 proto { tcp udp } from em0 to 192.168.0.18 port 75.131.176.160/29
    Line 99    nat on em0 proto { tcp udp } from 192.168.0.0/24 to 192.168.0.18 port 75.131.176.160/29 -> 192.168.0.1 port 1024:65535
    Line 104  no nat on em0 proto { tcp udp } from em0 to 192.168.0.18 port 75.131.176.160/29
    Line 105  nat on em0 proto { tcp udp } from 192.168.0.0/24 to 192.168.0.18 port 75.131.176.160/29 -> 192.168.0.1 port 1024:65535
    Line 110  no nat on em0 proto tcp from em0 to 192.168.0.126 port 75.131.176.160/29
    Line 111  nat on em0 proto tcp from 192.168.0.0/24 to 192.168.0.126 port 75.131.176.160/29 -> 192.168.0.1 port 1024:65535

    Is it safe to remove those lines from /tmp/rules.debug?
    As it is in the /tmp folder I assume it does not matter or would not help.
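As an added example (not from the thread or from pfSense itself): a small pre-flight check over a rules.debug-style file that flags the exact defect pfctl is complaining about here, an IP address sitting where a port number belongs, so a broken generated ruleset can be caught before a reload is attempted. The sample rules are constructed from the lines quoted above.

```python
import re

# Constructed sample modelled on the rules.debug lines quoted in the thread; line 3 is a sane rule for contrast.
SAMPLE_RULES = """\
no nat on em0 proto { tcp udp } from em0 to 192.168.0.18 port 75.131.176.160/29
nat on em0 proto { tcp udp } from 192.168.0.0/24 to 192.168.0.18 port 75.131.176.160/29 -> 192.168.0.1 port 1024:65535
nat on em0 from 192.168.0.0/24 to any port 500 -> 192.168.0.1 static-port
block drop in log on ! bce1 inet from 75.131.176.160/29 to any
"""

ADDR_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}(?:/\d{1,2})?$")   # IPv4 host or CIDR
PORT_RE = re.compile(r"^(\d{1,5})(?:[:<>](\d{1,5}))?$")          # 22, 1024:65535, 1000<>2000
OPERATORS = {"=", "!=", "<", "<=", ">", ">=", "><", "<>"}

def classify_port_token(tok):
    """'port', 'address' or 'name' (names are left to pfctl, which resolves them via /etc/services)."""
    m = PORT_RE.match(tok)
    if m and all(1 <= int(p) <= 65535 for p in m.groups() if p is not None):
        return "port"
    return "address" if ADDR_RE.match(tok) else "name"

def port_slot_addresses(rule):
    """Tokens in the 'port' slots of one rule that are IP addresses rather than ports."""
    toks = rule.split()
    bad, i = [], 0
    while i < len(toks):
        if toks[i] != "port":
            i += 1
            continue
        i += 1
        if i < len(toks) and toks[i] == "{":                      # list form: port { 80 443 }
            j = toks.index("}", i)
            operands, i = toks[i + 1:j], j + 1
        else:
            if i < len(toks) and toks[i] in OPERATORS:            # port != 22, port < 1024
                i += 1
            operands, i = toks[i:i + 1], i + 1
        bad += [t for t in operands if t not in OPERATORS and classify_port_token(t) == "address"]
    return bad

def lint_rules(text):
    """1-based line number -> offending tokens: the lines pfctl would reject with 'unknown port <address>'."""
    findings = {}
    for n, line in enumerate(text.splitlines(), 1):
        line = line.split("#", 1)[0].strip()                      # ignore comments and blank lines
        bad = port_slot_addresses(line) if line else []
        if bad:
            findings[n] = bad
    return findings
```

Run against the real /tmp/rules.debug the reported line numbers line up with pfctl's own messages, which makes it easy to trace each bad line back to the outbound NAT entry that generated it.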



  • That means you have an outbound NAT configuration that is really messed up somehow. Not sure how you could end up with that; check Firewall>NAT, Outbound tab, and see what you have configured there.



  • WAN  192.168.0.0/24  tcp/udp/*  *  tcp/udp/*  WAN address  *  PBX Outbound Port Preservation
    WAN  192.168.0.0/24  *          *  500        WAN address  *  Auto created rule for ISAKMP - LAN to WAN
    WAN  192.168.0.0/24  *          *  *          WAN address  *  Auto created rule for LAN to WAN
    WAN  127.0.0.0/8     *          *  500        WAN address  *  Auto created rule for ISAKMP - localhost to WAN
    WAN  127.0.0.0/8     *          *  *          WAN address  *  Auto created rule - localhost to WAN

    That is all that is listed under outbound NAT.



  • Is there a way to remove those rules? They do not show up in the web interface that I can find.



  • That outbound NAT config would not generate the rules you pasted. Nothing in our code would put "from em0 to …". You also wouldn't have that many lines in between outbound NAT rules with the config shown. I'm guessing you have modified filter.inc on there that's putting invalid things in the config.

    I'd upgrade it to latest stock version, and suspect your issues will go away from that. If the config was manually modified in some weird, broken way that gives you those results, but it's stock filter.inc code, then that probably wouldn't change anything.

    First I'd recommend switching to automatic outbound NAT under Firewall>NAT, Outbound. If the same errors persist, then your source code is modified, upgrade to get back to something sane.



  • "I'm guessing you have modified filter.inc on there that's putting invalid things in the config."

    This is a possibility. I have just recently started caring for this box, so I do not know what has been done to it, just what I have been gathering from the very sparse notes available.

    I will see what else I can find out.

    Thanks for your help!

