OPNsense 23.7.8_1 Aliases for type Port(s) not working #7017
Comments
that's to be expected, port aliases are macros (
I can check the cmd @AdSchellevis shared. But why is the Port(s) alias not picked up by the firewall rules? I checked with an extremely simple example.
I checked /tmp/rules.debug on a fresh install with some extremely simple tests. Then checking the /tmp/rules.debug file:
This looks good. I still don't get why my rules are not working. I honestly think the aliases of type Port(s) are somehow ignored in rules since. Mmmmm, I have some studying/debugging to do. Any hints which could help me?
Roy is not the only one affected, I'm seeing the issue on multiple firewalls where long standing aliases in all forms are simply "ignored" in rules. There's a screenshot in this thread that shows the alias with 3 IPs, the ICMP rule at the top allowing the ping towards two IPs in the alias and the pings failing in two cmd windows as the first rule in the chain is ignored and failing on the second one. https://forum.opnsense.org/index.php?topic=37035.0 As a workaround I had to clone the affected rules with aliases and make them into individual IPs since some of these aliases are used in policy routing. Roy seems to be using only Ports, while here I also have floating rules with URL Table IPs aliases, Networks and Hostnames as well.
Usually these are configuration issues, best start with a simple ruleset and map assumptions to the ruleset. Your ticket doesn't explain which part doesn't work, but it's highly unlikely both aliases and macros don't work...
Hi Ad, in my case we're talking about long running configurations that are pretty much untouched other than regular patching. The screenshot above shows the simplest alias not working on a physical FW. I've added the two ICMP rules yesterday to verify the issue in a different environment than mine - and you can see the result. :) Otherwise that location is fine and ping works in IPv4 and IPv6 without issue. While I moved all FWs to snapshots/openssl branch as I was chatting with Franco online about how things work on 3.0.12, what was working fine in the alias world on 23.7.8/3.0.12 stopped on Monday morning going to 23.7.8_1/3.0.12. Please let me know if there's any other info I can provide to help finding what caused this.
The only thing I could really think of is a bad base patch, downgrading to 23.7.7 may help in that case. I don’t see how ports OpenSSL version could affect basic operations in the kernel and the kernel didn’t change in that area.
and reboot for full effect…
Yeah clearly not an ssl issue, what worked on 1.1.1 would have to work on 3.x, and ICMP would not be affected. Give me a few minutes to get out of snapshots and then on .7
I don't understand what's happening anymore... Went back to base 23.7.7, then reverted opnsense too - with reboots in between, and no change. Added an explicit rule for 9.9.9.9 - which is in the alias - and it gets ignored in the alias but matches on the explicit rule. So... if we exclude base as an issue, and I'm 99% confident this issue appeared in 23.7.8_1 - where there was no new base iirc - where is this coming from?
@ronin3510 and just to be sure, you did check if the alias contains the configured data using diagnostics? The rules underneath are quite easy to inspect (/tmp/rules.debug), I don't think there have been changes in the latest core package on this topic.
This is how things look in rules.debug
Again, Roy's question (missing port alias) was a clear one... these aren't aliases... So the question is, why are yours empty. Does anything change when applying the aliases? Any errors in the logs? You can trigger this process manually from the console as well, using:
Ha, so things broke on the snapshot branch for me then on _1, the other issue was ddclient that had a similar message and had to go from native to ddclient backend - I think Franco opened a ticket for it. Still...I'm not on OpenSSL 3.0.12 anymore, the machine is back on 1.1.1.w
Unsure where this export is supposed to happen...clearly not a one liner
Reinstall? This is clearly not something broken in any production release.
Yeah... this turned out in a very unexpected way, and I managed to hijack Roy's thread in the process - apologies Roy. For now Ad - I just moved everything back to 23.7.8_20/3.0.12. Clearly the move back and forth wasn't the cleanest and that can happen with non-prod, no issues there. Other than ddclient and now the aliases things are running fine and I can wait a while for a fix to be available. Since it's been a while from my last bootstrap, can you please let me know if it wipes the config or is it preserved?
Don't worry, I'll test again this weekend with a clean install, simple config (configuration issues must be root cause as suggested by @AdSchellevis) and the hints given. To be continued...
I made a clumsy mistake that I kept looking over (I even feel a bit stupid to be honest). My apologies! This item can be closed.
Describe the bug
I think there is a serious issue with OPNsense 23.7.8_1-amd64 and Alias and Port(s). If I would like to add an Alias of type Port(s) in Firewall: Aliases, the web interface is working. The alias with the name is nicely added. But in Firewall: Diagnostics: Aliases it is not shown. The firewall rule where I would like to use the alias is also not working.
By checking:
pfctl -t $ALIAS -T show
returns an error
pfctl: Unknown error: -1.
If I use the same cmd with an existing Network(s) alias, it works and shows the IPs.
Am I doing something wrong? Or have I indeed found a bug in this version?
To Reproduce
Steps to reproduce the behavior:
Extra view to check the alias:
Expected behavior
I need all the alias types to work, either standalone or nested.
Describe alternatives you considered
There is no alternative available if you would like to use aliases for Port(s).
Screenshots
n.a.
Relevant log files
n.a.
Additional context
n.a.
Environment
Software version used:
OPNsense 23.7.8_1-amd6
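The distinction Ad draws in the comments (Port(s) aliases are pf macros, Network(s) aliases are pf tables, so `pfctl -t NAME -T show` only answers for the latter and returns an error for a port alias) can be checked directly against the generated ruleset. This is an added example, not code from the thread or from OPNsense; it assumes /tmp/rules.debug follows pf.conf syntax (`NAME = "..."` for macros, `table <NAME> ...` for tables) and runs against a constructed sample file, not a real firewall.

```shell
#!/bin/sh
# Added example (not from the issue or from OPNsense). Classifies how an alias
# name is rendered in a pf ruleset: Port(s) aliases become macros
# (NAME = "{ 80 443 }"), which pfctl -t cannot list, while Network(s)/Host(s)
# aliases become tables (table <NAME> ...) that `pfctl -t NAME -T show` reads.
# Assumes /tmp/rules.debug follows pf.conf syntax; exercised on a constructed file.

# Constructed sample ruleset, not a real /tmp/rules.debug.
SAMPLE_FILE=$(mktemp)
cat > "$SAMPLE_FILE" <<'EOF'
WebPorts = "{ 80 443 }"
table <LanHosts> persist file "/var/db/aliastables/LanHosts.txt"
pass in quick proto tcp from any to <LanHosts> port $WebPorts
EOF

# alias_kind NAME [FILE] -> prints table | macro | missing
alias_kind() {
  name=$1
  file=${2:-/tmp/rules.debug}
  if grep -Eq "^table <${name}>" "$file"; then
    echo table
  elif grep -Eq "^${name} *= *\"" "$file"; then
    echo macro
  else
    echo missing
  fi
}

# alias_value NAME [FILE] -> body of a macro alias (empty for tables)
alias_value() {
  sed -n "s/^$1 *= *\"\(.*\)\"/\1/p" "${2:-/tmp/rules.debug}"
}

# check_alias NAME [FILE] -> which diagnostic applies to this alias
check_alias() {
  case $(alias_kind "$1" "$2") in
    table) echo "table alias: run 'pfctl -t $1 -T show'" ;;
    macro) echo "port macro (not a table): $(alias_value "$1" "$2")" ;;
    *)     echo "not present in ruleset: $1" ;;
  esac
}

check_alias WebPorts "$SAMPLE_FILE"
check_alias LanHosts "$SAMPLE_FILE"
check_alias Missing  "$SAMPLE_FILE"
```

Run it against a real firewall by passing the alias name and omitting the file argument, so the functions read /tmp/rules.debug.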