This repository has been archived by the owner on Jan 6, 2023. It is now read-only.

Separators not creating on LAN interface #28

Closed
robindbe opened this issue Nov 7, 2019 · 8 comments

Comments

@robindbe

robindbe commented Nov 7, 2019

Hi,

We use some of these modules to deploy firewalls with a default rulebase and use the 'pfsense_rule_separator' to add some separators. This works perfectly fine on the WAN interface, but once we try to add the separators on the LAN interface, they don't show up. Diving into the config.xml, it seems they are added, but the 'row' is incorrect.

                                <sep0>    
                                        <color>bg-info</color>
                                        <text><![CDATA[Management and Monitoring]]></text>
                                        <row>fr6</row>
                                        <if>lan</if>
                                </sep0>

It adds it on fr6, but if I add the same separator correctly, it should be fr0.

               <separator>
                        <lan>
                                <sep0>
                                        <row>fr0</row>
                                        <text><![CDATA[Management and Monitoring]]></text>
                                        <color>bg-info</color>
                                        <if>lan</if>
                                </sep0>
                        </lan>
                </separator>

I can reproduce this if you need more output. I ran it with -vv but it doesn't give much output apart from telling me it added the separators.

@f-bor
Collaborator

f-bor commented Nov 7, 2019

Hi,

could you please give me the parameters for the call to pfsense_rule_separator that is failing ?

I also need your rules and separators definition on the lan interface before that call. I mean something like this:

  • 1 sep
  • 3 rules
  • 1 sep
  • 2 rules
    ...

If you use the after or before parameter, I need to know the position of the target.

@robindbe
Author

robindbe commented Nov 8, 2019

Hi,

So the actual task is this:

    - name: Add rule separators on LAN
      pfsense_rule_separator:
        name: "{{ item.name }}"
        state: present
        interface: lan
        before: "{{ item.before }}"
        color: "{{ item.color }}"
      loop:
        - name: "Management and Monitoring"
          before: "Firewall monitoring over TCP"
          color: "info"
        - name: "Cleanup"
          before: "Cleanup"
          color: "danger"

This is the output from that task:

TASK [Add rule separators on LAN] **************************************************************************************
task path: /Gitlab/ansible-pfsense/tasks_pfsense_config.yml:603
changed: [127.0.0.1 -> 172.29.126.16] => (item={u'color': u'info', u'name': u'Management and Monitoring', u'before': u'Firewall monitoring over TCP'}) => changed=true
  ansible_loop_var: item
  commands:
  - create rule_separator 'Management and Monitoring', interface='lan', color='info', before='Firewall monitoring over TCP'
  item:
    before: Firewall monitoring over TCP
    color: info
    name: Management and Monitoring
  stderr: ''
  stderr_lines: <omitted>
  stdout: |-
    pfSense shell: global $debug;
    pfSense shell: $debug = 1;
    pfSense shell: require_once("filter.inc");
    pfSense shell: if (filter_configure() == 0) { clear_subsystem_dirty('filter'); }
    pfSense shell: exec
    pfSense shell: exit
  stdout_lines: <omitted>
changed: [127.0.0.1 -> 172.29.126.16] => (item={u'color': u'danger', u'name': u'Cleanup', u'before': u'Cleanup'}) => changed=true
  ansible_loop_var: item
  commands:
  - create rule_separator 'Cleanup', interface='lan', color='danger', before='Cleanup'
  item:
    before: Cleanup
    color: danger
    name: Cleanup
  stderr: ''
  stderr_lines: <omitted>
  stdout: |-
    pfSense shell: global $debug;
    pfSense shell: $debug = 1;
    pfSense shell: require_once("filter.inc");
    pfSense shell: if (filter_configure() == 0) { clear_subsystem_dirty('filter'); }
    pfSense shell: exec
    pfSense shell: exit
  stdout_lines: <omitted>

This is the XML for the rules:

                <rule>
                        <type>pass</type>
                        <tracker>1567429839</tracker>
                        <ipprotocol>inet</ipprotocol>
                        <interface>lan</interface>
                        <direction>any</direction>
                        <statetype><![CDATA[keep state]]></statetype>
                        <descr><![CDATA[Firewall monitoring over TCP]]></descr>
                        <log></log>
                        <protocol>tcp</protocol>
                        <source>
                                <address>NET_EXT_MON</address>
                        </source>
                        <destination>
                                <network>lanip</network>
                                <port>SVC_MON_TCP</port>
                        </destination>
                </rule>
                <rule>
                        <type>pass</type>
                        <tracker>1567429840</tracker>
                        <ipprotocol>inet</ipprotocol>
                        <interface>lan</interface>
                        <direction>any</direction>
                        <statetype><![CDATA[keep state]]></statetype>
                        <descr><![CDATA[Firewall monitoring over UDP]]></descr>
                        <log></log>
                        <protocol>udp</protocol>
                        <source>
                                <address>NET_EXT_MON</address>
                        </source>
                        <destination>
                                <network>lanip</network>
                                <port>SVC_MON_UDP</port>
                        </destination>
                </rule>
                <rule>
                        <type>pass</type>
                        <tracker>1567429841</tracker>
                        <ipprotocol>inet</ipprotocol>
                        <interface>lan</interface>
                        <direction>any</direction>
                        <statetype><![CDATA[keep state]]></statetype>
                        <descr><![CDATA[Firewall mgmt]]></descr>
                        <log></log>
                        <protocol>tcp</protocol>
                        <source>
                                <address>GRP_EXT_OFFICE</address>
                        </source>
                        <destination>
                                <network>lanip</network>
                                <port>SVC_MGMT_FW</port>
                        </destination>
                </rule>
                <rule>
                        <type>block</type>
                        <tracker>1567429842</tracker>
                        <ipprotocol>inet46</ipprotocol>
                        <interface>lan</interface>
                        <direction>any</direction>
                        <statetype><![CDATA[keep state]]></statetype>
                        <descr><![CDATA[Cleanup]]></descr>
                        <log></log>
                        <protocol>tcp/udp</protocol>
                        <source>
                                <any></any>
                        </source>
                        <destination>
                                <any></any>
                        </destination>
                </rule>

This is the XML of the separators added by the Ansible module (the ones not showing up):

                <separator>
                        <lan>
                                <sep0>
                                        <color>bg-info</color>
                                        <text><![CDATA[Management and Monitoring]]></text>
                                        <row>fr8</row>
                                        <if>lan</if>
                                </sep0>
                                <sep1>
                                        <color>bg-danger</color>
                                        <text><![CDATA[Cleanup]]></text>
                                        <row>fr11</row>
                                        <if>lan</if>
                                </sep1>
                        </lan>
                </separator>

And this is the XML for the separators if I manually add them in the correct place. The order should be sep1, r1, r2, r3, sep2, r4:

                <separator>
                        <lan>
                                <sep0>    
                                        <row>fr0</row>
                                        <text><![CDATA[Management and Monitoring]]></text>
                                        <color>bg-info</color>
                                        <if>lan</if>
                                </sep0>
                                <sep1>
                                        <row>fr3</row>   
                                        <text><![CDATA[Cleanup]]></text>
                                        <color>bg-danger</color>
                                        <if>lan</if>
                                </sep1>
                        </lan>
                </separator>

If it helps, this is how the correct version looks in the GUI:
[screenshot: Firewall: Rules: LAN, taken 2019-11-08]

@f-bor
Collaborator

f-bor commented Nov 8, 2019

Thank you. Unfortunately, I haven't been able to reproduce; it's working as expected when I try.

The fr8 and fr11 values show that the module thinks there are 8 other rules before.

Would it be possible to see the entire filter section of your config.xml? (I don't care about the sources and destinations if you mind and want to remove them.)

@robindbe
Author

robindbe commented Nov 8, 2019

I think I start to understand. I do have a couple of floating rules, but those had only the LAN interface selected; that is an issue on my end (none should be selected or multiple, but not just LAN) but I believe that is causing the separators to be offset. This is one of them:

<filter>
	<rule>
		<type>block</type>
		<tracker>1567429830</tracker>
		<ipprotocol>inet46</ipprotocol>
		**<interface>lan</interface>**
		<direction>any</direction>
		<statetype><![CDATA[keep state]]></statetype>
		<descr><![CDATA[No log HSRP]]></descr>
		<quick>yes</quick>
		<protocol>udp</protocol>
		<floating></floating>
		<source>
			<any></any>
		</source>
		<destination>
			<any></any>
			<port>SVC_HSRP</port>
		</destination>
	</rule>

Once I deselected the LAN interface (removing the 'interface' section completely in the above output) or selected an extra interface (like OPT1, resulting in lan,opt1) the issue disappears and the separators show up correctly.

@f-bor
Collaborator

f-bor commented Nov 8, 2019

Ok. I thought it may be this situation and I did the same configuration in my tests. It worked on my side because the GUI generated the following XML for floating rules:
<floating>yes</floating>

But in your case, it's just:
<floating></floating>

I will push a fix to handle that but how did you create those rules ? And if it's with GUI with which version of pfSense ?
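To make the off-by-N concrete, here is an added example (not code from the ansible-pfsense project) of how a separator's row index depends on which rules are counted as floating. Function names, the small constructed config.xml, and the rule descriptions used as sample data are assumptions; the point it demonstrates is the one above: a rule carrying an empty `<floating></floating>` element must still be excluded from the interface tab's rule count, exactly like the GUI's `<floating>yes</floating>` form, or every separator on that interface is shifted down by the number of such rules.

```python
"""Compute pfSense rule-separator row indices from a config.xml <filter> section.

Added example, not the project's own code. It contrasts a check that only
recognises <floating>yes</floating> with one that treats the mere presence of
the <floating> element as the marker, and shows the resulting 'frN' row values.
"""
import xml.etree.ElementTree as ET

# Constructed sample (assumption, not the reporter's full config): two floating
# rules that happen to have only 'lan' selected, one written as
# <floating></floating> (as the reporter's tooling produced) and one as
# <floating>yes</floating> (as the GUI produces), followed by four ordinary
# LAN rules in the order the reporter listed them.
SAMPLE_CONFIG = """<pfsense>
  <filter>
    <rule><interface>lan</interface><descr>No log HSRP</descr><floating></floating></rule>
    <rule><interface>lan</interface><descr>Other floating</descr><floating>yes</floating></rule>
    <rule><interface>lan</interface><descr>Firewall monitoring over TCP</descr></rule>
    <rule><interface>lan</interface><descr>Firewall monitoring over UDP</descr></rule>
    <rule><interface>lan</interface><descr>Firewall mgmt</descr></rule>
    <rule><interface>lan</interface><descr>Cleanup</descr></rule>
  </filter>
</pfsense>
"""


def is_floating_buggy(rule):
    """Only recognises the GUI form <floating>yes</floating>.

    ElementTree returns '' for an element with no text, so an empty
    <floating></floating> is silently treated as a normal interface rule.
    """
    return rule.findtext("floating") == "yes"


def is_floating_fixed(rule):
    """Presence of the element is what marks a floating rule; its text is irrelevant."""
    return rule.find("floating") is not None


def interface_rules(config_xml, interface, is_floating):
    """Return descriptions of the non-floating rules shown on one interface tab, in order."""
    root = ET.fromstring(config_xml)
    rules = []
    for rule in root.iter("rule"):
        # Floating rules list their interfaces comma-separated, e.g. 'lan,opt1'.
        ifaces = (rule.findtext("interface") or "").split(",")
        if interface in ifaces and not is_floating(rule):
            rules.append(rule.findtext("descr"))
    return rules


def separator_row(config_xml, interface, before, is_floating=is_floating_fixed):
    """Row value ('frN') for a separator inserted before the rule described by `before`.

    N is the number of interface rules that precede the target rule, i.e. the
    target's index on that interface tab.
    """
    rules = interface_rules(config_xml, interface, is_floating)
    return "fr%d" % rules.index(before)


if __name__ == "__main__":
    for descr in ("Firewall monitoring over TCP", "Cleanup"):
        print(descr,
              "buggy:", separator_row(SAMPLE_CONFIG, "lan", descr, is_floating_buggy),
              "fixed:", separator_row(SAMPLE_CONFIG, "lan", descr))
```

With the fixed check the two separators land on fr0 and fr3, the values the reporter obtained by placing them manually; with the text-equality check the empty-element floating rule is counted as a LAN rule and both separators shift by one (fr1 and fr4). In the reporter's configuration the shift was eight, one per floating rule that had only LAN selected.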

@robindbe
Author

robindbe commented Nov 8, 2019

Thanks.

I used another module from a different repository, I'll log an issue there as well about the 'yes' thing.

@f-bor
Collaborator

f-bor commented Nov 9, 2019

It should be ok now. Can you please confirm?

@robindbe
Author

It is indeed solved, thanks a lot.
