
Topic: Notification of tmp/rules.debug syntax error


Offline jrv
Notification of tmp/rules.debug syntax error
« on: March 06, 2018, 03:02:47 pm »
I am getting a syntax error every time the firewall rules are reloaded.  /tmp/rules.debug has "to !1.2.3.32/29" whereas the notice only says "to !/".  How do I tell if rules.debug is valid, or why the notification is mangled?

The IP addresses below have been edited.  1.2.3.34 is the IP address of the WAN port.  1.2.3.33 is the upstream gateway to the Internet.  1.2.3.32/29 is the net the WAN port is on.

[2.4.2-RELEASE]# find / -type f -print0 | xargs -0 fgrep -n 'tracker 1000004861'
/tmp/rules.debug:152:pass out  route-to ( igb4 1.2.3.33 ) from 1.2.3.34 to !1.2.3.32/29 tracker 1000004861 keep state allow-opts label "let out anything from firewall host itself"
/tmp/notices:1:a:19:{i:1517588425;a:5:{s:2:"id";s:11:"filter_load";s:6:"notice";s:275:"There were error(s) loading the rules: /tmp/rules.debug:147: syntax error - The line in question reads [147]: pass out  route-to ( igb4 1.2.3.33 ) from 1.2.3.34 to !/ tracker 1000004861 keep state allow-opts label "let out anything from firewall host itself"
... 19 more lines like that ...
/tmp/rules.debug.old:152:pass out  route-to ( igb4 1.2.3.33 ) from 1.2.3.34 to !1.2.3.32/29 tracker 1000004861 keep state allow-opts label "let out anything from firewall host itself"
/var/db/notices_lastmsg.txt:1:There were error(s) loading the rules: /tmp/rules.debug:150: syntax error - The line in question reads [150]: pass out  route-to ( igb4 1.2.3.33 ) from 1.2.3.34 to !/ tracker 1000004861 keep state allow-opts label "let out anything from firewall host itself"
[2.4.2-RELEASE]#
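An added example (not code from any poster or from pfSense) that does mechanically what the find/fgrep above does by hand: take the plain notice text (as stored in /var/db/notices_lastmsg.txt), pull the tracker id out of the quoted rule, find the rule with that tracker in rules.debug, and report which tokens differ. The rules.debug excerpt and notice below are constructed from the redacted lines in the post.

```python
import re
from itertools import zip_longest

# Constructed sample input, shortened from the redacted lines in the thread.
RULES_DEBUG = """# rules.debug excerpt (constructed; the real file is much longer)
pass in quick on $WAN reply-to ( igb4 1.2.3.33 ) inet proto udp from any to 1.2.3.34 port 1194 keep state label "USER_RULE: OpenVPN remote client UDP wizard"
pass out  route-to ( igb4 1.2.3.33 ) from 1.2.3.34 to !1.2.3.32/29 tracker 1000004861 keep state allow-opts label "let out anything from firewall host itself"
"""

NOTICE = ('There were error(s) loading the rules: /tmp/rules.debug:147: syntax error - '
          'The line in question reads [147]: pass out  route-to ( igb4 1.2.3.33 ) '
          'from 1.2.3.34 to !/ tracker 1000004861 keep state allow-opts '
          'label "let out anything from firewall host itself"')

NOTICE_RE = re.compile(r'rules\.debug:(\d+): syntax error - The line in question reads \[\d+\]: (.+)$')
TRACKER_RE = re.compile(r'\btracker (\d+)\b')


def parse_notice(notice):
    """Return (line number, quoted rule text) from a filter_load notice, or None."""
    m = NOTICE_RE.search(notice)
    if not m:
        return None
    return int(m.group(1)), m.group(2).strip()


def find_by_tracker(rules_text, tracker):
    """Return (1-based line number, rule text) of the rule carrying this tracker id, or None."""
    for lineno, line in enumerate(rules_text.splitlines(), start=1):
        m = TRACKER_RE.search(line)
        if m and m.group(1) == tracker:
            return lineno, line.strip()
    return None


def reconcile(rules_text, notice):
    """Compare the rule quoted in a notice with the same tracker's rule in rules.debug.

    Tokens are compared after collapsing whitespace, so only content differences
    (such as '!/' versus '!1.2.3.32/29') are reported, not spacing.
    """
    parsed = parse_notice(notice)
    if parsed is None:
        return {"status": "unparsed-notice"}
    notice_lineno, quoted = parsed
    m = TRACKER_RE.search(quoted)
    if not m:
        return {"status": "no-tracker", "notice_line": notice_lineno}
    tracker = m.group(1)
    found = find_by_tracker(rules_text, tracker)
    if found is None:
        return {"status": "tracker-missing", "tracker": tracker, "notice_line": notice_lineno}
    file_lineno, actual = found
    diffs = [(q, a) for q, a in zip_longest(quoted.split(), actual.split(), fillvalue="") if q != a]
    return {"status": "mangled" if diffs else "same", "tracker": tracker,
            "notice_line": notice_lineno, "file_line": file_lineno, "token_diffs": diffs}
```

To check whether the file itself parses, `pfctl -nf /tmp/rules.debug` parses the ruleset without loading it.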

Online Gertjan
Re: Notification of tmp/rules.debug syntax error
« Reply #1 on: March 06, 2018, 05:43:10 pm »
Hi,

I'm surely not an "ip" firewall expert, but this "!" looks strange to me ...
Try ditching the rules that inserted this "!".

Offline Derelict
Re: Notification of tmp/rules.debug syntax error
« Reply #2 on: March 06, 2018, 06:52:19 pm »
Are you running Suricata?

What is the configuration of the WAN interface? (static, DHCP, PPPoE, etc)?

Is there a WAN down or up event happening at the time those are logged?

Is there an interruption in traffic or is there just that log entry / alert?

If you look at the rule set after the fact, does the rule look normal? (grep 1000004861 /tmp/rules.debug) (or even better, pfctl -vvsr | grep '^@152')

What version of pfSense?
« Last Edit: March 06, 2018, 07:02:02 pm by Derelict »
Las Vegas, Nevada, USA
Use this diagram to describe your issue.
The pfSense Book is now available for just $24.70!
Do Not PM For Help! NO_WAN_EGRESS™

Offline jrv
Re: Notification of tmp/rules.debug syntax error
« Reply #3 on: March 07, 2018, 01:35:19 am »
The ! seems OK - it probably means "all addresses except this CIDR block", and it probably makes sense in the context "all addresses not on the connected net must be routed to the gateway".

No rule I have added has a ! - this is something pfSense generated.

I am not running Suricata.

The WAN port is configured as types "Static IPv4" & "DHCP6", IPv4 address 1.2.3.34/29 gateway "WANGW 1.2.3.33".  The DHCPv6 Prefix Delegation size is set to "64".

There do not appear to have been any up or down events on the interface, nor any traffic interruption, just the log alert.

The only functional problem I am having is that only one of my global IP addresses is working.  The ISP (Time Warner / Spectrum in Austin Texas USA) provides five globally visible addresses (1.2.3.34 through 1.2.3.38) but packets sent to 1.2.3.35-1.2.3.38 don't appear in Diagnostics->Packet Capture in promiscuous mode.  I don't know if my pfSense configuration is incorrect or if the ISP isn't routing correctly.

This is pfSense version:

2.4.2-RELEASE-p1 (amd64)
built on Tue Dec 12 13:14:55 CST 2017
FreeBSD 11.1-RELEASE-p6

[2.4.2-RELEASE]# fgrep -n .33 /tmp/rules.debug | fgrep .34
152:pass out  route-to ( igb4 1.2.3.33 ) from 1.2.3.34 to !1.2.3.32/29 tracker 1000004861 keep state allow-opts label "let out anything from firewall host itself"
169:pass  in  quick  on $WAN reply-to ( igb4 1.2.3.33 ) inet proto udp  from any to 1.2.3.34 port 1194 keep state  label "USER_RULE: OpenVPN remote client UDP wizard"
170:pass  in log  quick  on $WAN reply-to ( igb4 1.2.3.33 ) inet proto esp  from any to 1.2.3.34 tracker 1505464764 keep state  label "USER_RULE"
171:pass  in log  quick  on $WAN reply-to ( igb4 1.2.3.33 ) inet proto ah  from any to 1.2.3.34 tracker 1505464848 keep state  label "USER_RULE"
172:pass  in log  quick  on $WAN reply-to ( igb4 1.2.3.33 ) inet proto gre  from any to 1.2.3.34 tracker 1505464889 keep state  label "USER_RULE"
173:pass  in  quick  on $WAN reply-to ( igb4 1.2.3.33 ) inet proto udp  from any to 1.2.3.34 port 1194 keep state  label "USER_RULE: OpenVPN routed client wizard"
[2.4.2-RELEASE]#

[2.4.2-RELEASE]# pfctl -vvsr | fgrep .33 | fgrep .34
@83(1000004861) pass out route-to (igb4 1.2.3.33) inet from 1.2.3.34 to ! 1.2.3.32/29 flags S/SA keep state allow-opts label "let out anything from firewall host itself"
@98(0) pass in quick on igb4 reply-to (igb4 1.2.3.33) inet proto udp from any to 1.2.3.34 port = openvpn keep state label "USER_RULE: OpenVPN remote client UDP wizard"
@99(1505464764) pass in log quick on igb4 reply-to (igb4 1.2.3.33) inet proto esp from any to 1.2.3.34 keep state label "USER_RULE"
@100(1505464848) pass in log quick on igb4 reply-to (igb4 1.2.3.33) inet proto ah from any to 1.2.3.34 keep state label "USER_RULE"
@101(1505464889) pass in log quick on igb4 reply-to (igb4 1.2.3.33) inet proto gre from any to 1.2.3.34 keep state label "USER_RULE"
@102(0) pass in quick on igb4 reply-to (igb4 1.2.3.33) inet proto udp from any to 1.2.3.34 port = openvpn keep state label "USER_RULE: OpenVPN routed client wizard"
[2.4.2-RELEASE]#

[2.4.2-RELEASE]# pfctl -vvsr | fgrep '"let out anything from firewall host itself"' /tmp/rules.debug
pass out  route-to ( igb4 1.2.3.33 ) from 1.2.3.34 to !1.2.3.32/29 tracker 1000004861 keep state allow-opts label "let out anything from firewall host itself"
pass out  route-to ( igb4 fe80::xxxx:xxxx:xxxx:xxxx ) inet6 from 2605:yyyy:yyyy:yyyy:yyyy:yyyy:yyyy:yyyy to !2605:yyyy:yyyy:yyyy:yyyy:yyyy:yyyy:yyyy/64 tracker 1000004862 keep state allow-opts label "let out anything from firewall host itself"
[2.4.2-RELEASE]#

[2.4.2-RELEASE]#  fgrep '"let out anything from firewall host itself"' /tmp/rules.debug
pass out  route-to ( igb4 1.2.3.33 ) from 1.2.3.34 to !1.2.3.32/29 tracker 1000004861 keep state allow-opts label "let out anything from firewall host itself"
pass out  route-to ( igb4 fe80::xxxx:xxxx:xxxx:xxxx ) inet6 from 2605:yyyy:yyyy:yyyy:yyyy:yyyy:yyyy:yyyy to !2605:yyyy:yyyy:yyyy:yyyy:yyyy:yyyy:yyyy/64 tracker 1000004862 keep state allow-opts label "let out anything from firewall host itself"
[2.4.2-RELEASE]#

[2.4.2-RELEASE]# pfctl -vvsr | grep "^@152"
[2.4.2-RELEASE]#

Offline Derelict
Re: Notification of tmp/rules.debug syntax error
« Reply #4 on: March 07, 2018, 01:37:08 am »
If the packets aren't appearing in a packet capture it means the ISP isn't sending them to you.

Thanks for the other answers.


Offline Derelict
Re: Notification of tmp/rules.debug syntax error
« Reply #5 on: March 07, 2018, 12:38:15 pm »
Bug submitted at https://redmine.pfsense.org/issues/8360

There is a patch available at https://redmine.pfsense.org/attachments/download/2355/8360.diff

If you want to test it you can install it using the System Patches package

Install the System Patches package. It will be at System > Patches when you are done.
Add a new patch
Enter a description
Enter https://redmine.pfsense.org/attachments/download/2355/8360.diff as the URL
Set the path strip count to 2
Set Base Directory to /
Check Ignore Whitespace.
Save

That should retrieve the patch.

Then Fetch it, then Test it. It should say it CAN be applied cleanly and CANNOT be reverted (those test results will flip after it is applied).
Then you can apply it

Please let us know if that clears it up and if you see any adverse effects.

If you wish to have this run on boot, edit the patch and check Auto Apply and Save.

You can simply revert the patch if it causes issues.

Offline sbreit
Re: Notification of tmp/rules.debug syntax error
« Reply #6 on: March 10, 2018, 09:19:16 am »
I just applied the patch in my 2.4.2-RELEASE-p1 and it seems to do the trick. I'll post here again if not.
Thanks for providing the patch  :)

Offline jrv
Re: Notification of tmp/rules.debug syntax error
« Reply #7 on: March 11, 2018, 12:04:15 am »
Agreed: it resolves the issue in my case and does not seem to cause any other issue or change.  Thanks.

Offline Modesty
Re: Notification of tmp/rules.debug syntax error
« Reply #8 on: April 17, 2018, 01:55:02 am »
Good morning,

Can you help me by explaining how I install the patch?

In my pfSense (latest update) I don't have a Patches entry under the System menu, so it must be something I don't get.

Thanks!
Everything can be rebuilt!

Offline jrv
Re: Notification of tmp/rules.debug syntax error
« Reply #9 on: April 17, 2018, 03:01:42 am »
You need to install a package called "System Patches" to see the menu item.