Author Topic: Duplicate EasyRule  (Read 1128 times)

ballerh3
Duplicate EasyRule
« on: March 08, 2011, 11:45:12 am »
2.0-RC1 (i386)
built on Mon Mar 7 12:03:17 EST 2011

Minor annoyance:
When clicking Easy Rule: Add to Block list in the Firewall, the address gets added into the EasyRuleBlockHostsWAN like it should and then adds the Alias to the WAN interface. But when I click on another address to add, EasyRuleBlockHostsWAN alias gets added in again on the WAN interface.

Minor annoyance:
One can also click multiple times on Easy Rule: Pass this traffic and add the same address too.

jimp
Re: Duplicate EasyRule
« Reply #1 on: March 09, 2011, 11:25:36 am »
I can't reproduce any kind of duplication of the block alias or addresses inside the block alias. No matter how many times I click various addresses to block, there is only one rule with the alias.

Also, multiple pass rules isn't something that is checked for. It's just doing what it's told there. If it were using aliases or some other means it might have to check for duplication, but as it is, it just adds the rule you requested.
Need help fast? Commercial Support!

Co-Author of pfSense: The Definitive Guide. - Check the Doc Wiki for FAQs.

Do not PM for help!

Cino
Re: Duplicate EasyRule
« Reply #2 on: March 09, 2011, 12:36:20 pm »
I had a similar issue for a while, but because of how I want it to work I just dealt with it. The Alias record itself isn't being duplicated on my box. Every IP I block via EasyRule goes into the same Alias record.

When I first used EasyRule, it created a rule and an alias. This rule was placed at the bottom of my firewall rule table. I moved the rule to the first position on my firewall rule table. So when the rules are being applied to packets (top to bottom), it would stop IPs that are trying to hack into a box I have open for remote access. I have NAT/FW rules opening up certain ports for different things.

Now when I add a new host using the EasyRule on the firewall log, it would create another rule in the firewall rules table. This rule is placed last on the table. Now I can't duplicate this all the time, but it will create another rule for every host I want to block. It's like it's not checking the rules table to see if one is already created... I think it should be placed first in the list like the 'Block bogon networks', 'Block private networks' rules are...


jimp
Re: Duplicate EasyRule
« Reply #3 on: March 09, 2011, 01:37:47 pm »
Unless you changed the name of the alias, or the interface on the rule, it should be detected properly:

Code:
function easyrule_block_rule_exists($int = 'wan') {
global $blockaliasname, $config;
/* No rules, so we know it doesn't exist */
if (!is_array($config['filter']['rule'])) {
return false;
}

/* Search through the rules for one referencing our alias */
foreach ($config['filter']['rule'] as $rule)
if (!is_array($rule) || !is_array($rule['source']))
continue;
if ($rule['source']['address'] == $blockaliasname . strtoupper($int) && ($rule['interface'] == $int))
return true;
return false;
}

I'll see what I can do about making it add the rule at the top.

jimp
Re: Duplicate EasyRule
« Reply #4 on: March 09, 2011, 01:51:15 pm »
Ah, I found it. That foreach is missing some {}'s.

Should be OK once the commit makes it into snapshots.
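Added example, not part of any post in this thread and not the pfSense commit: the brace-less loop from Reply #3 next to one way of placing the braces, run over two constructed rule tables. Without braces only the first `if` is the loop body, so the alias comparison runs once after the loop, against the last rule only. The function names, the rule arrays and the `EasyRuleBlockHosts` prefix (inferred from the alias name quoted above) are assumptions.

```php
<?php
// Prefix inferred from the alias name "EasyRuleBlockHostsWAN" quoted in the thread.
$blockaliasname = 'EasyRuleBlockHosts';

// Loop as posted in Reply #3 (hypothetical wrapper taking the rule list directly).
function exists_as_posted(array $rules, $int = 'wan') {
    global $blockaliasname;
    foreach ($rules as $rule)
        if (!is_array($rule) || !is_array($rule['source']))
            continue;
    // Executes once, after the loop, with $rule still holding the last rule.
    if ($rule['source']['address'] == $blockaliasname . strtoupper($int) && ($rule['interface'] == $int))
        return true;
    return false;
}

// Same checks with braces, so every rule is compared.
function exists_with_braces(array $rules, $int = 'wan') {
    global $blockaliasname;
    foreach ($rules as $rule) {
        if (!is_array($rule) || !is_array($rule['source'])) {
            continue;
        }
        if ($rule['source']['address'] == $blockaliasname . strtoupper($int) && ($rule['interface'] == $int)) {
            return true;
        }
    }
    return false;
}

// Constructed sample rules (192.0.2.10 is a documentation address).
$block = ['interface' => 'wan', 'type' => 'block', 'source' => ['address' => 'EasyRuleBlockHostsWAN']];
$pass  = ['interface' => 'wan', 'type' => 'pass',  'source' => ['address' => '192.0.2.10']];

$layouts = [
    'block rule last'  => [$pass, $block],
    'block rule first' => [$block, $pass],  // rule moved to the top, as in Reply #2
];
foreach ($layouts as $label => $rules) {
    printf("%-17s as posted: %-5s  with braces: %s\n", $label,
        var_export(exists_as_posted($rules), true),
        var_export(exists_with_braces($rules), true));
}
```
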

Cino
Re: Duplicate EasyRule
« Reply #5 on: March 09, 2011, 02:43:59 pm »
As always Jim, thank you!!

I manually added the changes into my box and it's working correctly....
Sidenote: After the March 3rd snapshots, I'm a little scared to update to them; packages didn't auto re-install, and lcdproc would hang on startup until I manually restarted that service. May do gitsync later tonight and see what happens to the RC1 IPv6 snapshot I'm currently using...

Stephen

ballerh3
Re: Duplicate EasyRule
« Reply #6 on: March 10, 2011, 03:57:51 pm »
Thank You jimp