
Block rule show as pass #8104

Open
filipdot opened this issue Dec 2, 2024 · 1 comment
Labels
support Community support

Comments

filipdot commented Dec 2, 2024

Describe the bug

Versions
OPNsense 24.7.9_1-amd64
FreeBSD 14.1-RELEASE-p6
OpenSSL 3.0.15

The block rule makes a pass, I don't know why. A block rule blocks the "bad" IP no matter the port, right? That's weird.

[image]

Blocked rule:
[image]

Passed rule:
[image]

Is it truly a pass, or is it blocked and the GUI is wrong, or does it really pass?

Float?
[image]

I disabled it on floating but it came back on another rule...

[image]

err...
[image]

OK, look at rule "Nie Polska", which should filter out all IPs outside Poland using GeoIP,
and the IP 179.60.147.138 (Venezuela (VE)) looks like it is outside, but it passes...

[image]

[image]

Maybe the rule? Let's go to the rule ID.
[image]

Looks good, we are looking for the inverse of "Polska".
Alias "Polska":
[image]
[image]

In the GeoLite2 CSV I see a match:
[image]

TL;DR

Why does it pass when it should block? The block rule is on top. The label and rule ID are from the BLOCK rule, but it makes a PASS.

Tip: to validate your setup was working with the previous version, use opnsense-revert (https://docs.opnsense.org/manual/opnsense_tools.html#opnsense-revert)
Can't do it.

To Reproduce

Steps to reproduce the behavior:

  1. Use floating rules or WAN rules
  2. Wait for a bad connection
  3. Check the live firewall log on WAN and the label "block" as in the rules
  4. See error

Expected behavior

All traffic from the "bad" IP is blocked.

Need more?
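To check the GeoIP side of a report like this, that is, whether an address such as 179.60.147.138 really falls outside the country alias and therefore should match the inverted alias used by a rule like "Nie Polska", here is an added Python example; it is not part of the issue or of OPNsense, it assumes the column layout of the GeoLite2 country CSVs, and its rows are constructed samples.

```python
import csv
import io
import ipaddress

# Constructed sample rows in the column layout of the GeoLite2 country CSVs
# (GeoLite2-Country-Blocks-IPv4.csv and GeoLite2-Country-Locations-en.csv).
# The prefixes and geoname ids are illustrative, not real database contents.
BLOCKS_CSV = """network,geoname_id,registered_country_geoname_id,represented_country_geoname_id,is_anonymous_proxy,is_satellite_provider
5.172.0.0/16,798544,798544,,0,0
179.60.144.0/22,3625428,3625428,,0,0
"""
LOCATIONS_CSV = """geoname_id,locale_code,continent_code,continent_name,country_iso_code,country_name,is_in_european_union
798544,en,EU,Europe,PL,Poland,1
3625428,en,SA,South America,VE,Venezuela,0
"""


def load_geoip(blocks_csv, locations_csv):
    """Return a list of (network, country_iso_code), most specific prefix first."""
    geoname_to_iso = {
        row["geoname_id"]: row["country_iso_code"]
        for row in csv.DictReader(io.StringIO(locations_csv))
    }
    networks = []
    for row in csv.DictReader(io.StringIO(blocks_csv)):
        # geoname_id is empty for some blocks; fall back to the registered country.
        geoname = row["geoname_id"] or row["registered_country_geoname_id"]
        networks.append((ipaddress.ip_network(row["network"]), geoname_to_iso.get(geoname)))
    # Longest prefix wins when ranges nest.
    networks.sort(key=lambda entry: entry[0].prefixlen, reverse=True)
    return networks


def country_of(ip, networks):
    """ISO country code for ip, or None when it is not in the database at all."""
    addr = ipaddress.ip_address(ip)
    for net, iso in networks:
        if addr in net:
            return iso
    return None


def inverted_alias_matches(ip, networks, alias_country="PL"):
    """Emulate a rule source of 'not <country alias>' (like "Nie Polska").

    Any address whose country differs from the alias country matches the negated
    alias, so a block rule with that source should fire; an address absent from
    the database is also not in the alias, so it matches as well.
    """
    return country_of(ip, networks) != alias_country
```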

@AdSchellevis AdSchellevis added the support Community support label Dec 3, 2024
fichtner (Member) commented Dec 3, 2024

There seems to be a bit of NAT being involved so I'd like to ask you to recheck with the 24.7.10 kernel. A number of pflog related bugs surfaced recently.

Cheers,
Franco
