Re: [pfSense] [Bulk] Re: [Bulk] Invalid IP range allowed in firewall alias, breaks ruleset

Mon, 20 Apr 2015 11:49:27 -0700

Yes the test could probably be edited to catch such probably unintended ip like names.. If you can supply a patch for it on github it will probably get pulled (eventually), but i think there are other issues that might be more important to have than avoiding all kind of user errors.. If a host-name cannot be resolved it cannot be used by pf.. Sofar no discussion i think. As for the other entries in the alias, they should still function as before i would imagine.. Are you saying thats not the case? 

Steve Yates schreef op 20-4-2015 om 19:51:

        I hear you, but until there are valid TLDs for ".(number)-(number)" perhaps that 
test could be edited?  Or possibly print "WARNING: what you entered was detected as a hostname 
but might have been intended as an IP block, and if we can't resolve the hostname, rules will not 
pass traffic for any other listed IPs in this alias" or similar?

        Reading what I just wrote, what happens if a valid hostname ever can't 
be resolved in the future?  The rule stops working then also?

--

Steve Yates
ITS, Inc.


PiBa wrote on Mon, Apr 20 2015 at 12:27 pm:


Problem is that what you typed validates as a valid 'hostname'..

Steve Yates schreef op 20-4-2015 om 17:52:

I had a situation this weekend where I wanted to add another IP range to an

existing alias.  I entered x.x.x.75-99 which the eagle eyed among you will 
notice
is invalid syntax (should be x.x.x.x75-x.x.x.99).  pfSense 2.2.1 didn't complain
about that when adding it or applying the rules, but traffic stopped and I 
finally
found an error logged in the System/Resolver log of all places:

filterdns: failed to resolve host x.x.x.75-99 will retry later again.

There were no other errors logged that I can find.  I would like to suggest

pfSense validate alias input to catch that invalid entry format and make it a 
tad
more idiot-proof.  :)

_______________________________________________
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold



_______________________________________________
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold

Reply via email to