Re: [pfSense] Syntax error in rules.debug for lagg0 (WAN) after upgrade to 2.4.3_1
Finally found https://redmine.pfsense.org/issues/8518 which is this bug (the extra incomplete gateway line). Fix seems to be to delete/comment out three lines in /etc/inc/filter.inc:

https://redmine.pfsense.org/projects/pfsense/repository/revisions/c9159949e06cc91f6931bf2326672df7cad706f4/diff/src/etc/inc/filter.inc?utf8=%E2%9C%93=inline

A poster on that report says "When I try and add an IPv6 IP Alias VIP the error seems to appear" which would explain why we didn't see it on other 2.4.3_1 updates that have only IPv4 VIPs.

I did try changing off the LAGG to just the one interface on WAN and that had the same symptom with the interface in the message.

--
Steve Yates
ITS, Inc.

-----Original Message-----
From: Steve Yates
Sent: Wednesday, May 23, 2018 10:34 PM
To: 'pfSense Support and Discussion Mailing List'
Subject: Syntax error in rules.debug for lagg0 (WAN) after upgrade to 2.4.3_1

After upgrading our HA routers from 2.4.2_1 to 2.4.3_1, every few minutes they are logging:

There were error(s) loading the rules: /tmp/rules.debug:242: syntax error - The line in question reads [242]: pass out route-to ( lagg0 64.79.96.145 ) from to !/ tracker 105913 keep state allow-opts label "let out anything from firewall host itself"

64.79.96.145 is our WAN gateway. We have the WAN configured to use a one-interface LAGG to allow sharing CARP states if we ever use a different router with a different interface name.

Searching /tmp/rules.debug for "lagg0" I see three lines at the top of the output:

pass out route-to ( lagg0 64.79.96.145 ) from 64.79.96.149 to !64.79.96.144/29 tracker 105911 keep state allow-opts label "let out anything from firewall host itself"
pass out route-to ( lagg0 64.79.96.145 ) from 64.79.96.150 to !64.79.96.144/29 tracker 105912 keep state allow-opts label "let out anything from firewall host itself"
pass out route-to ( lagg0 64.79.96.145 ) from to !/ tracker 105913 keep state allow-opts label "let out anything from firewall host itself"

.149 is the WAN IP, .150 the CARP shared IP. Given the first two are there, I'm not sure what the third is supposed to be? Re-applying the firewall rules does not clear it, though does appear to trigger it (presumably due to the rules reload).

Suggestions?

Steve Yates
ITS, Inc.

___
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold
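A small pre-flight check for the symptom in this thread, added here as an example and not code from the thread or from pfSense: it takes the generated `pass out route-to ( iface gw ) from X to Y tracker N ...` lines in the shape the post shows, and flags any rule whose `from` or `to` field is empty or not an address, reporting the tracker id so the rule can be traced back to the VIP that produced it. The sample input is the three rule lines quoted above, copied as posted; `parse_route_to`, `valid_endpoint` and `find_malformed_route_to` are names chosen for this example, and the parser only understands this one rule shape, not the full pf grammar.

```python
import ipaddress
import sys
from typing import Dict, List, Optional

# Constructed sample: the three route-to lines quoted in the thread, as posted.
# The third is the one pfctl rejects with "syntax error" (empty from/to).
SAMPLE_RULES = """\
pass out route-to ( lagg0 64.79.96.145 ) from 64.79.96.149 to !64.79.96.144/29 tracker 105911 keep state allow-opts label "let out anything from firewall host itself"
pass out route-to ( lagg0 64.79.96.145 ) from 64.79.96.150 to !64.79.96.144/29 tracker 105912 keep state allow-opts label "let out anything from firewall host itself"
pass out route-to ( lagg0 64.79.96.145 ) from to !/ tracker 105913 keep state allow-opts label "let out anything from firewall host itself"
"""


def parse_route_to(line: str) -> Optional[Dict[str, str]]:
    """Split one generated 'pass out route-to ( iface gw ) from X to Y tracker N ...'
    rule into its parts. Returns None for lines of any other shape.
    Hypothetical helper for this example, not a general pf parser."""
    t = line.split()
    if len(t) < 8 or t[:3] != ["pass", "out", "route-to"] or t[3] != "(" or t[6] != ")":
        return None
    try:
        i_from = t.index("from")          # first 'from' is the rule's, not the label's
        i_to = t.index("to", i_from)      # first 'to' after it
    except ValueError:
        return None
    # Everything between 'from' and 'to' is the source; empty when they are adjacent.
    src = " ".join(t[i_from + 1:i_to])
    dst = t[i_to + 1] if i_to + 1 < len(t) else ""
    tracker = "?"
    if "tracker" in t and t.index("tracker") + 1 < len(t):
        tracker = t[t.index("tracker") + 1]
    return {"iface": t[4], "gateway": t[5], "src": src, "dst": dst, "tracker": tracker}


def valid_endpoint(token: str) -> bool:
    """True for a bare host or a CIDR network, optionally negated with a leading '!'."""
    if token.startswith("!"):
        token = token[1:]
    if not token:
        return False
    try:
        ipaddress.ip_network(token, strict=False)
    except ValueError:
        return False
    return True


def find_malformed_route_to(rules_text: str) -> List[Dict[str, str]]:
    """One finding per route-to rule whose source or destination cannot be used."""
    findings = []
    for lineno, line in enumerate(rules_text.splitlines(), start=1):
        rule = parse_route_to(line)
        if rule is None:
            continue
        problems = []
        if not valid_endpoint(rule["src"]):
            problems.append(f"source {rule['src']!r} is empty or not an address")
        if not valid_endpoint(rule["dst"]):
            problems.append(f"destination {rule['dst']!r} is empty or not an address")
        if problems:
            findings.append({
                "line": str(lineno),
                "iface": rule["iface"],
                "gateway": rule["gateway"],
                "tracker": rule["tracker"],
                "problems": "; ".join(problems),
            })
    return findings


def main(argv: List[str]) -> int:
    # With a path argument (e.g. /tmp/rules.debug) check that file; otherwise the sample.
    text = open(argv[1]).read() if len(argv) > 1 else SAMPLE_RULES
    findings = find_malformed_route_to(text)
    for f in findings:
        print(f"line {f['line']}: tracker {f['tracker']} via {f['iface']} "
              f"{f['gateway']}: {f['problems']}")
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

On the sample this reports only line 3, tracker 105913, with both the source and the destination flagged. `pfctl -nf /tmp/rules.debug` (parse without loading) remains the authoritative check and is what produces the logged syntax error; this script only adds the tracker id and the reason, which the pfctl message does not give.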
Re: [pfSense] Syntax error in rules.debug for lagg0 (WAN) after upgrade to 2.4.3_1
I found Suricata won't start, and I'm guessing the error Suricata is logging when it terminates (leaving its .pid file behind),

"23/5/2018 -- 22:42:18 - -- [ERRCODE: SC_ERR_INVALID_ARGUMENT(13)] - alert-pf: Could not validate pf table: snort2c, module init failed."

...is related to this...?

--
Steve Yates
ITS, Inc.