Thanks. It seems to work okay when it's applied to my LAN subnet (192.168.x.x) but not for the opt1 or opt2 subnets (both 10.x.x.x), so it may have something to do with the routine that looks up the subnets for those interfaces themselves, or the nature of the subnets (i.e. it doesn't like 10. subs, or maybe the fact that the first octet is only 2 digits), or a third possibility that it has something to do with the fact that I've renamed those interfaces... Just trying to be helpful... I'll try to take a peek at the code later tonight.

I also get a PHP error when trying to add IPsec certs... I'll post about it later (assuming it's not fixed in Sunday's new build; haven't tried yet).

Scott Ullrich wrote:
Seth mentioned that "not" currently is not working and he planned on
digging in soon.

Scott


On 9/11/05, mOjO <[EMAIL PROTECTED]> wrote:
  
 Oh... just noticed the new release... will try that and get back to you guys
on this...

 
 mOjO wrote: 
 I've got an interesting bug to report... I'm not sure if my rules logic is
smart from a best-practices standpoint (suggestions welcome) but I have 4
NICs in my pfSense box:  LAN (rl2), WAN (rl1), DMZ0 (rl0 = opt1), and VOIP
(ep0 = opt2).  All are Realtek chips except VOIP which is an old ISA 3Com
10BaseT.  I just a few moments ago realized a fatal flaw in my plan to give
my Vonage router its own interface, in that pfSense just now informed me that
the old 3Com NIC's driver doesn't support ALTQ (doh!), but that has no bearing
on this issue.
 
 My strategy was to make rules that would allow the DMZ and VOIP interfaces
full access out to the internet but no access to each other or the LAN
interface (pretty standard setup really), but the LAN int can go anywhere.  So I
made some rules stating the following on the DMZ0 interface:
     - Allow all outbound ports/protocols on DMZ0 that are not destined for
the LAN subnet.  (this one works fine)
     - Allow all outbound ports/protocols on DMZ0 that are not destined for
the VOIP subnet.  (this one generates an error)
 
 Then I got a parsing error from pfSense in the system log, the reason for which
is obvious below. (Email me directly if you want the uncensored version of the
subnets or any other somewhat security-sensitive debug info.)
 
 Notice the extra '!' in the rules below (from /tmp/rules.debug):
 
pass in quick on $VOIP from 10.x.x.x/30 to !192.168.x.x/24 keep state label "USER_RULE: Allow ALL outbound traffic except to LAN subnet"

pass in quick on $VOIP from 10.x.x.x/30 to ! !10.y.y.y/24 keep state label "USER_RULE: Allow ALL outbound traffic except to LAN subnet"

pass in quick on $DMZ0 from any to !192.168.x.x/24 keep state label "USER_RULE: Allow ALL outbound traffic except to LAN subnet"

pass in quick on $DMZ0 from any to ! !10.x.x.x/30 keep state label "USER_RULE: Allow ALL outbound traffic except to OPT2 subnet"

pass in quick on $lan proto tcp from 192.168.x.x/24 to any flags S/SA synproxy state queue (qLANdef, qLANacks) label "USER_RULE: Default LAN -> any"
 I hope that's enough info for you to debug... let me know if you are unable
to reproduce. BTW, I installed with 80.2 and updated to 82.4 if that makes a
difference.
 
 Oh, and also I have the same bug I noticed someone else mention where my WAN
interface always shows DHCP to be down even though it's not.  Hitting "renew"
works fine and shows it properly for a little while but it always goes back
to being down... This is strictly cosmetic as I have no issues on that
interface, and although it's DHCP my ISP (Comcast) does some kind of MAC
registration so as to stop us from pulling multiple real IP addies, so my
WAN IP will never change really unless I swap NICs or change the MAC.
 
 TIA,
 mOjO
 
---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED] For additional
commands, e-mail: [EMAIL PROTECTED]
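The thread's symptom (a "not" destination that resolves to an interface subnet comes out as "! !10.x.x.x/30", while a plain negated network renders with a single "!") is the classic double-negation bug in a rule generator: the lookup routine and its caller both apply the "not" flag. The following Python model is an added illustration for this thread; it is not pfSense's filter code, and the interface names, placeholder subnets, rule structure and function names are all constructed assumptions. It renders the two DMZ0 rules from the post with a buggy and a fixed lookup, and includes the kind of check one would run over /tmp/rules.debug to catch a doubled "!" before pf ever parses it.

```python
import re

# Constructed interface table with placeholder networks (not the ones in the post).
INTERFACES = {
    "lan":  "192.168.1.0/24",
    "opt1": "10.10.10.0/24",   # "DMZ0" in the post
    "opt2": "10.20.20.0/30",   # "VOIP" in the post
}

# Constructed approximation of the two DMZ0 rules described in the post.
# The LAN rule is modelled as a literal network (it rendered fine for the
# poster); the OPT2 rule uses the interface-subnet lookup path.  This is an
# assumption about where the defect lives, not pfSense's actual logic.
RULES = [
    ("DMZ0", {"address": "any"}, {"address": "192.168.1.0/24", "not": True},
     "Allow ALL outbound traffic except to LAN subnet"),
    ("DMZ0", {"address": "any"}, {"interface": "opt2", "not": True},
     "Allow ALL outbound traffic except to OPT2 subnet"),
]


def lookup_target_buggy(target, interfaces=INTERFACES):
    """Hypothetical lookup that applies the 'not' flag itself when it resolves
    an interface subnet.  The renderer applies the flag again, so interface
    targets come out as '! !<net>' while literal networks get a single '!'."""
    if "interface" in target:
        net = interfaces[target["interface"]]
        return ("!" + net) if target.get("not") else net
    return target["address"]


def lookup_target_fixed(target, interfaces=INTERFACES):
    """Fixed lookup: return the bare network; negation is the renderer's job only."""
    if "interface" in target:
        return interfaces[target["interface"]]
    return target["address"]


def render_rule(iface_macro, src, dst, lookup, label):
    """Render one pf 'pass in quick' rule, applying '!' exactly once per endpoint."""
    def endpoint(t):
        addr = lookup(t)
        return ("! " + addr) if t.get("not") else addr
    return (f'pass in quick on ${iface_macro} from {endpoint(src)} '
            f'to {endpoint(dst)} keep state label "USER_RULE: {label}"')


def generate(lookup, rules=RULES):
    """Render the whole constructed ruleset with the given lookup routine."""
    return "\n".join(render_rule(m, s, d, lookup, l) for m, s, d, l in rules)


# A doubled negation, with or without whitespace between the two '!' signs.
DOUBLE_NEG = re.compile(r"!\s*!")


def find_double_negations(rules_text):
    """Return (line_no, line) for every rule line containing a doubled '!'.
    Running this over the generated rules file flags the defect before pf
    rejects the ruleset with a parse error."""
    return [(n, line) for n, line in enumerate(rules_text.splitlines(), 1)
            if DOUBLE_NEG.search(line)]


if __name__ == "__main__":
    buggy = generate(lookup_target_buggy)
    print("--- buggy renderer ---")
    print(buggy)
    for n, line in find_double_negations(buggy):
        print(f"double negation on line {n}: {line}")
    print("--- fixed renderer ---")
    print(generate(lookup_target_fixed))
```

The fix is purely a matter of ownership: exactly one layer (here the renderer) is allowed to turn the "not" flag into syntax, and lookups return bare networks. The `find_double_negations` check is cheap enough to run on every generated rules file as a regression guard.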