That is interesting to know.   Can you please file a ticket about the
extra ! ! on optional interfaces and provide a test case of how to
recreate the issue?

http://cvstrac.pfsense.com/tktnew

Thanks!

On 9/12/05, mOjO <[EMAIL PROTECTED]> wrote:
>  Thanks.  It seems to work okay when it's applied to my LAN subnet
> (192.168.x.x) but not for opt1 or opt2 subnets (both 10.x.x.x), so it may
> have something to do with the routine that looks up the subnets for those
> interfaces themselves or the nature of the subnets (i.e. it doesn't like 10.
> subs or maybe the fact that the first octet is only 2 digits), or a third
> possibility that it has something to do with the fact that I've renamed
> those interfaces...  Just trying to be helpful... I'll try to take a peek at
> the code later tonight.
>  
>  I also get a PHP error when trying to add IPsec certs... I'll post about it
> later (assuming it's not fixed in Sunday's new build; haven't tried yet).
> 
>  
>  Scott Ullrich wrote: 
>  Seth mentioned that it is currently not working and he planned on
> digging in soon.
> 
> Scott
> 
> 
> On 9/11/05, mOjO <[EMAIL PROTECTED]> wrote:
>  
>  
>  Oh... just noticed the new release... will try that and get back to you guys
> on this...
> 
>  
>  mOjO wrote: 
>  I've got an interesting bug to report... I'm not sure if my rules logic is
> smart from a best-practices standpoint (suggestions welcome) but I have 4
> NICs in my pfSense box: LAN (rl2), WAN (rl1), DMZ0 (rl0 = opt1), and VOIP
> (ep0 = opt2). All are Realtek chips except VOIP which is an old ISA 3Com
> 10baseT. I just a few moments ago realized a fatal flaw in my plan to give
> my Vonage router its own interface in that pfSense just now informed me that
> the old 3Com NIC's driver doesn't support AltQ (doh!) but that has no bearing
> on this issue.
>  
>  My strategy was to make rules that would allow the DMZ and VOIP interfaces
> full access out to the internet but no access to each other or the LAN
> interface (pretty standard setup really) but the LAN int can go anywhere. So I
> made some rules stating the following on the DMZ0 interface:
>  - Allow all outbound ports/protocols on DMZ0 that are not destined for
> the LAN subnet. (this one works fine)
>  - Allow all outbound ports/protocols on DMZ0 that are not destined for
> the VOIP subnet. (this one generates an error)
>  
>  Then I got a parsing error from pfSense in the system log, the reason for which
> is obvious below. (Email me directly if you want the uncensored version of the
> subnets or any other somewhat security-sensitive debug info.)
>  
>  Notice the extra '!' in the rules below (from /tmp/rules.debug):
>  
> pass in quick on $VOIP from 10.x.x.x/30 to !192.168.x.x/24 keep state 
> label "USER_RULE: Allow ALL outbound traffic except to LAN subnet"
>  
>  pass in quick on $VOIP from 10.x.x.x/30 to ! !10.y.y.y/24 keep state 
> label "USER_RULE: Allow ALL outbound traffic except to LAN subnet"
>  pass in quick on $DMZ0 from any to !192.168.x.x/24 keep state label
> "USER_RULE: Allow ALL outbound traffic except to LAN subnet"
>  pass in quick on $DMZ0 from any to ! !10.x.x.x/30 keep state label
> "USER_RULE: Allow ALL outbound traffic except to OPT2 subnet"
>  pass in quick on $lan proto tcp from 192.168.x.x/24 to any flags S/SA
> synproxy state queue (qLANdef, qLANacks) label "USER_RULE: Default LAN ->
> any"
>  I hope that's enough info for you to debug... let me know if you are unable
> to reproduce. BTW, I installed with 80.2 and updated to 82.4 if that makes a
> difference.
>  
>  Oh, and also I have the same bug I noticed someone else mention where my WAN
> interface always shows DHCP to be down even though it's not. Hitting "renew"
> works fine and shows it properly for a little while but it always goes back
> to being down... This is strictly cosmetic as I have no issues on that
> interface, and although it's DHCP my ISP (Comcast) does some kind of MAC
> registration so as to stop us from pulling multiple real IP addies, so my
> WAN IP will never change really unless I swap NICs or change the MAC.
>  
>  TIA,
>  mOjO
>  

---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
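A small checker for the doubled negation that the ticket request above concerns, added here as an example and not code from the thread or from pfSense: it scans lines in the shape of the /tmp/rules.debug excerpt, reports every rule carrying "! !" in front of an address together with the interface macro it is on, and rewrites it to the single-negation form the rule's label intends. The sample rules and the addresses in them are constructed.

```python
import re
from typing import List, Tuple

# Constructed sample modelled on the /tmp/rules.debug excerpt quoted in the thread.
# Addresses are made up; the "! !" on the OPT-interface rules is the reported bug.
SAMPLE_RULES = """\
pass in quick on $VOIP from 10.10.10.0/30 to !192.168.1.0/24 keep state label "USER_RULE: Allow ALL outbound traffic except to LAN subnet"
pass in quick on $VOIP from 10.10.10.0/30 to ! !10.20.20.0/24 keep state label "USER_RULE: Allow ALL outbound traffic except to OPT1 subnet"
pass in quick on $DMZ0 from any to !192.168.1.0/24 keep state label "USER_RULE: Allow ALL outbound traffic except to LAN subnet"
pass in quick on $DMZ0 from any to ! !10.10.10.0/30 keep state label "USER_RULE: Allow ALL outbound traffic except to OPT2 subnet"
"""

# pf accepts a single "!" before an address; two of them are a parse error,
# which is why pfctl rejected the generated rule set in the report.
DOUBLE_NEG = re.compile(r"!\s*!\s*(?P<addr>\S+)")
IFACE_MACRO = re.compile(r"\bon\s+(?P<iface>\$\w+)")


def find_double_negation(rules_text: str) -> List[Tuple[int, str]]:
    """Return (line number, address) for every rule that carries a doubled '!'."""
    hits = []
    for lineno, line in enumerate(rules_text.splitlines(), start=1):
        m = DOUBLE_NEG.search(line)
        if m:
            hits.append((lineno, m.group("addr")))
    return hits


def interfaces_affected(rules_text: str) -> List[str]:
    """Interface macros ($VOIP, $DMZ0, ...) whose rules contain the doubled '!'."""
    lines = rules_text.splitlines()
    found = set()
    for lineno, _ in find_double_negation(rules_text):
        m = IFACE_MACRO.search(lines[lineno - 1])
        if m:
            found.add(m.group("iface"))
    return sorted(found)


def collapse_double_negation(rules_text: str) -> str:
    """Rewrite '! !addr' as '!addr', the single negation the rule label describes."""
    return DOUBLE_NEG.sub(r"!\g<addr>", rules_text)


if __name__ == "__main__":
    for lineno, addr in find_double_negation(SAMPLE_RULES):
        print(f"line {lineno}: doubled negation before {addr}")
    print("affected interfaces:", ", ".join(interfaces_affected(SAMPLE_RULES)))
```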
