I had an alias "openvpn_ports" defined, over port 1194,1195,1196,1197 and 1198. However, the order was changed in the GUI, with 1194 appearing at the end of the list, and the resulting firewall rules looked like this:
root@gate1:~ # pfctl -sr | grep 119
pass in quick on igb0_vlan101 reply-to (igb0_vlan101 203.0.113.113) inet proto udp from any to 203.0.113.0/29 port = 1195 keep state label "USER_RULE"
pass in quick on igb0_vlan101 reply-to (igb0_vlan101 203.0.113.113) inet proto udp from any to 203.0.113.0/29 port = 1196 keep state label "USER_RULE"
pass in quick on igb0_vlan101 reply-to (igb0_vlan101 203.0.113.113) inet proto udp from any to 203.0.113.0/29 port = 1197 keep state label "USER_RULE"
pass in quick on igb0_vlan101 reply-to (igb0_vlan101 203.0.113.113) inet proto udp from any to 203.0.113.0/29 port = 1198 keep state label "USER_RULE"
root@gate1:~ # pfctl -sr | grep -i vpn
pass in quick on openvpn inet all flags S/SA keep state label "USER_RULE: OpenVPN"
Yes, there is no hint of 1194 in there. Only after specifying another rule using the "OpenVPN" port alone did I get this:
root@gate1:~ # pfctl -sr | grep -i open
pass in quick on openvpn inet all flags S/SA keep state label "USER_RULE: OpenVPN"
pass in quick on igb0_vlan101 reply-to (igb0_vlan101 203.0.113.113) inet proto udp from any to 203.0.113.0/29 port = openvpn keep state label "USER_RULE"
As you can see in the second grep, the port is named "openvpn"; that's why your first grep won't find it ...
and the output of?
grep openvpn_ports /tmp/rules.debug
As you can see in the second grep, the port is named "openvpn"; that's why your first grep won't find it ...
The second grep ("grep -i vpn") is part of the first set, before I put in separate rules. It would find it if it existed.
I cannot reproduce this with the latest 19.1. Can you post the output of https://github.com/opnsense/core/issues/3189#issuecomment-460631378
Mine is:
openvpn_ports = "{ 1194 1195 1196 1197 1198 }"
pass in quick on em1 inet proto udp from $testtest to {any} port $openvpn_ports keep state label "USER_RULE" # 38ad3d7bd645bbfbdfdea2a256f45077
and the output of?
grep openvpn_ports /tmp/rules.debug
root@gate1:~ # grep openvpn_ports /tmp/rules.debug
openvpn_ports = "{ 1195 1196 1197 1198 }"
pass in quick on igb0_vlan101 reply-to ( igb0_vlan101 203.0.113.113 ) inet proto udp from {any} to {203.0.113.0/29} port $openvpn_ports keep state label "USER_RULE" # 19dad6bdcf3c406880cc946e28847ec2
But that's not what the GUI says, the GUI says:
https://temp.discordia.ch/2019-02-05_15-36.png
can't reproduce on OPNsense 19.1
@AdSchellevis I can reproduce when pasting an additional space after the last port.
The GUI accepts it, but it isn't in rules.debug.
@mimugmail it's actually a validation issue in the gui in that case. Let me check
This is 19.1. And it doesn't notice the alias has changed after I try to remove any spaces. The space was not at the end of all the ports, but just after or before 1194 (the first one), which also led to it being sorted to the back of the list. I had to delete the alias and re-do it; now it's
openvpn_ports = "{ 1194 1195 1196 1197 1198 }"
Port validation issue: it should give an error when there is whitespace. https://github.com/opnsense/core/commit/5ad905c89729d8540f7056e8ea2f94988d35f8ff should fix the validation.
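The failure mode in this thread is a silent one: an alias entry with stray whitespace passed the GUI, the port was dropped when rules.debug was generated, and the firewall ended up not passing the traffic that the operator believed it passed. The following added example (not OPNsense's own validation code, and not the fix in the linked commit) shows the two checks a defender wants here: a strict validator for port alias entries that rejects whitespace instead of tolerating it, and a consistency check that parses the alias definition from a rules.debug file and reports any intended port that is missing. The sample rules.debug text is constructed from the lines posted above; the `low-high` range syntax accepted by the validator is an assumption, and the function names are hypothetical.

```python
import re

PORT_MIN, PORT_MAX = 1, 65535

# Matches alias definition lines of the form: name = "{ 1195 1196 1197 1198 }"
ALIAS_DEF_RE = re.compile(r'^(\w+)\s*=\s*"\{\s*([^}]*?)\s*\}"\s*$')


def _port_ok(text):
    """True if text is a decimal port number within 1..65535."""
    return text.isdigit() and PORT_MIN <= int(text) <= PORT_MAX


def validate_port_entry(entry):
    """Return None for a clean entry, else a human-readable error.

    Hypothetical strict validator: rather than calling int(entry.strip()),
    it reports any whitespace so that a copy-pasted ' 1194' is rejected
    up front instead of vanishing from the generated ruleset later.
    The 'low-high' range form accepted here is an assumption.
    """
    if entry == "":
        return "empty entry"
    if entry != entry.strip():
        return f"entry {entry!r} has leading or trailing whitespace"
    if re.search(r"\s", entry):
        return f"entry {entry!r} contains embedded whitespace"
    parts = entry.split("-")
    if len(parts) == 1 and _port_ok(parts[0]):
        return None
    if len(parts) == 2 and all(_port_ok(p) for p in parts) and int(parts[0]) <= int(parts[1]):
        return None
    return f"entry {entry!r} is not a port or low-high port range"


def validate_port_alias(entries):
    """Validate every entry of a port alias; returns a list of (entry, error)."""
    problems = []
    for entry in entries:
        err = validate_port_entry(entry)
        if err is not None:
            problems.append((entry, err))
    return problems


def parse_alias_definitions(rules_debug_text):
    """Parse alias definition lines from rules.debug into {name: [tokens]}."""
    definitions = {}
    for line in rules_debug_text.splitlines():
        m = ALIAS_DEF_RE.match(line)
        if m:
            definitions[m.group(1)] = m.group(2).split()
    return definitions


def missing_ports(rules_debug_text, alias_name, expected_ports):
    """Return the expected ports that are absent from the generated alias.

    This is the check the thread performed by hand with
    'grep openvpn_ports /tmp/rules.debug': compare what the operator
    intended against what the rule generator actually emitted.
    """
    generated = set(parse_alias_definitions(rules_debug_text).get(alias_name, []))
    return [p for p in expected_ports if p not in generated]


# Constructed sample, built from the rules.debug lines posted in this thread.
SAMPLE_RULES_DEBUG = """\
openvpn_ports = "{ 1195 1196 1197 1198 }"
pass in quick on igb0_vlan101 reply-to ( igb0_vlan101 203.0.113.113 ) inet proto udp from {any} to {203.0.113.0/29} port $openvpn_ports keep state label "USER_RULE" # 19dad6bdcf3c406880cc946e28847ec2
"""

# What the operator typed into the GUI: note the stray space before 1194.
GUI_ENTRIES = [" 1194", "1195", "1196", "1197", "1198"]
INTENDED_PORTS = ["1194", "1195", "1196", "1197", "1198"]

if __name__ == "__main__":
    for entry, err in validate_port_alias(GUI_ENTRIES):
        print(f"rejected: {err}")
    print("missing from generated alias:",
          missing_ports(SAMPLE_RULES_DEBUG, "openvpn_ports", INTENDED_PORTS))
```

Run against the constructed sample, the validator rejects `' 1194'` before the alias is ever saved, and the rules.debug check independently reports 1194 as missing, which is the mismatch between the GUI screenshot and the generated ruleset that took several round trips to pin down above. The second check is worth running after any alias edit, since the GUI and the generated ruleset can disagree without any error being shown.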