Today I encountered a Netgate pfSense firewall that had firewall rules set, but the rules were not actually applying to passing traffic. The device was a Netgate 6100 running pfSense 22.01. The situation occurred after an unexpected reboot (the UPS ran out of power during a larger power outage). The appliance powered back up when power was returned. By luck, a SysAdmin tried to log in from a location where he shouldn’t be permitted (by firewall rules), but it worked. By that, I mean it shouldn’t have worked, but did.
We logged this strangeness with Netgate, because either:
- The firewall has a bug. It should solve the issue on reboot but doesn’t, or
- There’s a zero-day security vulnerability. I suspect not in this case.
I flushed states and rules, but it didn’t resolve the issue. I confirmed the firewall rules were “supposed” to be applied (advanced settings, and pfctl -e). There were services running (pfBlocker, snort, etc) that interact with the firewall so I checked there. I stopped and started services. It was after restarting pfBlocker that things started working. I suspect it wasn’t that, so much as something clearing the block in the process of restarting that service. My theory is/was that there was a lock file preventing firewall rules from being (re-)applied. Restarting pfBlocker seems to have removed that block. Again, just a theory.
I was able to confirm if the firewall rules were effective by watching the packet/hit count in the left column of the firewall rules editor (in the pfSense web interface).
For the record, the device details were/are: Netgate 6100, pfSense 22.01.
