
pfSense Firewall Not Enforcing Rules

EDIT: I have seen this more recently where the total number of pfBlockerNG records exceeded the maximum number of rules accepted by pfSense (in Advanced-Firewall). I believe the issue relates to that limitation, which can easily be overcome by increasing the acceptable maximum.

Today I encountered a Netgate pfSense firewall that had firewall rules set, but the rules were not actually applying to passing traffic. The device was a Netgate 6100 running pfSense 22.01. The situation occurred after an unexpected reboot (the UPS ran out of power during a larger power outage). The appliance powered back up when power was returned. By luck, a SysAdmin tried to log in from a location where he shouldn’t be permitted (by firewall rules), but it worked. By that, I mean it shouldn’t have worked, but did.

We logged this strangeness with Netgate, because either:

  1. The firewall has a bug. It should solve the issue on reboot but doesn’t, or
  2. There’s a zero-day security vulnerability. I suspect not in this case.

I flushed states and rules, but it didn’t resolve the issue. I confirmed the firewall rules were “supposed” to be applied (advanced settings, and `pfctl -e`). There were services running (pfBlocker, Snort, etc.) that interact with the firewall, so I checked there. I stopped and started services. It was after restarting pfBlocker that things started working. I suspect it wasn’t that, so much as something clearing the block in the process of restarting that service. My theory is/was that there was a lock file preventing firewall rules from being (re-)applied. Restarting pfBlocker seems to have removed that block. Again, just a theory.

I was able to confirm if the firewall rules were effective by watching the packet/hit count in the left column of the firewall rules editor (in the pfSense web interface).

For the record, the device details were/are: Netgate 6100, pfSense 22.01.
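The EDIT note above points at the table-entry limit, and the troubleshooting steps point at `pfctl`. The script below is an added example, not from the original post, that a defender could run from the pfSense shell to check two things quickly: whether pf is actually enabled (`pfctl -si`), and how close the loaded pfBlockerNG tables (`pfctl -vvsT`) are to the `table-entries` hard limit reported by `pfctl -sm`. It assumes stock FreeBSD `pfctl` output formats; the sample outputs embedded in it are constructed so the script runs offline.

```shell
#!/bin/sh
# Added example: check pf status and table-entry headroom on a pfSense box.
# Assumes FreeBSD pfctl output formats; sample data below is constructed.

# Parse `pfctl -si` output on stdin; print "yes" if pf is enabled, else "no".
pf_enabled() {
    awk '$1 == "Status:" { print ($2 == "Enabled") ? "yes" : "no"; exit }'
}

# Parse `pfctl -sm` output on stdin; print the table-entries hard limit.
table_entry_limit() {
    awk '$1 == "table-entries" && $2 == "hard" { print $4; exit }'
}

# Sum the per-table "Addresses:" counts from `pfctl -vvsT` output on stdin.
table_entries_in_use() {
    awk '$1 == "Addresses:" { sum += $2 } END { print sum + 0 }'
}

# Compare usage to the limit. Returns 1 (and explains) when headroom is gone,
# which is the condition under which a rule reload can silently fail.
# Arguments: used limit
check_headroom() {
    used=$1; limit=$2
    if [ "$used" -ge "$limit" ]; then
        echo "table entries at/over limit ($used/$limit):" \
             "raise Firewall Maximum Table Entries and reload the ruleset"
        return 1
    fi
    echo "table entries ok ($used/$limit)"
    return 0
}

# Constructed sample output (not a real capture) so this runs without pfctl.
SAMPLE_STATUS='Status: Enabled for 0 days 00:05:12           Debug: Urgent'
SAMPLE_MEM='states        hard limit   400000
src-nodes     hard limit   400000
frags         hard limit     5000
table-entries hard limit   400000'
SAMPLE_TABLES='-pa-r-C- pfB_Top_v4
        Addresses:   350000
        Cleared:     Mon Jan  1 00:00:00 2024
-pa-r-C- pfB_PRI1_v4
        Addresses:   60000'

# On a live firewall, replace the samples with: pfctl -si, pfctl -sm, pfctl -vvsT
echo "pf enabled: $(printf '%s\n' "$SAMPLE_STATUS" | pf_enabled)"
limit=$(printf '%s\n' "$SAMPLE_MEM" | table_entry_limit)
used=$(printf '%s\n' "$SAMPLE_TABLES" | table_entries_in_use)
check_headroom "$used" "$limit" || true
```

With the constructed sample the check reports the tables over the limit; on a live box a non-zero return from `check_headroom` is the cue to raise the maximum under System > Advanced > Firewall & NAT before trusting a rule reload.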
