Re: [pfSense Support] OpenBGPD package: excessive } if neighbor does not belong to a group

2009-08-16 Thread Scott Ullrich
On Sun, Aug 16, 2009 at 1:18 AM, Evgeny Yurchenko wrote:
> Again me -(((
> found one more bug in OpenBGPD. When you add/modify neighbor which does not
> belong to any group you get excessive } in bgpd.conf after neighbor{} block.
>
> # diff -rub openbgpd.inc.20090816.bak openbgpd.inc
> --- openbgpd.inc.20090816.bak   2009-08-16 05:09:38.0 +
> +++ openbgpd.inc        2009-08-16 05:10:33.0 +
> @@ -113,8 +113,6 @@
>            $conffile .= "     }\n";
>        }
>      }
> -      if($used_this_item)
> -        $conffile .= "}\n";
>    }
>
>    // OpenBGPD filters
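Review bot: Deleting the if($used_this_item) block removes the only visible place where a top-level "}" is appended after the neighbor loop, so a neighbor that does belong to a group may now leave its group block unclosed in bgpd.conf. The hunk does not show where the group block is opened; rather than dropping the close unconditionally, emit the "}" under the same condition that opened the group block, and check the generated file with both grouped and ungrouped neighbors.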

Thanks, this one is committed.

Scott

-
To unsubscribe, e-mail: support-unsubscr...@pfsense.com
For additional commands, e-mail: support-h...@pfsense.com

Commercial support available - https://portal.pfsense.org



Re: [pfSense Support] pfSense Blocking some traffic

2009-08-16 Thread Joseph Hardeman

Jim Pingle wrote:
> Joseph Hardeman wrote:
>> However I am seeing entries captured in my firewall logs where visitors
>> are being denied per the Default deny rule at the very bottom of the pf
>> rules.
>> My question is why are my explicit rules not capturing the entries
>> before it gets to the last rule?  And also, how can I disable those two
>> rules or can they be disabled?
>
> My guess is that you're really seeing this:
>
> http://doc.pfsense.org/index.php/Logs_show_%22blocked%22_for_traffic_from_a_legitimate_connection%2C_why%3F
>
> And no traffic is actually being dropped.
>
> Jim
  
Very interesting, but definitely makes sense, especially since I can't
seem to get a blocked session to my systems.


Thanks Jim for the link.

Joe

--
This message has been scanned for viruses by Colocube's AV Scanner





Re: [pfSense Support] pfSense Blocking some traffic

2009-08-16 Thread Jim Pingle
Joseph Hardeman wrote:
> However I am seeing entries captured in my firewall logs where visitors
> are being denied per the Default deny rule at the very bottom of the pf
> rules.
> My question is why are my explicit rules not capturing the entries
> before it gets to the last rule?  And also, how can I disable those two
> rules or can they be disabled?

My guess is that you're really seeing this:

http://doc.pfsense.org/index.php/Logs_show_%22blocked%22_for_traffic_from_a_legitimate_connection%2C_why%3F

And no traffic is actually being dropped.

Jim




[pfSense Support] pfSense Blocking some traffic

2009-08-16 Thread Joseph Hardeman

Greetings everyone,

I have noticed some strange behavior, I have setup a Bridge and setup 
specific blocking rules for access to systems behind our firewall, I 
also have explicit access rules for port 80:


   pass in quick on $wan reply-to (em0 GATEWAYIP) proto tcp from any to any port = 80 keep state  label "USER_RULE: HTTP Port Allow Access"


at the bottom of the firewall rules I have this entry to allow 
everything that I am not specifically blocking:


   pass in quick on $wan reply-to (em0 GATEWAYIP) from any to any keep state  label "USER_RULE: Allow Everything Else"



On my internal interface of the bridge I have the following entry:

   pass in quick on $InternalNetwork from any to any keep state  label "USER_RULE"


However I am seeing entries captured in my firewall logs where visitors 
are being denied per the Default deny rule at the very bottom of the pf 
rules. 

My question is why are my explicit rules not capturing the entries 
before it gets to the last rule?  And also, how can I disable those two 
rules or can they be disabled?


Thanks

Joe




Re: [pfSense Support] OpenBGPD package: impossible to edit group in use but it can easily be deleted

2009-08-16 Thread Scott Ullrich
On Sat, Aug 15, 2009 at 7:32 PM, Evgeny Yurchenko wrote:
> 1) When a BGP group is in use it is impossible to modify group's parameters.
> Click 'Save' gives you "Sorry this group is in use... and can not be
> deleted"
> Probably it is intended behavior but then we have to change the error
> message to "... can not be edited" which is not very logical as the idea
> behind using groups is to have some parameters common for all peers
> belonging to this group. If you agree with me please delete this check:
>
> # diff -rub openbgpd_groups.xml.20090815.bak openbgpd_groups.xml
> --- openbgpd_groups.xml.20090815.bak    2009-08-15 22:07:13.0 +
> +++ openbgpd_groups.xml 2009-08-15 22:41:28.0 +
> @@ -111,9 +111,4 @@
>      
>              openbgpd_install_conf();
>      
> -       
> -               $status = check_group_usage($_POST['groupname']);
> -               if($status != "")
> -                       $input_errors[] = "Sorry this group is in use by
> {$status} and cannot be deleted.";
> -       
> 
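Review bot: With the check_group_usage() call removed from this block, nothing visible here stops a save that changes the group's name while neighbors still reference it. If the intent is only to allow editing the parameters of an in-use group, keep the check but run it only when the submitted groupname differs from the stored one, and word the message for that case instead of "cannot be deleted".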
>
> 2) The group can be easily deleted even if it is in use without any impact
> on /usr/local/etc/bgpd.conf which leads to little mess. After that if you
> will edit your neighbor then this neighbor will be excluded from this group
> and thus probably will lose AS number. I could not find a way how to
> prevent this.
> Probably we could create some tag in openbgpd_groups.xml like:
>     
>             $status = check_group_usage($_POST['groupname']);
>             if($status != "")
>                     $input_errors[] = "Sorry this group is in use by
> {$status} and cannot be deleted.";
>     
>
> ... and use it in /usr/local/www/pkg.php before it actually deletes
> parameter:
>
> line 66            if ($a_pkg[$_GET['id']]) {
> +                       if($pkg['custom_php_del_validation'] <> "") {
> +                               $status =
> eval($pkg['custom_php_del_validation'] );
> +                               if ($status != ""){
> +                                   header("Location:  pkg.php?xml=" .
> $xml);
> +                                   exit;
> +                              }
> +                        }
>                      unset($a_pkg[$_GET['id']]);
>                      write_config();
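Review bot: The added branch at line 66 sends header("Location: ...") and exits, so anything the validation code placed in $input_errors is discarded before a page is rendered, which is why no error reaches the user; carry the message across the redirect or render the listing with $input_errors instead of redirecting. $status is also assigned the return value of eval(), which is NULL unless the evaluated code ends with a return statement, and the validation snippet proposed above reads $_POST['groupname'] while this delete path is keyed on $_GET['id'], so the snippet should return its message and take the group name from the entry being deleted. Because eval() executes whatever string custom_php_del_validation holds, make sure it can only come from the installed package definition, and URL-encode $xml before placing it in the Location header.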
>
> ... and it works (it's not deleted) but I can't find a way to tell user
> about the error.
>
> Thanks,
> Eugene
>

Please sign up for a rcs.pfsense.org account and email me the info
off-list.  It is time for you to have a commit bit to be able to push
these changes since you are showing an interest in the BGPD package.

Scott
