
Disabling port forward doesn't close firewall rule

Open Jerroder opened this issue 4 years ago • 9 comments

Important notices

Before you add a new report, we ask you kindly to acknowledge the following:

  • [X] I have read the contributing guidelines at https://github.com/opnsense/core/blob/master/CONTRIBUTING.md
  • [x] I am convinced that my issue is new after having checked both open and closed issues at https://github.com/opnsense/core/issues?q=is%3Aissue

Describe the bug

When adding a port forward rule, a new firewall entry allows traffic to pass. However, when disabling the port forward, the firewall entry isn't disabled; it has to be done separately, manually. When re-enabling the port forward, the firewall must be re-opened separately, manually.

Tip: to validate your setup was working with the previous version, use opnsense-revert (https://docs.opnsense.org/manual/opnsense_tools.html#opnsense-revert) -> It wasn't working on previous versions

To Reproduce

Steps to reproduce the behavior:

  1. Go to NAT -> Port Forward
  2. Add a rule
  3. Go to Firewall -> rules -> WAN
  4. Associated port opened correctly
  5. Go back to NAT -> Port Forward
  6. Disable previously added rule
  7. Go to Firewall -> rules -> WAN
  8. WAN rule still opened

Expected behavior

The firewall rule must be disabled when disabling the port forward.

Describe alternatives you considered

Doing it manually every time.

Screenshots

None

Relevant log files

None

Additional context

None

Environment

Software version used and hardware type if relevant, e.g.:

OPNsense 22.1 (amd64, LibreSSL).
AMD Ryzen 5 3600 6-Core Processor
Network Intel® I210

Jerroder avatar Feb 06 '22 09:02 Jerroder

https://github.com/opnsense/core/commit/f56a224aab1f061e441a715696e164835aed3438 updates the "disabled" flag, although ideally we might consider removing the toggle events from the rules as well as it's still possible to enable/disable the firewall rule from the rules view now. (same is the case for the log flag). Let's keep this for now, making sure the disabled flag cascades is a good idea anyway.

AdSchellevis avatar Feb 06 '22 10:02 AdSchellevis

@AdSchellevis your commit didn't go to master but likely should have? :)

fichtner avatar Feb 07 '22 06:02 fichtner

@fichtner thanks! seems I was indeed on the wrong branch

AdSchellevis avatar Feb 07 '22 08:02 AdSchellevis

Hey, are you sure this is fixed and released? I have just encountered this exact issue in 22.1.8. I am using a few 1to1 NATs but still use the port forwarding page as a convenient shortcut, relying on it to create firewall rules for me. After disabling the NAT rule I had to do some debugging to find out why the port is still open and sure enough, the firewall rule was still enabled.

olewales avatar Jun 17 '22 22:06 olewales

Still a problem for me too.

Jerroder avatar Jun 17 '22 22:06 Jerroder

@AdSchellevis can we re-open this issue?

olewales avatar Jun 20 '22 01:06 olewales

Best check the source file on disk first to see if the change is actually there (I’m not around a PC). If the rule in question is linked and this change is in, we might need to reopen (although I’m quite sure I tested this with a new rule).

AdSchellevis avatar Jun 20 '22 07:06 AdSchellevis

The lines from https://github.com/opnsense/core/commit/f56a224aab1f061e441a715696e164835aed3438 are present on my system, and the rules are linked. I just tried again, added a new one and disabling from the "Port Forward" doesn't disable the WAN rule, even with this change there.

Jerroder avatar Jun 20 '22 08:06 Jerroder

Let’s reopen for now then

AdSchellevis avatar Jun 20 '22 08:06 AdSchellevis