This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

[8.01] Possible Bug in Network Definitions ?

I have encountered a strange bug today. I wanted to define a simple network service (tcp port) for a packet filter rule.

The PF Rule:

Desktop => Allowed_SVC_Group => Any

The Allowed_SVC_Group contains all allowed services and groups for my computer. The total count of the allowed service definitons was 50. After adding the new service definition to the Allowed_SVC_Group i noticed, that packets to that service still were dropped by the PF. At first i thought this was some sort of strange error and tried to reboot the ASG. After successfully rebooting my ASG ALL outgoing packets were dropped by the PF. I restored the last configuration backup, and all was working again. Then i tried again to add the new rule, with the same negative result. This misbehavior is reproducable.
After reducing the amount of service definitions in the group everything worked again, with and without restoring the configuration.

Short: 50+ service definitions in a group seems to brick the ASG's packet filter.

This thread was automatically locked due to age.

Parents

0 ulmi over 15 years ago

this sounds very much like a issue which was fixed in 8.002 (mantis ID 14706): http://www.astaro.com/lists/Known_Issues-ASG-V8.txt
Cancel
Vote Up 0 Vote Down

Cancel

Reply

0 ulmi over 15 years ago

this sounds very much like a issue which was fixed in 8.002 (mantis ID 14706): http://www.astaro.com/lists/Known_Issues-ASG-V8.txt
Cancel
Vote Up 0 Vote Down

Cancel

Children

0 Jack Daniel over 15 years ago in reply to ulmi

Argh- missed that. Thanks ulmi.

Chris, 8.002 is available from our download sites, it is currently in soft-release.
Cancel
Vote Up 0 Vote Down

Cancel
0 ChrisW28 over 15 years ago in reply to Jack Daniel
Hello,

i have not opened a support case, because i was not sure if that is a bug.
The failed service group for WAN Access contains 50+ definitions, a mixture of single ports, port ranges and groups.

I'll list it here:

Group: Allowed_LAN_Svc

=== single ports ===
34 single tcp ports
6 single udp ports
2 both tcp/udp ports

=== protocols ===
1 protocol (icmp-ping)

=== port ranges ===
1 port range with 80 tcp ports
1 port range with 2 tcp ports
1 port range with 10000 udp ports  (for traceroute)
1 port range with 5 tcp ports
1 port range with 75 tcp/udp ports

=== groups ===
1  group, containing 4 single port definitions
1  group, containing 1 port range (2ports tcp/udp) and 1 single port (tcp/udp)

The group Allowed_LAN_Svc is used for two PF rules:

user1 (user network) => this group => Any (using ipsec-l2tp to access the web over a secure connection)
MyGroup (containing my workstation and laptop => this group => Any (WAN)

Total 50 group members for that service group. adding another one causes PF to fail, first still dropping packets for the new member, after reboot dropping ANY outgoing packet. After deleting 10 single port definitions from the failed group and summarizing them to a new group, which i added to the failed service group everything is okay again.

I think it is not the same bug. The PF rule was enabled already, i only added a new member to the service group used for that PF rule.

8.02 is not available atm, my ASG reports (translated from german):

Firmware-Version: 8.001
Patternversion: 20135
Last Check: 10 Minutes ago

I hope you understand what i want to say, my english is not very good [:(]
Cancel
Vote Up 0 Vote Down

Cancel