Core 169 Breaks Blue Access

Not the first core update to break it, but usually just disabling and re-enabling the blue->green rules will fix it. Devices will now connect to green from blue after doing this, but something else is wrong this time. IPF is blocking Samba connections between the two. Four devices, and all now fail to connect to Samba shares when connected to the blue network. All still connect fine to the same shares via ssh/sftp, and connect via Samba when connected through VPN. So, the issue is definitely only with Samba and from blue to green. Any ideas on this?

Also lost the ability to loop back when accessing the WUI from within the network. No problem if by IP, but by domain name it fails.

Have a look at Web User Interface, Firewall / Firewall options / Firewall options for BLUE interface / Drop all Microsoft ports 135,137,138,139,445,1025. Is it ON?

I do not understand this sentence.

Block Microsoft ports was enabled. I checked and disabled before but no change.

The second part is, if I try to access the WUI by my domain name from within my network it fails. Connecting by green IP it succeeds. This was not the case before.

Did you reboot the machine?

Try to make an allow rule in the firewall. Maybe the defaults have changed to a more restricting policy.

EDIT: the second problem, is still confined to the blue network?


On the first issue no, I did not reboot after changing the rule. Seems silly to have to reboot after a minor rule change, but I will give it a try later today.

For the second issue, this is from any zone inside the network, blue or green. Blue is fine, that’s the way it should be, but not green. Also not working on select devices that allow blue to green communication.

If you notice, a red warning is written on the top of the page after you save the setting.


Is it a DNS resolving issue? can you write from the console:

ping ipfire.localdomain

and see the ping working?


DNS works fine. This is the only issue accessing anything by domain name.

Well…I just tried to connect to the firewall from outside my network and it fails to connect as well by domain name. I can ping my domain and get an IP return so DNS is working, just something with IPFIRE.

Finally home to test internal.

Ping to the IPfire machine by hostname is successful from the IPFIRE console via SSH and a laptop on blue.

DNS is working, the appliance simply is not responding. I can probably reinstall then restore from backup. Not much of a solution though.

EDIT 17August22

I finally lost all DNS resolution to the firewall and even external IP access, which may have been lost after upgrade but I just never noticed it. This all forced me to look into these issues.

First thought was to re-install and restore from backup, which I did, to no avail. Interesting. Now, at this point I could have restored a different backup. I store at least one backup per upgrade, but that’s really a last resort. Better to understand what happened and how it broke.

Made sure the external access firewall rule is still present and enabled. Removed the rule and added it again, but still no access, even by known good WAN IP. Started looking over my firewall rules, of which there are more than 40. Some of the rules now showed the right interface and internal IP target, but the port was gone!! IPFIRE had several rules set to forward ALL TCP traffic to one of my servers. That’s just dangerous. IPFIRE opened up ALL ports to this server. All my rules, and everything really on my network, are methodically catalogued. I referenced this and added the proper ports back. IP access restored. Two issues resolved, since I had already fixed the Blue Access issue.

I visited my domain hosting company and looked over things there, where I came across an interesting error with my hostname not resolving. Looking into that, I found IPFIRE was no longer syncing with the site across all five records. I hadn’t changed any of these, so at first I just tried re-entering the login details. Didn’t work. I then removed all the entries and added them from scratch. That worked. Okay, IPFIRE somehow corrupted all the entries on upgrade. All issues resolved. Fresh backup run and stored off the firewall per SOP.
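The post above describes port-forward rules that silently lost their destination port after the upgrade and so forwarded every TCP port to one internal host. A quick way to catch that class of misconfiguration is to audit the live NAT ruleset rather than the web UI. The script below is an added example and is not IPFire's code or the poster's: it parses `iptables -t nat -S` style output (constructed sample lines embedded) and flags any DNAT rule with no `--dport`/`--dports` match. The chain name PREROUTING, the interface ppp0 and the internal addresses are assumptions for the sample; IPFire installs its forwards in its own chains, so adjust the input to whatever `iptables -t nat -S` shows on the box.

```python
#!/usr/bin/env python3
"""Audit a nat-table dump for port-forwards that match every destination port.

Added example for the thread above; not IPFire code. Input is the text of
`iptables -t nat -S` (or `iptables-save -t nat`). Any -j DNAT rule lacking a
--dport/--dports restriction is reported. The sample below is constructed;
chain name, interface and addresses are assumptions, not values from the post.
"""
import shlex
from dataclasses import dataclass

# Constructed nat dump. Rules 2 and 5 are the dangerous "forward everything"
# shape described in the post: a target host but no destination port.
SAMPLE_RULES = """\
-A PREROUTING -i ppp0 -p tcp -m tcp --dport 443 -j DNAT --to-destination 192.168.1.10:443
-A PREROUTING -i ppp0 -p tcp -j DNAT --to-destination 192.168.1.20
-A PREROUTING -i ppp0 -p udp -m udp --dport 1194 -j DNAT --to-destination 192.168.1.30:1194
-A PREROUTING -i ppp0 -p tcp -m multiport --dports 80,443 -j DNAT --to-destination 192.168.1.40
-A PREROUTING -i ppp0 -j DNAT --to-destination 192.168.1.50
"""


@dataclass(frozen=True)
class Finding:
    target: str    # value of --to-destination
    protocol: str  # "tcp", "udp", or "any" when the rule has no -p
    reason: str


def _option_value(tokens, name):
    """Return the argument that follows option `name`, or None if absent."""
    for i, tok in enumerate(tokens[:-1]):
        if tok == name:
            return tokens[i + 1]
    return None


def find_unrestricted_dnat(dump):
    """Return one Finding per DNAT rule that does not restrict the destination port."""
    findings = []
    for line in dump.splitlines():
        tokens = shlex.split(line)
        if _option_value(tokens, "-j") != "DNAT":
            continue  # only port-forwards matter here
        target = _option_value(tokens, "--to-destination") or "?"
        proto = _option_value(tokens, "-p") or "any"
        has_port = any(tok in ("--dport", "--dports") for tok in tokens)
        if proto == "any":
            # Without -p there is no port match at all: every protocol, every port.
            findings.append(Finding(target, proto, "no protocol, so no port match is possible"))
        elif not has_port:
            findings.append(Finding(target, proto, "protocol set but no --dport/--dports"))
    return findings


if __name__ == "__main__":
    for f in find_unrestricted_dnat(SAMPLE_RULES):
        print(f"{f.target:<20} {f.protocol:<4} {f.reason}")
```

Run it against a real dump with `iptables -t nat -S | python3 audit_dnat.py` after swapping `SAMPLE_RULES` for `sys.stdin.read()`; an empty result after a core update is the check worth adding to the post-upgrade routine alongside the backup.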