Firewall rules for IPsec network apparently generated multiple times

Running iptables --list IPSECOUTPUT -n I get ~6.800 lines, most of which is:

ACCEPT esp -- ipfire_IP remote_IP_1
ACCEPT ah -- ipfire_IP remote_IP_1
ACCEPT 94 -- ipfire_IP remote_IP_1

Currently, there are three ipsec connections established. I can see rules for the other two connections multiple times as well, but not nearly as much as for the first one mentioned.

See the full output of # iptables --list IPSECOUTPUT -n (Chain IPSECOUTPUT) on Pastebin.com

I have reloaded the firewall rules via the GUI, so I guess those ipsec rules should have also been rebuilt. Haven’t tried a reboot. Anyhow, if those were to be created the right way on restart, there probably still would be a problem of them accumulating over time.

Has someone noticed this behaviour, too?

IPFire 2.29 (x86_64) - Core-Update 200
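A quick way to check a chain for the accumulation described above is to parse the listing and count identical rules. The script below is an added example for this thread, not IPFire code or part of its firewall scripts. It assumes the plain text format of iptables --list CHAIN -n (a "Chain" header line, a column header, then one rule per line) and also understands the iptables -S CHAIN form, which prints full rule specifications and is the safer basis for comparing rules, since -n listings omit match details. The sample listing and its addresses are constructed; the generated iptables -D commands are only printed, never executed.

```python
"""Detect duplicated rules in an iptables chain listing.

Added example, not part of the IPFire thread or the IPFire firewall scripts.
Parses the text of `iptables --list CHAIN -n` (or `iptables -S CHAIN`),
reports rules that appear more than once, and lists the rule numbers of the
surplus copies in descending order, which is the order in which `iptables -D
CHAIN N` must be run, because iptables renumbers a chain after each deletion.
"""
from collections import Counter

# Constructed sample: a shortened version of a duplicated IPSECOUTPUT chain
# (documentation addresses, not real peers).
SAMPLE_LISTING = """\
Chain IPSECOUTPUT (1 references)
target     prot opt source               destination
ACCEPT     esp  --  192.0.2.1            198.51.100.1
ACCEPT     ah   --  192.0.2.1            198.51.100.1
ACCEPT     94   --  192.0.2.1            198.51.100.1
ACCEPT     esp  --  192.0.2.1            198.51.100.1
ACCEPT     ah   --  192.0.2.1            198.51.100.1
ACCEPT     94   --  192.0.2.1            198.51.100.1
ACCEPT     esp  --  192.0.2.1            198.51.100.2
ACCEPT     ah   --  192.0.2.1            198.51.100.2
ACCEPT     94   --  192.0.2.1            198.51.100.2
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:500
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:4500
"""


def parse_listing(text):
    """Return (chain_name, rules).

    Each rule is the tuple of its whitespace-split fields, e.g.
    ('ACCEPT', 'esp', '--', '192.0.2.1', '198.51.100.1').  The 1-based
    position in the returned list is the rule number iptables uses.
    """
    chain = None
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("Chain "):          # `--list` header
            chain = line.split()[1]
            continue
        if line.startswith("target "):         # `--list` column header
            continue
        if line.startswith("-N ") or line.startswith("-P "):
            continue                           # `-S` chain/policy lines
        if line.startswith("-A "):             # `-S` rule line
            fields = line.split()
            chain = fields[1]
            rules.append(tuple(fields[2:]))
            continue
        rules.append(tuple(line.split()))
    return chain, rules


def duplicate_counts(rules):
    """Map every rule that occurs more than once to its occurrence count."""
    return {rule: n for rule, n in Counter(rules).items() if n > 1}


def surplus_rule_numbers(rules):
    """Rule numbers of every copy after the first, highest number first."""
    seen = set()
    surplus = []
    for num, rule in enumerate(rules, start=1):
        if rule in seen:
            surplus.append(num)
        seen.add(rule)
    return sorted(surplus, reverse=True)


def deletion_commands(chain, rules):
    """Commands that would drop the surplus copies (returned, not executed)."""
    return [f"iptables -D {chain} {n}" for n in surplus_rule_numbers(rules)]


if __name__ == "__main__":
    chain, rules = parse_listing(SAMPLE_LISTING)
    print(f"{chain}: {len(rules)} rules, {len(set(rules))} distinct")
    for rule, n in duplicate_counts(rules).items():
        print(f"  x{n}  {' '.join(rule)}")
    for cmd in deletion_commands(chain, rules):
        print(cmd)
```

Feeding it the real listing (iptables --list IPSECOUTPUT -n > chain.txt, then parse_listing(open("chain.txt").read())) gives a per-rule count, which is more useful for a bug report than the raw line total; the descending rule numbers matter because deleting rule 4 before rule 6 would shift the later rules up by one.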

Hello Lars,

I’ve seen this as well. I haven’t had the time to research the reason but can confirm that it’s been going on for a while - not new in CU 200.

Regards,

Stephen

On my CU198 I can’t second this.

1 IPSec Connection →

[root@XXX ~]# iptables --list IPSECOUTPUT -n
Chain IPSECOUTPUT (1 references)
target     prot opt source               destination
ACCEPT     esp  --  149.xxx.xxx.xxx      178.xxx.xxx.xxx
ACCEPT     ah   --  149.xxx.xxx.xxx      178.xxx.xxx.xxx
ACCEPT     94   --  149.xxx.xxx.xxx      178.xxx.xxx.xxx
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:500
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:4500
[root@XXX ~]#

On my CU200 vm network running with a n2n ipsec connection I also can’t confirm this.

Here is my output.

[root@XXX yyy]# iptables --list IPSECOUTPUT -n
Chain IPSECOUTPUT (1 references)
target     prot opt source               destination         
ACCEPT     esp  --  192.168.26.200       192.168.26.222      
ACCEPT     ah   --  192.168.26.200       192.168.26.222      
ACCEPT     94   --  192.168.26.200       192.168.26.222      
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:500
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:4500

Core-Update 201 Development Build: master/7f0ed6b7
Core-Update 201 Development Build: master/a5909296

IPSec N2N

iptables --list IPSECOUTPUT -n
Chain IPSECOUTPUT (1 references)
target     prot opt source               destination         
ACCEPT     esp  --  a.b.c.d          u.v.w.y       
ACCEPT     ah   --  a.b.c.d          u.v.w.y       
ACCEPT     94   --  a.b.c.d          u.v.w.y       
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:500
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:4500

Regards

Hello,

I pushed a fix for this here:

Please install the development build as soon as it becomes available and let me know if this fixes the problem.

@ms Great catch!

I’m on vacation next week, and will try to apply the changes to our version afterwards.