DNAT created Automatic Firewall Rule is missing services when viewed in Edit

After creating a DNAT rule with Automatic Firewall Rule selected, examining the automatically created firewall rule (via Edit) shows the Services section of the firewall rule blank.

Is this a UI error, or is the rule in fact not limited to the service that was specified when creating the DNAT rule?

Thanks for any assistance you are able to provide!



BTW - "External SSH" in the DNAT rule is a non-default internet facing port used for incoming SSH sessions.

  • Have you tried to create a firewall rule by Hand and leave automatic blank? If you scan your internal target server form the outside (Internet)are there any other services reachable?

  • Hi SY and welcome to the UTM Community!

    The first thing I would do is try a different browser or clear your browser cache.

    If the result is still the same, we can determine whether or not it's a UI glitch by checking the configuration data base.  I'm guessing at the name of the NAT object, but it should be right.  As root at the command line, paste the following command:

    cc get_object_by_name packetfilter nat 'External SSH from Any to External (WAN) (Address)'|grep auto_pf_in

    That should give you the REF_ of the automatic firewall rule.  I'll guess it's REF_PacPacExterFromAny, but you'll know what to change in the following to see the REF_ of the service in the firewall rule object:

    cc get_object  'REF_PacPacExterFromAny'|grep REF_SerTcp

    I'll guess that you see REF_SerTcpExternaSsh, so if it's not empty, this is a UI issue and you're the first to report it - that's why I suspect your browser cache.

    Please report your results!

    Cheers - Bob

  • In reply to BAlfson:

    Sorry for the delay - here's the update:

    Trying your first line doesn't give any result.  Dropping the grep gives an output of "0".

    In case there being a space in "External SSH" was causing a problem, I changed the name to External_SSH.  It made no difference.

    I'm logging in at the console since I haven't set up ssh access for root, if that makes a difference.

    Thanks for the help.

  • In reply to BAlfson:

    If it's a UI bug, it has nothing to do with browser cache.  I tried accessing the WebAdmin page using both Firefox and Chrome (both under Linux), and in both cases the service area is blank.

    Taking a shot in the dark (I'm running the software in a VM with snapshots that I can roll back if I break anything) I did a little digging around and tried to dig out the information by using cc interactively.  Here's what I did, which may or may not be what was needed.


    This displays: REF_PacNatExterSshFrom[External SSH from Any to External (WAN) (Address),packetfilter,nat]

    Hitting enter at this point displayed several lines.  The one with auto_pf_in contains REF_PacPac16553FromAny

    Exiting out of cc and doing a cc get_object 'REF_PacPac16553FromAny' includes the following partial result:

    'services' => [

    I have no idea what these results mean and would appreciate any explanation that you can give.

    Thank you.

  • In reply to SY Lerner:

    That looks like your "External SSH" object's REF.  Based on that, I assume that it's TCP 1:65535->2222.

    This means that the service is in the DNAT object so there's some problem with displaying it.

    You've proven that it wasn't the browser cache, but I've not heard of this glitch like this before, so I doubt it's a bug.  I guess some of the magic blue smoke got out of your computer. ;-)

    What happens if you delete this DNAT and create a duplicate?

    Cheers - Bob

  • In reply to BAlfson:

    I deleted the old DNAT and the custom objects in use.

    I created some new objects and created a new DNAT with an automatic rule. The purpose of the DNAT is to map a non-standard external port to the SSH port on a particular PC on the internal network.

    Clicking edit for the DNAT generated automatic firewall rule shows sources and destinations populated and services blank, as was the case initially.

    I suspect that there haven't been too many people clicking edit on automatic firewall rules.


  • In reply to SY Lerner:

    Again, guessing at the name, try

    cc get_object_by_name packetfilter packetfilter 'External SSH from Any to External (WAN)(Address)'

    The name might be 'SSH from Any to Target', but I would expect the above and for you to see the REF_ for SSH in the 'services' field.

    Cheers - Bob