@SteveITS A little snooping (thanks for tip), I may have found the culprit. Now to see if I can fix it. The logs told me what was happening.
CINS_army_v4,lb02.groups.io,Unknown,null,+
CINS_army_v4,lb02.groups.io,Unknown,null,-

I unchecked/shut off the CINS_army feed and did a reload. That appears to have solved the issue. I'm just concerned why it was blocked recently. I don't stay up on some of this stuff, but even my work environment didn't block groups.io (and they block a lot).

@smolka_J No tweaking , i don't like that.

@johnpoz Thank you for the detailed and quick reply! I'm still looking at it to ensure I understand.
@ahking19 I did understand your message, and I created the firewall rules myself, as opposed to auto. Thank you.

@Beerman Some form of fix will be but may be in a different area or dependency package that pfBlockerNG uses. That line wasn't present in 3.2.0_8 and earlier versions of the pfblockerng.inc so I'm assuming something had changed in the magic database file(s) that's used to determine mime types. I have a similar error on feed PRI4_v4 - CCT_IP_v4 https://cybercrime-tracker.net/fuckerz.php that is coming up invalid Mime Type application/javascript, while the same feed is working fine on my CE VMs on pfBlockerNG 3.2.0_8. Tried adding a line with 'application/javascript' but that didn't do anything for it specifically

They had an earlier post about the upcoming changes as well which kinda explains it better:
https://blog.snort.org/2024/08/upcoming-changes-to-snortorg-sample-ip.html

My plus Offers me upgrade to 3.2.0.10 Is that safe? Or should I stay on 3.2.0.9

@michmoor said in pfblocker - speed up search:

I cant speak for @Gertjan but

just looking at the various screen captures provided the return expectation of @Gertjan is at least 500 results. That means on whatever search you are doing please return the most recent 500 that match. For alerts in particular if all (4) sections of the report have the same return value limit and you are searching you are telling each section to return 500 results. Could generate a lot of reading and then looking up related "stuff" to do that on top.

Screen Shot 2024-09-20 at 6.15.34 PM.png

if you are looking for DNSBL set that field to 50 to start, set the other 3 to 0
Screen Shot 2024-09-20 at 6.43.57 PM.png

for the alerts report Unified setting and DNS Reply setting will have no impact
this is how the 6 return value settings line up to the 3 reports.

Screen Shot 2024-09-20 at 6.46.14 PM.png

Sorry the IP Permit and IP Match both go to Alerts, made the green lines too wide and the overlapped. Honest there are 4 green lines there... 😊

Hi all,

since I deleted the files and de-installed watchdog no more errors occurred in the last 24 hours (which included a few cron jobs by pfblocker) so things seem to be fine again.

Oh, and yes, I have been running the python mode before (and still am) on DNSBL.

thanks again for helping.

@SteveITS
I tried both - Update and Reload. I'm just wondering that not all of the domains in my list where blocked.

Edit:
I tried again. The first time nothing happened. I tried again a reload for all and then:

-1th webpage got an certificate error "net::ERR_CERT_AUTHORITY_INVALID" (the certificate had the pfSense details inside)

-all other webpages are working^^

For me seems that this plugin/plugin is absolutely broken

@Squuiid @BBcan177
Just me:
Unbound python mode

but:
I increased my system's RAM to 32GB

978225a9-c315-41c3-b214-b111040959ea-image.png

87fbc299-5850-4cde-b265-46f202a8a5f5-image.png

my values:

8ea18e9d-125d-4998-a4d0-00261300bf87-image.png

I increased my system's RAM to 32GB

e5069e5e-b473-4c91-b1e8-a2e3898316cb-image.png

@anubhav if you forward, you should not have dnssec enabled - where you forward is either going to do dnssec for you, like googledns or cloudflare, etc. or they won't like my 4.2.2.2 example

enabling dnssec and forwarding is just going to lead to problems.

And if your going to forward, if you want dnssec all the NS that you have listed to forward to should be doing it, or you can have different results depending on which actual NS got asked. Or if you don't want it - then all the NS you forward to shouldn't be doing it.

@michmoor There was a thread several months back…I think it boiled down to the update running (by schedule) on the secondary while the sync was still happening. But I don’t think there’s a way around that because the schedule setting is synced. We see it every couple months. I eventually set the pfB update to be a bit more frequent so it would fix itself.

💡 there it is

so as I expected that reboot is causing these 'Unknown' records to be added to the ip_cache database.

When the system is starting up
the filter starts blocking (as it should)..
but the "lists" that pfB would be using are not available (I think this is primarily where tmpfs is memory based - I need to test this on a virtual using disk not ram disk someday - lol)
so when the process goes to look it up of course they are Unknown.

The problem is the "Unknown" entries are being written to the cache and then
subsequent hits from the same IP lookup it up in the cache and find unknown.
even if the underlying list might now be available, it will read the "unknown" from cache and use that. - That's the problem

There is a better way, pondering, but for now the simple solution is don't cache "unknown"

$stmt->execute();

becomes this

if ($pfb_query[0] != 'Unknown') { $stmt->execute(); }

Now the records won't be cached (still blocked and reported that way during the startup process) but as soon as the underlying data is correct the records start caching with IP address again. - Confirmed by doing...

I'm ok with a couple of hundred block records saying unknown during the boot process, but then using the cached "unknown".. not so good.

Now it occurs to me as well, that the ip_cache appears to only get flushed on a reboot, but the underlying lists used by pfBlocker could change. An IP that was listed and therefore blocked yesterday, may have been removed from a list and therefore should not be cached against the previous list. ie a) it is not on a list anymore (not blocked) and/or b) it is on a different list and should not be listed against the old one (or both)

I'm thinking that when you see this

408 addresses added.337 addresses deleted.

you don't need to worry about the "added" ones - they will cache if/when used.
but the deleted ones (337 in this case) should be removed from the cache if they are there..
The quick solution here might be simply flush the entire cache and just let it start over, like on a reboot. I'm not seeing that it currently does either.(a seek and delete or a flush)

If you reboot often the cache is flushed every time you do, but if you typically run for weeks (like here) the cache will become bloated with IPs that may or may not be what they currently are.
The mechanism to remove stale ones and "update" existing one with fresher info doesn't seem to be there/work IMHO

Pondering continues.. Still need to look at the reports but I don't believe they use the cache and likely shouldn't, you want to report on what happened at that time (from the record) not what happened from a stale or incorrect cache. etc etc

Cheers

@Gertjan

Thanks for all the info :) I'll likely follow up with the point of just blocking all http traffic and call it a night..

The curious side of me just keeps on.. wireshark isn't doing much here and results are inconsistent making it hard to pin down.

I have limited the scope while troubleshooting, and stayed on the default ports. I have selected only my LAN VLAN 192.168.10.x for the Web Server Interface, along with only allowing LAN for the permit/ping IP floating rules. I can see they are created and are in the right order. There are 2 scenarios that play out here;

--After changing Web Server Interface from localhost to LAN, but before Update>Reload>DNSBL--

The VIP page will display with the correct evaluated domain/feed and remains accessible, after i have changed the Web Server Interface from localhost (80/443) to LAN (80/443), browsing both 10.10.10.1 and http://ib.3lift.com/ (StevenBlack_ADs) The VIP page will not display on 127.0.0.1 I cannot ping 10.10.10.1 I cannot curl 10.10.10.1 - terminal hangs I can ping 127.0.0.1 I can curl 127.0.0.1 - output as working previously attached.

--After changing Web Server Interface from localhost to LAN, after Update>Reload>DNSBL--

The VIP page no longer displays browsing both 10.10.10.1 and http://ib.3lift.com/ (StevenBlack_ADs) The VIP page will not display on 127.0.0.1 I can ping 10.10.10.1 I can curl 10.10.10.1 - output as working previously attached I can ping 127.0.0.1 I can curl 127.0.0.1 - output as working previously attached.

The change seems to happen around the time that the log shows TLD finalize on the reload task (attached)

Reload.JPG LAN only - before DNSBL reload.JPG LAN only config.JPG

@jrey can you share how you are sending DNS data to graylog ?
I've trying to accomplish that without any success.

@pfsense4me1 there is something wrong with the base pfSense install. Take a backup config, install. Do a fresh install and restore the backup config file.

hey @BBcan177, thanks for the reply.

no, i mean the feed is long since completely deleted from the pfB instance, doesn't appear anywhere under the Feeds tab—but its name is somehow still being referenced by current logging.

that's why i'm trying to determine from where/what that specific field of the unified.log is referencing. where i've indicated "[DELETED CUSTOM FEED NAME]" is where the completely deleted custom feed's old name is printed. (i.e., the 17th value/field of the unified.log line.)