@gertjan said in py_error.log errors: maxmindb and _sqlite3 modules not found:

But sometimes I (re) discover that the GUI does have it's advantages.

I agree with this, pfS GUI is sophisticated, but there are some things it can't even do... 😉

@steveits

I disabled many things of pfBlocker NG (which is the latest version)

I think my guess was right, the rules were not correctly (re-)loaded because of the IPv4 + IPv6 Alias which pfBlockerNG (DNSBL) automatically generates.

Editing these aliases is evil (and does not really work permanently) so I disabled the DNSBL feature and now everything (re-)loads fine....

Cheers

4920441

@marc05 yes indeed, if the rule exists it is checked against it, unless you match with a quick rule then it stops matching further at that point. Advantage of floating rules you can make them quick rules. If you want to reduce the checks you would want to prune rules or try consolidate them etc. or structure quick rules for known good traffic.

Anyone? No one? pfSense is allowing stuff to bypass the firewall if it's whitelisted in SquidGuard and no one is alarmed about that?

@ronpfs said in Resolver Live Sync:

@stewart Resolver Live Sync is using unbound-control(8) to modify unbound internal database instead or restarting unbound.

Glad to hear that. Is anything lost or does anything change that we would see? Or is it all back-end and everything presents the same to the users? I assume we check that box and all we see is that Unbound doesn't restart as often.

I have this issue also with pfblocker and the Amazon app (Android). I whitelist the domains that I saw in the report log but I still have the dog screen come up stating "UH-OH Something went wrong on our end." What's odd is that this only happens when searching and it only happens when searching certain terms. Has anyone found the exact domains to whitelist? (aan.amazon.com did not do it for me)

@jegr yes Ive had that checked. been running Pfblocker for the past 3 upgrades on the same pf instance.

i have the same error to after upgrading from 2.5.1 to to 2.5.2

@gertjan Thank You.

Works great!!

If you have nothing running on 80, it shouldn't be a problem - but that alias is every IP on your firewall. For such a rule it would be bad practice to use such an alias.

Would you mind PM the domain your using for acme - curious to see who the SOA is for this domain.

I have made the changes in this thread related to the 2.5.2 upgrade and pfBlockerNG. I think the issue is now fixed

https://forum.netgate.com/topic/165000/error-loading-firewall-rules

@talaverde said in py_error.log after 2.5.2 upgrade:

have to figure out which of many entries

I'll help you.
It's here :

@talaverde said in py_error.log after 2.5.2 upgrade:

2021-07-09 19:49:33,438|ERROR| [pfBlockerNG]: Failed to load: pfb_py_zone.txt: 'ascii' codec can't decode byte 0xe2 in position 1176: ordinal not in range(128)
2021-07-09 19:49:40,059|ERROR| [pfBlockerNG]: Failed to load: pfb_py_whitelist.txt: 'ascii' codec can't decode byte 0xe2 in position 3755: ordinal not in range(128

With an editor like Notepad++ you could fine it easily.

@steveits
Thank you. Indeed this works nicely.
Probably you overwrote that change with the upgrade to 3.0.0_16 ?

If this code change will be added in the next version, I suggest to also add a hint that an empty license key will deactivate all GeoIP auto updates...

Regards
Dennis

@BBcan177 Ohhhhhh I see.

"Alias Deny" doesn't create an alias and set deny rules........ I had to actually tell it to Block instead of create an Alias then it made the rules.

To confirm then, what is the point of "Alias Deny"??? I get it makes the Alias, but what does it deny?

@tdgrant said in Errors after upgrade to 2.5.2:

Thank you, Fireodo!

Glad I could help ...