root's crontab rc.filter_configure_sync added after force pfblockerNG
-
I have an SG-4860 running pfsense 22.01-RELEASE with pfBlockerNG-devel 3.1.0_1.
I applied the patch to fix the IP block logging not working which fixes the IP block logging issue.
https://www.reddit.com/r/pfBlockerNG/comments/sk9txi/ip_block_logging_not_working_pfsense_260rc/hvv99s1/?utm_source=reddit&utm_medium=web2x&context=3
After running a forced update to pfblocker, /etc/crontab has an additional entry:
0,15,30,45 * * * * root /etc/rc.filter_configure_sync
I can comment out the line, run a force update in pfblocker, and the above line will return. A timestamp located above the block of entries matches the end of the pfblocker update run. For example:
# pfSense specific crontab entries
# Created: February 24, 2022, 10:29 pm
I don't know exactly when this entry originated. However, I updated to 22.01 on February 18. Yesterday, I observed 1+ second ping spikes every 15 minutes and diagnosed them to the entry in /etc/crontab.
Does anyone know why this line would be added to /etc/crontab in the first place? Is this a pfblockerng issue?
I have not uninstalled and reinstalled pfblockerng-devel; I hope to avoid that but am willing to as a last resort. I believe this entry is not re-added during the scheduled cron of pfblockerng updates.
Also: I have pfsense CE 2.6.0-RELEASE on a protectli device running the same pfblockerng-devel and the same IP block logging patch applied. That setup does not have the offending entry in /etc/crontab nor does the entry get added during a force update.
Any clues, thoughts or suggestions?
Thanks!
-
From inspection of the pfsense source code, I have traced things down to this line being installed due to time based rules. If this means rules that have a time to enable/disable, then it's not new for my rule set. And this line has never been in /etc/crontab "indefinitely" in the past (b/c ping spikes every 15 minutes were not encountered - or maybe the spike was low enough to be overlooked).
pfsense/etc/inc/filter.inc filter_configure_sync() .. appears to call filter_tdr_install(true) if time_based_rules is true; filter_tdr_install_cron() does the evil deed..
-
https://redmine.pfsense.org/issues/11636
the outcome of the action described in here is exactly the issue I'm seeing..
this issue is referenced in pfsense/etc/inc/filter.inc -
I removed the schedule from all firewall rules that had a schedule and now pfblockerng updates (and all else) do not add the undesirable entry to /etc/crontab.
I shall not make use of scheduled rules. Probably the high ping spike is due at least in part to the number of rules.
-
This is reported here: https://redmine.pfsense.org/issues/12827
Forum discussion: https://forum.netgate.com/topic/169955/latency-spikes-during-filter-reload-ce-2-6-0
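
Added example, not part of any post above and not pfSense or pfBlockerNG code: a small audit that checks whether an active root cron entry for rc.filter_configure_sync is accounted for by firewall rules that reference a schedule, which is the link traced in the thread. It assumes a scheduled rule shows up in config.xml as a non-empty `<sched>` element; the function names, the schedule name and the sample files are constructed for illustration.

```shell
# Added example. All sample data below is constructed.
# Assumption: a scheduled rule carries a non-empty <sched> element in config.xml.

# Print active (uncommented) crontab lines that run rc.filter_configure_sync.
sync_cron_lines() {
    grep -v '^[[:space:]]*#' "$1" | grep 'rc\.filter_configure_sync' || true
}

# Count config.xml lines that hold a non-empty <sched> element.
scheduled_rule_count() {
    grep -c '<sched>[^<][^<]*</sched>' "$1" || true
}

# Classify the cron entry: absent, explained by scheduled rules, or not.
audit() {
    lines=$(sync_cron_lines "$1")
    count=$(scheduled_rule_count "$2")
    if [ -z "$lines" ]; then
        echo "clean"
    elif [ "$count" -gt 0 ]; then
        echo "explained:$count"
    else
        echo "unexplained"
    fi
}

# Write constructed sample files into directory $1.
make_samples() {
    cat > "$1/crontab" <<'EOF'
# pfSense specific crontab entries
# Created: February 24, 2022, 10:29 pm
#0,15,30,45 * * * * root /etc/rc.filter_configure_sync
0,15,30,45 * * * * root /etc/rc.filter_configure_sync
EOF
    cat > "$1/config_sched.xml" <<'EOF'
<filter>
  <rule><type>pass</type><sched>ExampleHours</sched></rule>
  <rule><type>block</type><sched></sched></rule>
</filter>
EOF
    # Same rule set with every schedule reference removed.
    sed '/<sched>/d' "$1/config_sched.xml" > "$1/config_plain.xml"
}

demo_dir=$(mktemp -d) && make_samples "$demo_dir"
audit "$demo_dir/crontab" "$demo_dir/config_sched.xml"
audit "$demo_dir/crontab" "$demo_dir/config_plain.xml"
```

On a firewall, `audit` would be given /etc/crontab and the live configuration file (assumed here to be /cf/conf/config.xml); an "unexplained" result means the root cron entry has no scheduled rule behind it and deserves a closer look.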