3.1.0_6 UPDATE

A Former User

@jmv43-0
I really think the is owed to the different versions of pfSense
2.6 stable and 2.7 devel and on the other side pfblocker-ng
as stable, 3.1.0_4, 3.1.0_5 and actual 3.1.0_6. So the patch is
really unique and must match exactly to the versions you
installed. Or better said it should be clear and save that this
patch is also matching whatever combination you have installed. At my site it was pfs+ (22.05) together with
pfBlocker-NG devel 3.1.0_6 (upgraded to it before ~24 hours)

But finding it really out for me was not so easy until the post from @SteveITS he wrote below my post.

Gertjan

@dobby_ said in 3.1.0_6 UPDATE:

All numbers are normal again since that "patch".

That "load average" and swap usage, are these current numbers ? Or from before ?

A Former User

@Gertjan

That "load average" and swap usage, are these
current numbers ?

This are the current numbers after applying the patch!

Or from before ?

And this are also the numbers before I updated pfSense (pfs+ 22.05) to pfblockerng (3.1.0_6), after upgrade to pfblockerng 3.1.0_6 I got nearly 50 % Swap usage and something around +/-91 % RAM usage, and CPU was
spiking up to something around 60% - 80%.

Gertjan

@dobby_ said in 3.1.0_6 UPDATE:

This are the current numbers after applying the patch!

When the swap space start to get used, see that as a signal that your device, starting with memory, can't cope any more.
Two solutions :
Lower significantly the work load.
Double your memory and CPU.

A Former User

@gertjan

When the swap space start to get used, see that as a
signal that your device, starting with memory, can't
cope any more.

Ok that is right, but in normal the half of the ram and
swap is free and this over a long time only if ClamAV,
snort and pfblocker-ng are updating the lists and rules
it goes here and there nearly 70 % of both, but after the update it goes back to the above shown levels.

Two solutions :
Lower significantly the work load.

Could be the way for me, I run Snort, Squid & SquidGuard,
and pfBlocker-NG plus ClamAV on a PC Engines APU4D4.
In the future it comes on top of all, WiFi with Captive Portal and FreeRadius.

Double your memory and CPU.

In the near future this is planed for the whole setup.
Only some MacBooks, 1 PC and 1 Laptop at home usage.
So I really don´t know what to take I am between some
different solutions and not at the moment ready to chose.

But thanks anyway for the tip, you were right with the ram
and cpu load. The older APU will then be a GPS based NTP
and OpenLDAP server with some other services for the LAN.

Gertjan

@dobby_ said in 3.1.0_6 UPDATE:

Snort, Squid & SquidGuard, plus ClamAV

Just for my own curiosity : knowing that 99,x % of all traffic is TLS these days, so the traffic payload is completely random for pfSense, what should ClamAV do ? Scanning virus in the packet headers ?

A Former User

@gertjan said in 3.1.0_6 UPDATE:

what should ClamAV do ? Scanning virus in the packet headers ?

I use Squid as a caching-proxy and let ClamAV do the av scanning on it.

Gertjan

@dobby_

Ok, that's the way to do it ;)

keyser

@mcury said in 3.1.0_6 UPDATE:

@steveits said in 3.1.0_6 UPDATE:

came out the other day but only for 2.6 apparently.

It is also available for plus, updated yesterday.

I wonder whats going on here… Rumors have it that it is Netgate that maintains this package now and @BBcan177 is no longer on board.

Regardless if that is true or not, it makes less than NO sense to release not one but two minor fixes of the package where the most glaring obvious bug i still present.
Has the package been hijacked, and is now delivering malware instead?

We need some proper information about these release from whoever is responsible for the included changes and who approved it.

fireodo

@keyser

Hi,

as far as I can see, has the content of pfblockerng.inc between line 4136 and 4142 completely been reworked (that was the part that made the problems
https://redmine.pfsense.org/issues/13154 )

But I agree - a clarification from Netgate or whoever would be very much appreciated!

Regards,
fireodo

A Former User

@keyser

Has the package been hijacked, and is now delivering
malware instead?

Why? Because Netgate is now the maintainer? Then you could not trust the whole system (pfSense) and this makes
no sense for me. If I trust someone (Netgate) and use his entire system I will also trust them if they (Netgate) maintain a package!

We need some proper information about these release
from whoever is responsible for the included changes
and who approved it.

Thinking one step ahead please, it is better in my eyes getting the hands on a package that is available and present, then one is not maintained any more!

I will be more lucky with a patch, given in a short time
that is working, I mean it is better then watching out the whole ticket parade and not patch is available.

keyser

@fireodo said in 3.1.0_6 UPDATE:

@keyser

Hi,

as far as I can see, has the content of pfblockerng.inc between line 4136 and 4142 completely been reworked (that was the part that made the problems
https://redmine.pfsense.org/issues/13154 )

But I agree - a clarification from Netgate or whoever would be very much appreciated!

Regards,
fireodo

If that is completely reworked, why does it still suffer the same issue then? I haven't updated yet because of this, and as far as I can tell people are still applying the same "fix" by removing the ")" in line 4136. So something is still the same in that section.

keyser

@dobby_ said in 3.1.0_6 UPDATE:

Why? Because Netgate is now the maintainer? Then you could not trust the whole system (pfSense) and this makes
no sense for me. If I trust someone (Netgate) and use his entire system I will also trust them if they (Netgate) maintain a package!

Yes, I agree, if Netgate took over I still trust it although this release without release notes and with the bug still present does shake my confidence a bit.
But the question is: Is netgate the maintainer now? We have no information, and theoretically this update could come from some other source and was accidentally approved without throrough review (Given the bug is still there, I'm guessing there has been no review.....)

We need some proper information about these release
from whoever is responsible for the included changes
and who approved it.

Thinking one step ahead please, it is better in my eyes getting the hands on a package that is available and present, then one is not maintained any more!

I will be more lucky with a patch, given in a short time
that is working, I mean it is better then watching out the whole ticket parade and not patch is available.

Ehh no. The 3.1.0_4 build was supported up until recently by BBCAN, and until pfSense has made a new release (2.7/22.11) another pfBlockerNG-devel release is not needed unless it fixes the problem _4 had.

fireodo

@keyser said in 3.1.0_6 UPDATE:

I haven't updated yet because of this, and as far as I can tell people are still applying the same "fix" by removing the ")" in line 4136. So something is still the same in that section.

I saw the modifications in 3.1.0_6 FOR pfsense 2.6.0 - I dont know if that is also the case in pfsense+ 22.05!
(the previous version 3.1.0_5 for 2.6.0 still had the issue in line 4136)

Gertjan

Read How to unblock duckduckgo and find why it's being blocked.

BB is still there

And @keyser

fireodo

@gertjan said in 3.1.0_6 UPDATE:

Read How to unblock duckduckgo and find why it's being blocked.

I saw that Thread and it was nice to see that he is still implicated in pfblockerng ...

jdeloach

@keyser said in 3.1.0_6 UPDATE:

@dobby_ said in 3.1.0_6 UPDATE:

But the question is: Is netgate the maintainer now? We have no information, and theoretically this update could come from some other source and was accidentally approved without throrough review (Given the bug is still there, I'm guessing there has been no review.....)

Ehh no. The 3.1.0_4 build was supported up until recently by BBCAN, and until pfSense has made a new release (2.7/22.11) another pfBlockerNG-devel release is not needed unless it fixes the problem _4 had.

What problem did _4 have? I am a long user of this package and was not aware of any bugs/issues.

Gertjan

@jdeloach said in 3.1.0_6 UPDATE:

What problem did _4 have?

Scroll to the top, start reading ;)

@keyser said in 3.1.0_6 UPDATE:

and as far as I can tell people are still applying the same "fix" by removing the ")" in line 4136.

jdeloach

@gertjan said in 3.1.0_6 UPDATE:

@jdeloach said in 3.1.0_6 UPDATE:

What problem did _4 have?

Scroll to the top, start reading ;)

@keyser said in 3.1.0_6 UPDATE:

and as far as I can tell people are still applying the same "fix" by removing the ")" in line 4136.

I don't see any issues listed in any of the messages, that I have ever had. Granted I don't use Netgate hardware and only run CE 2.6.0. Swap space is always 0% and CPU usage is never spikes above about 3%.

By the way I'm running Snort as well as pfBlockerNG.

BBcan177

Before the pitch forks come out... I am still here and nothing has changed but its been challenging lately ... working on a release which should hopefully be available later this week or next week for the 2.6 and 2.7 branches. Thanks for the patience!

Its been quite a ride since 2014:
https://twitter.com/BBcan177/status/1354556985652506624