PfBlockerng 3.1.0.9 error - does not save Custom DST Port alias

cjbujold · Dec 21, 2022, 5:03 PM

Unable to create a Whitelist in IP Advanced Inbound Firewall Rule Settings.

When you enter an alias in the Custom DST Port field the alias is never saved causing an error and inability to create the whitelist.

The alias contains 2 ports, 80 and 443.

login-to-view

BBcan177 · Dec 21, 2022, 9:15 PM

@cjbujold
When using the Custom DST Port settings, you can't leave the protocol to "any". This is something internal to how pfSense/FreeBSD handles the rules, and doesn't allow "any" for the protocol when adding Port definitions.

Its in the Note there:

Note: Do not use 'any' with Adv. Inbound Rules as it will bypass these settings!

And on save

"Settings: Protocol setting cannot be set to 'Default' with Advanced Inbound firewall rule settings."

Tzvia · Dec 21, 2022, 9:21 PM

@bbcan177 I have the same problem. IP block settings. Set to block in both directions, but only want it to block incoming on specific ports. I had this setup and working on 3.1.0.5, but updating to 3.1.0.9 blanked out my alias from the inbound settings. I have no need to block with PFBLOCKER, what the firewall will do as a matter of course, except for a few ports that I have open for a VPN. But I can't set it to do that and have posted here maybe 4 days ago...

cjbujold · Dec 21, 2022, 9:37 PM

Not using "Any" using TCP only and Alias will not stay.

BBcan177 · Dec 21, 2022, 10:46 PM

@cjbujold ok I will check it out. Thanks.

cjbujold · Dec 28, 2022, 3:34 PM

Rebooted PFsense and getting this error if this can help.

There were error(s) loading the rules: /tmp/rules.debug:299: macro 'pfB_WhiteList_v4' not defined - The line in question reads [299]: block log quick on { igb0 } inet proto tcp from $pfB_WhiteList_v4 to any ridentifier 1770009684 flags S/SA label "USER_RULE: pfB_WhiteList_v4 auto rule" label "id:1770009684"
@ 2022-12-28 10:57:44

Bob.Dig · Jan 1, 2023, 5:10 PM

Today I also hit this. No port is saved and that is kinda problematic. I will have to turn off logging for that rule to not get flooded.

BBcan177 · Jan 1, 2023, 5:10 PM

@bob-dig @cjbujold

See the patch here and report back pls.

From the Shell or pfSense GUI > Diagnostics > Command Prompt > Execute Shell Command, run this command to download the patch.

curl -o /usr/local/www/pfblockerng/pfblockerng_category_edit.php "https://gist.githubusercontent.com/BBcan177/1a33c42d0a61f3ddd9c2f1b1d514ed83/raw"

Bob.Dig · Jan 1, 2023, 5:26 PM

@bbcan177 said in PfBlockerng 3.1.0.9 error - does not save Custom DST Port alias:

See the patch here and report back pls.

Thanks @BBcan177 , that has fixed it for me!

tman222 · Jan 1, 2023, 7:22 PM

Happy to report as well that the patch above resolved the issue with the Custom DST Port entry not saving under Advanced Inbound Firewall Rule Settings. Thanks @BBcan177 for the quick fix.

aumuelle · Jan 1, 2023, 8:37 PM

patch fixed it for entries in ipv4 - but not for geoip
anyone else seeing this?

BBcan177 · Jan 1, 2023, 8:38 PM

@aumuelle I will address that also. Ran out of time today

Tzvia · Jan 2, 2023, 3:30 AM

@bbcan177 said in PfBlockerng 3.1.0.9 error - does not save Custom DST Port alias:

curl -o /usr/local/www/pfblockerng/pfblockerng_category_edit.php "https://gist.githubusercontent.com/BBcan177/1a33c42d0a61f3ddd9c2f1b1d514ed83/raw"

Working here- input my port-alias and the setting stuck- and the REPORTS/ALERTS calmed down and I am only seeing inbound alerts on the ports listed in my alias.

cjbujold · Jan 2, 2023, 1:28 PM

That fixed the issue, Thanks

lsarakinos · Jan 3, 2023, 10:56 AM

Thank you @BBcan177
Patch fixed the problem

Bob.Dig · Jan 5, 2023, 6:55 PM

@bob-dig said in PfBlockerng 3.1.0.9 error - does not save Custom DST Port alias:

Today I also hit this. No port is saved and that is kinda problematic. I will have to turn off logging for that rule to not get flooded.

login-to-view

@BBcan177 Today I had the impression that rsync downloads don't work. I switched to auto and gave a regular http-address and the list got updated again. I don't know where the problem lies, could be up to them (uceprotect) and is not related to the topic about ports at all! Just to let you know... Rsync doesn't seem to be that necessary anyways.

BBcan177 · Jan 6, 2023, 2:46 PM

@bob-dig what is the URL that you use for that feed?

Bob.Dig · Jan 6, 2023, 3:14 PM

@bbcan177
rsync-mirrors.uceprotect.net::RBLDNSD-ALL/dnsbl-1.uceprotect.net
rsync-mirrors.uceprotect.net::RBLDNSD-ALL/dnsbl-2.uceprotect.net

But with (auto) those did it:
http://wget-mirrors.uceprotect.net/rbldnsd-all/dnsbl-1.uceprotect.net.gz
http://wget-mirrors.uceprotect.net/rbldnsd-all/dnsbl-2.uceprotect.net.gz

This IP was buggen me: 195.133.40.188

BBcan177 · Jan 6, 2023, 5:09 PM

@bob-dig said in PfBlockerng 3.1.0.9 error - does not save Custom DST Port alias:

rsync-mirrors.uceprotect.net::RBLDNSD-ALL/dnsbl-1.uceprotect.net
rsync-mirrors.uceprotect.net::RBLDNSD-ALL/dnsbl-2.uceprotect.net

They seem ok with my tests? Do you see any errors in the error.log? What happens when you ping rsync-mirrors.uceprotect.net?

Bob.Dig · Jan 8, 2023, 7:28 PM

@bbcan177 said in PfBlockerng 3.1.0.9 error - does not save Custom DST Port alias:

Do you see any errors in the error.log? What happens when you ping rsync-mirrors.uceprotect.net?

Sry, I don't even know where to look at what... I am a noob for the most part. I only know that it has worked before and, maybe, after the "patch" from here, rsync didn't worked anymore, presumably. Or it was just a coincidence.