pfBlockerNG-devel v3.1.0_19/10

nimrod

@cmcdonald said in pfBlockerNG-devel v3.1.0_19/10:

@nimrod can you also share pkg info unbound ?

Of course. Here it is:

[2.6.0-RELEASE][admin@pfSense.home.arpa]/root: pkg info unbound
unbound-1.13.2
Name           : unbound
Version        : 1.13.2
Installed on   : Mon Jan 31 21:24:27 2022 CET
Origin         : dns/unbound
Architecture   : FreeBSD:12:amd64
Prefix         : /usr/local
Categories     : dns
Licenses       : BSD3CLAUSE
Maintainer     : jaap@NLnetLabs.nl
WWW            : https://www.nlnetlabs.nl/projects/unbound
Comment        : Validating, recursive, and caching DNS resolver
Options        :
	DEP-RSA1024    : off
	DNSCRYPT       : off
	DNSTAP         : off
	DOCS           : off
	DOH            : on
	ECDSA          : on
	EVAPI          : off
	FILTER_AAAA    : off
	GOST           : on
	HIREDIS        : off
	LIBEVENT       : on
	MUNIN_PLUGIN   : off
	PYTHON         : on
	SUBNET         : off
	TFOCL          : off
	TFOSE          : off
	THREADS        : on
Shared Libs required:
	libexpat.so.1
	libnghttp2.so.14
	libpython3.8.so.1.0
	libevent-2.1.so.7
Shared Libs provided:
	libunbound.so.8
Annotations    :
	FreeBSD_version: 1203500
	build_timestamp: 2022-01-12T15:27:10+0000
	built_by       : poudriere-git-3.3.99.20211130
	cpe            : cpe:2.3:a:nlnetlabs:unbound:1.13.2:::::freebsd12:x64
	port_checkout_unclean: no
	port_git_hash  : 8df9544dcbab
	ports_top_checkout_unclean: yes
	ports_top_git_hash: 7046b65c0d41
	repo_type      : binary
	repository     : pfSense
Flat size      : 7.99MiB
Description    :
Unbound is designed as a set of modular components, so that also
DNSSEC (secure DNS) validation and stub-resolvers (that do not run as
a server, but are linked into an application) are easily possible.

Goals:
    * A validating recursive DNS resolver.
    * Code diversity in the DNS resolver monoculture.
    * Drop-in replacement for BIND apart from config.
    * DNSSEC support.
    * Fully RFC compliant.
    * High performance, even with validation enabled.
    * Used as: stub resolver, full caching name server, resolver library.
    * Elegant design of validator, resolver, cache modules.
          o provide the ability to pick and choose modules.
    * Robust.
    * In C, open source: The BSD license.
    * Smallest as possible component that does the job.
    * Stub-zones can be configured (local data or AS112 zones).

Non-goals:
    * An authoritative name server.
    * Too many Features.

WWW: https://www.nlnetlabs.nl/projects/unbound

cmcdonald

@nimrod Can you now try reinstalling pfBlockerNG-devel on 22.05/2.6, and repeat the above command pkg info "py*" unbound

nimrod

@cmcdonald said in pfBlockerNG-devel v3.1.0_19/10:

@nimrod Can you now try reinstalling pfBlockerNG-devel on 22.05/2.6, and repeat the above command pkg info "py*" unbound

I reinstalled it and here is the output:

[2.6.0-RELEASE][admin@pfSense.home.arpa]/root: pkg info "py*" unbound
py38-maxminddb-2.0.3
py38-ply-3.11
py38-setuptools-57.0.0
py38-sqlite3-3.8.12_7
py39-maxminddb-2.0.3
py39-setuptools-57.0.0
py39-sqlite3-3.9.9_7
python38-3.8.12_1
python39-3.9.9
unbound-1.13.2

cmcdonald

@nimrod That should be correct now. Clear the unbound errors and try again.

nimrod

@cmcdonald said in pfBlockerNG-devel v3.1.0_19/10:

@nimrod That should be correct now. Clear the unbound errors and try again.

Yup. That fixed it. Thank you sir.

BBcan177

@draco said in pfBlockerNG-devel v3.1.0_19/10:

I had hoped this might let pfBlocker directly download a JSON list like the one found at Microsoft Azure IPs. This is a file I manually download and then use pfSense's GUI CMD interface to upload for pfBlocker (I set the format to AUTO). Ran this on 3.1.0_11 just now.

The Link you posted is the HTML page. You need to use the direct link:

https://download.microsoft.com/download/7/1/D/71D86715-5596-4529-9B13-DA13A5DE5B63/ServiceTags_Public_20230123.json

Keep in mind that this will parse all IPs in the json file. You could also create a new shell script to parse this JSON and get more refinement on which IPs to pull ( "Advanced Tunables - Post-Script Script" feature.)

yorke

@bbcan177

I figure out why i was getting those errors some package/feature on pfsense needed to be update (ie unbound and about 4 others ) once I ran the update and reboot and reinstall
PfblockerNG work, no more errors.
Thanks BBcan177

bigjohns97

@cmcdonald I am seeing the same error about missing python modules on 23.01 RC, was this fixed on that version as well?

nimrod

@bigjohns97 said in pfBlockerNG-devel v3.1.0_19/10:

@cmcdonald I am seeing the same error about missing python modules on 23.01 RC, was this fixed on that version as well?

Yes.

Draco

@bbcan177 said in pfBlockerNG-devel v3.1.0_19/10:

he Link you posted is the HTML page. You need to use the direct link:
https://download.microsoft.com/download/7/1/D/71D86715-5596-4529-9B13-DA13A5DE5B63/ServiceTags_Public_20230123.json

Fair enough -- this means I will need to manually update the link each time, but better than copying the file from my computer up to pfSense each time, thanks!

I might have to write a screen-scraper to pull the latest URL off the download page...

bigjohns97

@nimrod Can you confirm what add-on's I should see because they differ than what is posted above.

pkg info "py*" unbound

py311-maxminddb-2.2.0_2
py311-setuptools-63.1.0
py311-sqlite3-3.11.1_8
py39-libzfs-1.1.2022081600
py39-setuptools-63.1.0
py39-yaml-5.4.1
python311-3.11.1_1
python39-3.9.15
unbound-1.17.0

nimrod

@bigjohns97

Is this before or after pfblocker reinstall ?

bigjohns97

@nimrod After

nimrod

@bigjohns97

I just noticed you are on Plus version of pfsense. The output that i shared is from CE edition.

bigjohns97

@nimrod That wouldn't matter, the difference between 2.6/22.x and 2.7/23.x is really what I am trying to confirm was fixed.

@BBcan177 builds the pfblockerng code but I believe netgate dev's such as @cmcdonald are who associate package prerequisites and manage how the actual package is presenting in package manager.

This is why my original question was to @cmcdonald as to whether his fix he did in this thread was also applied to the new 2.7/23.x branch.

cmcdonald

@bigjohns97

Report the output of

pkg info unbound

ldd `which unbound`

pkg info py*

bigjohns97

@cmcdonald said in pfBlockerNG-devel v3.1.0_19/10:

@bigjohns97

Report the output of

pkg info unbound

unbound-1.17.0
Name : unbound
Version : 1.17.0
Installed on : Sat Jan 14 12:37:18 2023 CST
Origin : dns/unbound
Architecture : FreeBSD:14:amd64
Prefix : /usr/local
Categories : dns
Licenses : BSD3CLAUSE
Maintainer : jaap@NLnetLabs.nl
WWW : https://www.nlnetlabs.nl/projects/unbound
Comment : Validating, recursive, and caching DNS resolver
Options :
DEP-RSA1024 : off
DNSCRYPT : on
DNSTAP : off
DOCS : off
DOH : on
ECDSA : on
EVAPI : off
FILTER_AAAA : off
GOST : on
HIREDIS : off
LIBEVENT : on
MUNIN_PLUGIN : off
PYTHON : on
SUBNET : off
TFOCL : off
TFOSE : off
THREADS : on
Shared Libs required:
libsodium.so.23
libpython3.9.so.1.0
libnghttp2.so.14
libexpat.so.1
libevent-2.1.so.7
Shared Libs provided:
libunbound.so.8
Annotations :
FreeBSD_version: 1400073
build_timestamp: 2022-10-27T06:51:33+0000
built_by : poudriere-git-3.3.99.20220831
cpe : cpe:2.3:a:nlnetlabs:unbound:1.17.0:::::freebsd14:x64
port_checkout_unclean: no
port_git_hash : 7b7b452fb8d5
ports_top_checkout_unclean: yes
ports_top_git_hash: 0c964f08a5cb
repo_type : binary
repository : pfSense
Flat size : 8.36MiB
Description :
Unbound is designed as a set of modular components, so that also
DNSSEC (secure DNS) validation and stub-resolvers (that do not run as
a server, but are linked into an application) are easily possible.

Goals:
* A validating recursive DNS resolver.
* Code diversity in the DNS resolver monoculture.
* Drop-in replacement for BIND apart from config.
* DNSSEC support.
* Fully RFC compliant.
* High performance, even with validation enabled.
* Used as: stub resolver, full caching name server, resolver library.
* Elegant design of validator, resolver, cache modules.
o provide the ability to pick and choose modules.
* Robust.
* In C, open source: The BSD license.
* Smallest as possible component that does the job.
* Stub-zones can be configured (local data or AS112 zones).

Non-goals:
* An authoritative name server.
* Too many Features.

WWW: https://www.nlnetlabs.nl/projects/unbound

ldd `which unbound`

/usr/local/sbin/unbound:
libssl.so.111 => /usr/lib/libssl.so.111 (0x822469000)
libsodium.so.23 => /usr/local/lib/libsodium.so.23 (0x8236ec000)
libutil.so.9 => /lib/libutil.so.9 (0x822a37000)
libevent-2.1.so.7 => /usr/local/lib/libevent-2.1.so.7 (0x823fcb000)
libpython3.9.so.1.0 => /usr/local/lib/libpython3.9.so.1.0 (0x824b25000)
libcrypto.so.111 => /lib/libcrypto.so.111 (0x8259f7000)
libnghttp2.so.14 => /usr/local/lib/libnghttp2.so.14 (0x82790a000)
libthr.so.3 => /lib/libthr.so.3 (0x825eff000)
libc.so.7 => /lib/libc.so.7 (0x826edd000)
libcrypt.so.5 => /lib/libcrypt.so.5 (0x8284bd000)
libintl.so.8 => /usr/local/lib/libintl.so.8 (0x829b94000)
libdl.so.1 => /usr/lib/libdl.so.1 (0x828694000)
libm.so.5 => /lib/libm.so.5 (0x828758000)
[vdso] (0x8215a5000)

pkg info "py*"

py311-maxminddb-2.2.0_2
py311-setuptools-63.1.0
py311-sqlite3-3.11.1_8
py39-libzfs-1.1.2022081600
py39-setuptools-63.1.0
py39-yaml-5.4.1
python311-3.11.1_1
python39-3.9.15

cmcdonald

@bigjohns97 and this is on 23.01?

bigjohns97

@cmcdonald Correct, dashboard shows 23.01 RC

Current Base System23.01.r.20230202.1645
Latest Base System23.01.r.20230202.1645
StatusUp to date.

cmcdonald

@bigjohns97 That is very odd.

The problem is you are running older Unbound which is using Python 3.9 and not 3.11

unbound-1.17.1_2
py311-libzfs-1.1.2022081600
py311-maxminddb-2.2.0_2
py311-setuptools-63.1.0
py311-sqlite3-3.11.1_8
py39-libzfs-1.1.2022081600
py39-maxminddb-2.2.0_1
py39-setuptools-63.1.0
python311-3.11.1_1
python39-3.9.16

These are the versions that we ship with 23.01-RC

I would try reinstalling unbound:

pkg install -fy unbound