pfBlockerNG 3.2.0_4 ?

FSC830

Actually me too are lost with this package.
Seen, that package manager offers this update, but update stucks.
After clicking at update icon download lasts significant longer than usual for a package.
After clicking to "confirm" the GUI more or less dies out. No installation process is seen.
After minutes(!) the "confirm" page disappears, just the header is visible, but again no installation.
Clicking now to any other menu item last also very long.
Issue could be reproduced every time (tried the install in total 4 or 5 times), even after rebooting the appliance (SG-3100).
Is there anything I miss here for running the update?

Package v3.2.0_3 is installed, but currently not really configured.

Regards

michmoor

Just want to reiterate there aren’t any commit notes that I’ve seen. Perhaps I glossed over?
Also I’m a Patreon member for bbcan. I typically get a notification whenever there is a change on the package but there’s been no comms for this.
So it’s not clear what if any changes were done .

mcury

@michmoor One thing that I know that was changed is that maxmind geoIP token has changed and now they are including "_" caracteres in it, so pfblockerng code was updated to allow that.

Gertjan

@michmoor said in pfBlockerNG 3.2.0_4 ?:

Just want to reiterate there aren’t any commit notes that I’ve seen. Perhaps I glossed over?

Hover and click here :

It was the geomaxmind new user ID thing and something else.
No ground breaking development

Btw : my pfSense wakes me up to tell me that :

michmoor

@gertjan Is that a system notification or something you scripted?

Gertjan

@michmoor said in pfBlockerNG 3.2.0_4 ?:

something you scripted?

Close.
Copied from what I've found here on the forum.
Here I guess.
I do recall do some edits so "23.01 Plus" is happy.
I can post the 93 php file if needed.

michmoor

@gertjan Yeah if you have the current script for 23.01 i would love to look at.

Gertjan

@michmoor

Install the pfSense cron package first.

Add a line like this :

/root/pkg_check.php is the php script file :

<?php

  require_once("pkg-utils.inc");
  require_once("notices.inc");
  require_once("util.inc");

  $msg = null;
  $pmsg = null;
  $p = 0;

  // log_error("Starting update check");
  //echo "test";
  // pfSense base system check
  $system_version = get_system_pkg_version(false, true);
  if ($system_version === false) {
    printf("%s\n", 'Unable to check for updates');
    log_error("Unable to check for updates, exiting");
    exit;
  }
  
  if (!is_array($system_version) ||
    !isset($system_version['version']) ||
    !isset($system_version['installed_version'])) {
    printf("%s\n", 'Error in version information');
    log_error("Error in version information, exiting");
    exit;
  }

  switch ($system_version['pkg_version_compare']) {
    case '<':
      printf("%s%s%s\n", "pfSense version ", $system_version['version'], " is available");
      $msg = "An update to pfSense version " . $system_version['version'] . " is available\n\n";
      break;
    case '=':
      printf("%s%s%s\n", "pfSense version ", $system_version['version'], " (installed) is current");
      break;
    case '>':
      printf("%s%s%s\n", "pfSense version ", $system_version['installed_version'], " is NEWER than the latest available version ", $system_version['version']);
      $msg = "pfSense version " . $system_version['version'] . " is available (downgrade)\n\n";
      break;
    default:
      printf("%s\n", 'Error comparing installed with latest version available');
      log_error("Error comparing installed with latest version available");
      break;
  }

  // package check
  $package_list = get_pkg_info('all', true, true);
  $installed_packages = array_filter($package_list, function($v) {
    return (isset($v['installed']) && isset($v['name']));
  });

  if (empty($installed_packages)) {
    printf("%s\n", 'No packages installed');
    log_error("No packages installed, exiting");
    exit;
  }

  foreach ($installed_packages as $pkg) {
    if (isset($pkg['installed_version']) && isset($pkg['version'])) {
      //printf("%s%s%s\n", $pkg['shortname'], ': ', $pkg['installed_version']);
      $version_compare = pkg_version_compare($pkg['installed_version'], $pkg['version']);
      if ($version_compare != '=') {
        $p++;
        $pmsg .= "\n".$pkg['shortname'].': '.$pkg['installed_version'].' ==> '.$pkg['version'];
        if ($version_compare == '>') {
          $pmsg .= ' (downgrade)';
        }
        printf("%s%s%s%s%s\n", $pkg['shortname'], ': ', $pkg['installed_version'], ' ==> ', $pkg['version']);
      }
    }
  }

  if ($p > 0) {
    $msg = $msg . "The following updates are available and can be installed using System > Package Manager:\n" . $pmsg;
  }

  // check for updates to builtin packages
  exec("/usr/sbin/pkg upgrade -n | /usr/bin/sed -ne '/UPGRADED/,/^$/p'", $output, $retval);
  if (($retval == 0) && (count($output))) {
    $msg .= "\n\n" . "Some packages are part of the base system and will not show up in Package Manager. If any such updates are listed below, run `pkg upgrade` from the shell to install them:\n\n";
    array_shift($output);
    $msg .= implode("\n", array_map('ltrim', $output));
  }

  if (!empty($msg)) {
    log_error("Updates were found - sending email");
    echo $msg;
    notify_via_smtp($msg);
  }

//  log_error("Update check complete");

?>

A

chmod +x /root/pkg_check.php

might be needed.

Note that

notify_via_smtp($msg)

because I have a smtp (gmail) notification setup.

michmoor

@gertjan Nice. I also use SMTP for delivery

Is there a way to check to see it working? For example, if i have a CRON job to run every minute will I get an email notification?

Gertjan

@michmoor said in pfBlockerNG 3.2.0_4 ?:

Is there a way to check to see it working?

Yep.
Enter console or SSH, go for option 8 and type

php -q /root/pkg_check.php

and see the magic happen.
No mail if there are no updates available.
Btw : I've adapted this script for a SG-4100 running with 23.01.

michmoor

@gertjan Works without issues. Thanks for this.

It even spotted a Firmware upgrade on my 6100

16:12:33 The following updates are available and can be installed using System > Package Manager:

Netgate_Firmware_Upgrade: 0.55 ==> 0.56

Some packages are part of the base system and will not show up in Package Manager. If any such updates are listed below, run pkg upgrade from the shell to install them:

igmpproxy: 0.3,1 -> 0.3_1,1 [pfSense]
pfSense-pkg-Netgate_Firmware_Upgrade: 0.55 -> 0.56 [pfSense]
pfSense-upgrade: 1.0_53 -> 1.0_58 [pfSense]

sgw

Adding this here, because I see this behavior with current 3.2.0_4:
pfblockerng seems to block things OK, but the counters in the dashboard widget do not increase at all.
I already reinstalled, restarted etc

sgw

@gertjan thanks for pointing at that script. Testing it as well, great.

Gertjan

@sgw said in pfBlockerNG 3.2.0_4 ?:

@gertjan thanks for pointing at that script. Testing it as well, great.

You mean these :

?

sgw

@gertjan Yes, exactly.

Checked right now: I see entries in "Firewall - pfBlockerNG - Reports" for "IP Block Stats", but not in the Dashboard Widget. There are some packets shown for DNSBL, but not for IP.

I have "PRI1" enabled with "Deny Inbound", so yes, there should be blocking (and the blocking seems to work, only the widget "fails"). It's not that important, but somehow wrong anyway, right?

I also tried to remove and re-add the widget already. Or edit its settings.

pfsjap

@gertjan Thank you for the pkg_check, works great.

I'd like to ask about updates, which are part of the of the base system:

Some packages are part of the base system and will not show up in Package Manager. If any such updates are listed below, run `pkg upgrade` from the shell to install them:

igmpproxy: 0.3,1 -> 0.3_1,1 [pfSense]
pfSense-upgrade: 1.0_53 -> 1.0_58 [pfSense]

Is it recommended (and safe) practice to update those also?

Gertjan

@pfsjap

Yes,

pkg upgrade

will do the job.

MarinSNB

@gertjan How do I add this script? Do I do it using the Filer package? Would appreciate a snapshot of your configuration. I have already added the needs Cron job for it as you indicated.

Thanks much!

michmoor

@gertjan Would you happen to know what the pfsense-upgrade package is?
I get this message even after i performed my firmware upgrade on the 6100.

Installed packages to be UPGRADED:
        igmpproxy: 0.3,1 -> 0.3_1,1 [pfSense]
        pfSense-upgrade: 1.0_53 -> 1.0_58 [pfSense]

Number of packages to be upgraded: 2

46 KiB to be downloaded.

Proceed with this action? [y/N]:

rcoleman-netgate

@michmoor said in pfBlockerNG 3.2.0_4 ?:

Would you happen to know what the pfsense-upgrade package is?

It is the package that handles all pfSense updates and upgrades.