Apparent bug
-
If you have various IPv4 lists and set one of them to "ON", but then subsequently set it to "OFF", the message given during update suggests that pfBlockerNG does not pull the IP addresses that formerly were in the ON list when switching to OFF.
e.g. in the example below I have an inbound permit list that enables certain countries' IP ranges. I switched one country off, and one country on and then did a "force update". The entry below suggests the new country was added, but that the previous country was not deleted:
Updating: pfB_Inbound_permit
4583 addresses added.One can see that in the ordinary course, if IP addresses have been deleted, pfBlockerNG will say so:
Updating: pfB_iBlockList
64 addresses added.11 addresses deleted.Either (1) the message is right and pfBlockerNG is indeed not pulling the IPs corresponding to the list that is now "OFF" or (2) it is pulling the IPs, but for some reason is not saying so in the log.
From looking at the various list/permit files that are created, it looks like it's (2). Is there any reason why the log doesn't reflect what's happening please?
-
When you:
set one of them to "ON", but then subsequently set it to "OFF"
did you run a Force Update command to get the list added to the Permit Alias? If not, then just selecting "ON" and saving does not add any IPs to the alias…
-
Yes, sorry, I should have been clearer.
I run force update to turn it on, and again to turn it off.
The use case is that I enable countries only when I'm travelling there. Rather than having to add an entry every time I go somewhere, I'd like to be able just to turn them on or off as necessary. So when I leave for a country a turn it on and force update and when I return I turn it off and force update.
It's the latter when I don't get the log confirmation that the country's address ranges have been deleted (though looking at the permit files it appears they have been).
Thanks for your help.
-
I haven't see any issues with this myself. Keep in mind that a "save" in the IPv4 Tab could have removed the the List and this is why it didn't show in the log when you hit Force Update. Next time, go back and review the pfblockerng.log to see the log entries for further details… The next version of the package all "save" functions will not make any changes without a "Force Update".
-
Thanks. That might have something to do with it. I think the log entries that refer to the number of entries added/deleted refer to the alias files? Even if the permit file is deleted upon saving the config, it wasn't clear to me that the corresponding entries would be removed from the alias file until the force update was run. Therefore I would have expected the log nevertheless to show the number of entries being deleted.
I've excerpted the relevant log entries below. In this example, I disabled Switzerland and enabled Japan in one step, saved, then ran force update. You can see that there is no reference to deleted entries, and the "last updated list summary" still refers to Switzerland (though it's been properly removed from the other sections).
Thanks.
**Saving configuration [ 05/12/17 10:13:15 ] ... [ Removing List(s) : InboundPermCH ] Archiving Aliastable folder Archiving selected pfBlockerNG files. **Saving configuration [ 05/12/17 10:15:38 ] ... UPDATE PROCESS START [ 05/12/17 10:15:55 ] ... ===[ IPv4 Process ]================================================= ... [ InboundPermGB ] Reload [ 05/12/17 10:18:32 ] . completed .. [ InboundPermJP ] Downloading update [ 05/12/17 10:18:35 ] .. completed .. ... ===[ Aliastables / Rules ]========================================== No changes to Firewall rules, skipping Filter Reload ... Updating: pfB_iBlockList 64 addresses added.11 addresses deleted. Updating: pfB_Inbound_permit 4583 addresses added. Archiving Aliastable folder Archiving selected pfBlockerNG files. ===[ FINAL Processing ]===================================== [ Original IP count ] [ 490720 ] [ Final IP Count ] [ 432383 ] ===[ Permit List IP Counts ]========================= 22599 total 18016 /var/db/pfblockerng/permit/InboundPermGB.txt 4583 /var/db/pfblockerng/permit/InboundPermJP.txt ... ====================[ Last Updated List Summary ]============== ... May 12 00:17 InboundPermGB May 12 00:17 InboundPermCH May 12 10:18 InboundPermJP =============================================================== .. Alias table IP Counts ----------------------------- 545732 total ... 22599 /var/db/aliastables/pfB_Inbound_permit.txt ... UPDATE PROCESS ENDED [ 05/12/17 10:20:18 ]
