Netgate Discussion Forum

    Can you force a rule to apply before floating rules and hold its position?

    • cdsJerry

      Is there a way to place a standard rule above the floating rules and have it stay there even after pfBlocker regenerates? I have two places that must have access through the firewall but it appears their sources are sometimes (often) in a country blocked by pfBlocker. As a result their traffic is blocked and I have problems.

      I've created a rule to allow their data to pass and it works great until pfBlocker updates its rules, which it always places at the top as a floating rule. This then blocks my required traffic.
      Screenshot 2024-03-28 083426.png

      • johnpoz LAYER 8 Global Moderator @cdsJerry

        @cdsJerry why not just use the aliases in your own rules and not have pfblocker auto create rules?

        Auto placement of rules can have all kinds of issues if you want your rules in a specific order. I have multiple aliases used in rules; they never change order because I am the one to set the order, pfblocker just keeps the aliases updated.

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.8, 24.11

        • cdsJerry @johnpoz

          @johnpoz if pfBlocker doesn't auto-create its rules, how do they get updated?

          I'm not an expert on this. I installed pfBlocker and did as little modification as possible in the hopes that I wouldn't break it.

          Wait... is this what I need to change? Would I just set it to pfSense Pass/Match| pfB_Pass/Match| pfB_Block/Reject| pfSense block/Reject ? Would that fix my issue?
          Screenshot 2024-03-28 092138.png

          • johnpoz LAYER 8 Global Moderator @cdsJerry

            @cdsJerry you don't have to set any "rules" in pfb, just create the aliases and create your own firewall rules with the aliases

            rules.jpg


            • Bob.Dig LAYER 8 @cdsJerry

              @cdsJerry Or you let pfBlocker place those rules on WAN, not floating. Heck, I believe it is even ootb like this...

              • cdsJerry @johnpoz

                @johnpoz but I didn't create the pfb rules. It created those on its own and placed them on the rule set. I said it was a floating rule and I think I was wrong about that. It's not a floating rule. It's just placed at the top of the rule set. The Floating Rules box isn't checked but it's still auto-creating the rule and placing it at the top of the rule list.

                I think maybe the answer is the IP Rules Configuration box I posted above. I'll try changing Firewall Auto Rule and see if that solves my issue.

                • johnpoz LAYER 8 Global Moderator @cdsJerry

                  @cdsJerry said in Can you force a rule to apply before floating rules and hold its position?:

                  but I didn't create the pfb rules.

                  Which is my point.. You can not have pfblocker create any rules - just the aliases.. Then use those aliases in rules you create, now you never have to worry about the order changing.. Those rules are rules I created, not pfblocker.

                  When the order of rules matter, I wouldn't rely on anything "auto-magically" assigning their order.. Maybe that is just me ;)

                  Maybe it works great, but then at some point you add a rule, or delete a rule or you change the order and now when it "auto" does its thing your order is all messed up.


                  • cdsJerry @johnpoz

                    @johnpoz How do I have pfb create/use an alias instead of a rule? I understand what you're saying about using the alias so that pfb isn't screwing with my rules list. That makes sense to me. But how do I get pfb to generate into an alias instead of its own rules? Is there an option for that somewhere?

                    • johnpoz LAYER 8 Global Moderator @cdsJerry

                      @cdsJerry any alias you create in pfblocker can just be added to rules.. Just turn off auto rule creation in pfblocker.

                      pfblocker.jpg


                      • cdsJerry @johnpoz

                        @johnpoz is there a way to take the rule that was created by pfB and turn it into an alias? Will pfB still update the alias when the CRON job runs? Where do I tell it not to create a rule?

                        There's nothing in my Firewall/pfBlockerNG/IP/IPv4 summary page now. I'm not sure what steps I need to take to get from where I am to where I need to be. I can't add the alias to the rule set until I figure out how to create an alias with all the pfb settings inside it. I assume you're not doing that manually because.... wow... that would be a huge amount of work to enter all the stuff that's in the pfb rules currently.

                        I just don't know how to get from where I am to where I need to be. I think I understand both the beginning and the end, just not the middle.

                        • SteveITS Galactic Empire @cdsJerry

                          @cdsJerry "Alias Native" per John's image only creates an alias, and no rules. You then create your own rules using that alias.

                          Pre-2.7.2/23.09: Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
                          When upgrading, allow 10-15 minutes to restart, or more depending on packages and device speed.
                          Upvote 👍 helpful posts!

                          • cdsJerry @SteveITS

                            @SteveITS @johnpoz I got so far as to create an Alias Native like in his picture. And that made all the pfBlocker blocks on the Rules page go away. But something has gone wrong. My rules just repeat over and over and over in Firewall / rules / WAN. It appears that the pass rules are listed 64 times each and then at the very bottom of the page are 8 block rules. The newly created alias isn't listed anywhere.

                            I hope this didn't totally hose the system. Now I'm in a panic. If I delete the new Alias will things go back as they had been?

                            If I go to Firewall / Aliases / IP the newly created alias isn't listed.
                            Screenshot 2024-03-28 164126.png

                            • SteveITS Galactic Empire @cdsJerry

                              @cdsJerry said in Can you force a rule to apply before floating rules and hold its position?:

                              listing after listing after listing of the pass rules over and over again

                              ?? I don't know what that would be.

                              re: your pfBlockAlias...its State is Off there so it doesn't do anything. You need to set that On and then put a feed or something in there like so:
                              100ecd44-aff6-4c4e-884e-8f21ba530a58-image.png
                              or from a checked Feed:
                              479525a3-8253-4b4c-89f6-e922f75b3e41-image.png

                              No it doesn't show in the manually created Alias list, however it shows in autocomplete when editing a rule:
                              42ebdf04-f008-479c-aa85-a2cded000b12-image.png


                              • cdsJerry @SteveITS

                                @SteveITS Do I just start deleting all those 64 sets of pass rules it created? Since they are duplicates of each other do I have any risk that it would delete all the rules that have the same name? Is there a way to delete multiple rules at the same time? Each time I hit delete it has to reload the page which takes several minutes. Actually I'm still waiting for it to reload the page after deleting the first rule and hitting apply changes. It's just spinning. Every now and then I get a message saying the page is taking a while and asking if I want to wait.

                                It's been 12 min. at this point and it's still trying to load the Firewall / Rules / WAN page. If I try to scroll down the page it shows me the first set of rules duplicated 3 times but after that it just shows empty lines. The elevator box indicates that the page is very long, however it fails to ever load any further.

                                I think I need to figure that out before I start adding another rule.

                                • SteveITS Galactic Empire @cdsJerry

                                  @cdsJerry Have never seen that. Alias Native doesn't create any rules. If you save a backup (a good idea anyway) I think there are some rule identifiers in the XML file. There are numbers that show if you hover over the green checkmark icon or the States column link.

                                  You could manually delete duplicates in the backup file and restore it.


                                  • cdsJerry @SteveITS

                                    @SteveITS @johnpoz The page finally loaded. It now shows 128 sets of every rule so my attempt to delete one of the duplicates instead caused it to double every rule in the already massive rule list. If it's going to do this, how can I possibly delete the rules? Every time I delete a rule it reloads the page which takes about 12 min.... for every rule. And I'm not even sure it's deleting the rule yet. There's no way this is working.

                                    I restored my rules list from a backup file. That seems to have put me back where I started. I then did everything I learned above and this time it didn't start multiplying my rule set. I think it might finally be right. WHEW!!! I was pretty scared there for a bit.

                                    Screenshot 2024-03-28 175023.png

                                    • SteveITS Galactic Empire @cdsJerry

                                      @cdsJerry Yeah very odd.

                                      re: hover, sorry if I wasn't clear, Firefox shows the URL for a link at the bottom of the page:

                                      https://FQDN/firewall_rules.php?if=wan&act=toggle&id=13
                                      or the States column (same rule):
                                      https://FQDN/diag_dump_states.php?ruleid=122,123

                                      re: long load times, the page actually loads all the IPs into the title tag of the alias link so it will show on hover....can take a very long time to load a page of large aliases.


                                      • cdsJerry @SteveITS

                                        @SteveITS @johnpoz Update: After waiting an hour the firewall still hasn't rebooted. I cycled the power and waited another 10 min. but it's still not responding. I can't get to the GUI at all. I connected the cable to the terminal but putty won't connect. I've double checked my COM port, speed, parity etc but there's nothing.

                                        Logged on this morning just to double check and make sure it's all working the way I expected. I had a crash report that looks like it's related to pfb and not the changes we were making. All the GUI pages are loading very slowly and I can't get the Rules page to load at all. The dashboard says I'm using 35% of the memory but all the errors I see are memory exhausted errors. I see an entry in the CRON log file that just repeats itself over and over and over.

                                        I'd like to think this problem is unrelated, but since it started when we made the changes above it seems like it must be related. Currently it's stuck running a CRON update and I can't get any page to load nor can I even reboot the system.

                                        ===[  IPv4 Process  ]=================================================
                                        
                                        [ US_v4 ]			 exists.
                                        [ US_rep_v4 ]			 exists.
                                        Fatal error: Allowed memory size of 134217728 bytes exhausted (tried to allocate 14680312 bytes) in /etc/inc/xmlparse.inc on line 268
                                        PHP ERROR: Type: 1, File: /etc/inc/xmlparse.inc, Line: 268, Message: Allowed memory size of 134217728 bytes exhausted (tried to allocate 14680312 bytes) CRON  PROCESS  START [ v3.2.0_7 ] [ 03/29/24 08:00:28 ]
                                         UPDATE PROCESS START [ v3.2.0_7 ] [ 03/29/24 08:00:44 ]
                                        
                                        ===[  DNSBL Process  ]================================================
                                        
                                        
                                        ===[  GeoIP Process  ]============================================
                                        
                                        [ pfB_Top_v4 ]			 exists. [ 03/29/24 08:03:10 ]
                                        [ pfB_Africa_v4 ]		 exists. [ 03/29/24 08:03:11 ]
                                        [ pfB_Europe_v4 ]		 exists. [ 03/29/24 08:03:12 ]
                                        [ pfB_NAmerica_v4 ]		 exists.
                                        [ pfB_Oceania_v4 ]		 exists. [ 03/29/24 08:03:13 ]
                                        [ pfB_SAmerica_v4 ]		 exists.
                                        
                                        ===[  IPv4 Process  ]=================================================
                                        
                                        There were error(s) loading the rules: /tmp/rules.debug:63: cannot define table pfB_Top_v4: Cannot allocate memory - The line in question reads [63]: table <pfB_Top_v4> persist file "/var/db/aliastables/pfB_Top_v4.txt"
                                        @ 2024-03-29 01:01:22
                                        
                                        Fatal error: Allowed memory size of 134217728 bytes exhausted (tried to allocate 14680312 bytes) in /etc/inc/xmlparse.inc on line 268
                                        PHP ERROR: Type: 1, File: /etc/inc/xmlparse.inc, Line: 268, Message: Allowed memory size of 134217728 bytes exhausted (tried to allocate 14680312 bytes)
                                        
                                        Crash report begins.  Anonymous machine information:
                                        
                                        arm
                                        14.0-CURRENT
                                        FreeBSD 14.0-CURRENT armv7 1400094 #1 plus-RELENG_23_09_1-n256200-3de1e293f3a: Wed Dec  6 20:55:45 UTC 2023     root@freebsd:/var/jenkins/workspace/pfSense-Plus-snapshots-23_09_1-main/obj/armv7/XXxrkrip/var/jenkins/workspace/pfSense-Plus-snapshots-23_09_1
                                        
                                        Crash report details:
                                        
                                        PHP Errors:
                                        [29-Mar-2024 02:01:19 America/New_York] PHP Fatal error:  Allowed memory size of 134217728 bytes exhausted (tried to allocate 12307440 bytes) in /etc/inc/crypt.inc on line 76
                                        [29-Mar-2024 03:01:56 America/New_York] PHP Fatal error:  Allowed memory size of 134217728 bytes exhausted (tried to allocate 14680312 bytes) in /etc/inc/xmlparse.inc on line 268
                                        [29-Mar-2024 06:01:59 America/New_York] PHP Fatal error:  Allowed memory size of 134217728 bytes exhausted (tried to allocate 14680312 bytes) in /etc/inc/xmlparse.inc on line 268
                                        [29-Mar-2024 07:01:58 America/New_York] PHP Fatal error:  Allowed memory size of 134217728 bytes exhausted (tried to allocate 14680312 bytes) in /etc/inc/xmlparse.inc on line 268
                                        [29-Mar-2024 08:04:14 America/New_York] PHP Fatal error:  Allowed memory size of 134217728 bytes exhausted (tried to allocate 14680312 bytes) in /etc/inc/xmlparse.inc on line 268
                                        No FreeBSD crash data found.
                                        
                                        • SteveITS Galactic Empire @cdsJerry

                                          @cdsJerry How much RAM is in the device? IIRC 128 MB is the PHP memory limit if the device is either <= 1 GB RAM or maybe < 4 GB, I don't recall.

                                          PHP has a limit and of course the hardware RAM is a limit. The PHP limit is set in System/Advanced/Miscellaneous.

                                          Large pfBlocker lists will of course exhaust the PHP limit loading in the list. Perhaps if it is repeatedly trying and crashing that is your issue?

                                          If you are using "pfB_Top_v4" to "block the world" it is normally much better to "allow by country" instead as it will use far less memory.

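As an added illustration of the failure pattern in the log and crash report posted above (example code written for this thread, not pfSense's or pfBlockerNG's own), the Python below triages log lines: it pulls out the PHP memory limit and the allocation that failed, counts repeated crashes per file and line, flags the hourly recurrence that points at the cron update re-running into the same wall, and records any pf table that could not be allocated. The sample lines are constructed from the quoted output, not captured from a device.

```python
"""Triage PHP memory-exhaustion and pf table-load failures in pfSense/pfBlockerNG log output."""
import re
from collections import Counter

# Constructed sample, modelled on the crash report and rules.debug error quoted in the thread.
SAMPLE_LOG = """\
[29-Mar-2024 02:01:19 America/New_York] PHP Fatal error:  Allowed memory size of 134217728 bytes exhausted (tried to allocate 12307440 bytes) in /etc/inc/crypt.inc on line 76
[29-Mar-2024 03:01:56 America/New_York] PHP Fatal error:  Allowed memory size of 134217728 bytes exhausted (tried to allocate 14680312 bytes) in /etc/inc/xmlparse.inc on line 268
[29-Mar-2024 06:01:59 America/New_York] PHP Fatal error:  Allowed memory size of 134217728 bytes exhausted (tried to allocate 14680312 bytes) in /etc/inc/xmlparse.inc on line 268
There were error(s) loading the rules: /tmp/rules.debug:63: cannot define table pfB_Top_v4: Cannot allocate memory - The line in question reads [63]: table <pfB_Top_v4> persist file "/var/db/aliastables/pfB_Top_v4.txt"
[29-Mar-2024 07:01:58 America/New_York] PHP Fatal error:  Allowed memory size of 134217728 bytes exhausted (tried to allocate 14680312 bytes) in /etc/inc/xmlparse.inc on line 268
[29-Mar-2024 08:04:14 America/New_York] PHP Fatal error:  Allowed memory size of 134217728 bytes exhausted (tried to allocate 14680312 bytes) in /etc/inc/xmlparse.inc on line 268
"""

# PHP's own fatal-error line: limit, attempted allocation, and the file:line that hit it.
PHP_OOM = re.compile(
    r"^\[(?P<ts>[^\]]+)\] PHP Fatal error:\s+Allowed memory size of (?P<limit>\d+) bytes "
    r"exhausted \(tried to allocate (?P<want>\d+) bytes\) in (?P<file>\S+) on line (?P<line>\d+)"
)
# pfctl refusing to create an alias table because the kernel could not allocate memory.
PF_TABLE = re.compile(r"cannot define table (?P<table>\S+): Cannot allocate memory")


def parse(text):
    """Return (php_oom_events, failed_pf_tables) extracted from raw log text."""
    oom, tables = [], []
    for line in text.splitlines():
        m = PHP_OOM.search(line)
        if m:
            oom.append({"ts": m["ts"], "limit": int(m["limit"]), "want": int(m["want"]),
                        "where": f"{m['file']}:{m['line']}"})
            continue
        m = PF_TABLE.search(line)
        if m:
            tables.append(m["table"])
    return oom, tables


def triage(text, min_repeats=3):
    """Summarise the pattern; the same site crashing every hour means a cron job keeps retrying."""
    oom, tables = parse(text)
    by_site = Counter(e["where"] for e in oom)
    limit = max((e["limit"] for e in oom), default=0)
    peak_want = max((e["want"] for e in oom), default=0)
    # "29-Mar-2024 02:01:19 ..." -> "29-Mar-2024 02": one bucket per hour of the day.
    hours = sorted({e["ts"][:14] for e in oom})
    findings = []
    for site, n in by_site.items():
        if n >= min_repeats:
            findings.append(f"{site}: {n} memory-exhausted crashes against a {limit // 2**20} MiB PHP limit")
    if len(hours) >= min_repeats:
        findings.append(f"crashes recur in {len(hours)} separate hours: the scheduled update is re-failing")
    for t in sorted(set(tables)):
        findings.append(f"pf could not allocate table {t}: the rule set did not load")
    return {"limit": limit, "peak_alloc": peak_want, "by_site": dict(by_site),
            "tables": sorted(set(tables)), "findings": findings}


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG)["findings"]:
        print(f)
```

On a real box the same parser can be pointed at the pfBlockerNG log or the crash report text; a single PHP fatal is a one-off, while the hourly repetition and the pf table failure together are the signature of an alias list too large for the configured limit.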

                                          • cdsJerry @SteveITS

                                            @SteveITS I've been able to get an old pfSense system up and running so the servers are back online, so the panic is over. Of course it's running an old rule set so it's less than ideal.

                                            The unit that we've been working on is a Netgate appliance SG-3100-US. I don't know how much RAM is in it and as I'm not able to access it in any way, I can't look.

                                            When I try to connect via the GUI it won't load the page at all. It doesn't answer pings. I can't connect via the Serial cable either. Putty just "dings" when I try to open the connection. In short, I have no way to access the firewall at the current time. I have cycled the power twice. The lights on the front of the device look normal. The light on the far right is slowly pulsing blue. Any suggestions?
