Netgate Discussion Forum

    Can you force a rule to apply before floating rules and hold its position?

    Firewalling
    70 Posts 4 Posters 11.1k Views
    • johnpozJ
      johnpoz LAYER 8 Global Moderator @cdsJerry
      last edited by johnpoz

      @cdsJerry said in Can you force a rule to apply before floating rules and hold its position?:

      but I didn't create the pfb rules.

      Which is my point.. You can not have pfblocker create any rules - just the aliases.. Then use those aliases in rules you create, now you never have to worry about the order changing.. Those rules are rules I created, not pfblocker.

      When the order of rules matter, I wouldn't rely on anything "auto-magically" assigning their order.. Maybe that is just me ;)

      Maybe it works great, but then at some point you add a rule, or delete a rule or you change the order and now when it "auto" does its thing your order is all messed up.

      An intelligent man is sometimes forced to be drunk to spend time with his fools
      If you get confused: Listen to the Music Play
      Please don't Chat/PM me for help, unless mod related
      SG-4860 24.11 | Lab VMs 2.8, 24.11

      • cdsJerryC
        cdsJerry @johnpoz
        last edited by

        @johnpoz How do I have pfb create/use an alias instead of a rule? I understand what you're saying about using the alias so that pfb isn't screwing with my rules list. That makes sense to me. But how do I get pfb to generate into an alias instead of its own rules? Is there an option for that somewhere?

        • johnpozJ
          johnpoz LAYER 8 Global Moderator @cdsJerry
          last edited by

          @cdsJerry any alias you create in pfblocker can just be added to rules.. Just turn off auto rule creation in pfblocker.

          pfblocker.jpg

          • cdsJerryC
            cdsJerry @johnpoz
            last edited by

            @johnpoz is there a way to take the rule that was created by pfB and turn it into an alias? Will pfB still update the alias when the CRON job runs? Where do I tell it not to create a rule?

            There's nothing in my Firewall/pfBlockerNG/IP/IPv4 summary page now. I'm not sure what steps I need to take to get from where I am to where I need to be. I can't add the alias to the rule set until I figure out how to create an alias with all the pfb settings inside it. I assume you're not doing that manually because.... wow... that would be a huge amount of work to enter all the stuff that's in the pfb rules currently.

            I just don't know how to get from where I am to where I need to be. I think I understand both the beginning and the end, just not the middle.

            • S
              SteveITS Galactic Empire @cdsJerry
              last edited by

              @cdsJerry "Alias Native" per John's image only creates an alias, and no rules. You then create your own rules using that alias.

              Pre-2.7.2/23.09: Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
              When upgrading, allow 10-15 minutes to restart, or more depending on packages and device speed.
              Upvote 👍 helpful posts!

              • cdsJerryC
                cdsJerry @SteveITS
                last edited by cdsJerry

                @SteveITS @johnpoz I got so far as to create an Alias Native like in his picture. And that made all the pfBlocker blocks on the Rules page go away. But something has gone wrong. My rules just repeat over and over and over in Firewall / rules / WAN. It appears that the pass rules are listed 64 times each and then at the very bottom of the page are 8 block rules. The newly created alias isn't listed anywhere.

                I hope this didn't totally hose the system. Now I'm in a panic. If I delete the new Alias will things go back as they had been?

                If I go to Firewall / Aliases / IP the newly created alias isn't listed.
                Screenshot 2024-03-28 164126.png

                • S
                  SteveITS Galactic Empire @cdsJerry
                  last edited by

                  @cdsJerry said in Can you force a rule to apply before floating rules and hold its position?:

                  listing after listing after listing of the pass rules over and over again

                  ?? I don't know what that would be.

                  re: your pfBlockAlias...it's State is Off there so it doesn't do anything. You need to set that On and then put a feed or something in there like so:
                  100ecd44-aff6-4c4e-884e-8f21ba530a58-image.png
                  or from a checked Feed:
                  479525a3-8253-4b4c-89f6-e922f75b3e41-image.png

                  No it doesn't show in the manually created Alias list, however it shows in autocomplete when editing a rule:
                  42ebdf04-f008-479c-aa85-a2cded000b12-image.png

                  • cdsJerryC
                    cdsJerry @SteveITS
                    last edited by cdsJerry

                    @SteveITS Do I just start deleting all those 64 sets of pass rules it created? Since they are duplicates of each other do I have any risk that it would delete all the rules that have the same name? Is there a way to delete multiple rules at the same time? Each time I hit delete it has to reload the page which takes several minutes. Actually I'm still waiting for it to reload the page after deleting the first rule and hitting apply changes. It's just spinning. Every now and then I get a message saying the page is taking a while and asking if I want to wait.

                    It's been 12 min. at this point and it's still trying to load the Firewall / Rules / WAN page. If I try to scroll down the page it shows me the first set of rules duplicated 3 times but after that it just shows empty lines. The elevator box indicates that the page is very long however it fails to ever load any further.

                    I think I need to figure that out before I start adding another rule.

                    • S
                      SteveITS Galactic Empire @cdsJerry
                      last edited by

                      @cdsJerry Have never seen that. Alias Native doesn't create any rules. If you save a backup (a good idea anyway) I think there are some rule identifiers in the XML file. There are numbers that show if you hover over the green checkmark icon or the States column link.

                      You could manually delete duplicates in the backup file and restore it.

                      • cdsJerryC
                        cdsJerry @SteveITS
                        last edited by cdsJerry

                        @SteveITS @johnpoz The page finally loaded. It now shows 128 sets of every rule so my attempt to delete one of the duplicates instead caused it to double every rule in the already massive rule list. If it's going to do this, how can I possibly delete the rules? Every time I delete a rule it reloads the page which takes about 12 min.... for every rule. And I'm not even sure it's deleting the rule yet. There's no way this is working.

                        I restored my rules list from a backup file. That seems to have put me back where I started. I then did everything I learned above and this time it didn't start multiplying my rule set. I think it might finally be right. WHEW!!! I was pretty scared there for a bit.

                        Screenshot 2024-03-28 175023.png

                        • S
                          SteveITS Galactic Empire @cdsJerry
                          last edited by

                          @cdsJerry Yeah very odd.

                          re: hover, sorry if I wasn't clear, Firefox shows the URL for a link at the bottom of the page:

                          https://FQDN/firewall_rules.php?if=wan&act=toggle&id=13
                          or the States column (same rule):
                          https://FQDN/diag_dump_states.php?ruleid=122,123

                          re: long load times, the page actually loads all the IPs into the title tag of the alias link so it will show on hover....can take a very long time to load a page of large aliases.

                          • cdsJerryC
                            cdsJerry @SteveITS
                            last edited by cdsJerry

                            @SteveITS @johnpoz Update: After waiting an hour the firewall still hasn't rebooted. I cycled the power and waited another 10 min. but it's still not responding. I can't get to the GUI at all. I connected the cable to the terminal but PuTTY won't connect. I've double checked my COM port, speed, parity etc. but there's nothing.

                            Logged on this morning just to double check and make sure it's all working the way I expected. I had a crash report that looks like it's related to pfb and not the changes we were making. All the GUI pages are loading very slowly and I can't get the Rules page to load at all. The dashboard says I'm using 35% of the memory but all the errors I see are memory exhausted errors. I see an entry in the CRON log file that just repeats itself over and over and over.

                            I'd like to think this problem is unrelated, but since it started when we made the changes above it seems like it must be related. Currently it's stuck running a CRON update and I can't get any page to load nor can I even reboot the system.

                            ===[  IPv4 Process  ]=================================================
                            
                            [ US_v4 ]			 exists.
                            [ US_rep_v4 ]			 exists.
                            Fatal error: Allowed memory size of 134217728 bytes exhausted (tried to allocate 14680312 bytes) in /etc/inc/xmlparse.inc on line 268
                            PHP ERROR: Type: 1, File: /etc/inc/xmlparse.inc, Line: 268, Message: Allowed memory size of 134217728 bytes exhausted (tried to allocate 14680312 bytes) CRON  PROCESS  START [ v3.2.0_7 ] [ 03/29/24 08:00:28 ]
                             UPDATE PROCESS START [ v3.2.0_7 ] [ 03/29/24 08:00:44 ]
                            
                            ===[  DNSBL Process  ]================================================
                            
                            
                            ===[  GeoIP Process  ]============================================
                            
                            [ pfB_Top_v4 ]			 exists. [ 03/29/24 08:03:10 ]
                            [ pfB_Africa_v4 ]		 exists. [ 03/29/24 08:03:11 ]
                            [ pfB_Europe_v4 ]		 exists. [ 03/29/24 08:03:12 ]
                            [ pfB_NAmerica_v4 ]		 exists.
                            [ pfB_Oceania_v4 ]		 exists. [ 03/29/24 08:03:13 ]
                            [ pfB_SAmerica_v4 ]		 exists.
                            
                            ===[  IPv4 Process  ]=================================================
                            
                            There were error(s) loading the rules: /tmp/rules.debug:63: cannot define table pfB_Top_v4: Cannot allocate memory - The line in question reads [63]: table <pfB_Top_v4> persist file "/var/db/aliastables/pfB_Top_v4.txt"
                            @ 2024-03-29 01:01:22
                            
                            Fatal error: Allowed memory size of 134217728 bytes exhausted (tried to allocate 14680312 bytes) in /etc/inc/xmlparse.inc on line 268
                            PHP ERROR: Type: 1, File: /etc/inc/xmlparse.inc, Line: 268, Message: Allowed memory size of 134217728 bytes exhausted (tried to allocate 14680312 bytes)
                            
                            Crash report begins.  Anonymous machine information:
                            
                            arm
                            14.0-CURRENT
                            FreeBSD 14.0-CURRENT armv7 1400094 #1 plus-RELENG_23_09_1-n256200-3de1e293f3a: Wed Dec  6 20:55:45 UTC 2023     root@freebsd:/var/jenkins/workspace/pfSense-Plus-snapshots-23_09_1-main/obj/armv7/XXxrkrip/var/jenkins/workspace/pfSense-Plus-snapshots-23_09_1
                            
                            Crash report details:
                            
                            PHP Errors:
                            [29-Mar-2024 02:01:19 America/New_York] PHP Fatal error:  Allowed memory size of 134217728 bytes exhausted (tried to allocate 12307440 bytes) in /etc/inc/crypt.inc on line 76
                            [29-Mar-2024 03:01:56 America/New_York] PHP Fatal error:  Allowed memory size of 134217728 bytes exhausted (tried to allocate 14680312 bytes) in /etc/inc/xmlparse.inc on line 268
                            [29-Mar-2024 06:01:59 America/New_York] PHP Fatal error:  Allowed memory size of 134217728 bytes exhausted (tried to allocate 14680312 bytes) in /etc/inc/xmlparse.inc on line 268
                            [29-Mar-2024 07:01:58 America/New_York] PHP Fatal error:  Allowed memory size of 134217728 bytes exhausted (tried to allocate 14680312 bytes) in /etc/inc/xmlparse.inc on line 268
                            [29-Mar-2024 08:04:14 America/New_York] PHP Fatal error:  Allowed memory size of 134217728 bytes exhausted (tried to allocate 14680312 bytes) in /etc/inc/xmlparse.inc on line 268
                            
                            
                            
                            No FreeBSD crash data found.
                            
                            • S
                              SteveITS Galactic Empire @cdsJerry
                              last edited by

                              @cdsJerry How much RAM is in the device? IIRC 128 MB is the PHP memory limit if the device is either <= 1 GB RAM or maybe < 4 GB, I don't recall.

                              PHP has a limit and of course the hardware RAM is a limit. The PHP limit is set in System/Advanced/Miscellaneous.

                              Large pfBlocker lists will of course exhaust the PHP limit loading in the list. Perhaps if it is repeatedly trying and crashing that is your issue?

                              If you are using "pfB_Top_v4" to "block the world" it is normally much better to "allow by country" instead as it will use far less memory.

                              • cdsJerryC
                                cdsJerry @SteveITS
                                last edited by

                                @SteveITS I've been able to get an old pfSense system up and running so the servers are back online so the panic is over. Of course it's running an old rule set so it's less than ideal.

                                The unit that we've been working on is a Netgate appliance SG-3100-US. I don't know how much RAM is in it and as I'm not able to access it in any way, I can't look.

                                When I try to connect via the GUI it won't load the page at all. It doesn't answer pings. I can't connect via the serial cable either. PuTTY just "dings" when I try to open the connection. In short, I have no way to access the firewall at the current time. I have cycled the power twice. The lights on the front of the device look normal. The light on the far right is slowly pulsing blue. Any suggestions?

                                • S
                                  SteveITS Galactic Empire @cdsJerry
                                  last edited by

                                  @cdsJerry The 3100 has 2 GB RAM. It's a 32 bit CPU. FYI as such it just hit EOL per their blog post last October-ish.
                                  https://docs.netgate.com/pfsense/en/latest/releases/24-03.html#hardware-specific-notes

                                  The blue pulse is normal/booted. https://docs.netgate.com/pfsense/en/latest/solutions/sg-3100/io-ports.html#led-patterns

                                  Not sure why the console wouldn't be working, try a different cable?
                                  https://docs.netgate.com/pfsense/en/latest/solutions/sg-3100/connect-to-console.html
                                  It should at least show the boot process.
                                  https://docs.netgate.com/pfsense/en/latest/troubleshooting/connect-to-gui.html

                                  • cdsJerryC
                                    cdsJerry @SteveITS
                                    last edited by

                                    @SteveITS
                                    That's the weird little cable that isn't like any other cable. I've always just left it connected to the firewall so the connection wouldn't be worn and the cable wouldn't get any wires broken. I'm connecting with a different computer than usual; the other one died. This machine is Windows 11 Pro. But I have the bridge installed. The firewall does show in Device Manager and I'm getting the right port. I really doubt it's the cable. PuTTY just dings as soon as I hit "Open". Shouldn't it take some time as it's trying to connect?

                                    • cdsJerryC
                                      cdsJerry @cdsJerry
                                      last edited by

                                      @SteveITS @johnpoz I was able to access the terminal using a program other than PuTTY so I'm in. I get the menu but then a bit later it crashes with the memory error again. But now that I'm in, what do I need to do? I tried selecting 15 to load a previous configuration but I never get any additional prompts. It crashes with the memory error. I also tried 13 but again, no prompts before it crashes with the memory error. What steps do I need to take to restore it to a backup that doesn't crash?

                                      • S
                                        SteveITS Galactic Empire @cdsJerry
                                        last edited by

                                        @cdsJerry If your rules are repeated as you say maybe the config file itself is over 128 MB? Look in /cf/conf .

                                        There is a command line history if it hasn't been overwritten.
                                        https://docs.netgate.com/pfsense/en/latest/backup/restore.html#console-configuration-history

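A way to do what Steve suggests in the two posts above (check whether the backup is anywhere near the 128 MB PHP limit, then strip the repeated rules from the XML before restoring it), as an added example and not code from the thread, from pfSense or from pfBlockerNG: the script parses a config.xml backup, compares its size with the 134217728-byte limit from the crash log, and keeps only the first copy of each repeated rule. It assumes the layout pfSense uses for backups (a <pfsense> root whose <filter> section holds one <rule> per firewall rule, each with a <tracker> id); the embedded sample document is constructed.

```python
"""Check a pfSense config.xml backup for repeated firewall rules and strip them.

Added example, not pfSense or pfBlockerNG code. Assumes the backup layout
pfSense uses: a <pfsense> root whose <filter> section holds one <rule>
element per firewall rule, each with a <tracker> id. SAMPLE_CONFIG below
is constructed for this example.
"""
import copy
import sys
import xml.etree.ElementTree as ET

# The PHP memory limit quoted in the crash log earlier in the thread.
PHP_MEMORY_LIMIT = 134217728

# Constructed sample: one WAN pass rule repeated three times under different
# tracker ids, one WAN block rule, and one LAN rule.
SAMPLE_CONFIG = b"""<?xml version="1.0"?>
<pfsense>
  <filter>
    <rule><tracker>1001</tracker><type>pass</type><interface>wan</interface>
      <source><any/></source>
      <destination><address>10.0.0.5</address><port>443</port></destination>
      <descr>Web server</descr></rule>
    <rule><tracker>1002</tracker><type>pass</type><interface>wan</interface>
      <source><any/></source>
      <destination><address>10.0.0.5</address><port>443</port></destination>
      <descr>Web server</descr></rule>
    <rule><tracker>1003</tracker><type>block</type><interface>wan</interface>
      <source><address>pfB_Top_v4</address></source><destination><any/></destination>
      <descr>Block pfB_Top_v4</descr></rule>
    <rule><tracker>1004</tracker><type>pass</type><interface>wan</interface>
      <source><any/></source>
      <destination><address>10.0.0.5</address><port>443</port></destination>
      <descr>Web server</descr></rule>
    <rule><tracker>2001</tracker><type>pass</type><interface>lan</interface>
      <source><network>lan</network></source><destination><any/></destination>
      <descr>Default allow LAN</descr></rule>
  </filter>
</pfsense>
"""


def _canonical(el):
    """Order-preserving tuple form of an element, ignoring layout whitespace."""
    return (el.tag, (el.text or "").strip(), tuple(_canonical(c) for c in el))


def rule_fingerprint(rule):
    """Canonical form of a rule minus the fields that differ between copies."""
    clone = copy.deepcopy(rule)
    for tag in ("tracker", "created", "updated"):
        for el in clone.findall(tag):
            clone.remove(el)
    return _canonical(clone)


def dedupe_rules(xml_bytes):
    """Return (cleaned XML bytes, report). The first copy of each rule stays in
    place, so the relative order of the surviving rules does not change."""
    root = ET.fromstring(xml_bytes)
    filt = root.find("filter")
    if filt is None:
        raise ValueError("no <filter> section; not a pfSense config backup?")
    seen, removed, kept = set(), [], {}
    for rule in list(filt.findall("rule")):
        fp = rule_fingerprint(rule)
        if fp in seen:
            removed.append(rule.findtext("tracker"))
            filt.remove(rule)
            continue
        seen.add(fp)
        iface = rule.findtext("interface") or "floating"  # assumption: no <interface> = floating
        kept[iface] = kept.get(iface, 0) + 1
    report = {
        "size_bytes": len(xml_bytes),
        "over_php_limit": len(xml_bytes) > PHP_MEMORY_LIMIT,
        "rules_removed": removed,  # tracker ids of the dropped copies
        "rules_kept": kept,        # surviving rules per interface
    }
    return ET.tostring(root, encoding="utf-8", xml_declaration=True), report


if __name__ == "__main__":
    # Usage: python dedupe_rules.py config-backup.xml  (writes <name>.deduped.xml)
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as f:
            data = f.read()
    else:
        data = SAMPLE_CONFIG
    cleaned, report = dedupe_rules(data)
    print(report)
    if len(sys.argv) > 1:
        with open(sys.argv[1] + ".deduped.xml", "wb") as f:
            f.write(cleaned)
```

Restore the deduplicated file through Diagnostics / Backup & Restore (or the console restore option) only after checking the report, since a rule that legitimately appears twice with different tracker ids would also be collapsed.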
                                        • cdsJerryC
                                          cdsJerry @SteveITS
                                          last edited by

                                          @SteveITS We deleted the repeating rules problem and restored to an earlier version of the rules. The memory problem now seems related to a line somewhere in pfb.

                                          Since it's loading pfsense then crashing how do I even get into it to see what's in the /cf/conf? I'm not very good at Linux and since it's crashing all the time I have even less chance. I'm not at a #line but rather the pfSense menu... then crash.

                                          • S
                                            SteveITS Galactic Empire @cdsJerry
                                            last edited by

                                            @cdsJerry if you use the option for shell, then:

                                            ls -l /cf/conf

                                            ...will show the directory. "exit" will exit back to the menu.

                                            ls = list (directory)
                                            -l = long/verbose

                                            One option is to use the menu option to restore to factory defaults, then restore from a good backup.

                                            A more involved one is to reinstall from USB stick (https://docs.netgate.com/pfsense/en/latest/solutions/sg-3100/reinstall-pfsense.html) and restore from backup.

                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.