Netgate Discussion Forum
    Can you force a rule to apply before floating rules and hold it's position?

    Firewalling | 70 Posts, 4 Posters, 10.1k Views
    • S
      SteveITS Galactic Empire @cdsJerry
      last edited by

      @cdsJerry said in Can you force a rule to apply before floating rules and hold it's position?:

      Unbound.conf file missing

      Man, you are having a tough week! Google has only ONE result for that...the source code.
      https://github.com/pfsense/FreeBSD-ports/blob/devel/net/pfSense-pkg-pfBlockerNG/files/usr/local/pkg/pfblockerng/pfblockerng.inc

      if (file_exists("{$pfb['dnsbldir']}/unbound.conf")) {
      ...
      }
      else {
      	pfb_logger("\n\n*** [ Unbound.conf file missing. Exiting! ] ***\n\n", 1);
      }
      

      Disable DNSBL? Enable DNSBL? 🤷

      Pre-2.7.2/23.09: Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
      When upgrading, allow 10-15 minutes to restart, or more depending on packages and device speed.
      Upvote 👍 helpful posts!

      • cdsJerryC
        cdsJerry @SteveITS
        last edited by cdsJerry

        @SteveITS You don't know the half of it. I lost a key employee this week. I lost my wedding band last night while killing a groundhog that was under my porch. My notebook computer died over the weekend. And my mother-in-law is moving up from Florida because my wife and I are going to need to take care of her now.

        And then there's this firewall..... Which as you know was a clean install this morning and here I am beating my head on it again.

        Yes... this week has sucked pretty bad so far.

        Is this what's preventing the alias from being created?


        There were error(s) loading the rules: /tmp/rules.debug:53: cannot define table pfB_Europe_v4: Cannot allocate memory - The line in question reads [53]: table <pfB_Europe_v4> persist file "/var/db/aliastables/pfB_Europe_v4.txt"
        @ 2024-04-02 15:20:20


        • S
          SteveITS Galactic Empire @cdsJerry
          last edited by

          Yikes, I hope it gets better.

          @cdsJerry said in Can you force a rule to apply before floating rules and hold it's position?:

          Cannot allocate memory

          So either pfSense is out of memory or PHP is out of memory. Probably the latter since I think the limit is 128 MB on ARM? Usually that's not an issue until loading in files over that size because PHP has to allocate the memory to read in the file.

          System/Advanced/Miscellaneous has a PHP Settings section with a memory limit.

          Also check System/Advanced/Firewall & NAT that Firewall Maximum Table Entries is minimum 2 million when using pfBlocker, and raise as necessary.

          Depending on what you're doing with pfB_Europe_v4, it is usually way more efficient to "allow my country" than "block the world" because the latter uses lots more RAM/table entry space.

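          Steve's two limits above (PHP memory and Firewall Maximum Table Entries) are worth checking against what pfBlockerNG actually writes out, because every non-comment line in a /var/db/aliastables/*.txt file becomes one pf table entry. The following is an added example, not code from this thread or from the pfBlockerNG package: it counts the entries in a directory of alias-table files and compares the total with the configured limit. The sample tables it builds in a temporary directory are constructed (TEST-NET ranges), and the function names are assumptions; on a real box you would point it at /var/db/aliastables and take the limit from System/Advanced/Firewall & NAT (pfctl -sm shows the live "table-entries" limit).

```python
import pathlib
import tempfile

# Constructed sample alias tables (not real pfBlockerNG output). On pfSense the
# real files live in /var/db/aliastables/<aliasname>.txt, one address or CIDR per line.
SAMPLE_TABLES = {
    "pfB_Europe_v4": ["# constructed sample", "192.0.2.0/24",
                      "198.51.100.0/25", "198.51.100.128/25", ""],
    "pfB_Top_Spammers_v4": ["203.0.113.0/24", "# comment line", "203.0.113.9"],
}


def write_sample_tables(directory):
    """Write the constructed sample tables so the example runs offline."""
    for name, lines in SAMPLE_TABLES.items():
        pathlib.Path(directory, name + ".txt").write_text("\n".join(lines) + "\n")


def count_table_entries(path):
    """Count pf table entries in one alias-table file.

    Each non-blank, non-comment line (a single address or a CIDR block) is
    loaded by pf as exactly one table entry, so the line count is the cost
    of that table against Firewall Maximum Table Entries.
    """
    entries = 0
    for line in pathlib.Path(path).read_text().splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            entries += 1
    return entries


def check_table_budget(alias_dir, max_table_entries):
    """Sum the entries of every *.txt table in alias_dir against the configured limit."""
    sizes = {p.stem: count_table_entries(p)
             for p in sorted(pathlib.Path(alias_dir).glob("*.txt"))}
    total = sum(sizes.values())
    return {
        "tables": sizes,
        "total": total,
        "limit": max_table_entries,
        "fits": total <= max_table_entries,
    }


def demo(max_table_entries=400000):
    """Build the constructed tables in a temp dir and run the budget check."""
    with tempfile.TemporaryDirectory() as tmp:
        write_sample_tables(tmp)
        return check_table_budget(tmp, max_table_entries)


if __name__ == "__main__":
    report = demo()
    for name, size in report["tables"].items():
        print(f"{name}: {size} entries")
    print(f"total {report['total']} of {report['limit']} -> "
          f"{'OK' if report['fits'] else 'OVER LIMIT: raise Firewall Maximum Table Entries'}")
```

If the total is anywhere near the limit, a "Cannot allocate memory" from pfctl while defining a table is the symptom to expect; raising the limit (Steve suggests 2,000,000 with pfBlockerNG) and reloading the filter is the fix. Remember that a whole-continent list costs far more entries than an allow-list of a few countries.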
          • cdsJerryC
            cdsJerry @SteveITS
            last edited by cdsJerry

            @SteveITS It's a better day already. I went out in the rain yesterday with my metal detector and was able to find my wedding ring in the hay field. I'd have never found it without the metal detector. My luck is improving. I'm going to go with that!

            On the PHP settings it looks like everything is at defaults. If I'm looking at this right, PHP memory is set to the default of 128? Could I set that to something higher?
            Screenshot 2024-04-03 120515.png

            On the system/advanced/firewall & NAT.. 2 million??? Mine is set to the default of 400,000. That's a huge difference. Would you confirm I should change it to 2 million?

            Screenshot 2024-04-03 121107.png

            I've always heard it's a bad practice to try to block the world. So many things come from outside countries for support, purchases, etc. it would be hard to know who to allow in. But maybe allowing 12 countries in would be better.. if we can figure out where our customers are actually working from? So much is outsourced it might be impossible to tell.

            • S
              SteveITS Galactic Empire @cdsJerry
              last edited by

              @cdsJerry Nice.

              I skimmed back above but didn't see, did you state your free memory? It shouldn't hurt to raise the PHP limit unless you actually run out of physical memory. So I guess I'd try 512, and see.

              Yes set it to 2000000. Each IP in an alias table uses one entry. Though IIRC pfSense logs an error about running out of table entries. I'd heard long ago to start there and raise if necessary, when using pfBlocker.

              • cdsJerryC
                cdsJerry @SteveITS
                last edited by

                @SteveITS said in Can you force a rule to apply before floating rules and hold it's position?:

                ur free memory?

                The Dashboard shows Memory usage of 11% of 2027 MiB

                • cdsJerryC
                  cdsJerry @SteveITS
                  last edited by

                  @SteveITS I increased the two memory settings and ran the CRON update in pfb but I'm still getting that config error message, and as a result, no alias from pfb to put into the firewall rules.


                  ** Restarting firewall filter daemon **
                  Saving configuration [ 04/2/24 15:34:50 ]
                  *** [ Unbound.conf file missing. Exiting! ] ***
                  ** Stopping firewall filter daemon **


                  • S
                    SteveITS Galactic Empire @cdsJerry
                    last edited by

                    @cdsJerry I think I would start a "Unbound.conf file missing. Exiting!" thread in the pfBlocker forum category.

                    I have these:
                    /: find . -name "unbound.conf"
                    ./var/unbound/unbound.conf
                    ./usr/local/etc/unbound/unbound.conf
                    ...plus two for strongswan. I wouldn't think either of those are in a directory $pfb['dnsbldir']. The second looks like it's an example file and all commented out.

                    • cdsJerryC
                      cdsJerry @cdsJerry
                      last edited by

                      @cdsJerry I decided to give it another shot. I re-installed the configs from before all this mess started. I made the two changes to memory we'd done this morning and then re-created the pfb alias. It said it created it successfully however it doesn't show up under aliases, but if I create a Firewall rule it does show up there, so I went into the rules and added the new rule with the pfbAlias, saved, applied. I still had all the pfb entries in the firewall/rules so I went back and unchecked the enable box in pfblocker and saved. When I went back to firewall/rules, the alias was gone and no longer shows up if I try to add a rule.

                      So I don't get it. If pfblocker is enabled I get both an alias and the firewall rules. If it's disabled I lose both. And the alias never shows up under firewall/Aliases even when that alias is visible in the Firewall/rules.

                      • S
                        SteveITS Galactic Empire @cdsJerry
                        last edited by

                        @cdsJerry pfB aliases are not "supposed" to show up in Firewall/Aliases, those are only manual aliases I guess. It shows in Diagnostics/Tables along with other internal aliases.

                        If you disable pfBlocker I would think that un-creates the aliases. Invalid aliases should alert...believe they show as text-not-links on the rules pages. I see it sometimes after an upgrade if I uninstall pfBlocker before upgrading pfSense (per the upgrade guide) and install it again after.

                        • cdsJerryC
                          cdsJerry @SteveITS
                          last edited by

                          @SteveITS Wow. So it's working. I'll delete the pfb rules in the firewall and just leave the alias and ... finished. What a long haul. THANK YOU so much for your help Steve.

                          • S
                            SteveITS Galactic Empire @cdsJerry
                            last edited by

                            @cdsJerry Nice. So the "Unbound.conf file missing" error is gone? Or maybe doesn't matter?

                            • cdsJerryC
                              cdsJerry @SteveITS
                              last edited by

                              @SteveITS I still see the "Unbound.conf file missing. Exiting" error when I look at the log during a CRON update but I guess it doesn't matter.

                              HOWEVER.... pfb is still putting its firewall rules on the rule set, at the top. I had deleted them but it put them back when it runs the CRON. There's still something wrong. I have both the alias and the pfb rules. I have to be close. Do I need to set the pfb update to Disabled and just let the Alias do the updates?

                              • S
                                SteveITS Galactic Empire @cdsJerry
                                last edited by

                                @cdsJerry In Firewall/pfBlockerNG/IP/IPv4 what is Action set to for your entries? If you only want the alias then it should be Alias Native there.

                                Disabled would not generate the alias or download the list.

                                • cdsJerryC
                                  cdsJerry @SteveITS
                                  last edited by cdsJerry

                                  @SteveITS it is set for Alias Native with a Frequency of 12 hours.
                                  BTW, it appears that it's now blocking a lot of valid traffic that it wasn't blocking before. For example the notice from this page was blocked. I only saw it after some of my vendors said their emails were bouncing back to them and I turned off pfBlocker. Once I turned it off I got a flood of emails so it's blocking a lot of traffic it never blocked before.

                                  I've had to disable it... the emails are still rolling in. At this point I'm afraid to turn it back on. It was blocking emails from all over the place including the USA. I don't understand why.

                                  • S
                                    SteveITS Galactic Empire @cdsJerry
                                    last edited by

                                    @cdsJerry Looking back above, the Top Spammers rules as I recall are just a poorly named entire-country list? Remove that one.

                                    Not sure why it would be creating rules if all are set Alias Native. Which rules are being created? There are ways to use the Geo tab I think and create deny rules on that page, for instance...

                                    • cdsJerryC
                                      cdsJerry @SteveITS
                                      last edited by

                                      @SteveITS That's what I was saying yesterday. If I have pfb enabled it's created both the alias AND the rules each time it updates.

                                      And... I don't know what's happening that those rules are now blocking a lot of traffic to the mail server which were never blocked before. If I turn off pfb the emails come rolling in. I hadn't changed any of the countries etc in pfb so why the change?

                                      It all seems so random. It never does what I expect it to do.

                                      • S
                                        SteveITS Galactic Empire @cdsJerry
                                        last edited by

                                        @cdsJerry If it's set to create the rules, it will also create the alias.

                                        However if it's set to Alias Native it should not create rules.

                                        Can you double check all four pfB tabs under IP are Alias Native?

                                        re: mail server, post your pfB and/or port 25 WAN rules?

                                        • cdsJerryC
                                          cdsJerry @SteveITS
                                          last edited by

                                          @SteveITS Under firewall/pfblocking/ip/ I don't have all four in use.
                                          IPV4 has only one item, it's set to Alias Native
                                          IPV6 Nothing defined
                                          GeoIP has a list but there are no aliases?
                                          Reputation - nothing entered.
                                          Screenshot 2024-04-04 164928.png

                                          And under reputation
                                          Screenshot 2024-04-04 165045.png

                                          The mail port rule is pretty straightforward and hasn't been changed in ages.
                                          Screenshot 2024-04-04 165416.png

                                          Screenshot 2024-04-04 165906.png

                                          • S
                                            SteveITS Galactic Empire @cdsJerry
                                            last edited by

                                            @cdsJerry All those Deny Inbound lines on the Geo tab will create rules. And if you receive mail from a server there it would be blocked.

                                            You can change those to Alias Native, or else on the IPv4 tab create them yourself using country codes:
                                            b920d159-f955-472c-a653-9ac94ea65e51-image.png

                                            and:
                                            51980473-fda0-44fe-a2da-4de8cbb2498f-image.png

                                            I can't find a post in a quick search but as I mentioned above I think I've read here that Top Spammers is just a list of entire countries and nothing to do with actual spam. Disable that and see if your mail flows better.

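When a Deny Inbound entry on the Geo tab (or a broadly named list such as Top Spammers) starts bouncing legitimate mail, the useful question is "which pfBlockerNG table contains that sender's address?", which Diagnostics/Tables answers one table at a time. The following is an added example, not code from this thread or from pfBlockerNG: it loads every pfB_*.txt alias table from a directory and reports which tables and which CIDR blocks cover a given peer address. The sample tables and the addresses are constructed (documentation ranges), and the function names are assumptions; on a real box you would point it at /var/db/aliastables and feed it the source address of the blocked SMTP connection from the firewall log.

```python
import ipaddress
import pathlib
import tempfile

# Constructed sample tables (documentation ranges, not real country data).
# Real files: /var/db/aliastables/<aliasname>.txt, one address or CIDR per line.
SAMPLE_TABLES = {
    "pfB_Europe_v4": ["# constructed sample table", "192.0.2.0/24", "198.51.100.0/24"],
    "pfB_Top_Spammers_v4": ["203.0.113.0/24", "198.51.100.64/26"],
}


def write_sample_tables(directory):
    """Write the constructed sample tables so the example runs offline."""
    for name, lines in SAMPLE_TABLES.items():
        pathlib.Path(directory, name + ".txt").write_text("\n".join(lines) + "\n")


def load_table(path):
    """Parse one alias-table file into ip_network objects, ignoring comments and blanks."""
    networks = []
    for line in pathlib.Path(path).read_text().splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            # strict=False accepts host bits set, e.g. a bare address without a prefix
            networks.append(ipaddress.ip_network(line, strict=False))
    return networks


def tables_matching(alias_dir, address):
    """Return {table_name: [matching CIDRs]} for every pfB table that covers address."""
    ip = ipaddress.ip_address(address)
    hits = {}
    for table_file in sorted(pathlib.Path(alias_dir).glob("pfB_*.txt")):
        matched = [str(net) for net in load_table(table_file)
                   if net.version == ip.version and ip in net]
        if matched:
            hits[table_file.stem] = matched
    return hits


def explain_sender(address):
    """Build the constructed tables in a temp dir and look up one sender address."""
    with tempfile.TemporaryDirectory() as tmp:
        write_sample_tables(tmp)
        return tables_matching(tmp, address)


if __name__ == "__main__":
    for sender in ("203.0.113.25", "198.51.100.70", "100.64.0.1"):
        hits = explain_sender(sender)
        if hits:
            print(f"{sender} is blocked by: " +
                  ", ".join(f"{name} ({', '.join(nets)})" for name, nets in hits.items()))
        else:
            print(f"{sender} is not in any pfB table")
```

A sender that shows up only under a Geo or Top Spammers table confirms Steve's diagnosis: switching those entries to Alias Native (so no Deny Inbound rule is generated) or removing the list restores mail without touching the port 25 WAN rule itself.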
                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.