pfBlockerNG-devel 3.2.8 service pfb_dnsbl don't start
-
Hello everyone,
I just installed pfBlockerNG. I used the wizard to configure the interfaces. Everything seems to go well, but when I check the status of my services, the pfBlockerNG-devel service won’t start, even when I try to launch it manually.

UPDATE PROCESS ENDED [ 08/5/25 15:00:12 ]

CRON PROCESS START [ v3.2.8 ] [ 08/5/25 16:00:00 ]

[ Abuse_Feodo_C2_v4 ]
Remote timestamp: Tue, 5 Aug 2025 13:55:03 GMT
Local timestamp: Tue, 5 Aug 2025 12:55:03 GMT
Update found

[ Abuse_SSLBL_v4 ]
Remote timestamp: Fri, 3 Jan 2025 11:40:41 GMT
Local timestamp: Fri, 3 Jan 2025 11:40:41 GMT
Update not required

[ CINS_army_v4 ]
Remote timestamp: Tue, 5 Aug 2025 11:49:59 GMT
Local timestamp: Tue, 5 Aug 2025 11:49:59 GMT
Update not required

[ ET_Block_v4 ] [ 08/5/25 16:00:01 ]
Remote timestamp: Mon, 4 Aug 2025 04:30:02 GMT
Local timestamp: Mon, 4 Aug 2025 04:30:02 GMT
Update not required

[ ET_Comp_v4 ] [ 08/5/25 16:00:03 ]
Remote timestamp: Mon, 4 Aug 2025 22:36:09 GMT
Local timestamp: Mon, 4 Aug 2025 22:36:09 GMT
Update not required

[ ISC_Block_v4 ] [ 08/5/25 16:00:08 ]
Remote timestamp: Tue, 5 Aug 2025 13:45:05 GMT
Local timestamp: Tue, 5 Aug 2025 12:00:06 GMT
Update found

[ Spamhaus_Drop_v4 ] [ 08/5/25 16:00:11 ]
Remote timestamp: Tue, 5 Aug 2025 10:59:32 GMT
Local timestamp: Tue, 5 Aug 2025 10:59:32 GMT
Update not required

[ Talos_BL_v4 ]
Update found

UPDATE PROCESS START [ v3.2.8 ] [ 08/5/25 16:00:12 ]

===[ DNSBL Process ]================================================
Loading DNSBL Statistics... completed
Loading DNSBL SafeSearch... disabled
Loading DNSBL Whitelist... completed

[ StevenBlack_ADs ] exists.

===[ GeoIP Process ]============================================

===[ IPv4 Process ]=================================================

[ Abuse_Feodo_C2_v4 ] Downloading update .. 200 OK. completed ..
Empty file, Adding '127.1.7.7' to avoid download failure.
------------------------------
Original Master Final
------------------------------
0 1 1 [ Pass ]
-----------------------------------------------------------------
[ Abuse_SSLBL_v4 ] exists.
[ CINS_army_v4 ] exists.
[ ET_Block_v4 ] exists.
[ ET_Comp_v4 ] exists.
[ ISC_Block_v4 ] Downloading update .. 200 OK. completed ..
------------------------------
Original Master Final
------------------------------
20 8 8 [ Pass ]
-----------------------------------------------------------------
[ Spamhaus_Drop_v4 ] exists. [ 08/5/25 16:00:13 ]
[ Talos_BL_v4 ] Downloading update .. 403 Forbidden
[ pfB_PRI1_v4 - Talos_BL_v4 ] Download FAIL
DNSBL, Firewall, and IDS (Legacy mode only) are not blocking download.
The Following List has been REMOVED [ Talos_BL_v4 ]

===[ Aliastables / Rules ]==========================================
No changes to Firewall rules, skipping Filter Reload
Updating: pfB_PRI1_v4 no changes.

===[ FINAL Processing ]=====================================
[ Original IP count ] [ 18651 ]
[ Final IP Count ] [ 16446 ]

===[ Deny List IP Counts ]===========================
16447 total
14490 /var/db/pfblockerng/deny/CINS_army_v4.txt
1613 /var/db/pfblockerng/deny/ET_Block_v4.txt
325 /var/db/pfblockerng/deny/ET_Comp_v4.txt
9 /var/db/pfblockerng/deny/Spamhaus_Drop_v4.txt
8 /var/db/pfblockerng/deny/ISC_Block_v4.txt
1 /var/db/pfblockerng/deny/Abuse_SSLBL_v4.txt
1 /var/db/pfblockerng/deny/Abuse_Feodo_C2_v4.txt

====================[ Empty Lists w/127.1.7.7 ]==================
Abuse_Feodo_C2_v4.txt
Abuse_SSLBL_v4.txt

===[ DNSBL Domain/IP Counts ] ===================================
227972 /var/db/pfblockerng/dnsbl/StevenBlack_ADs.txt

====================[ IPv4/6 Last Updated List Summary ]==============
Jan 3 2025 Abuse_SSLBL_v4
Aug 4 06:30 ET_Block_v4
Aug 5 00:36 ET_Comp_v4
Aug 5 12:59 Spamhaus_Drop_v4
Aug 5 13:49 CINS_army_v4
Aug 5 15:00 ISC_Block_v4
Aug 5 15:55 Abuse_Feodo_C2_v4

====================[ DNSBL Last Updated List Summary ]==============
Aug 5 13:09 StevenBlack_ADs

===============================================================
Database Sanity check [ FAILED ] ** These two counts should match! **
------------
Masterfile Count [ 16446 ]
Deny folder Count [ 16445 ]

Duplication sanity check (Pass=No IPs reported)
------------------------
Masterfile/Deny folder uniq check
Deny folder/Masterfile uniq check

Sync check (Pass=No IPs reported)
----------

Alias table IP Counts
-----------------------------
16447 /var/db/aliastables/pfB_PRI1_v4.txt

pfSense Table Stats
-------------------
table-entries hard limit 400000
Table Usage Count 171866

UPDATE PROCESS ENDED [ 08/5/25 16:00:14 ]
Thanks for your help!
-
@jeremyc311 said in pfBlockerNG-devel 3.2.8 service pfb_dnsbl don't start:
===[ DNSBL Process ]================================================
Loading DNSBL Statistics... completed
Loading DNSBL SafeSearch... disabled
Loading DNSBL Whitelist... completed
... and the rest is "IP" stuff, not DNSBL.
Do you have DNSBL lists ?
I mean, if you have none, the "pfb_dnsbl - pfBlockerNG DNSBL service" doesn't need to run.
@jeremyc311 said in pfBlockerNG-devel 3.2.8 service pfb_dnsbl don't start:
[ Talos_BL_v4 ] Downloading update .. 403 Forbidden
Better put this one on hold for now - or contact the guy who hosts the file and ask him to repair the situation ^^
@jeremyc311 said in pfBlockerNG-devel 3.2.8 service pfb_dnsbl don't start:
Masterfile Count [ 16446 ]
Deny folder Count [ 16445 ]
Euh ..... one is AWOL. Not sure what to say: disable your lists one by one, and when things start to work again you'll know which one to disable.
-
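The "Database Sanity check" block in the log compares two numbers that pfBlockerNG derives from different places: the de-duplicated masterfile and the de-duplicated union of the per-list files in the deny folder. The script below is an added example (it is not pfBlockerNG's own code and does not reproduce its internals) that rebuilds those numbers offline and, unlike the log, names the entries that sit on only one side, which is the information you need before disabling lists one by one. Assumptions: each deny file under /var/db/pfblockerng/deny/ (a path the log shows) holds one IPv4 address or CIDR per line, the masterfile is the union of those files, its path /var/db/pfblockerng/masterfile is my assumption, and the 127.1.7.7 placeholder is the one the log shows pfBlockerNG writing into empty lists. The sample deny folder and masterfile are constructed for the example.

```python
"""Rebuild pfBlockerNG's masterfile-vs-deny-folder sanity check and name the odd entries.

Added example, not pfBlockerNG's own code. File layout assumptions are described
in the lead-in; the sample data below is constructed, not taken from a live box.
"""
import ipaddress
from pathlib import Path

PLACEHOLDER = "127.1.7.7"  # what pfBlockerNG writes into an otherwise empty list (per the log)

# Constructed sample: three lists in the deny folder and a masterfile that has
# drifted by one entry, the shape of the FAILED check in the log above.
DENY_FILES = {
    "CINS_army_v4.txt": ["1.2.3.4", "5.6.7.0/24", "9.9.9.9", "10.20.30.40"],
    "ET_Block_v4.txt": ["9.9.9.9", "203.0.113.0/24"],   # 9.9.9.9 also appears in CINS
    "Abuse_Feodo_C2_v4.txt": [PLACEHOLDER],             # empty feed, placeholder only
}
MASTERFILE = ["1.2.3.4", "5.6.7.0/24", "9.9.9.9", "10.20.30.40", "203.0.113.0/24",
              PLACEHOLDER, "198.51.100.7"]              # 198.51.100.7 is in no deny file


def normalize(entry):
    """Canonical CIDR so '1.2.3.4' and '1.2.3.4/32' compare equal; blank and comment lines give None."""
    entry = entry.split("#", 1)[0].strip()
    if not entry:
        return None
    return str(ipaddress.ip_network(entry, strict=False))


def load(lines):
    return [n for n in (normalize(line) for line in lines) if n is not None]


def sanity_check(deny_files, masterfile):
    """Return the three counts the log prints plus the entries that explain any mismatch."""
    per_file = {name: load(lines) for name, lines in deny_files.items()}
    deny_total = sum(len(v) for v in per_file.values())   # "Deny List IP Counts ... total"
    deny_unique = set().union(*per_file.values())         # "Deny folder Count"
    master_unique = set(load(masterfile))                 # "Masterfile Count"

    # Which lists contributed each entry, so an entry present in two lists is visible.
    seen = {}
    for name, entries in per_file.items():
        for e in entries:
            seen.setdefault(e, []).append(name)
    shared = {e: files for e, files in seen.items() if len(files) > 1}

    return {
        "masterfile_count": len(master_unique),
        "deny_folder_count": len(deny_unique),
        "deny_total_lines": deny_total,
        "passed": master_unique == deny_unique,
        "only_in_master": sorted(master_unique - deny_unique),   # the "AWOL" side
        "only_in_deny": sorted(deny_unique - master_unique),
        "shared_between_lists": shared,
        "placeholder_only_lists": sorted(n for n, e in per_file.items()
                                         if e == [PLACEHOLDER + "/32"]),
    }


def check_from_disk(deny_dir="/var/db/pfblockerng/deny",
                    masterfile="/var/db/pfblockerng/masterfile"):
    """Same check against a live pfSense box (masterfile path is an assumption)."""
    files = {p.name: p.read_text().splitlines() for p in Path(deny_dir).glob("*.txt")}
    return sanity_check(files, Path(masterfile).read_text().splitlines())


if __name__ == "__main__":
    for key, value in sanity_check(DENY_FILES, MASTERFILE).items():
        print(f"{key}: {value}")
```

With the constructed data the check reports masterfile 7, deny folder 6 and 7 total lines, and names 198.51.100.7/32 as the entry present only in the masterfile; an entry listed in two feeds shows up under shared_between_lists, which is why the per-list total in the log can legitimately exceed the unique deny-folder count.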
@Gertjan said in pfBlockerNG-devel 3.2.8 service pfb_dnsbl don't start:
Masterfile Count [ 16446 ] Deny folder Count [ 16445 ]
This sanity check failure might be the issue as discussed here:
pfblockerNG Database Sanity check Failed
-
@anthonys
Thanks for your solution, I no longer have the error on the count. I still have the DNSBL service with the red cross. I’m simply trying to do GeoIP blocking, so I enabled GeoIP blocking for different continents. I’m surprised to see in my logs only one blocked IP, which is related to my TrueNAS.

Aug 5 09:01:14,1770008712,bxe1,LAN,block,4,17,UDP,192.168.2.13,116.147.64.181,51765,51413,out,Unk,pfB_PRI1_v4,116.146.0.0/15,ET_Block_v4,Unknown,truenasr740,null,+
Aug 5 13:23:26,1770008712,bxe1,LAN,block,4,17,UDP,192.168.2.13,177.72.195.114,51765,6881,out,BR,pfB_PRI1_v4,177.72.195.114,CINS_army_v4,Unknown,truenasr740,null,+
Aug 5 13:23:32,1770008712,bxe1,LAN,block,4,17,UDP,192.168.2.13,217.76.54.225,51765,51561,out,DE,pfB_PRI1_v4,217.76.54.225,CINS_army_v4,vmi1567930.contaboserver.net,truenasr740,null,+
Aug 5 13:34:02,1770008712,bxe1,LAN,block,4,17,UDP,192.168.2.13,102.212.41.5,51765,1721,out,NG,pfB_PRI1_v4,102.212.41.5,CINS_army_v4,Unknown,truenasr740,null,+
Aug 5 14:20:57,1770008712,bxe1,LAN,block,4,17,UDP,192.168.2.13,177.72.195.114,51765,6881,out,BR,pfB_PRI1_v4,177.72.195.114,CINS_army_v4,Unknown,truenasr740,null,+
Aug 5 14:21:02,1770008712,bxe1,LAN,block,4,17,UDP,192.168.2.13,217.76.54.225,51765,51561,out,DE,pfB_PRI1_v4,217.76.54.225,CINS_army_v4,vmi1567930.contaboserver.net,truenasr740,null,+
Aug 11 08:06:58,1770008712,bxe1,LAN,block,4,17,UDP,192.168.2.13,177.72.195.114,51765,6881,out,BR,pfB_PRI1_v4,177.72.195.114,CINS_army_v4,Unknown,truenasr740,null,+
I’m just starting out, so please be kind. Thank you.
-
@jeremyc311 said in pfBlockerNG-devel 3.2.8 service pfb_dnsbl don't start:
I’m surprised to see in my logs only one blocked IP, which is related to my TrueNAS
I'll decode this one :
@jeremyc311 said in pfBlockerNG-devel 3.2.8 service pfb_dnsbl don't start:
Aug 5 09:01:14,1770008712,bxe1,LAN,block,4,17,UDP,192.168.2.13,116.147.64.181,51765,51413,out,Unk,pfB_PRI1_v4,116.146.0.0/15,ET_Block_v4,Unknown,truenasr740,null,+
Traffic, coming into LAN, from a LAN device (192.168.2.13 = your TrueNAS) going to a Chinese ( 116.147.64.181 ) or Brazilian ( 177.72.195.114 = next line ) address, was blocked by the "pfB_PRI1_v4" list.
That's probably a good thing? ( ! ). Up to you to discover why your NAS should initiate connections to these countries. A NAS can go outside for maintenance purposes, for example to look for updates of its system. These could be located anywhere, of course.
The GeoIP IP created a rule for you.
How and where do you use this rule?
-
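Gertjan decodes one log line by hand above. The script below is an added example, not code from pfBlockerNG or from anyone in this thread, that applies the same reading to all seven lines the original poster pasted (used here as the sample input) and aggregates them per feed, per country and per LAN host, so repeated hits from one machine are not mistaken for a single blocked IP. Assumptions: the first thirteen columns are read the obvious way (timestamp, rule tracker id, interface, interface description, action, IP version, protocol number and name, source and destination IP and port, direction); the names I give the trailing columns (GeoIP code, alias, matched list entry, feed, reverse-DNS of the remote, LAN client hostname, then two columns I leave unnamed) follow how the thread decodes them and are not taken from pfBlockerNG's own log header. The cross-check that the blocked IP lies inside the matched list entry (116.147.64.181 inside 116.146.0.0/15, for instance) is mine.

```python
"""Decode pfBlockerNG IPv4 block-log lines and summarise them per host, feed and country.

Added example, not pfBlockerNG code. Column names after the 13th are assumptions
(see lead-in). SAMPLE_LOG is the seven lines posted in the thread, verbatim.
"""
import ipaddress
from collections import Counter
from dataclasses import dataclass

# Assumed column layout of one ip_block.log line (21 comma-separated fields).
COLUMNS = (
    "timestamp", "rule", "iface", "iface_descr", "action", "ip_version",
    "proto_num", "proto", "src_ip", "dst_ip", "src_port", "dst_port",
    "direction", "geoip", "alias", "matched_entry", "feed",
    "resolved", "client_hostname", "col20", "col21",
)

SAMPLE_LOG = """\
Aug 5 09:01:14,1770008712,bxe1,LAN,block,4,17,UDP,192.168.2.13,116.147.64.181,51765,51413,out,Unk,pfB_PRI1_v4,116.146.0.0/15,ET_Block_v4,Unknown,truenasr740,null,+
Aug 5 13:23:26,1770008712,bxe1,LAN,block,4,17,UDP,192.168.2.13,177.72.195.114,51765,6881,out,BR,pfB_PRI1_v4,177.72.195.114,CINS_army_v4,Unknown,truenasr740,null,+
Aug 5 13:23:32,1770008712,bxe1,LAN,block,4,17,UDP,192.168.2.13,217.76.54.225,51765,51561,out,DE,pfB_PRI1_v4,217.76.54.225,CINS_army_v4,vmi1567930.contaboserver.net,truenasr740,null,+
Aug 5 13:34:02,1770008712,bxe1,LAN,block,4,17,UDP,192.168.2.13,102.212.41.5,51765,1721,out,NG,pfB_PRI1_v4,102.212.41.5,CINS_army_v4,Unknown,truenasr740,null,+
Aug 5 14:20:57,1770008712,bxe1,LAN,block,4,17,UDP,192.168.2.13,177.72.195.114,51765,6881,out,BR,pfB_PRI1_v4,177.72.195.114,CINS_army_v4,Unknown,truenasr740,null,+
Aug 5 14:21:02,1770008712,bxe1,LAN,block,4,17,UDP,192.168.2.13,217.76.54.225,51765,51561,out,DE,pfB_PRI1_v4,217.76.54.225,CINS_army_v4,vmi1567930.contaboserver.net,truenasr740,null,+
Aug 11 08:06:58,1770008712,bxe1,LAN,block,4,17,UDP,192.168.2.13,177.72.195.114,51765,6881,out,BR,pfB_PRI1_v4,177.72.195.114,CINS_army_v4,Unknown,truenasr740,null,+
"""


@dataclass(frozen=True)
class BlockEvent:
    timestamp: str
    iface_descr: str
    proto: str
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    direction: str
    geoip: str
    alias: str
    matched_entry: str
    feed: str
    resolved: str
    client_hostname: str

    @property
    def blocked_ip(self):
        """The side that hit the list: destination for outbound traffic, source for inbound."""
        return self.dst_ip if self.direction == "out" else self.src_ip

    @property
    def entry_matches(self):
        """Cross-check that the blocked IP really falls inside the list entry the log names."""
        return ipaddress.ip_address(self.blocked_ip) in ipaddress.ip_network(
            self.matched_entry, strict=False)


def parse_line(line):
    fields = line.strip().split(",")
    if len(fields) != len(COLUMNS):
        raise ValueError(f"expected {len(COLUMNS)} fields, got {len(fields)}: {line!r}")
    rec = dict(zip(COLUMNS, fields))
    return BlockEvent(
        timestamp=rec["timestamp"], iface_descr=rec["iface_descr"], proto=rec["proto"],
        src_ip=rec["src_ip"], dst_ip=rec["dst_ip"],
        src_port=int(rec["src_port"]), dst_port=int(rec["dst_port"]),
        direction=rec["direction"], geoip=rec["geoip"], alias=rec["alias"],
        matched_entry=rec["matched_entry"], feed=rec["feed"],
        resolved=rec["resolved"], client_hostname=rec["client_hostname"],
    )


def parse_log(text):
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def describe(e):
    """Render one event the way the thread decodes it."""
    return (f"{e.timestamp}: {e.iface_descr} host {e.src_ip} ({e.client_hostname}) "
            f"{e.direction}bound {e.proto} to {e.dst_ip}:{e.dst_port} [{e.geoip}] "
            f"blocked by alias {e.alias}, entry {e.matched_entry} from feed {e.feed}, "
            f"rDNS {e.resolved}")


def summarize(events):
    """Aggregate so one chatty host is not read as 'only one blocked IP'."""
    return {
        "events": len(events),
        "distinct_blocked_ips": sorted({e.blocked_ip for e in events}),
        "per_feed": dict(Counter(e.feed for e in events)),
        "per_client": dict(Counter(e.client_hostname for e in events)),
        "per_country": dict(Counter(e.geoip for e in events)),
        "entry_mismatches": [e for e in events if not e.entry_matches],
    }


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    for ev in events:
        print(describe(ev))
    print(summarize(events))
```

On the posted lines this yields seven events from one LAN host (truenasr740) to four distinct remote addresses, one via ET_Block_v4 and six via CINS_army_v4, with every blocked IP inside the entry the log credits for the block; the destination ports (6881, 51413 and similar high UDP ports) are left for the reader to interpret.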
@Gertjan Hi Gertjan,
I am having similar problems, but I think mine have to do with HA. My switches always fight me when I do a new version of pfBlocker. So for me the problem has to do with CARP VIPs, or the VIP that pfBlocker configures.
Yes, my switches do multicasting.
Happens every time for me. I don't look forward to those updates.
On remote locations ... reboot the server, reboot the main downstream switch and finally ... it will work.
No need to reply. I'm just grumbling. I just don't like nursemaiding the equipment. I keep thinking that there must be a better way.
Roy
-
pfBlockerNG fights with switches?
Euh .... pfBlockerNG can (will ?!) create a:
and if this IP is already used by some other equipment then you have a choice to make.
Changing this 10.10.10.1 for something else, like 10.10.100.1, and the fight will be over.
Personally, I think this "DNSBL Webserver" usage is something that belongs to the past, as this web server was useful in the past, when everybody was using http:// web sites. That's not the case anymore. It's https:// these days. And https:// sites can be redirected to https://10.10.10.1 and show the user a page that the site he was about to visit was blocked. The browser would display a huge TLS (certificate) error leaving most users clueless.
I just 'null' block all DNSBL hosts and call it a day.
-
@Gertjan Hi Gertjan,
Yes at 11 last night I got it all going. I know what to do or at least to try.
I suspect the level two switches are keeping track of something. Yes, of course, the MAC, but the MAC is not changing. If it were ARP I would have a guess. There is, of course, that odd HA/CARP VRRP MAC that might be the problem. Dunno.
For some reason the pfBlocker VIP acts differently than the other CARP VIPs and pfb_dnsbl is tied to that. If that VIP is not working neither is pfb_dnsbl.
When the problem is present I can reproduce it by going into pfBlocker, General and then saving.
The VIP will fail and pfb_dnsbl will stop. I use this to check whether my solution works. It is when pfBlocker does its night-time run that the problem appears. The next day those VIPs are in a bad state and pfb_dnsbl stops. I bring them back online with the Firewall VIP menu option, entering said VIP as if I am going to edit it and then saving it. All is good until night again. No need to do any of this now that the problem is fixed.
The resolution was different depending on the switches downstream. Some of them totally surprised me.
I didn't always have to reset the switches; sometimes rebooting took care of the problem, making sure that the pfBlocker update was done and the VIP and pfBlocker were functioning. I usually used reroute in my reboot.
In one especially odd case, the problem was resolved by doing the update on both primary and secondary and rebooting. The downstream switch was a dumb switch. Usually I like to do the backup server first, assuming the pfBlocker VIP will talk to the primary. Apparently sometimes this isn't the case.
Thanks for listening.
I know you guys can't solve every problem, and that's ok. I am thankful anyway to have this forum.
Roy
-
@Gertjan
@Gertjan said in pfBlockerNG-devel 3.2.8 service pfb_dnsbl don't start:
think this "DNSBL Webserver" usage is something that belongs to the past, as this web server was useful in the past, when everybody was using http:// web sites.
Yes, you are right about the http web page. I don't really care if they can see the web page pfb_dnsbl offers or not. You gotta have it for pfb_dnsbl to work...
Roy