pfBlockerNG-devel 3.2.8 service pfb_dnsbl don't start

jeremyc311

Hello everyone,
I just installed pfBlockerNG. I used the wizard to configure the interfaces. Everything seems to go well, but when I check the status of my services, the pfBlockerNG-devel service won’t start, even when I try to launch it manually.

UPDATE PROCESS ENDED [ 08/5/25 15:00:12 ]
 CRON  PROCESS  START [ v3.2.8 ] [ 08/5/25 16:00:00 ]
[ Abuse_Feodo_C2_v4 ]
  Remote timestamp: Tue, 5 Aug 2025 13:55:03 GMT
  Local  timestamp: Tue, 5 Aug 2025 12:55:03 GMT	Update found
[ Abuse_SSLBL_v4 ]
  Remote timestamp: Fri, 3 Jan 2025 11:40:41 GMT
  Local  timestamp: Fri, 3 Jan 2025 11:40:41 GMT	Update not required
[ CINS_army_v4 ]
  Remote timestamp: Tue, 5 Aug 2025 11:49:59 GMT
  Local  timestamp: Tue, 5 Aug 2025 11:49:59 GMT	Update not required
[ ET_Block_v4 ] [ 08/5/25 16:00:01 ]
  Remote timestamp: Mon, 4 Aug 2025 04:30:02 GMT
  Local  timestamp: Mon, 4 Aug 2025 04:30:02 GMT	Update not required
[ ET_Comp_v4 ] [ 08/5/25 16:00:03 ]
  Remote timestamp: Mon, 4 Aug 2025 22:36:09 GMT
  Local  timestamp: Mon, 4 Aug 2025 22:36:09 GMT	Update not required
[ ISC_Block_v4 ] [ 08/5/25 16:00:08 ]
  Remote timestamp: Tue, 5 Aug 2025 13:45:05 GMT
  Local  timestamp: Tue, 5 Aug 2025 12:00:06 GMT	Update found
[ Spamhaus_Drop_v4 ] [ 08/5/25 16:00:11 ]
  Remote timestamp: Tue, 5 Aug 2025 10:59:32 GMT
  Local  timestamp: Tue, 5 Aug 2025 10:59:32 GMT	Update not required
[ Talos_BL_v4 ]
							Update found
 UPDATE PROCESS START [ v3.2.8 ] [ 08/5/25 16:00:12 ]

===[  DNSBL Process  ]================================================

 Loading DNSBL Statistics... completed
 Loading DNSBL SafeSearch... disabled
 Loading DNSBL Whitelist... completed

[ StevenBlack_ADs ]		 exists.

===[  GeoIP Process  ]============================================


===[  IPv4 Process  ]=================================================

[ Abuse_Feodo_C2_v4 ]		 Downloading update .. 200 OK. completed ..
  Empty file, Adding '127.1.7.7' to avoid download failure.
  ------------------------------
  Original Master     Final     
  ------------------------------
  0        1          1           [ Pass ] 
  -----------------------------------------------------------------

[ Abuse_SSLBL_v4 ]		 exists.
[ CINS_army_v4 ]		 exists.
[ ET_Block_v4 ]			 exists.
[ ET_Comp_v4 ]			 exists.
[ ISC_Block_v4 ]		 Downloading update .. 200 OK. completed ..
  ------------------------------
  Original Master     Final     
  ------------------------------
  20       8          8           [ Pass ] 
  -----------------------------------------------------------------

[ Spamhaus_Drop_v4 ]		 exists. [ 08/5/25 16:00:13 ]
[ Talos_BL_v4 ]			 Downloading update .. 403 Forbidden

 [ pfB_PRI1_v4 - Talos_BL_v4 ] Download FAIL
  DNSBL, Firewall, and IDS (Legacy mode only) are not blocking download.


The Following List has been REMOVED [ Talos_BL_v4 ]


===[  Aliastables / Rules  ]==========================================

No changes to Firewall rules, skipping Filter Reload

 Updating: pfB_PRI1_v4
no changes.

===[ FINAL Processing ]=====================================

   [ Original IP count   ]  [ 18651 ]

   [ Final IP Count  ]  [ 16446 ]


===[ Deny List IP Counts ]===========================

   16447 total
   14490 /var/db/pfblockerng/deny/CINS_army_v4.txt
    1613 /var/db/pfblockerng/deny/ET_Block_v4.txt
     325 /var/db/pfblockerng/deny/ET_Comp_v4.txt
       9 /var/db/pfblockerng/deny/Spamhaus_Drop_v4.txt
       8 /var/db/pfblockerng/deny/ISC_Block_v4.txt
       1 /var/db/pfblockerng/deny/Abuse_SSLBL_v4.txt
       1 /var/db/pfblockerng/deny/Abuse_Feodo_C2_v4.txt

====================[ Empty Lists w/127.1.7.7 ]==================

Abuse_Feodo_C2_v4.txt
Abuse_SSLBL_v4.txt

===[ DNSBL Domain/IP Counts ] ===================================

  227972 /var/db/pfblockerng/dnsbl/StevenBlack_ADs.txt

====================[ IPv4/6 Last Updated List Summary ]==============

Jan 3	2025	Abuse_SSLBL_v4
Aug 4	06:30	ET_Block_v4
Aug 5	00:36	ET_Comp_v4
Aug 5	12:59	Spamhaus_Drop_v4
Aug 5	13:49	CINS_army_v4
Aug 5	15:00	ISC_Block_v4
Aug 5	15:55	Abuse_Feodo_C2_v4

====================[ DNSBL Last Updated List Summary ]==============

Aug 5	13:09	StevenBlack_ADs
===============================================================

Database Sanity check [  FAILED  ] ** These two counts should match! **
------------
Masterfile Count    [ 16446 ]
Deny folder Count   [ 16445 ]

Duplication sanity check (Pass=No IPs reported)
------------------------
Masterfile/Deny folder uniq check
Deny folder/Masterfile uniq check

Sync check (Pass=No IPs reported)
----------

Alias table IP Counts
-----------------------------
   16447 /var/db/aliastables/pfB_PRI1_v4.txt

pfSense Table Stats
-------------------
table-entries hard limit   400000
Table Usage Count         171866

 UPDATE PROCESS ENDED [ 08/5/25 16:00:14 ]

Thks for your help !

Gertjan

@jeremyc311 said in pfBlockerNG-devel 3.2.8 service pfb_dnsbl don't start:

===[ DNSBL Process ]================================================

Loading DNSBL Statistics... completed
Loading DNSBL SafeSearch... disabled
Loading DNSBL Whitelist... completed

... and the rest is "IP" stuff , not DNSBL.
Do you have DNSBL lists ?
I mean, if you gave none, the "pfb_dnsbl - pfBlockerNG DNSBL service" doesn't need to run.

@jeremyc311 said in pfBlockerNG-devel 3.2.8 service pfb_dnsbl don't start:

[ Talos_BL_v4 ] Downloading update .. 403 Forbidden

Better put this one on a hold for now - or call the guy who host the file and ask him to repair the situation ^^

@jeremyc311 said in pfBlockerNG-devel 3.2.8 service pfb_dnsbl don't start:

Masterfile Count [ 16446 ]
Deny folder Count [ 16445 ]

Euh ..... one is awol. Not sure what to say : disable one by one your lists and when things start to work again, you'll know which one to disable.

anthonys

@Gertjan said in pfBlockerNG-devel 3.2.8 service pfb_dnsbl don't start:

Masterfile Count [ 16446 ]
Deny folder Count [ 16445 ]

This sanity check failure might be the issue as discussed here:
pfblockerNG Database Sanity check Failed

jeremyc311

@anthonys
thks for your solution ,I no longer have the error on the count. I still have the DNSBL service with the red cross. I’m simply trying to do GeoIP blocking, so I enabled GeoIP blocking for different continents. I’m surprised to see in my logs only one blocked IP, which is related to my TrueNAS.

Aug 5 09:01:14,1770008712,bxe1,LAN,block,4,17,UDP,192.168.2.13,116.147.64.181,51765,51413,out,Unk,pfB_PRI1_v4,116.146.0.0/15,ET_Block_v4,Unknown,truenasr740,null,+
Aug 5 13:23:26,1770008712,bxe1,LAN,block,4,17,UDP,192.168.2.13,177.72.195.114,51765,6881,out,BR,pfB_PRI1_v4,177.72.195.114,CINS_army_v4,Unknown,truenasr740,null,+
Aug 5 13:23:32,1770008712,bxe1,LAN,block,4,17,UDP,192.168.2.13,217.76.54.225,51765,51561,out,DE,pfB_PRI1_v4,217.76.54.225,CINS_army_v4,vmi1567930.contaboserver.net,truenasr740,null,+
Aug 5 13:34:02,1770008712,bxe1,LAN,block,4,17,UDP,192.168.2.13,102.212.41.5,51765,1721,out,NG,pfB_PRI1_v4,102.212.41.5,CINS_army_v4,Unknown,truenasr740,null,+
Aug 5 14:20:57,1770008712,bxe1,LAN,block,4,17,UDP,192.168.2.13,177.72.195.114,51765,6881,out,BR,pfB_PRI1_v4,177.72.195.114,CINS_army_v4,Unknown,truenasr740,null,+
Aug 5 14:21:02,1770008712,bxe1,LAN,block,4,17,UDP,192.168.2.13,217.76.54.225,51765,51561,out,DE,pfB_PRI1_v4,217.76.54.225,CINS_army_v4,vmi1567930.contaboserver.net,truenasr740,null,+
Aug 11 08:06:58,1770008712,bxe1,LAN,block,4,17,UDP,192.168.2.13,177.72.195.114,51765,6881,out,BR,pfB_PRI1_v4,177.72.195.114,CINS_army_v4,Unknown,truenasr740,null,+

I’m just starting out, so please be kind. Thank you.

Gertjan

@jeremyc311 said in pfBlockerNG-devel 3.2.8 service pfb_dnsbl don't start:

I’m surprised to see in my logs only one blocked IP, which is related to my TrueNAS

I'll decode this one :

@jeremyc311 said in pfBlockerNG-devel 3.2.8 service pfb_dnsbl don't start:

Aug 5 09:01:14,1770008712,bxe1,LAN,block,4,17,UDP,192.168.2.13,116.147.64.181,51765,51413,out,Unk,pfB_PRI1_v4,116.146.0.0/15,ET_Block_v4,Unknown,truenasr740,null,+

Traffic, coming into LAN, from a LAN device (192.168.2.13 = your TrueNAS) going to a Chinise ( 116.147.64.181 ) Brazilian ( 177.72.195.114 - = next line ) was blocked by the "pfB_PRI1_v4" list.
That's probably good thing ? ( ! ). Up to you to discover why your NAS should initiate connections to these countries. A NAS can go outside for maintenance purposes, for example to look for updates of it's system. These could be located anywhere of course.

The GeoIP IP created a rule for you.
How and where do you use that this rule ?

reberhar

@Gertjan Hi Gertjan,

I am having similar problems, but I think mine have to do with HA. My switches always fight me when I do a new version of pfBlocker. So for me the problem has to do with CARP VIPs, or THE VIP that pfBlocker configures.

Yes my switches do multicasting,

Happens everytime for me. I don't look forward to those updates.

On remote locations ... reboot the server, reboot the main downstream switch and finally ... it will work.

No need to reply. I'm just grumbling. I just don't like nurse maiding the equipment. I keep thinking that there must be a better way.

Roy

Gertjan

@reberhar

pfBlockerng fights with switches ?
Euh ....

pfBlockerng can (will ?!) create a :

and if this IP is already used by some other equipment then you have a choice to make.
Changing this 10.10.10.1 for something else, like 10.10.100.1 and the fight will be over.

Personally, I think this "DNSBL Webserver" usage is something that belongs to the past, as this web server was useful in the past, when everybody was using http:// web sites. That's not the case anymore. It's https:/ these days. And https:// sites can be redirected to https://10.10.10.1 and show the sure a page that the site he was about to visit was blocked. The browser would display a huge TLS (certificate) error leaving most users clueless.
I just 'null' block all DNSBL hosts and call it a day.

reberhar

@Gertjan Hi Gertjan,

Yes at 11 last night I got it all going. I know what to do or at least to try.

I suspect the level two switches are keeping track of something. Yes of course, the MAC, but the MAC is not changing. If it were ARP I would have a guess. There is, of course that odd HA/CARP VRRP mac that might be the problem. Donno.

For some reason the pfBlocker VIP acts differently than the other CARP VIPs and pfb_dnsbl is tied to that. If that VIP is not working neither is pfb_dnsbl.

When the problem is present I can reproduce it by going into pfBlocker, General and then saving.
The VIP will fail and pfb_dnsbl will stop. I use this to check to see if my solution works. It is when pfBlocker does its night time run that the problem appears. The next day those VIPs are in a bad state and pfb_dnsbl stops. I bring them back online with the Firewall VIP menu option, entering said VIP like I am going to edit it and then saving it. All is good until night again. No need to do any of this now that the problem is fixed.

The resolution was different depending the switches down stream. Some of them totally surprised me.
I didn't always have to reset the switches, sometime rebooting took care of the problem, making sure that the pfBlocker update was done and the VIP and pfBlocker were functioning. I usually used reroute in my reboot.

In one especially odd case, the problem was resolved with doing the update on both primary and secondary and rebooting. The downstream switch was a dumb switch. Usually I like to do the backup server first, assuming the pfBlocker VIP will talk to the primary. Aparently sometimes this isn't the case.

Thanks for listening.

I know you guys can't solve every problem, and that's ok. I am thankful anyway to have this forum.

Roy

reberhar

@Gertjan
@Gertjan said in pfBlockerNG-devel 3.2.8 service pfb_dnsbl don't start:

think this "DNSBL Webserver" usage is something that belongs to the past, as this web server was useful in the past, when everybody was using http:// web sites.

Yes you are right about the http web page. I don't really care if they can see the web page pfb_dnsbl offers or not. You gotta have it for pfb_dnsbl to work ...

Roy