Netgate Discussion Forum
    pfBlockerNG-devel 3.2.8 service pfb_dnsbl don't start

    Category: pfBlockerNG · 9 Posts · 4 Posters · 2.0k Views
    jeremyc311 (original post):

      Hello everyone,
      I just installed pfBlockerNG. I used the wizard to configure the interfaces. Everything seems to go well, but when I check the status of my services, the pfBlockerNG-devel service won’t start, even when I try to launch it manually.

      UPDATE PROCESS ENDED [ 08/5/25 15:00:12 ]
       CRON  PROCESS  START [ v3.2.8 ] [ 08/5/25 16:00:00 ]
      [ Abuse_Feodo_C2_v4 ]
        Remote timestamp: Tue, 5 Aug 2025 13:55:03 GMT
        Local  timestamp: Tue, 5 Aug 2025 12:55:03 GMT	Update found
      [ Abuse_SSLBL_v4 ]
        Remote timestamp: Fri, 3 Jan 2025 11:40:41 GMT
        Local  timestamp: Fri, 3 Jan 2025 11:40:41 GMT	Update not required
      [ CINS_army_v4 ]
        Remote timestamp: Tue, 5 Aug 2025 11:49:59 GMT
        Local  timestamp: Tue, 5 Aug 2025 11:49:59 GMT	Update not required
      [ ET_Block_v4 ] [ 08/5/25 16:00:01 ]
        Remote timestamp: Mon, 4 Aug 2025 04:30:02 GMT
        Local  timestamp: Mon, 4 Aug 2025 04:30:02 GMT	Update not required
      [ ET_Comp_v4 ] [ 08/5/25 16:00:03 ]
        Remote timestamp: Mon, 4 Aug 2025 22:36:09 GMT
        Local  timestamp: Mon, 4 Aug 2025 22:36:09 GMT	Update not required
      [ ISC_Block_v4 ] [ 08/5/25 16:00:08 ]
        Remote timestamp: Tue, 5 Aug 2025 13:45:05 GMT
        Local  timestamp: Tue, 5 Aug 2025 12:00:06 GMT	Update found
      [ Spamhaus_Drop_v4 ] [ 08/5/25 16:00:11 ]
        Remote timestamp: Tue, 5 Aug 2025 10:59:32 GMT
        Local  timestamp: Tue, 5 Aug 2025 10:59:32 GMT	Update not required
      [ Talos_BL_v4 ]
      							Update found
       UPDATE PROCESS START [ v3.2.8 ] [ 08/5/25 16:00:12 ]
      
      ===[  DNSBL Process  ]================================================
      
       Loading DNSBL Statistics... completed
       Loading DNSBL SafeSearch... disabled
       Loading DNSBL Whitelist... completed
      
      [ StevenBlack_ADs ]		 exists.
      
      ===[  GeoIP Process  ]============================================
      
      
      ===[  IPv4 Process  ]=================================================
      
      [ Abuse_Feodo_C2_v4 ]		 Downloading update .. 200 OK. completed ..
        Empty file, Adding '127.1.7.7' to avoid download failure.
        ------------------------------
        Original Master     Final     
        ------------------------------
        0        1          1           [ Pass ] 
        -----------------------------------------------------------------
      
      [ Abuse_SSLBL_v4 ]		 exists.
      [ CINS_army_v4 ]		 exists.
      [ ET_Block_v4 ]			 exists.
      [ ET_Comp_v4 ]			 exists.
      [ ISC_Block_v4 ]		 Downloading update .. 200 OK. completed ..
        ------------------------------
        Original Master     Final     
        ------------------------------
        20       8          8           [ Pass ] 
        -----------------------------------------------------------------
      
      [ Spamhaus_Drop_v4 ]		 exists. [ 08/5/25 16:00:13 ]
      [ Talos_BL_v4 ]			 Downloading update .. 403 Forbidden
      
       [ pfB_PRI1_v4 - Talos_BL_v4 ] Download FAIL
        DNSBL, Firewall, and IDS (Legacy mode only) are not blocking download.
      
      
      The Following List has been REMOVED [ Talos_BL_v4 ]
      
      
      ===[  Aliastables / Rules  ]==========================================
      
      No changes to Firewall rules, skipping Filter Reload
      
       Updating: pfB_PRI1_v4
      no changes.
      
      ===[ FINAL Processing ]=====================================
      
         [ Original IP count   ]  [ 18651 ]
      
         [ Final IP Count  ]  [ 16446 ]
      
      
      ===[ Deny List IP Counts ]===========================
      
         16447 total
         14490 /var/db/pfblockerng/deny/CINS_army_v4.txt
          1613 /var/db/pfblockerng/deny/ET_Block_v4.txt
           325 /var/db/pfblockerng/deny/ET_Comp_v4.txt
             9 /var/db/pfblockerng/deny/Spamhaus_Drop_v4.txt
             8 /var/db/pfblockerng/deny/ISC_Block_v4.txt
             1 /var/db/pfblockerng/deny/Abuse_SSLBL_v4.txt
             1 /var/db/pfblockerng/deny/Abuse_Feodo_C2_v4.txt
      
      ====================[ Empty Lists w/127.1.7.7 ]==================
      
      Abuse_Feodo_C2_v4.txt
      Abuse_SSLBL_v4.txt
      
      ===[ DNSBL Domain/IP Counts ] ===================================
      
        227972 /var/db/pfblockerng/dnsbl/StevenBlack_ADs.txt
      
      ====================[ IPv4/6 Last Updated List Summary ]==============
      
      Jan 3	2025	Abuse_SSLBL_v4
      Aug 4	06:30	ET_Block_v4
      Aug 5	00:36	ET_Comp_v4
      Aug 5	12:59	Spamhaus_Drop_v4
      Aug 5	13:49	CINS_army_v4
      Aug 5	15:00	ISC_Block_v4
      Aug 5	15:55	Abuse_Feodo_C2_v4
      
      ====================[ DNSBL Last Updated List Summary ]==============
      
      Aug 5	13:09	StevenBlack_ADs
      ===============================================================
      
      Database Sanity check [  FAILED  ] ** These two counts should match! **
      ------------
      Masterfile Count    [ 16446 ]
      Deny folder Count   [ 16445 ]
      
      Duplication sanity check (Pass=No IPs reported)
      ------------------------
      Masterfile/Deny folder uniq check
      Deny folder/Masterfile uniq check
      
      Sync check (Pass=No IPs reported)
      ----------
      
      Alias table IP Counts
      -----------------------------
         16447 /var/db/aliastables/pfB_PRI1_v4.txt
      
      pfSense Table Stats
      -------------------
      table-entries hard limit   400000
      Table Usage Count         171866
      
       UPDATE PROCESS ENDED [ 08/5/25 16:00:14 ]
      
      

      Thanks for your help! [screenshot attachment: Capture d’écran 2025-08-05 162532.png, not reproduced]

    Gertjan (reply to jeremyc311):

        @jeremyc311 said in pfBlockerNG-devel 3.2.8 service pfb_dnsbl don't start:

        ===[ DNSBL Process ]================================================

        Loading DNSBL Statistics... completed
        Loading DNSBL SafeSearch... disabled
        Loading DNSBL Whitelist... completed

        ... and the rest is "IP" stuff, not DNSBL.
        Do you have DNSBL lists?
        I mean, if you have none, the "pfb_dnsbl - pfBlockerNG DNSBL service" doesn't need to run.

        @jeremyc311 said in pfBlockerNG-devel 3.2.8 service pfb_dnsbl don't start:

        [ Talos_BL_v4 ] Downloading update .. 403 Forbidden

        Better put this one on hold for now - or call the guy who hosts the file and ask him to repair the situation ^^

        @jeremyc311 said in pfBlockerNG-devel 3.2.8 service pfb_dnsbl don't start:

        Masterfile Count [ 16446 ]
        Deny folder Count [ 16445 ]

        Euh ..... one is AWOL. Not sure what to say: disable your lists one by one and when things start to work again, you'll know which one to disable.

        No "help me" PM's please. Use the forum, the community will thank you.
        Edit : and where are the logs ??

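        The "Database Sanity check [ FAILED ]" block in the first post compares two counts and Gertjan's suggestion is to find the culprit by disabling lists one at a time. The following is an added example (not pfBlockerNG's own code and not from any poster) that reproduces the check on constructed data and lists the entries that differ, so the gap can be tied to a specific list directly. The deny-list location /var/db/pfblockerng/deny/*.txt comes from the posted log; the masterfile path, the one-entry-per-line layout, and counting unique entries rather than raw lines are assumptions. The script only ever touches a temporary directory; on a real box you would point sanity_check() at the live paths.

```python
"""Reproduce pfBlockerNG's 'Database Sanity check' and name the missing entries.

Added example, not pfBlockerNG's own code. The log in this thread shows the
deny lists under /var/db/pfblockerng/deny/*.txt; the masterfile path and the
one-entry-per-line layout are assumptions. The script runs on a constructed
copy in a temporary directory, never on the live firewall.
"""
import tempfile
from pathlib import Path

PLACEHOLDER = "127.1.7.7"   # pfBlockerNG's filler for empty lists (seen in the posted log)


def read_entries(path):
    """Set of non-blank, non-comment lines (one IP or CIDR per line)."""
    entries = set()
    for line in Path(path).read_text().splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            entries.add(line)
    return entries


def deny_folder_entries(deny_dir):
    """Union of all deny lists, plus the per-file sets for reporting."""
    per_file = {}
    for f in sorted(Path(deny_dir).glob("*.txt")):
        per_file[f.name] = read_entries(f)
    union = set().union(*per_file.values())
    return union, per_file


def sanity_check(masterfile, deny_dir):
    """Same two counts the log prints, plus the entries that explain any gap."""
    master = read_entries(masterfile)
    deny, per_file = deny_folder_entries(deny_dir)
    return {
        "masterfile_count": len(master),
        "deny_folder_count": len(deny),
        "passed": master == deny,
        "only_in_master": sorted(master - deny),      # present in masterfile, in no list
        "only_in_deny": sorted(deny - master),        # in a list, missing from masterfile
        "placeholder_only": [n for n, e in per_file.items() if e == {PLACEHOLDER}],
    }


def build_fixture(root):
    """Constructed data: three small lists and a masterfile with one extra entry."""
    deny = Path(root, "deny")
    deny.mkdir()
    (deny / "CINS_army_v4.txt").write_text("198.51.100.1\n198.51.100.2\n203.0.113.0/24\n")
    (deny / "Spamhaus_Drop_v4.txt").write_text("192.0.2.0/24\n")
    (deny / "Abuse_SSLBL_v4.txt").write_text(PLACEHOLDER + "\n")   # empty list, filler only
    master = Path(root, "masterfile")
    master.write_text(
        "198.51.100.1\n198.51.100.2\n203.0.113.0/24\n192.0.2.0/24\n"
        f"{PLACEHOLDER}\n198.51.100.9\n"   # 198.51.100.9 is in no deny list: the 'AWOL' one
    )
    return master, deny


def demo():
    """Run the check on the fixture; on a real box point sanity_check() at the live paths."""
    with tempfile.TemporaryDirectory() as root:
        master, deny = build_fixture(root)
        return sanity_check(master, deny)


if __name__ == "__main__":
    result = demo()
    print("Masterfile Count  [", result["masterfile_count"], "]")
    print("Deny folder Count [", result["deny_folder_count"], "]")
    print("sanity check:", "PASSED" if result["passed"] else "FAILED")
    print("only in masterfile:", result["only_in_master"])
    print("only in deny folder:", result["only_in_deny"])
    print("placeholder-only lists:", result["placeholder_only"])
```

        With the fixture the two counts come out 6 and 5, exactly the off-by-one shape of the posted failure, and "only in masterfile" names the entry instead of leaving you to bisect lists. The placeholder report is there because the posted log shows two lists reduced to 127.1.7.7; a list that is really empty and a list whose download failed look the same on disk.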
        anthonys (reply to Gertjan):

          @Gertjan said in pfBlockerNG-devel 3.2.8 service pfb_dnsbl don't start:

          Masterfile Count [ 16446 ]
          Deny folder Count [ 16445 ]
          

          This sanity check failure might be the issue as discussed here:
          pfblockerNG Database Sanity check Failed

          jeremyc311 (reply to anthonys):

            @anthonys
            Thanks for your solution, I no longer have the error on the count. I still have the DNSBL service with the red cross. I’m simply trying to do GeoIP blocking, so I enabled GeoIP blocking for different continents. I’m surprised to see in my logs only one blocked IP, which is related to my TrueNAS.

            Aug 5 09:01:14,1770008712,bxe1,LAN,block,4,17,UDP,192.168.2.13,116.147.64.181,51765,51413,out,Unk,pfB_PRI1_v4,116.146.0.0/15,ET_Block_v4,Unknown,truenasr740,null,+
            Aug 5 13:23:26,1770008712,bxe1,LAN,block,4,17,UDP,192.168.2.13,177.72.195.114,51765,6881,out,BR,pfB_PRI1_v4,177.72.195.114,CINS_army_v4,Unknown,truenasr740,null,+
            Aug 5 13:23:32,1770008712,bxe1,LAN,block,4,17,UDP,192.168.2.13,217.76.54.225,51765,51561,out,DE,pfB_PRI1_v4,217.76.54.225,CINS_army_v4,vmi1567930.contaboserver.net,truenasr740,null,+
            Aug 5 13:34:02,1770008712,bxe1,LAN,block,4,17,UDP,192.168.2.13,102.212.41.5,51765,1721,out,NG,pfB_PRI1_v4,102.212.41.5,CINS_army_v4,Unknown,truenasr740,null,+
            Aug 5 14:20:57,1770008712,bxe1,LAN,block,4,17,UDP,192.168.2.13,177.72.195.114,51765,6881,out,BR,pfB_PRI1_v4,177.72.195.114,CINS_army_v4,Unknown,truenasr740,null,+
            Aug 5 14:21:02,1770008712,bxe1,LAN,block,4,17,UDP,192.168.2.13,217.76.54.225,51765,51561,out,DE,pfB_PRI1_v4,217.76.54.225,CINS_army_v4,vmi1567930.contaboserver.net,truenasr740,null,+
            Aug 11 08:06:58,1770008712,bxe1,LAN,block,4,17,UDP,192.168.2.13,177.72.195.114,51765,6881,out,BR,pfB_PRI1_v4,177.72.195.114,CINS_army_v4,Unknown,truenasr740,null,+
            
            

            [two screenshot attachments: Capture d’écran 2025-08-11 082030.png and Capture d’écran 2025-08-11 081244.png, not reproduced]
            I’m just starting out, so please be kind. Thank you.

            Gertjan (reply to jeremyc311):

              @jeremyc311 said in pfBlockerNG-devel 3.2.8 service pfb_dnsbl don't start:

              I’m surprised to see in my logs only one blocked IP, which is related to my TrueNAS

              I'll decode this one :

              @jeremyc311 said in pfBlockerNG-devel 3.2.8 service pfb_dnsbl don't start:

              Aug 5 09:01:14,1770008712,bxe1,LAN,block,4,17,UDP,192.168.2.13,116.147.64.181,51765,51413,out,Unk,pfB_PRI1_v4,116.146.0.0/15,ET_Block_v4,Unknown,truenasr740,null,+

              Traffic coming into LAN from a LAN device (192.168.2.13 = your TrueNAS), going to a Chinese (116.147.64.181) or Brazilian (177.72.195.114, next line) address, was blocked by the "pfB_PRI1_v4" list.
              That's probably a good thing? (!). Up to you to discover why your NAS should initiate connections to these countries. A NAS can go outside for maintenance purposes, for example to look for updates of its system. These could be located anywhere of course.

              The GeoIP IP created a rule for you.
              How and where do you use this rule?


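              Gertjan decodes the first log line by hand above. As an added example (not pfBlockerNG's code and not from any poster), the script below does the same decoding for all seven lines jeremyc311 posted, which are embedded verbatim as the sample input, and adds two checks a practitioner would want: that the list entry pfBlockerNG logged really contains the remote address, and a per-feed and per-port tally. The column names are inferred from the posted lines and are an assumption; the last two columns are left unnamed because the thread does not show what they carry. The rule that the entry refers to the destination for "out" hits and to the source for "in" hits is also an assumption.

```python
"""Decode pfBlockerNG ip_block.log lines of the form posted in this thread.

This is an added example, not code from pfBlockerNG or from any poster.
The column names in COLUMNS are inferred from the posted lines and are an
assumption; the last two columns are left unnamed because the thread does
not show what they mean.
"""
import ipaddress
from collections import Counter

COLUMNS = (
    "time", "rule_id", "interface", "interface_name", "action", "ip_version",
    "proto_num", "proto", "src_ip", "dst_ip", "src_port", "dst_port",
    "direction", "geoip", "alias", "matched_entry", "feed", "dst_hostname",
    "src_hostname", "col20", "col21",
)

# Constructed sample: the seven lines jeremyc311 posted, copied verbatim.
SAMPLE_LOG = """\
Aug 5 09:01:14,1770008712,bxe1,LAN,block,4,17,UDP,192.168.2.13,116.147.64.181,51765,51413,out,Unk,pfB_PRI1_v4,116.146.0.0/15,ET_Block_v4,Unknown,truenasr740,null,+
Aug 5 13:23:26,1770008712,bxe1,LAN,block,4,17,UDP,192.168.2.13,177.72.195.114,51765,6881,out,BR,pfB_PRI1_v4,177.72.195.114,CINS_army_v4,Unknown,truenasr740,null,+
Aug 5 13:23:32,1770008712,bxe1,LAN,block,4,17,UDP,192.168.2.13,217.76.54.225,51765,51561,out,DE,pfB_PRI1_v4,217.76.54.225,CINS_army_v4,vmi1567930.contaboserver.net,truenasr740,null,+
Aug 5 13:34:02,1770008712,bxe1,LAN,block,4,17,UDP,192.168.2.13,102.212.41.5,51765,1721,out,NG,pfB_PRI1_v4,102.212.41.5,CINS_army_v4,Unknown,truenasr740,null,+
Aug 5 14:20:57,1770008712,bxe1,LAN,block,4,17,UDP,192.168.2.13,177.72.195.114,51765,6881,out,BR,pfB_PRI1_v4,177.72.195.114,CINS_army_v4,Unknown,truenasr740,null,+
Aug 5 14:21:02,1770008712,bxe1,LAN,block,4,17,UDP,192.168.2.13,217.76.54.225,51765,51561,out,DE,pfB_PRI1_v4,217.76.54.225,CINS_army_v4,vmi1567930.contaboserver.net,truenasr740,null,+
Aug 11 08:06:58,1770008712,bxe1,LAN,block,4,17,UDP,192.168.2.13,177.72.195.114,51765,6881,out,BR,pfB_PRI1_v4,177.72.195.114,CINS_army_v4,Unknown,truenasr740,null,+
"""


def parse_lines(text):
    """Split each log line into a dict keyed by COLUMNS; numeric fields become ints."""
    rows = []
    for line in text.splitlines():
        fields = line.strip().split(",")
        if len(fields) < 19:          # short or blank line: skip rather than guess
            continue
        row = dict(zip(COLUMNS, fields))
        for key in ("ip_version", "proto_num", "src_port", "dst_port"):
            row[key] = int(row[key])
        rows.append(row)
    return rows


def remote_ip(row):
    """The non-local side of the flow. Assumption: for 'out' hits the list entry
    refers to the destination, for 'in' hits to the source."""
    return row["src_ip"] if row["direction"] == "in" else row["dst_ip"]


def entry_covers_remote(row):
    """Verify the logged list entry really contains the remote address.
    ip_network() treats a bare address such as 177.72.195.114 as a /32."""
    net = ipaddress.ip_network(row["matched_entry"], strict=False)
    return ipaddress.ip_address(remote_ip(row)) in net


def describe(row):
    """One-line reading of a hit, the way Gertjan decoded the first one."""
    return (
        f"{row['time']}: {row['direction']} on {row['interface_name']} "
        f"{row['src_hostname']} ({row['src_ip']}:{row['src_port']}) -> "
        f"{row['dst_ip']}:{row['dst_port']}/{row['proto']} "
        f"{row['action']}ed by alias {row['alias']} via {row['matched_entry']} "
        f"(feed {row['feed']}, GeoIP {row['geoip']})"
    )


def feeds(rows):
    """Hits per feed: tells you which list is doing the blocking."""
    return Counter(r["feed"] for r in rows)


def remote_ports(rows):
    """Destination ports of outbound hits: a quick hint at what the client was doing."""
    return Counter(r["dst_port"] for r in rows if r["direction"] == "out")


def local_sources(rows):
    """Distinct local endpoints (host, IP, source port) that triggered hits."""
    return {(r["src_hostname"], r["src_ip"], r["src_port"]) for r in rows}


if __name__ == "__main__":
    hits = parse_lines(SAMPLE_LOG)
    for hit in hits:
        flag = "" if entry_covers_remote(hit) else "  <-- entry does not cover remote!"
        print(describe(hit) + flag)
    print("per feed:", dict(feeds(hits)))
    print("remote ports:", dict(remote_ports(hits)))
    print("local sources:", local_sources(hits))
```

              Run against the posted lines, every entry covers its remote address, six of the seven hits come from CINS_army_v4 and one from ET_Block_v4, and all of them are the same local host and source port (truenasr740, 192.168.2.13:51765) talking outbound. None of this is GeoIP blocking, which matches Gertjan's question about where the GeoIP rule is actually applied. One observation added here rather than taken from the thread: destination ports 6881 and 51413 are the default peer ports of common BitTorrent clients, so checking what listens on 51765 on the NAS is a cheaper first step than assuming update traffic.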
              reberhar (reply to Gertjan):

                @Gertjan Hi Gertjan,

                I am having similar problems, but I think mine have to do with HA. My switches always fight me when I do a new version of pfBlocker. So for me the problem has to do with CARP VIPs, or THE VIP that pfBlocker configures.

                Yes, my switches do multicasting.

                Happens every time for me. I don't look forward to those updates.

                On remote locations ... reboot the server, reboot the main downstream switch and finally ... it will work.

                No need to reply. I'm just grumbling. I just don't like nursemaiding the equipment. I keep thinking that there must be a better way.

                Roy

                Gertjan (reply to reberhar):

                  @reberhar

                  pfBlockerNG fights with switches?
                  Euh ....

                  pfBlockerNG can (will?!) create a:

                  [screenshot attachment: the DNSBL virtual IP entry (10.10.10.1), not reproduced]

                  and if this IP is already used by some other equipment then you have a choice to make.
                  Change this 10.10.10.1 to something else, like 10.10.100.1, and the fight will be over.

                  Personally, I think this "DNSBL Webserver" usage is something that belongs to the past, as this web server was useful in the past, when everybody was using http:// web sites. That's not the case anymore. It's https:// these days. And https:// sites can be redirected to https://10.10.10.1 and show the user a page that the site he was about to visit was blocked. The browser would display a huge TLS (certificate) error leaving most users clueless.
                  I just 'null' block all DNSBL hosts and call it a day.


                  reberhar (reply to Gertjan):

                    @Gertjan Hi Gertjan,

                    Yes at 11 last night I got it all going. I know what to do or at least to try.

                    I suspect the level two switches are keeping track of something. Yes of course, the MAC, but the MAC is not changing. If it were ARP I would have a guess. There is, of course that odd HA/CARP VRRP mac that might be the problem. Donno.

                    For some reason the pfBlocker VIP acts differently than the other CARP VIPs and pfb_dnsbl is tied to that. If that VIP is not working neither is pfb_dnsbl.

                    When the problem is present I can reproduce it by going into pfBlocker, General and then saving.
                    The VIP will fail and pfb_dnsbl will stop. I use this to check to see if my solution works. It is when pfBlocker does its night time run that the problem appears. The next day those VIPs are in a bad state and pfb_dnsbl stops. I bring them back online with the Firewall VIP menu option, entering said VIP like I am going to edit it and then saving it. All is good until night again. No need to do any of this now that the problem is fixed.

                    The resolution was different depending on the switches downstream. Some of them totally surprised me.
                    I didn't always have to reset the switches, sometimes rebooting took care of the problem, making sure that the pfBlocker update was done and the VIP and pfBlocker were functioning. I usually used reroute in my reboot.

                    In one especially odd case, the problem was resolved by doing the update on both primary and secondary and rebooting. The downstream switch was a dumb switch. Usually I like to do the backup server first, assuming the pfBlocker VIP will talk to the primary. Apparently sometimes this isn't the case.

                    Thanks for listening.

                    I know you guys can't solve every problem, and that's ok. I am thankful anyway to have this forum.

                    Roy

                    reberhar (second reply to Gertjan):

                      @Gertjan said in pfBlockerNG-devel 3.2.8 service pfb_dnsbl don't start:

                      think this "DNSBL Webserver" usage is something that belongs to the past, as this web server was useful in the past, when everybody was using http:// web sites.

                      Yes you are right about the http web page. I don't really care if they can see the web page pfb_dnsbl offers or not. You gotta have it for pfb_dnsbl to work ...

                      Roy

                      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.