Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    pfb_filter and pfb_dnsbl services are not running Pfsense 25.07.1

    Scheduled Pinned Locked Moved pfBlockerNG
    13 Posts 2 Posters 4.8k Views 2 Watching
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • N Offline
      nanda
      last edited by nanda

      Hi

      pfblockerng-dev services are not running in one of the firewall. It is clean installation of Pfsense v25.07.1, followed by installation of pfblockerng-dev v3.2.7.

      Any assistance is highly appreciated.

      d50cb5d7-1b90-4f24-a5b8-519a951cf4ed-image.png

      Sanity check failure

      Database Sanity check [  FAILED  ] ** These two counts should match! **
      ------------
      Masterfile Count    [ 46572 ]
      Deny folder Count   [ 46571 ]
      
      

      PfblockerNG-dev log contains sanity check failure, it may be cause behind this issue. Hence, the source code is changed as recommended in the thread. Sanity check failure disappeared, yet the status of services remained same after force reload.

      Manual restart
      Manually tried to restart the services. It did not return anything to the terminal, so errors were not encountered.

      [25.07.1-RELEASE][suser@...]/usr/local/etc/rc.d: ./pfb_filter.sh restart
      [25.07.1-RELEASE][suser@...]/usr/local/etc/rc.d: ./pfb_dnsbl.sh restart
      

      Force reload logs

      Sep 5 18:05:01 	php-fpm 	88649 	/pfblockerng/pfblockerng_update.php: Configuration Change: suser@xx.xx.xx.xx (Local Database): pfBlockerNG: Running Force Reload
      Sep 5 18:05:02 	check_reload_status 	629 	Syncing firewall
      Sep 5 18:05:03 	php-fpm 	88649 	/pfblockerng/pfblockerng_update.php: Configuration Change: suser@xx.xx.xx.xx (Local Database): Removed cron job for pfblockerng.php cron
      Sep 5 18:05:05 	check_reload_status 	629 	Syncing firewall
      Sep 5 18:05:14 	php 	55216 	/usr/local/www/pfblockerng/pfblockerng.php: Configuration Change: (system): pfBlockerNG: saving DNSBL changes
      Sep 5 18:05:15 	check_reload_status 	629 	Syncing firewall
      Sep 5 18:05:15 	php 	55216 	/usr/local/www/pfblockerng/pfblockerng.php: Error creating pfBlockerNG DNSBL Certificate: openssl library returns: error:06800097:asn1 encoding routines::string too long
      Sep 5 18:06:40 	php 	55216 	[pfBlockerNG] No changes to Firewall rules, skipping Filter Reload
      Sep 5 18:06:41 	php 	55216 	/usr/local/www/pfblockerng/pfblockerng.php: Configuration Change: (system): pfBlockerNG: save settings
      Sep 5 18:06:43 	check_reload_status 	629 	Syncing firewall
      Sep 5 18:06:43 	check_reload_status 	629 	Reloading filter
      Sep 5 18:06:43 	php 	55216 	[pfBlockerNG] Restarting firewall filter daemon
      Sep 5 18:06:44 	php 	55216 	/usr/local/www/pfblockerng/pfblockerng.php: Configuration Change: (system): Installed cron job for /usr/local/bin/php /usr/local/www/pfblockerng/pfblockerng.php cron >> /var/log/pfblockerng/pfblockerng.log 2>&1 
      

      From force reload logs, it is found that DNSBL certificate generation has issue due to long string. The cause is most probably the usage of hostname in certificate parameters (CN). Host and domain names are 45 and 30 characters long respectively.

      Firewall filter daemon did not start though it did not encounter any issues.

      To be safe, dependencies version were also verified.

      [25.07.1-RELEASE][suser@...]/: lighttpd -v
      lighttpd/1.4.76 (ssl) - a light and fast webserver
      [25.07.1-RELEASE][suser@...]/: jq --version
      jq-1.7.1
      [25.07.1-RELEASE][suser@...]/: rsync --version
      rsync  version 3.4.0  protocol version 32
      ...
      [25.07.1-RELEASE][suser@...]/: iprange --version
      iprange 1.0.4
      ...
      [25.07.1-RELEASE][suser@...]/: python3.11 --version
      Python 3.11.11
      [25.07.1-RELEASE][suser@...]/: php --version
      PHP 8.3.19 (cli) (built: Aug 12 2025 18:51:59) (NTS)
      ...
      
      J 1 Reply Last reply Reply Quote 0
      • J Offline
        jrey @nanda
        last edited by

        @nanda said in pfb_filter and pfb_dnsbl services are not running Pfsense 25.07.1:

        PfblockerNG-dev log contains sanity check failure,

        This won't be stopping it - also there is "fix" for the miscount in the forum.
        This thread discusses the line that needs to be changed

        https://forum.netgate.com/topic/197555/new-pfblockerng-install-database-sanity-check-failed/42?_=1757088489332

        did you do a force reload ?
        what does the pfblocker dashboard widget show ?

        N 1 Reply Last reply Reply Quote 0
        • N Offline
          nanda @jrey
          last edited by

          @jrey

          This won't be stopping it - also there is "fix" for the miscount in the forum.
          This thread discusses the line that needs to be changed

          https://forum.netgate.com/topic/197555/new-pfblockerng-install-database-sanity-check-failed/42?_=1757088489332

          The specified line is changed and the same thread is also referred in given the question.

          did you do a force reload ?

          Yes, force reload performed after file change.

          what does the pfblocker dashboard widget show ?

          Same result (please see the 1st image)

          J 1 Reply Last reply Reply Quote 0
          • J Offline
            jrey @nanda
            last edited by

            @nanda said in pfb_filter and pfb_dnsbl services are not running Pfsense 25.07.1:

            Same result (please see the 1st image)

            That's the services widget on the dashboard - not the pfblocker widget what does it show ?

            J 1 Reply Last reply Reply Quote 0
            • J Offline
              jrey @jrey
              last edited by

              @nanda

              can you show us the dnsbl setup page python mode? and any other settings you may have - image of the settings page would be helpful

              The certificate error you are showing is likely the show stopper.
              what blocking mode are you using ? DNSBL Web/VIP? Null block no logging? or null block (logging) ?
              the certificate error might suggest you are using. DNSBL Web/VIP but let's confirm

              J 1 Reply Last reply Reply Quote 0
              • J Offline
                jrey @jrey
                last edited by

                @nanda

                Have you got any packages installed that include openssl ?

                what version is installed ?

                openssl version 
                
                N 1 Reply Last reply Reply Quote 0
                • N Offline
                  nanda @jrey
                  last edited by nanda

                  @jrey

                  That's the services widget on the dashboard - not the pfblocker widget what does it show ?

                  20bc1178-75db-4e77-a01f-59b59370896f-image.png

                  can you show us the dnsbl setup page python mode? and any other settings you may have - image of the settings page would be helpful

                  Please see the screenshots below:

                  54af77a9-fd19-4f85-af49-16a00f4c214d-image.png

                  5eb04ef2-e4f6-4355-8771-fcf4abd19770-image.png

                  The certificate error you are showing is likely the show stopper.

                  If this might be the case, how it will affect pfb_filter daemon service? pfb_dnsbl did require certificate whereas pfb_filter did not.

                  what blocking mode are you using ? DNSBL Web/VIP? Null block no logging? or null block (logging) ?

                  DNSBL Web/VIP

                  Have you got any packages installed that include openssl ?

                  I do not see any installed packages, from given information, that include openssl. I think openssl is a necessity for pfsense functions, for example, certificate generation, and it will be a part of pfsense image.

                  02fe0648-a1dc-4dcb-8063-7aee488e90bc-image.png

                  what version is installed ?

                  [25.07.1-RELEASE][suser@...]/: openssl version
                  OpenSSL 3.0.16 11 Feb 2025 (Library: OpenSSL 3.0.16 11 Feb 2025)
                  
                  J 1 Reply Last reply Reply Quote 0
                  • J Offline
                    jrey @nanda
                    last edited by

                    @nanda

                    Let me take a look -- just recovering from a 3 hour power outage, which caught an 18TB raid in the middle of a rebuild after a failed drive was hot swapped earlier this morning -- might be a bit before I can spin up my test systems -- Fun Friday.

                    Not that it should matter here - but any reason you don't use unbound python mode ?
                    Uses Less Memory (what are you running on for RAM)
                    you mentioned it was a clean install.

                    new install - are clients using this as the DNS now?

                    that dashboard widget sort of says it is running (hasn't done anything (0 count) and are the services still down at that point ? usually when the services are down the check mark is what you see.

                    the Virtual IP address that end in .255 seems like a strange choice unless you have a very specific setup - is there a reason you picked that instead of the default ?

                    I'd be curious if you willing to try - if you turned off the DNSBL Webservice/VIP and used say Null Blocking (logging) - then see if the services start and stay running ?

                    Actually in my setup I have the "no global logging" option selected on that screen and then set Null Blocking (logging) on the individual selections -

                    N 1 Reply Last reply Reply Quote 0
                    • N Offline
                      nanda @jrey
                      last edited by nanda

                      @jrey

                      The usage of specific IP address has no special reason. It is for convenience.
                      The configuration is changed as recommended.

                      DNSBL mode => unbound python mode
                      412ffd2d-7ed3-42b2-b39b-0d86a8a28290-image.png

                      Virtual ip address => 10.102.101.10
                      5f81d358-1010-4d0b-b3f8-19c435152122-image.png

                      Global logging => Null blocking (logging)
                      5b8db672-0951-4070-8412-1fdfd83d5626-image.png

                      Services are not starting.
                      12a3bd39-0e90-4521-bd46-b99b0aab7848-image.png

                      When I checked the status of the service, the firewall returned, "does not exist". I tried to find the executable in the directory, but I couldn't except sh file. Manual execution of sh files did neither produce executable nor start the service.

                      [25.07.1-RELEASE][suser@...]/root: service pfb_filter status
                      pfb_filter does not exist in /etc/rc.d or the local startup
                      directories (/usr/local/etc/rc.d), or is not executable
                      [25.07.1-RELEASE][suser@...]/root: ls /usr/local/etc/rc.d/
                      choparp          dnsmasq          isc-dhcrelay6    nginx            php_fpm          sshguard         unbound
                      dbus             expiretable      kea              openvpn          radvd            strongswan       uuidd
                      dhcp6c           igmpproxy        lighttpd         pcscd            rrdcached        suricata         waagent
                      dhcp6relay       isc-dhcpd        microcode_update pfb_dnsbl.sh     rsyncd           suricata.sh      waagent.sh
                      dhcp6s           isc-dhcpd6       miniupnpd        pfb_filter.sh    scponlyc         syslog-ng        wireguardd
                      dhcpcd           isc-dhcrelay     mpd5             pfnet-controller smartd           syslog-ng.sh     xinetd
                      
                      J 1 Reply Last reply Reply Quote 0
                      • J Offline
                        jrey @nanda
                        last edited by jrey

                        @nanda said in pfb_filter and pfb_dnsbl services are not running Pfsense 25.07.1:

                        When I checked the status of the service, the firewall returned, "does not exist".

                        as in on the Status -> Services page? or where specifically ?
                        and yet it shows on the dashboard services widget..

                        And you said this was a fresh install so ...

                        are there any errors in pfblockerNG 's error.log, dnsbl_parsed_error or py_error
                        (Firewall -> pfBlockerNG -> Logs

                        on the pfblockerNG -> General.

                        make sure the Keep Settings option is enabled

                        then head over to packages and try to reinstall the package (you may remove and install or just reinstall)
                        see if you spot any install errors during the install

                        then when complete
                        you will need to change the masterfile / mastercat line again

                        and then check the update page at
                        Firewall -> pfBlockerNG -> Update

                        should have a status showing the next scheduled cron event (if that is within a few minutes just wait for it to run). if it is more than say 20 minutes away or says not scheduled (or similar) then on the same update screen force Cron hit run.

                        when that is complete
                        check the status
                        then reboot
                        check the status

                        N 1 Reply Last reply Reply Quote 0
                        • N Offline
                          nanda @jrey
                          last edited by nanda

                          @jrey said

                          When I checked the status of the service, the firewall returned, "does not exist".

                          as in on the Status -> Services page? or where specifically ?
                          and yet it shows on the dashboard services widget..

                          Please see below. I can see .sh files but not executables (suricata & syslog-ng have both).

                          [25.07.1-RELEASE][suser@...]/root: ls /usr/local/etc/rc.d/
                          choparp          dnsmasq          isc-dhcrelay6    nginx            php_fpm          sshguard         unbound
                          dbus             expiretable      kea              openvpn          radvd            strongswan       uuidd
                          dhcp6c           igmpproxy        lighttpd         pcscd            rrdcached        suricata         waagent
                          dhcp6relay       isc-dhcpd        microcode_update pfb_dnsbl.sh     rsyncd           suricata.sh      waagent.sh
                          dhcp6s           isc-dhcpd6       miniupnpd        pfb_filter.sh    scponlyc         syslog-ng        wireguardd
                          dhcpcd           isc-dhcrelay     mpd5             pfnet-controller smartd           syslog-ng.sh     xinetd
                          

                          are there any errors in pfblockerNG 's error.log, dnsbl_parsed_error or py_error
                          (Firewall -> pfBlockerNG -> Logs

                          error.log contains a few lines on feeds failed to fetch entires
                          py_error is empty
                          dnsbl_parsed_error (see below) did not have any errors that prevent service execution

                          ... 19:00:44,StevenBlack_ADs,ip6-loopback,::1 ip6-loopback
                          ... 19:14:40,StevenBlack_ADs,ip6-loopback,::1 ip6-loopback
                          ... 19:14:46,EasyList,admi2fib4exit,||admi2fib4exit^
                          ... 00:01:20,EasyList,admi2fib4exit,||admi2fib4exit^
                          ... 00:01:09,EasyList,admi2fib4exit,||admi2fib4exit^
                          ... 16:50:29,UT1_adult,xxx,xxx
                          

                          Keep settings is enabled, package uninstalled and reinstalled, code changed, feed updated and finally system rebooted. No change in the service status in dashboard's service widget.

                          I found that except log (e.g., block, permit), the other functions are working. So, I will stop digging further on this regard and hope that future firewall upgrade will solve it. I need to identify, segregate and transfer logs to SIEM, which won't be a hassle.

                          Thank you very much for your assistance.

                          With appreciation
                          Nanda, D.Sc. (Tech.)

                          J 1 Reply Last reply Reply Quote 0
                          • J Offline
                            jrey @nanda
                            last edited by

                            @nanda said in pfb_filter and pfb_dnsbl services are not running Pfsense 25.07.1:

                            I can see .sh files but not executables

                            those pfb_*.sh files are the executables

                            looking at the errors (suggests some of the lists you are using) you might want to look for these lines in the pfblockerng.log especially if you are on smaller hardware (like an 1100) you may just have to be more selective on your list selection (smaller lists)

                            pfSense Table Stats
                            -------------------
                            table-entries hard limit   600000
                            Table Usage Count         161557
                            

                            You likely have the default values set, (which might be too small)
                            then the idea here is to have the Total Usage Count < (Hard Limit / 2)

                            If you need adjustment will find the setting for the hard limit on
                            System -> Advanced / Firewall & NAT -> (in the section Packet Processing) (on 25.07.1)

                            the comment there reads:

                            Maximum number of table entries for systems such
                            as aliases, sshguard, snort, etc, combined.
                            Note: Leave this blank for the default.
                            
                            N 1 Reply Last reply Reply Quote 0
                            • N Offline
                              nanda @jrey
                              last edited by nanda

                              @jrey

                              those pfb_*.sh files are the executables

                              Thanks for clarifying the executables.

                              I do not think that the hardware and table entry size won't be problem as the current configuration provides sufficient computation and memory for its operations. Pfsense is running in different hardware, e.g., Intel Xenon Platinum 8272CL processor and maximum table entries is set to 10 times than the default.

                              pfSense Table Stats
                              -------------------
                              table-entries hard limit  4000000
                              Table Usage Count         465931
                              
                              1 Reply Last reply Reply Quote 0
                              • First post
                                Last post
                              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.