pfb_filter and pfb_dnsbl services are not running Pfsense 25.07.1
-
Hi
pfblockerng-dev services are not running on one of the firewalls. It is a clean installation of Pfsense v25.07.1, followed by installation of pfblockerng-dev v3.2.7.
Any assistance is highly appreciated.
Sanity check failure
Database Sanity check [ FAILED ]
** These two counts should match! **
------------
Masterfile Count [ 46572 ]
Deny folder Count [ 46571 ]
The PfblockerNG-dev log contains a sanity check failure; it may be the cause behind this issue. Hence, the source code is changed as recommended in the thread. The sanity check failure disappeared, yet the status of the services remained the same after force reload.
Manual restart
Manually tried to restart the services. It did not return anything to the terminal, so errors were not encountered.
[25.07.1-RELEASE][suser@...]/usr/local/etc/rc.d: ./pfb_filter.sh restart
[25.07.1-RELEASE][suser@...]/usr/local/etc/rc.d: ./pfb_dnsbl.sh restart
Force reload logs
Sep 5 18:05:01 php-fpm 88649 /pfblockerng/pfblockerng_update.php: Configuration Change: suser@xx.xx.xx.xx (Local Database): pfBlockerNG: Running Force Reload
Sep 5 18:05:02 check_reload_status 629 Syncing firewall
Sep 5 18:05:03 php-fpm 88649 /pfblockerng/pfblockerng_update.php: Configuration Change: suser@xx.xx.xx.xx (Local Database): Removed cron job for pfblockerng.php cron
Sep 5 18:05:05 check_reload_status 629 Syncing firewall
Sep 5 18:05:14 php 55216 /usr/local/www/pfblockerng/pfblockerng.php: Configuration Change: (system): pfBlockerNG: saving DNSBL changes
Sep 5 18:05:15 check_reload_status 629 Syncing firewall
Sep 5 18:05:15 php 55216 /usr/local/www/pfblockerng/pfblockerng.php: Error creating pfBlockerNG DNSBL Certificate: openssl library returns: error:06800097:asn1 encoding routines::string too long
Sep 5 18:06:40 php 55216 [pfBlockerNG] No changes to Firewall rules, skipping Filter Reload
Sep 5 18:06:41 php 55216 /usr/local/www/pfblockerng/pfblockerng.php: Configuration Change: (system): pfBlockerNG: save settings
Sep 5 18:06:43 check_reload_status 629 Syncing firewall
Sep 5 18:06:43 check_reload_status 629 Reloading filter
Sep 5 18:06:43 php 55216 [pfBlockerNG] Restarting firewall filter daemon
Sep 5 18:06:44 php 55216 /usr/local/www/pfblockerng/pfblockerng.php: Configuration Change: (system): Installed cron job for /usr/local/bin/php /usr/local/www/pfblockerng/pfblockerng.php cron >> /var/log/pfblockerng/pfblockerng.log 2>&1
From the force reload logs, it is found that DNSBL certificate generation has an issue due to a long string. The cause is most probably the usage of the hostname in certificate parameters (CN). Host and domain names are 45 and 30 characters long respectively.
The firewall filter daemon did not start though it did not encounter any issues.
To be safe, dependency versions were also verified.
[25.07.1-RELEASE][suser@...]/: lighttpd -v
lighttpd/1.4.76 (ssl) - a light and fast webserver
[25.07.1-RELEASE][suser@...]/: jq --version
jq-1.7.1
[25.07.1-RELEASE][suser@...]/: rsync --version
rsync version 3.4.0 protocol version 32
...
[25.07.1-RELEASE][suser@...]/: iprange --version
iprange 1.0.4
...
[25.07.1-RELEASE][suser@...]/: python3.11 --version
Python 3.11.11
[25.07.1-RELEASE][suser@...]/: php --version
PHP 8.3.19 (cli) (built: Aug 12 2025 18:51:59) (NTS)
...
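Added example, not part of the original post and not pfBlockerNG code: a quick way to test the hypothesis above. X.509 limits commonName to 64 characters (RFC 5280, ub-common-name), and a 45-character host joined to a 30-character domain gives 76. That the package puts host.domain into the CN is the poster's assumption; the names below are constructed to match the stated lengths, and the function names are made up for this sketch.

```sh
#!/bin/sh
# Added example: does host.domain fit in an X.509 commonName (CN)?
# RFC 5280 sets ub-common-name to 64 characters.
CN_MAX=64

# Print the length of the FQDN built from host ($1) and domain ($2).
fqdn_len() {
    fqdn="$1.$2"
    echo "${#fqdn}"
}

# Succeed (0) when host.domain fits in a CN, fail (1) when it does not.
cn_fits() {
    [ "$(fqdn_len "$1" "$2")" -le "$CN_MAX" ]
}

# Self-sign a throwaway certificate with CN=$1 in a temp directory.
# Returns openssl's exit status and prints any "string too long" error.
try_cert() {
    tmp=$(mktemp -d) || return 2
    if openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$1" \
        -keyout "$tmp/k.pem" -out "$tmp/c.pem" 2>"$tmp/err"; then
        rc=0
    else
        rc=$?
        grep -i 'string too long' "$tmp/err" || true
    fi
    rm -rf "$tmp"
    return "$rc"
}

# Constructed names with the lengths given in the post: 45 and 30.
HOST=$(printf '%045d' 0 | tr 0 h)
DOMAIN="$(printf '%025d' 0 | tr 0 d).test"

if cn_fits "$HOST" "$DOMAIN"; then
    echo "FQDN fits in CN"
else
    echo "FQDN is $(fqdn_len "$HOST" "$DOMAIN") chars, CN limit is $CN_MAX"
fi

# Reproduce with the local openssl, if present: long CN vs. short CN.
if command -v openssl >/dev/null 2>&1; then
    try_cert "$HOST.$DOMAIN" && echo "76-char CN accepted" || echo "76-char CN rejected"
    try_cert "$HOST" >/dev/null && echo "45-char CN accepted" || echo "45-char CN rejected"
fi
```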
-
@nanda said in pfb_filter and pfb_dnsbl services are not running Pfsense 25.07.1:
PfblockerNG-dev log contains sanity check failure,
This won't be stopping it - also there is "fix" for the miscount in the forum.
This thread discusses the line that needs to be changed
did you do a force reload ?
what does the pfblocker dashboard widget show ?
-
This won't be stopping it - also there is "fix" for the miscount in the forum.
This thread discusses the line that needs to be changed
The specified line is changed and the same thread is also referred to in the question.
did you do a force reload ?
Yes, force reload performed after file change.
what does the pfblocker dashboard widget show ?
Same result (please see the 1st image)
-
@nanda said in pfb_filter and pfb_dnsbl services are not running Pfsense 25.07.1:
Same result (please see the 1st image)
That's the services widget on the dashboard - not the pfblocker widget what does it show ?
-
can you show us the dnsbl setup page python mode? and any other settings you may have - image of the settings page would be helpful
The certificate error you are showing is likely the show stopper.
what blocking mode are you using ? DNSBL Web/VIP? Null block no logging? or null block (logging) ?
the certificate error might suggest you are using DNSBL Web/VIP but let's confirm
-
Have you got any packages installed that include openssl ?
what version is installed ?
openssl version
-
That's the services widget on the dashboard - not the pfblocker widget what does it show ?
can you show us the dnsbl setup page python mode? and any other settings you may have - image of the settings page would be helpful
Please see the screenshots below:
The certificate error you are showing is likely the show stopper.
If this might be the case, how will it affect the pfb_filter daemon service? pfb_dnsbl did require a certificate whereas pfb_filter did not.
what blocking mode are you using ? DNSBL Web/VIP? Null block no logging? or null block (logging) ?
DNSBL Web/VIP
Have you got any packages installed that include openssl ?
I do not see any installed packages, from given information, that include openssl. I think openssl is a necessity for pfsense functions, for example, certificate generation, and it will be a part of pfsense image.
what version is installed ?
[25.07.1-RELEASE][suser@...]/: openssl version
OpenSSL 3.0.16 11 Feb 2025 (Library: OpenSSL 3.0.16 11 Feb 2025)
-
Let me take a look -- just recovering from a 3 hour power outage, which caught an 18TB raid in the middle of a rebuild after a failed drive was hot swapped earlier this morning -- might be a bit before I can spin up my test systems -- Fun Friday.
Not that it should matter here - but any reason you don't use unbound python mode ?
Uses Less Memory (what are you running on for RAM)
you mentioned it was a clean install.
new install - are clients using this as the DNS now?
that dashboard widget sort of says it is running (hasn't done anything (0 count)) and are the services still down at that point ? usually when the services are down the check mark is what you see.
the Virtual IP address that end in .255 seems like a strange choice unless you have a very specific setup - is there a reason you picked that instead of the default ?
I'd be curious if you're willing to try - if you turned off the DNSBL Webservice/VIP and used say Null Blocking (logging) - then see if the services start and stay running ?
Actually in my setup I have the "no global logging" option selected on that screen and then set Null Blocking (logging) on the individual selections -
-
The usage of specific IP address has no special reason. It is for convenience.
The configuration is changed as recommended.
DNSBL mode => unbound python mode
Virtual ip address => 10.102.101.10
Global logging => Null blocking (logging)
Services are not starting.
When I checked the status of the service, the firewall returned, "does not exist". I tried to find the executable in the directory, but I couldn't, except for the sh files. Manual execution of the sh files neither produced an executable nor started the service.
[25.07.1-RELEASE][suser@...]/root: service pfb_filter status
pfb_filter does not exist in /etc/rc.d or the local startup directories (/usr/local/etc/rc.d), or is not executable
[25.07.1-RELEASE][suser@...]/root: ls /usr/local/etc/rc.d/
choparp dnsmasq isc-dhcrelay6 nginx php_fpm sshguard unbound
dbus expiretable kea openvpn radvd strongswan uuidd
dhcp6c igmpproxy lighttpd pcscd rrdcached suricata waagent
dhcp6relay isc-dhcpd microcode_update pfb_dnsbl.sh rsyncd suricata.sh waagent.sh
dhcp6s isc-dhcpd6 miniupnpd pfb_filter.sh scponlyc syslog-ng wireguardd
dhcpcd isc-dhcrelay mpd5 pfnet-controller smartd syslog-ng.sh xinetd
-
@nanda said in pfb_filter and pfb_dnsbl services are not running Pfsense 25.07.1:
When I checked the status of the service, the firewall returned, "does not exist".
as in on the Status -> Services page? or where specifically ?
and yet it shows on the dashboard services widget..
And you said this was a fresh install so ...
are there any errors in pfblockerNG 's error.log, dnsbl_parsed_error or py_error
(Firewall -> pfBlockerNG -> Logs)
on the pfblockerNG -> General.
make sure the Keep Settings option is enabled
then head over to packages and try to reinstall the package (you may remove and install or just reinstall)
see if you spot any install errors during the install
then when complete
you will need to change the masterfile / mastercat line again
and then check the update page at
Firewall -> pfBlockerNG -> Update
should have a status showing the next scheduled cron event (if that is within a few minutes just wait for it to run). if it is more than say 20 minutes away or says not scheduled (or similar) then on the same update screen force Cron hit run.
when that is complete
check the status
then reboot
check the status