PfBlocker

kilthro

@marcelloc:

The first try is always to increase max_table_entries on system advanced.

Most of Cannot allocate memory from  /tmp/rules.debug are related to this.

Ok I will try that and see if that helps. I didnt want to touch anything until i asked. Its just strange, that its been fine for a couple of months with the same tables ect. Then just started happening. Then if i delete the list/table and rebuilt it was fine for a little while. I appreciate the feedback. This evening I will increase it and see if that removes the problem.

marcelloc

@kilthro:

This evening I will increase it and see if that removes the problem.

It does not affect firewall function at all, you can apply it any time.

kilthro

@marcelloc:

@kilthro:

This evening I will increase it and see if that removes the problem.

It does not affect firewall function at all, you can apply it any time.

Good to know, Thanks. I will not be back at that location until this evening. I just get email notifications when something is working right. :-)

kilthro

Well the default was set to 200k so i increased to 900k and have refreshed a few times and no more errors.. Strange how this just started happening recently with out anything else changing on the firewall/setup.

Oh well.. Thanks again for the suggestion.

tommyboy180

@kilthro:

Well the default was set to 200k so i increased to 900k and have refreshed a few times and no more errors.. Strange how this just started happening recently with out anything else changing on the firewall/setup.

Oh well.. Thanks again for the suggestion.

Any packages recently installed? What about any system restarts?

kilthro

@tommyboy180:

@kilthro:

Well the default was set to 200k so i increased to 900k and have refreshed a few times and no more errors.. Strange how this just started happening recently with out anything else changing on the firewall/setup.

Oh well.. Thanks again for the suggestion.

Any packages recently installed? What about any system restarts?

Nope nothing installed. Snort is blinking in the package widget as there is an update for that but I haven't done it yet since I typically have to reset all of the stuff back up in it when it updates.. It runs flawlessly but when I upgrade it, it always seems to flaky so I have put that off for now lol..  The system has been up for 50 days+ straight with no restarts. Honestly I have configured it, and for the most part forget about it unless I get an email stating something errors out ect.. Every now and then I may log into it to check for updates and status on things but that's not regular.

When i was increasing the amount I did tried 400k and 600k with the same error. 900k was the first where it didn't error out so that what I stuck with. This morning when everything updated I didn't get an error so it seems like that amount is ok for now.

Amarth

This has probably been covered but I could not find any info on it. There seems to be a formatting issue on the pfBlocker Dashboard Widget.

Line: 69

print "```
";

Causes the column labels to offset to the right. ie: Alias ends up over the CIDR count.  I saw no closing

marcelloc

It's a missing debug cmd prior to var_dump.

If It's on 1.0.1 package version, I'll remove on next release.

vlurk

It looks like I am having the "cannot allocate memory" issue as well, running a 2.0.1 (i386) release, nanobsd 2G and pfBlocker 1.0.1. I increased the max table size, read page 21 as well but it just wouldn't cut it with my small platform.

Since I REALLY wanted to get the Bluetack's level1 blocklist, I needed to try something else and eventually found another solution…

What I did is write a simple perl script with that will read the list, and output a new CIDR list splitted into many files, actually 100,000 entries per file.

I then created a small cron job to download the list and execute the script on a linux server running Apache.  Finally, I configured three different blocklists (aliases) under pfblocker (not just a big one with three URLs...).  And it works!  Maybe having such a mechanism (splitting big files) built into pfblocker could be useful for some.

In case someone is interested by the perl script, it looks like this:

#!/usr/bin/perl
use Net::CIDR::Lite;

my $filenum = "0" x 4; # if you ++ a string, it keeps the padding

sub new_file {
        $filenum ++;
        my $name = "splat_$filenum.lis";
        open OUT, ">$name" or die "canne open $name cap'n:$!\n";
        warn "writing to:$name\n";
}

my $cidr = Net::CIDR::Lite->new;
open (MYFILE, $ARGV[0]);
while (<myfile>) {
  chomp;
  $_ =~ /[^:]+:(.*)/;
  my $range = $1; #extracted IP Range, verify it is IPv4
  if ( $range =~ m/\d{1,3}.\d{1,3}.\d{1,3}.\d{1,3}\-\d{1,3}.\d{1,3}.\d{1,3}.\d{1,3}/i ) {
        $cidr->add_range($range);
  }
}
close (MYFILE);
my $index = 0;
my @cidr_list = $cidr->list;
foreach my $block ( @cidr_list ) {
        if ( $index % 100000 == 0 ) {
                new_file;
        }
        print OUT $block,"\n";
        $index++;
}
close (OUT);</myfile> 

It receives the unzipped list in input, and will output the files in the CWD. Simple as that.

Have a nice day.

marcelloc

Good contributon. Thank you. :)

marcelloc

Just updated pfBlocker to 1.0.2 with:

• Fix on array check error at line 368 when there is no alias defined on pfSense

• reduce duplicate cases on automatic rules when using multiple interfaces as inbound and/or outbound

• Increase php memory limit to 250Mb when x64 pfSense is detected(DO AT YOUR OWN RISK PATCH applied to code ;))

• Updated country ip lists

tommyboy180

Awesome!

taryezveb

@tommyboy180:

Awesome!

+1, Thanks

vlurk

Thanks for the update: I am gonna give it a shot like right after I post this.

I noticed that my script would fail when some blocklist would include multiple colons on one line. Here is my updated script, which now accept a number of lines as the second argument.

#!/usr/bin/perl
use Net::CIDR::Lite;

my $filenum = "0" x 4; # if you ++ a string, it keeps the padding
my $limit = 100000; # default max number of lines

sub new_file {
	$filenum ++;
	my $name = "splat_$filenum.lis";
	open OUT, ">$name" or die "canne open $name cap'n:$!\n";
        warn "writing to:$name\n";
}

my $cidr = Net::CIDR::Lite->new;
open (MYFILE, $ARGV[0]);
if ( defined($ARGV[1])) {
	if ( $ARGV[1] =~  m/^\d{2,6}$/ ) {
		$limit = int($ARGV[1]);
	}
}

while (<myfile>) {
  chomp;
  my @line = split(/:+/);
  my $range = $line[-1]; #get IP Range, verify it is IPv4
  if ( $range =~ m/^\d{1,3}.\d{1,3}.\d{1,3}.\d{1,3}\-\d{1,3}.\d{1,3}.\d{1,3}.\d{1,3}$/ ) {
	$cidr->add_range($range);
  }
}
close (MYFILE);
my $index = 0;
my @cidr_list = $cidr->list;
foreach my $block ( @cidr_list ) {
	if ( $index % $limit == 0 ) {
		close (OUT);
		new_file;
	}
	print OUT $block,"\n";
	$index++;
}
close (OUT);</myfile> 

Since my platform is not x64, and only have 256MB of RAM, I am not sure the new patch will fix the memory allocation issue for me… I am running with 60% memory used on average. Right now I am using a 60,000 lines as my maximum. 100,000 would seem to fail on some occasions.

marcelloc

Vlurk,

The memory patch is only for am64.
As we try to avoid file hacks, I've applied a value that is defined on config.inc but not reflected on gui.
As you have few memory available, the best option is the way you are doing or of course a hardware upgrade.

Thank's for the script update.

LinuxTracker

I know Rules ReOrdering after a pfBlocker change has been covered in this thread.
I'd like to bring it back up because it's making me crazy.

Here's my situation.
I use the pfBlocker widget.  I also have my rules customized and ordered a certain way.

In the last pfBlocker ver., I'd set every Action to Deny Inbound.
Next I'd customize and reorder the auto-created rules. I'd be finished in 10 min or so.
I'm pretty sure pfBlocker automatically changed Action to Alias when I had adjusted the rules.
The end result was the rules wouldn't change after an update.

In this latest pfBlocker ver., my last method doesn't work.  I have to set action to Alias myself.
If I don't, my rule changes are wiped out after every update.

So, I make any changes at all to pfBlocker, I'm re-writing my blocking rules totally from scratch.
It's the only way I can have Widget+CustomizedRules+CustomRulesOrder.

It's doubled my time to restore settings after each pfBlocker config change.
Selecting a single country becomes a 20+min process, per machine.

I'm to weary to come up with any helpful suggestions/workarounds right now.
I'll revisit the thread when my brain is working again.

Thanks.

edit: I had another look at the Backup feature and discovered the option for FirewallRules.
I've make my copy and will try to restore from it after my next pfBlocker change.

marcelloc

Linuxtracker,

After a update, as well as I know, you need just to enable pfBlocker to get all your settings working again.

Maybe I misundertood you but I did not coded an automatic action switch from deny to alias only.

The steps I do for rule reordering are:

Apply pfBlocker conf with action I want on rules.
Change alias description on created firewall rules and then customize it's order.
Back on pfBlocker and change action to alias only.

LinuxTracker

@marcelloc:

1. Apply pfBlocker conf with action I want on rules.
2. Change alias description on created firewall rules and then customize it's order.
3. Back on pfBlocker and change action to alias only.

I did #1 and #2 and had just started on #3.
The moment I set the first country-group to alias (S.America) it tosses that country group off the list.
The remaining rules - order and customizations - were all reset.

As near as I can tell, any change at all in pfBlocker now mandates that I rewrite my rules from scratch.

It may be that every list update does the same.  
I offer that because the rules table completely reset about 11:30pm today - I have to rewrite them again.

marcelloc

Linuxtracker,

How are you renaming rule description before changing action to alias only?
I did a clean install and then:

• Installed pfblocker

• denied inbound access to argentina and some countries on Oceania

• Renamed the rule description from South America to block Argentina

• saved firewall rules and applied changes

• back to pfblocker, set action to alias only on South America tab

• saved config

After this, both rules(South america and Oceania) are still there.

I'll do some tests with lists applied too.

LinuxTracker

@marcelloc:

Linuxtracker,

How are you renaming rule description before changing action to alias only?

I don't change the rule descriptions that are generated by pfBlocker.
I figured they were necessary for the widget to work.

When I write the rules from scratch, the descriptions are identical to the pfBlocker generated ones.
ie:```
pfBlockerSouthAmerica auto rule

Thanks