CANNOT START BARNYARD..please help me!
-
I only have Snort and PFBlocker installed through the package section of the GUI. I had previously installed and ran Squid but recently removed it.
I am currently running 2.1 that was upgraded from 2.0.3 (I believe anyway)
My pkg_info output:
adodb-5.18 Database library for PHP
barnyard2-1.12 Interpreter for Snort unified2 binary output files
bsdinstaller-2.0.2012.1207 BSD Installer mega-package
freetype2-2.4.12_1 A free and portable TrueType font rendering engine
gettext-0.18.1.1 GNU gettext package
jpeg-8_4 IJG's jpeg compression utilities
kbproto-1.0.6 KB extension headers
libICE-1.0.8,1 Inter Client Exchange library for X11
libSM-1.2.1,1 Session Management library for X11
libX11-1.6.0,1 X11 library
libXau-1.0.8 Authentication Protocol library for X11
libXaw-1.0.11,2 X Athena Widgets library
libXdmcp-1.1.1 X Display Manager Control Protocol library
libXext-1.3.2,1 X11 Extension library
libXmu-1.1.1,1 X Miscellaneous Utilities libraries
libXp-1.0.2,1 X print library
libXpm-3.5.10 X Pixmap library
libXt-1.1.4,1 X Toolkit library
libdnet-1.11_3 A simple interface to low level networking routines
libiconv-1.14 A character set conversion library
libnet-1.1.6_1,1 A C library for creating IP packets
libnet11-1.1.6,1 A C library for creating IP packets
libpcap-1.4.0 Ubiquitous network traffic capture library
libpthread-stubs-0.3_3 This library provides weak aliases for pthread functions
libxcb-1.9.1 The X protocol C-language Binding (XCB) library
libxml2-2.8.0_2 XML parser library for GNOME
mysql-client-5.6.13 Multithreaded SQL database (client)
mysql-server-5.6.13 Multithreaded SQL database (server)
pcre-8.33 Perl Compatible Regular Expressions library
pear-1.9.4_2 PEAR framework for PHP
perl-5.14.4 Practical Extraction and Report Language
php5-5.4.17 PHP Scripting Language
php5-ctype-5.4.17 The ctype shared extension for php
php5-gd-5.4.17 The gd shared extension for php
php5-gettext-5.4.17 The gettext shared extension for php
php5-session-5.4.17 The session shared extension for php
php5-xml-5.4.17 The xml shared extension for php
php5-zlib-5.4.17 The zlib shared extension for php
pkgconf-0.9.2_1 Utility to help to configure compiler and linker flags
png-1.5.17 Library for manipulating PNG images
printproto-1.0.5 Print extension headers
t1lib-5.1.2_2,1 Type 1 font rasterization library for Unix/X11
xextproto-7.2.1 XExt extension headers
xproto-7.0.24 X11 protocol headers
Thank you so much for replying and attempting to assist me.
Let me know what other logs or info you need.
-Mike
-
OK, with that pkg_info output, I think we have a lot of work ahead to correct this. It does appear this was an upgrade from 2.0.3, and lots of old package libraries remain.
The very easiest thing to do, if you are willing, is a type of "wipe and reload" of pfSense 2.1. In other words, perform a backup of the configuration using the Diagnostics menu option, and then wipe the disk and install pfSense 2.1 from scratch. After the new install, restore your configuration using the Diagnostics menu option.
If that is not an option, then we have to play "whack-a-mole" with pkg_delete and other utilities to see if we can remove all the offending libraries. The extra hassle here is each time a library or old package is removed, Snort will have to be removed and re-installed as well. Lots of work.
My suggestion, if you are game, is to do the wipe and reload process. That's what I did. I saved off my config.xml file using Diagnostics…Backup/Restore. In my case I was installing on replacement hardware, but in your case you would just install from a USB stick or CD and overwrite the old installation. Once you configure at least the LAN interface manually during the install, you can restore the saved config.xml file, reboot, and you will be good to go.
Bill
-
Bill,
Thanks for your input. I figured I would have to go that route. I'll back up my config and start over with a fresh build of 2.1…..Kinda figured that was the issue. I'll knock that out when I get home tonight and post my results.
Should I go with the x64 package? I'm running this on a dual E2160 Xeons in a 2U.... or should I stick with x86 for compatibility?? I know it's overkill for pfsense but with Snort running it might task the processor(s) a little.
Thanks again!!!
-
I changed to the x64 build when I replaced my hardware. It has been solid for me. I recommend x64 (or amd64 in the pfSense naming convention). By the way, if you are changing from i386 to x64, when you do the backup of the config.xml file, DO NOT save the RRD data from the 32-bit install. 32-bit RRD data is incompatible with the x64 code. All this means is that you just will start over with accumulated RRD stats. Not really a big deal.
Bill
-
MUAHAAAHH HAAAA HAAAAA
Bill….You rock! A fresh build and some MySQL changes and I'm now running.
I cannot express my gratitude for your guidance. I created the MySQL server on my centos box out of exhaustion with PFsense......with that said, is it feasible to run MySQL server on PF alongside it as well as an httpd server? I'm not sure if the PF crew is looking to add ACID or BASE to the packages and I would prefer to keep my power bill lower and avoid having another machine run 24/7
-
I do not recommend putting MySQL server on your firewall. Generally you want as small an attack surface area as possible for firewalls. This means very few add-on packages. If you are worried about the power bill, how about using the free license for VMware ESXi and use virtual machines for your MySQL server? That's what I do. I have ESXi hosting a number of virtual machines, and one of them is a Snorby install with MySQL as well. You could even host pfSense itself on ESXi as a virtual machine.
Bill
-
I kind of figured that…I'll just leave that machine on running Apache and MySQL...it's only a Dell Optiplex 745.
Now I have a new issue that you've dealt with reading through the forums but I can't find a resolve.
My block list clears itself (no restarts on either Snort or PF..) I read something about the filter reload but didn't quite understand. How can I keep my blocklist persistent? It makes me happy when it gets large or is that not advisable?
-
Right now you can't do anything about the block list periodically clearing. That is a bug (or feature) that popped up in 2.1 of pfSense. I think the pfSense devs are going to address it, but it will be a while. There is no problem with the list clearing. As I have said in several threads on this topic, just like Snort detected and blocked the host the first time, so it will the next time the host sends an offending packet. Think of it this way: the first time you fired up Snort the block list was empty and Snort blocked the host on detecting an offending packet. The same thing will happen next time a host (any host) sends an offending packet, even with the block list empty.
Bill
-
Yeah, I read through all of your other posts. Would be cool if the devs made a feature to allow us to add that src IP to the firewall rules section..
Again, thanks for all of your help!!!
-
I might be able to do that from the Snort side by copying some functionality available from the Firewall Log page. Not sure, as I have not investigated in detail; just thinking off the top of my head.
Of course something like that might have limited usefulness because many times "bad actor host IP addresses" frequently change, so an IP block today may well be worthless tomorrow. Or worse yet, if it was a dynamically assigned IP and now a "good guy" has it, he will be permanently blocked from your network. Better in my view to use the automatic 1-hour clearing of Snort-blocked IPs. You can set this on the Global Settings tab. Right now, with the random early clearing of the block table, you may not see a true 1-hour interval, though.
Bill