    Problem with pfblocker - Syntax error in config file

mr_bobo

      I'm running the current version of pfSense on a Dell PC w/ a 2.66 GHz P4 and 1.25GB RAM. It runs great and uses very little resources.

      The only package I have installed is pfblocker and have been running it set to "Deny Both" for Africa, Asia, South America, and Oceania, and "Deny Inbound" for Europe and North America without any problems for the past couple weeks.

      I reformatted the machine 4 days ago, rebooted today, and was adding rules to the WAN interface when I noticed a yellow alert scrolling across where it usually shows the machine name. From System logs:

      May 14 16:20:51 php: : There were error(s) loading the rules: /tmp/rules.debug:22: cannot define table pfBlockerNorthAmerica: Cannot allocate memory /tmp/rules.debug:24: cannot define table pfBlockerOceania: Cannot allocate memory pfctl: Syntax error in config file: pf rules not loaded - The line in question reads [22]: table <pfblockernorthamerica>persist file "/var/db/aliastables/pfBlockerNorthAmerica.txt"

      May 14 16:20:51 php: : New alert found: There were error(s) loading the rules: /tmp/rules.debug:22: cannot define table pfBlockerNorthAmerica: Cannot allocate memory /tmp/rules.debug:24: cannot define table pfBlockerOceania: Cannot allocate memory pfctl: Syntax error in config file: pf rules not loaded The line in question reads [22]: table <pfblockernorthamerica>persist file "/var/db/aliastables/pfBlockerNorthAmerica.txt"

May 14 16:20:50 php: : The command '/sbin/pfctl -o basic -f /tmp/rules.debug' returned exit code '1', the output was '/tmp/rules.debug:22: cannot define table pfBlockerNorthAmerica: Cannot allocate memory /tmp/rules.debug:24: cannot define table pfBlockerOceania: Cannot allocate memory pfctl: Syntax error in config file: pf rules not loaded'

I rebooted and tried unsuccessfully to get it straightened out by uninstalling and reinstalling the package, so ended up reformatting the machine again, going through General and Advanced setup, reinstalling the pfblocker package again with the same settings, then rebooting. When I logged back in through the web interface, a reference to the same error was already scrolling. I tried setting the default rules again, rebooted the machine and got the same error when I logged back in.

      I disabled the North America and Oceania rules and after a reboot it seems to be working alright but the firewall rules aren't listing the same rules on the WAN interface they were before I reformatted today. It was listing the countries before, but isn't now:

      Firewall: Rules  WAN:
      RFC 1918 networks
      Reserved/not assigned by IANA

      Firewall: Rules  LAN:
      pfBlockerAfrica
      pfBlockerAsia
      pfBlockerSouthAmerica

      Firewall: Aliases
      pfBlockerAfrica
      pfBlockerAsia
      pfBlockerEurope
      pfBlockerSouthAmerica

      Any ideas what's going on with it?  I haven't edited the pfblocker rules in any way or added any extra rules since reformatting it today.

      EDIT: I checked out a list of shortwave radio stations to check if pfblocker rules for the countries I'm blocking both ways are really working and it seems to be a hit and miss situation. It blocks China but allows access to Afghanistan, blocks Brazil but allows access to Peru, etc.

marcelloc

        mr_bobo,

        try these steps:

• Acknowledge all errors to clean the message status.

• Disable pfblocker to clean the alias table.

• Increase Firewall Maximum Table Entries a lot, under System -> Advanced -> Firewall/NAT.

• Apply some rule configuration, for example, to make sure you no longer get the "Cannot allocate memory" error.

• Re-enable pfblocker.

Regards,
Marcello Coutinho

Elite Training: http://sys-squad.com

        Help a community developer! ;D

        1 Reply Last reply Reply Quote 0
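One way to check the condition Marcello's steps address, as an added example that is not part of the thread or of pfBlocker itself: it totals the entries in the pfBlocker alias table files and compares them against the pf table-entries hard limit reported by `pfctl -sm`. It assumes the /var/db/aliastables path quoted in the log above; the function names and the sample data are my own.

```shell
#!/bin/sh
# Added example (not from the thread): estimate whether pfBlocker's alias
# tables fit under pf's table-entries hard limit, which is what the
# "cannot define table ...: Cannot allocate memory" error indicates.
# Assumes pfSense's /var/db/aliastables directory (seen in the log above)
# and the standard FreeBSD `pfctl -sm` memory summary format.

# Count non-empty, non-comment lines across all alias table files in a directory.
count_table_entries() {
    dir="$1"
    total=0
    for f in "$dir"/*.txt; do
        [ -f "$f" ] || continue
        n=$(grep -cvE '^[[:space:]]*(#|$)' "$f" || true)
        total=$((total + n))
    done
    echo "$total"
}

# Extract the "table-entries hard limit" value from `pfctl -sm` style output.
table_entries_limit() {
    printf '%s\n' "$1" | awk '/table-entries hard limit/ {print $4}'
}

# Return 0 if the entries fit with headroom, 1 otherwise.
# pf needs room for its own tables (bogons etc.), so require 10% headroom.
check_fits() {
    entries="$1"; limit="$2"
    [ "$entries" -lt $((limit * 9 / 10)) ]
}

# Demo on constructed files (a real run would use
# count_table_entries /var/db/aliastables and table_entries_limit "$(pfctl -sm)").
demo() {
    tmp=$(mktemp -d)
    printf '1.2.3.0/24\n# comment\n5.6.0.0/16\n\n' > "$tmp/pfBlockerDemoA.txt"
    printf '10.0.0.0/8\n' > "$tmp/pfBlockerDemoB.txt"
    n=$(count_table_entries "$tmp")
    rm -rf "$tmp"
    echo "$n"
}
```

If the total is at or above the limit, raising Firewall Maximum Table Entries (as in the reply above) is what lets pfctl load the tables.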
mr_bobo

          Hi Marcello,

          That seems to have fixed it.

I set the Firewall Maximum Table Entries to 999999 (the default was 200000), made a rule blocking 209.69.0.0/16 In and Out, set pfblocker to "Deny Both" for Oceania and "Deny In" for North America, enabled pfblocker, rebooted, and there were no error messages this time when I accessed the web config page.

It's still not blocking all the outgoing access it should, I can still access the Indonesia, Nigeria, and Togo shortwave stations among others it shouldn't, but it's just me using the network. I'm not going to trip on it as long as it's blocking incoming and the pf firewall itself seems to be working fine.

          Thanks a lot for helping me out and getting it fixed for me, I appreciate it. :)
