PfBlockerNG
-
I'm noticing extremely high CPU usage on my pfSense box when I'm just sitting on my pfBlockerNG alerts page. Its attributed to one or more processes named "php-fpm: pool lighty (php-fpm)"
It seems like the longer I'm on the that page, the more of those processes I see, and the higher the CPU usage gets.
For what its worth, I'm seeing a significant number of alerts from attempts to access lots of different IPs at: 61.145.124.x and 183.61.112.x on port 80. These are originating from a Nexus 9 tablet. I can't figure out how they belong to, other than some Chinese telecon and some appear to be alibaba. Any ideas? I'm trying to decide if I should be concerned…
-
Hi reggie.
I haven't noticed any significant Load from the Alerts Tab myself? Do you leave it running with Auto-Refresh and Auto-Resolve running? Which Browser are you using?
Are those Alerts coming from a Country Block? You can click any of the "!" to pull more detail about those IPs. There are several different sites listed in that Lookup page.
-
BBcan177 -
I'm using Chrome, without auto-refresh or auto-resolve running. As far as I can tell, the high CPU usage continues indefinitely after the initial load for the Alerts page, and there's no sign that Chrome is attempting to update that page.
The problem is significantly exacerbated if I increase the number of alerts that are configured to appear. Try bumping up the number to the last 300 deny alerts and see what happens. My pfsense box came to a crawl until I closed the browser window that had the alerts page open.
As for the IP addresses, I tried looking at the resources pfblocker identifies, but couldn't find anything particularly useful there. I did, however, just track down the source of the traffic on my end- it's where the Go Weather app on Android goes to pull down weather data.
Update 1: BTW, separate note, does the "Enable Suppression" option work yet? I want to allow the traffic I'm seeing. I think I could just add it to the firewall suppression list via an easy rule, but pfblockerng seems to be able to manage its own suppression list. The main config page says I should see "+" icons in the alerts tab, but I still don't see them after enabling that option.
Update 2: Re-reading the config page, it sounds like I can't suppress country blocks. Hmmm… I guess I should just manually create firewall rules to pass this traffic before pfblockerng blocks it. Or is pfblockerng just going to put itself ahead of that rule?
-
If you select F12 - Dev Mode. and goto "Console" tab, do you see any errors? I bumped mine to 300 and do see four php-fpm processes, but they are all between 0.5-2% each (max 3% at times).
-
The main config page says I should see "+" icons in the alerts tab, but I still don't see them after enabling that option.
In the General tab, enable the checkbox for "Suppression". The "+" icon will not appear for Country Blocks. (Hover over the Lists column and the "+" icon when you see it for more details)
To overcome Country Blocks, you need to create a Whitelist Alias and set it to Permit Outbound.
-
If you select F12 - Dev Mode. and goto "Console" tab, do you see any errors? I bumped mine to 300 and do see four php-fpm processes, but they are all between 0.5-2% each (max 3% at times).
Sorry, I'm not sure what you mean. Do you mean I need to SSH into the pfsense box to enable dev mode, and then I'll see a console tab on the webGUI?
-
If you select F12 - Dev Mode. and goto "Console" tab, do you see any errors? I bumped mine to 300 and do see four php-fpm processes, but they are all between 0.5-2% each (max 3% at times).
Sorry, I'm not sure what you mean. Do you mean I need to SSH into the pfsense box to enable dev mode, and then I'll see a console tab on the webGUI?
The Chrome Browser (All browsers actually) have a Dev mode to help in Debugging. Click F12, when in Chrome and it will show more details that can help diagnose the issue.
-
To overcome Country Blocks, you need to create a Whitelist Alias and set it to Permit Outbound.
I'm not sure I know how to do this…
If I understand how pfblockerng works, I need to do this within pfblockerng- as any regular firewall rule will appear after the pfblockerng rules.
So, I'd have to create a IPv4 Alias/list. However, it appears that to populate that list I would have to create a local file on the pfsense box that lists the IPs and networks I want to allow. There's no way just to list the IPs directly from the web interface. Is that right?
Update: Nevermind. The custom list feature can obviously be used to do that much more easily. I knew there must be a better way.
-
The Chrome Browser (All browsers actually) have a Dev mode to help in Debugging. Click F12, when in Chrome and it will show more details that can help diagnose the issue.
Oh, that is what you meant. It never occurred to me that the browser might be able to provide meaningful diagnostic data on this issue. It was a good idea, though. I do see some errors:
https://pfsense.<redacted>/pfblockerng/javascript/domTT/domLib.js Failed to load resource: the server responded with a status of 404 (Not Found) https://pfsense.<redacted>/pfblockerng/javascript/domTT/domTT.js Failed to load resource: the server responded with a status of 404 (Not Found) https://pfsense.<redacted>/pfblockerng/javascript/domTT/behaviour.js Failed to load resource: the server responded with a status of 404 (Not Found) https://pfsense.<redacted>/pfblockerng/javascript/domTT/fadomatic.js Failed to load resource: the server responded with a status of 404 (Not Found)</redacted></redacted></redacted></redacted> -
To overcome Country Blocks, you need to create a Whitelist Alias and set it to Permit Outbound.
I'm not sure I know how to do this…
If I understand how pfblockerng works, I need to do this within pfblockerng- as any regular firewall rule will appear after the pfblockerng rules.
So, I'd have to create a IPv4 Alias/list. However, it appears that to populate that list I would have to create a local file on the pfsense box that lists the IPs and networks I want to allow. There's no way just to list the IPs directly from the web interface. Is that right?
Create a new Alias "Whitelist", You can enter IPs in the "Custom Box" below where the URLs are entered. Enter one IP per line (You can put a #comment beside each IP to Document for future Reference).
Set the "List Action" as "Permit Outbound".
Update Frequency doesn't really matter in this instance. You can enable/Disable logging of this Alias as you require. When you make any changes, Click the "Update Custom List" Checkbox at the very bottom of the Alias, and then Save.
Click "Force Update" to reload this Alias.
Ensure that the appropriate "Rules Order" is selected in the "General Tab" to allow the Permits to be placed before the Block Rules.
-
I've seen that error before. Not sure if its related… But I do really hate JS :)
Let me look into it and will get back to you. Just drop the Deny count to something more manageable (<50) -
BBcan177- Indeed- thanks for the clear instructions. I should have figured that out myself much faster. I knew there must be a better way, but the custom list heading didn't sound right until I actually read the instructions/examples around it.
Dropping the alert count helps, although sometimes even then I have awfully high CPU usage. Luckily, I don't really need to use it most of the time. I can view the firewall logs page without running into this problem.
I really appreciate the troubleshooting help!
-
Encountering a strange error this morning. IP's are getting blocked which are in none of the block list I use. For example in the image all the IP's shown blocked with the LIST "No Match"status are not in any of my block list, yet they are being blocked.
I presume it is a configuration error, but I can't seem to locate it. Also the rule listed as activating the block, changes as I disable the rule list that says activated the block. The block goes to the next rule list I have and shows the same block.
Any help would be appreciated.
cjb
-
Clear the Firewall log as any firewall rule changes can unsync the alerts.
-
BBcan177- Indeed- thanks for the clear instructions. I should have figured that out myself much faster. I knew there must be a better way, but the custom list heading didn't sound right until I actually read the instructions/examples around it.
Dropping the alert count helps, although sometimes even then I have awfully high CPU usage. Luckily, I don't really need to use it most of the time. I can view the firewall logs page without running into this problem.
I really appreciate the troubleshooting help!
@Reggie:
Could you give us some more info about the firewall hardware and if you are using 32/64 bit? -
I am using AMD 64 Bit version. Cleared the log, then re-started PF and same result.
What is strange is that the VOIP block list is a custom list we created using unauthorized IP's hitting our VOIP network, yet the IP's that PF is blocking are DNS or WEB servers and not any of the VOIP 5060 IP's we have in the VOIP list.
-
The Chrome Browser (All browsers actually) have a Dev mode to help in Debugging. Click F12, when in Chrome and it will show more details that can help diagnose the issue.
Oh, that is what you meant. It never occurred to me that the browser might be able to provide meaningful diagnostic data on this issue. It was a good idea, though. I do see some errors:
https://pfsense.<redacted>/pfblockerng/javascript/domTT/domLib.js Failed to load resource: the server responded with a status of 404 (Not Found) https://pfsense.<redacted>/pfblockerng/javascript/domTT/domTT.js Failed to load resource: the server responded with a status of 404 (Not Found) https://pfsense.<redacted>/pfblockerng/javascript/domTT/behaviour.js Failed to load resource: the server responded with a status of 404 (Not Found) https://pfsense.<redacted>/pfblockerng/javascript/domTT/fadomatic.js Failed to load resource: the server responded with a status of 404 (Not Found)</redacted></redacted></redacted></redacted>Hi Reggie,
Digdug3 and I found the following issue in a pfsense file called "fbegin.inc".
A '/' was missing in the path for these JS files.
-
I am using AMD 64 Bit version. Cleared the log, then re-started PF and same result.
What is strange is that the VOIP block list is a custom list we created using unauthorized IP's hitting our VOIP network, yet the IP's that PF is blocking are DNS or WEB servers and not any of the VOIP 5060 IP's we have in the VOIP list.
Hi cjbujold,
I'm not 100% following… If you want some more help, send me a PM.
-
Dropping the alert count helps, although sometimes even then I have awfully high CPU usage. Luckily, I don't really need to use it most of the time. I can view the firewall logs page without running into this problem.
Hi reggie, Some modifications were made to the Alerts Tab to reduce the overhead. If you are interested in testing this file, send me a PM before I submit a Pull Request for it…
-
I have posted Pull Request #818 to fix the following issues:
1. Improved IPv6 Regex
2. Suppress '0.0.0.0/32' from being added to any Alias/Lists.
3. General Tab - Moved the "Keep" Checkbox to be just below the
"Enable pfBNG" checkbox.This will bump pfBNG to version 1.04
https://pfsense.<redacted>/pfblockerng/javascript/domTT/domLib.js Failed to load resource: the server responded with a status of 404 (Not Found) https://pfsense.<redacted>/pfblockerng/javascript/domTT/domTT.js Failed to load resource: the server responded with a status of 404 (Not Found) https://pfsense.<redacted>/pfblockerng/javascript/domTT/behaviour.js Failed to load resource: the server responded with a status of 404 (Not Found) https://pfsense.<redacted>/pfblockerng/javascript/domTT/fadomatic.js Failed to load resource: the server responded with a status of 404 (Not Found)</redacted></redacted></redacted></redacted>Digdug3 and I found the following issue in a pfsense file called "fbegin.inc".
A '/' was missing in the path for these JS files.
PR #0818 - has been Merged. (pfBNG v1.04)
PR #1485 - has been Merged. To get this update, you will either need to Gitsync
or Use the Patch Manager.
(or manually edit the file /usr/local/www/fbegin.inc)