pfBlockerNG - Causing reboot failure?
-
Not sure my issue is caused by pfBlockerNG, but it happens every time I try and install it. I can install pfBlockerNG, configure it such that all countries except the United States are blocked, both IPv4 and 6. Start it and everything appears to work normally. When I shut the router down and try to reboot it, it hangs every time at the "configuring firewall" stage. This happens every time I install pfBlockerNG.
While I would have expected this to have been caught, you never know, so I am requesting someone else with pfBlockerNG try and reboot their router, preferably a test machine just in case. I have tried a fresh install, built the configuration and everything works. I can reboot with no issues. Install pfBlockerNG and it hangs.
My only solution is to completely blow away my current install with a fresh install of pfSense and reload of a backup prior to the pfBlockerNG install. I am sure there is a way to recover without this extreme measure, but I do not know how.
-
It could be related to list timeout during boot.
Try to disable the service before rebooting to confirm it's an apply list problem during boot.
-
That worked. I installed pfBlockerNG, configured it, verified the rules were in place, then shut down the service by unchecking the "Enable pfBlockerNG" service box and saving in the pfBlockerNG: General Settings screen. I then rebooted successfully.
This is good for a test, but obviously not a real fix. While in a controlled shutdown/reboot you could disable the service, if you remember, an uncontrolled shutdown/reboot/restart would be an issue.
Is there a config parameter I could modify that would lengthen the timeout period?
-
When I shut the router down and try to reboot it, it hangs every time at the "configuring firewall" stage.
Hi switchman,
This issue is not a bug in the pfBlockerNG code. I assume that you are on a Nano or are using a Ramdisk. In these types of installs, the /var/db/aliastables folder is getting wiped at each reboot. I would also recommend that you look at the pfBlockerNG thread and reverse your approach for blocking all countries (except for a few) and change that to a "Permit" certain countries instead.
On 'bootup' you will see "configuring firewall…" and it will wait a minute for each aliastable that is configured in pfSense for pfBlockerNG. This happens early on in the reboot process, and I am not able to run any code without manipulating the base pfSense code. I am working on a solution, but in the short term you can use the solution below to improve the reboot issue…
Edit /etc/inc/pfsense-utils.inc (Line 1648)
and change $connect_timeout = 60 to $connect_timeout = 5 ( This will change the timeout to 5 seconds )
Original :
1648 function download_file($url, $destination, $verify_ssl = false, $connect_timeout = 60, $timeout = 0) {
Modified:
1648 function download_file($url, $destination, $verify_ssl = false, $connect_timeout = 5, $timeout = 0) {
However, please note that /var/db/aliastables is still empty, so to get pfBlockerNG working again, you will need to execute a "Force Update" or wait for the next pfBNG Cron event.
I will keep you updated with my progress on a better solution… (and again, this is only related to NANO / RAMDisk installations)
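
The check described in the post above, as an added example that is not part of the original post and is not pfBlockerNG or pfSense code: it lists alias tables whose file is missing or empty and estimates the resulting boot wait. It assumes one `<alias>.txt` file per alias in the table directory, and the alias names are passed in by the caller.

```shell
#!/bin/sh
# Added example, not pfBlockerNG/pfSense code.
# Assumption: each alias table lives in "<dir>/<alias>.txt".
# Alias names are supplied by the caller; none are hard-coded here.

TABLE_DIR="${TABLE_DIR:-/var/db/aliastables}"

# Print the name of every alias whose table file is missing or empty.
missing_tables() {
    dir="$1"; shift
    for name in "$@"; do
        [ -s "$dir/$name.txt" ] || echo "$name"
    done
}

# Number of aliases with a missing or empty table file.
count_missing() {
    missing_tables "$@" | wc -l | tr -d ' '
}

# Estimated boot wait in seconds, following the post: one connect
# timeout per affected table (60 by default, 5 after the edit).
boot_wait_seconds() {
    timeout="$1"; shift
    echo $(( $(count_missing "$@") * $timeout ))
}

# Report for the given aliases; tables listed here hold no entries
# until a "Force Update" or the next cron run repopulates them.
report() {
    dir="$1"; shift
    n=$(count_missing "$dir" "$@")
    echo "tables missing or empty in $dir: $n of $#"
    missing_tables "$dir" "$@" | sed 's/^/  /'
    echo "estimated boot wait: $(boot_wait_seconds 60 "$dir" "$@")s at 60s," \
         "$(boot_wait_seconds 5 "$dir" "$@")s at 5s"
}

# Usage: sh check_tables.sh <alias> [<alias> ...]
if [ "$#" -gt 0 ]; then
    report "$TABLE_DIR" "$@"
fi
```
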
-
I am having the same problem but I am running off a hard drive. The boot up just hangs and all I can do is a complete reinstall.
Is there any way to recover a system when this happens or is the only way to reinstall?
-
I am having the same problem but I am running off a hard drive. The boot up just hangs and all I can do is a complete reinstall.
Is there any way to recover a system when this happens or is the only way to reinstall?
The system is not hung… It's in a timeout. For each alias it is waiting a minute. Please follow the recommendation in my post above for a quick fix. I will be posting an update to overcome this issue. I am waiting on some testers to confirm that it's working as expected…
-
Thanks for the info, I will go back and read the full thread to see how to enable your recommendation to "I would also recommend that you look at the pfBlockerNG thread and reverse your approach for blocking all countries (except for a few) and change that to a "Permit" certain countries instead."
I am new to pfSense and it takes a while to get a handle on it and all of the packages that can be utilized and how they work.
-
All countries are permitted by default. On the top 20, you still have to select the countries on the list. It could be me, but how would that make sense?
Thanks for the info, I will go back and read the full thread to see how to enable your recommendation to "I would also recommend that you look at the pfBlockerNG thread and reverse your approach for blocking all countries (except for a few) and change that to a "Permit" certain countries instead."
I am new to pfSense and it takes a while to get a handle on it and all of the packages that can be utilized and how they work.