PFBlockerNG stops working (RESOLVED)
-
Hi Sammy,
I believe that all Package Maintainers love to hear when things don't work on NANOBSD! :)
The process for NanoBSD is as follows:
- Download Alias/Lists. Files are created in /var/db/pfblockerng/deny (or other sub folders as required).
- Aliastables are created in /var/db/aliastables
- An archive of the Aliastables is made and saved in /usr/pbi/pfblockerng-<arch>/etc/aliastables.tar.bz2
Each time Cron/Update runs, if there are any changes to the files, a new archive file is created. - At reboot an earlyshellcmd is run that un-compresses this archive and restores it to /var/db/aliastables. This is completed prior to pfSense Loading the Aliastables and Rules.
However, the /var/db/pfblockerng folder and sub-folders are not restored. These will be created at the next Cron event or a manual "Force Update" process. The archive only contains the aliastables to reduce the size of the Archive to only the critical "/var/db/aliastables" folder and files because Nano systems typically do not have large amounts of non-volatile storage space.
Steps to confirm -
- Please verify that the archive file is created before reboot and that it contains the Aliastables.
- Reboot and confirm that the archive file is extracted. You will see this in a Bootup window (from a Monitor)
- view the contents of the folder /var/db/aliastables.</arch>
-
Another possibility is that you have pfBlockerNG set to Update and then you are invoking the Reboot of the Box before the Update process has completed?
-
Here is the step by step. It actually shows the problem from start to finish.
Basically the cron is not working is not "re-creating" the file structure as its supposed to. So while the alistables survive the reboot the get destroyed at cron. But if you do a "manual" "force reboot" things work again.
Please see the steps and screenshots attached.
-
Instead of using "Force Cron" after the reboot. Please use "Force Update" and see if that makes a difference. I don't use Nano but the two users who replied in this thread both use the Nano version with pfBNG without issues.
I would also suggest you read the pfBlockerNG thread about Blocking the world and reverse that approach to Allow a few Countries instead.
https://forum.pfsense.org/index.php?topic=86212.msg486644#msg486644
-
Yes as shown in Img 6, "Force Update" works. The only things is how do I automate that ?? I am willing to change the crontab file so that I do no an hourly force update. Since the reboot happens late at night we are not on site to log in and do a manual "Force Update". For robustness sakes there should be a way to automate this step.
-
It works just fine automated for me (on multiple nanobsd boxes). I'd suggest to uncheck the Keep Settings box, remove the package and start from scratch.
I would also suggest you read the pfBlockerNG thread about Blocking the world and reverse that approach to Allow a few Countries instead.
Yeah, indeed…
-
The particular situation here is unique as most users have other Lists along with Country Blocking.
So I see the issue now with "Force Cron". I will write an update and send it to you to test before I release it.
-
Thanks BBCAN … I will await your response.
SAM
-
BBCan is a ROCK STAR !!!
Emailed me the patch and it works now like a charm. So I'm sure he/she will be sending the code upstream to be included in the next update of the package.
The affected version was 1.06
Thanks again for an amazing package and amazing support !!!
-
-
We cant arque with that ;)
-
Yep ROCKIN'
Scratching around trying to figure out why no rules were being created, no logs showing any complaints, configuring everything and looking for things that might hint of what could be broken. Then found this thread… pressed Reload and for the first time after hours of having pfBng enabled, it runs:
UPDATE PROCESS START [ 04/03/15 23:55:19 ]
All the rules werre written and appended to my interface rule-sets.
Sweet! Thanks to all of you for these posts and of course bbcan177… who it seems may have nailed this for 1.07/8.
Not a moment too soon (mine worked just before midnight)!
-
Hi unEsxi,
Your situation is not related to the issue in this thread. You need to use "Force Update" to apply changes. There is a big red disclaimer above the "Save" button.
Thanks for the overall positive Feedback!
