PfblockerNG problems
-
Hi serialdie,
I posted a patch in the pfBNG thread… I will be submitting a PR to get this fixed soon..
Please patch the file /usr/local/www/pfblockerng/pfblockerng.php as indicated in the following thread below:
https://forum.pfsense.org/index.php?topic=86212.msg526272#msg526272
Following that, go to the Log browser, "Deny" and find the List in question (fail2ban) and delete that file by clicking the "x" on the right side… Follow that with a "Force Update"
Thanks!
-
BBcan177,
Thank you so much!
-
Do you take donations?
-
I see the following unexpected behaviour. pfBlockerNG [Alerts(Permit) last 5 entries]:
the reporting is in "overwrite-mode" i.s.o. appending a record per detection on same port (22).
Not just for the same IP, even for another IP.
But [Status: System logs: Firewall] has several entries reported.
What settings are needed for "append-mode" reporting?
-
@hda:
the reporting is in "overwrite-mode" i.s.o. appending a record per detection on same port (22).
Not just for the same IP, even for another IP.
Eh? Perhaps you could post some screenshots of the issue…
-
@hda:
the reporting is in "overwrite-mode" i.s.o. appending a record per detection on same port (22).
Not just for the same IP, even for another IP.
Eh? Perhaps you could post some screenshots of the issue…
It's fixed. I hit a few bugs that I worked out with the developer. Thanks! :)
-
Oh, OK… I'm using the -dev stuff, so usually things are updated before I notice anything.
-
Eh? Perhaps you could post some screenshots of the issue…
Fixed what ? or I wait for pfBng > 1.09 ?
-
@hda:
Eh? Perhaps you could post some screenshots of the issue…
Fixed what ? or I wait for pfBng > 1.09 ?
Look here https://forum.pfsense.org/index.php?topic=86212.855
-
@hda:
I see the following unexpected behaviour. pfBlockerNG [Alerts(Permit) last 5 entries]:
the reporting is in "overwrite-mode" i.s.o. appending a record per detection on same port (22).
Not just for the same IP, even for another IP.
But [Status: System logs: Firewall] has several entries reported.
What settings are needed for "append-mode" reporting?
Hi hda,
If I understand your question, you are asking to see duplicate alerts in the Alerts Tab? Is that correct? You can put a
// in front of continue;
in the code below to have it display duplicate entries…
Edit file : /usr/local/www/pfblockerng/pfblockerng_alerts.php Line: 455
```
// Skip Repeated Alerts
if (($pfbalert[3] . $pfbalert[8] . $pfbalert[10]) == $previous_dstip || ($pfbalert[3] . $pfbalert[7] . $pfbalert[9]) == $previous_srcip) {
	//continue;
}
```
It's best to open a new thread as the other issues in this thread are related to something else…
-
OK I took a look at the screen shot and see what you mean… Could you change the following line and let me know if that fixes your issue please?
Edit file : /usr/local/www/pfblockerng/pfblockerng_alerts.php Line: 454
```
// Skip repeated alerts
if (($pfbalert[7] . $pfbalert[3] . $pfbalert[8] . $pfbalert[10]) == $previous_ip) {
	continue;
}
```
and also change line: 492
```
$previous_ip = $pfbalert[7] . $pfbalert[3] . $pfbalert[8] . $pfbalert[10];
```
Let me know if you need any help with that? Thanks!
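
The two skip conditions quoted in this thread, side by side, as an added example that is not part of the original posts and is not pfBlockerNG code. The rows are constructed sample data, the field meanings given in the comments are assumptions, and so is the point at which the `$previous_*` values are stored. It shows how an either-key match can hide a second source hitting the same destination and port, which a single key containing field [7] does not.

```php
<?php
// Added example, not pfBlockerNG code. Assumed field layout of an alert row:
// [3] interface, [7] source IP, [8] destination IP, [9] source port,
// [10] destination port. All rows below are constructed sample data.
$rows = [
    [3 => 'wan', 7 => '203.0.113.5', 8 => '198.51.100.1', 9 => '40001', 10 => '22'],
    [3 => 'wan', 7 => '203.0.113.9', 8 => '198.51.100.1', 9 => '40002', 10 => '22'], // new source
    [3 => 'wan', 7 => '203.0.113.9', 8 => '198.51.100.1', 9 => '40003', 10 => '22'], // same source again
];

// Condition quoted for line 455: a row counts as a repeat if EITHER the
// destination key or the source key equals the previous one (assumed here to
// be stored after each displayed row).
function shown_original(array $rows): array
{
    $shown = [];
    $previous_dstip = $previous_srcip = null;
    foreach ($rows as $pfbalert) {
        $dst = $pfbalert[3] . $pfbalert[8] . $pfbalert[10];
        $src = $pfbalert[3] . $pfbalert[7] . $pfbalert[9];
        if ($dst === $previous_dstip || $src === $previous_srcip) {
            continue; // treated as a repeat, not displayed
        }
        $shown[] = $pfbalert[7];
        $previous_dstip = $dst;
        $previous_srcip = $src;
    }
    return $shown;
}

// Condition quoted for lines 454/492: one key that also contains field [7].
function shown_revised(array $rows): array
{
    $shown = [];
    $previous_ip = null;
    foreach ($rows as $pfbalert) {
        $key = $pfbalert[7] . $pfbalert[3] . $pfbalert[8] . $pfbalert[10];
        if ($key === $previous_ip) {
            continue; // same source, interface, destination and port as before
        }
        $shown[] = $pfbalert[7];
        $previous_ip = $key;
    }
    return $shown;
}

// Print the source addresses each condition would display.
echo 'original: ', implode(', ', shown_original($rows)), PHP_EOL;
echo 'revised:  ', implode(', ', shown_revised($rows)), PHP_EOL;
```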
-
… Could you change the following line and let me know if that fixes your issue please?
...
Thank you for pointing me at the code spot(s). I have made the changes as per your last writing here above, BUT with commented out "continue".
I found out that one has to Update Reload pfBlockerNG AND also reload (by picking any one rule and doing Save & apply changes) the pfSense Firewall, in order to activate the renewed php-file. What is the proper protocol for restarting all?
Yes this works as I see now every attempt time-registered, except when the first attempt after reload is on a valid-port (listen "xyz22") i.s.o. the dummy-port (22).
So, restated, if the first attempt is on the dummy-port (nothing listening on 22), then the entry (in Firewall-log & Alerts) is made, otherwise on a listening port no entry is made at first attempt after reload/restart.
Results in attach.
Thank You !
Edit: I see entry-2 should be from rule 112 i.s.o. 107.