Netgate Discussion Forum
    PfblockerNG problems

    pfSense Packages
      serialdie

      @BBcan177,

      Do you take donations?

        hda

        I see the following unexpected behaviour. pfBlockerNG [Alerts(Permit) last 5 entries]:

        the reporting is in "overwrite-mode" i.s.o. appending a record per detection on same port (22).
        Not just for the same IP, even for another IP.
        But [Status: System logs: Firewall] has several entries reported.

        What settings are needed for "append-mode" reporting ?

          doktornotor Banned

          @hda:

          the reporting is in "overwrite-mode" i.s.o. appending a record per detection on same port (22).
          Not just for the same IP, even for another IP.

          Eh? Perhaps you could post some screenshots of the issue…

            serialdie

            @doktornotor:

            @hda:

            the reporting is in "overwrite-mode" i.s.o. appending a record per detection on same port (22).
            Not just for the same IP, even for another IP.

            Eh? Perhaps you could post some screenshots of the issue…

            It's fixed. I hit a few bugs that I worked out with the developer. Thanks! :)

              doktornotor Banned

              Oh, OK… I'm using the -dev stuff, so usually things are updated before I notice anything.

                hda

                @doktornotor:

                Eh? Perhaps you could post some screenshots of the issue…

                Fixed what ? or I wait for pfBng > 1.09 ?

                FWlog1.png
                pfBalerts1.png

                  serialdie

                  @hda:

                  @doktornotor:

                  Eh? Perhaps you could post some screenshots of the issue…

                  Fixed what ? or I wait for pfBng > 1.09 ?

                  Look here https://forum.pfsense.org/index.php?topic=86212.855

                    BBcan177 Moderator

                    @hda:

                    I see the following unexpected behaviour. pfBlockerNG [Alerts(Permit) last 5 entries]:

                    the reporting is in "overwrite-mode" i.s.o. appending a record per detection on same port (22).
                    Not just for the same IP, even for another IP.
                    But [Status: System logs: Firewall] has several entries reported.

                    What settings are needed for "append-mode" reporting ?

                    Hi hda,

                    If I understand your question, you are asking to see duplicate alerts in the Alerts Tab? Is that correct? You can put a `//` in front of `continue;` in the code below to have it display duplicate entries…

                    Edit file: /usr/local/www/pfblockerng/pfblockerng_alerts.php  Line: 455

                    ```
                    // Skip Repeated Alerts
                    if (($pfbalert[3] . $pfbalert[8] . $pfbalert[10]) == $previous_dstip || ($pfbalert[3] . $pfbalert[7] . $pfbalert[9]) == $previous_srcip) {
                    	//continue;
                    }
                    ```

                    It's best to open a new thread as the other issues in this thread are related to something else…

                    "Experience is something you don't get until just after you need it."

                    Website: http://pfBlockerNG.com
                    Twitter: @BBcan177  #pfBlockerNG
                    Reddit: https://www.reddit.com/r/pfBlockerNG/new/

                      BBcan177 Moderator

                      OK I took a look at the screen shot and see what you mean… Could you change the following line and let me know if that fixes your issue please?

                      Edit file: /usr/local/www/pfblockerng/pfblockerng_alerts.php  Line: 454

                      ```
                      // Skip repeated alerts
                      if (($pfbalert[7] . $pfbalert[3] . $pfbalert[8] . $pfbalert[10]) == $previous_ip) {
                              continue;
                      }
                      ```

                      and also change line: 492

                      ```
                      $previous_ip = $pfbalert[7] . $pfbalert[3] . $pfbalert[8] . $pfbalert[10];
                      ```

                      Let me know if you need any help with that?

                      Thanks!

                      "Experience is something you don't get until just after you need it."

                      Website: http://pfBlockerNG.com
                      Twitter: @BBcan177  #pfBlockerNG
                      Reddit: https://www.reddit.com/r/pfBlockerNG/new/
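
The effect of the two "skip repeated alerts" conditions quoted in the posts above, as an added example that is not pfBlockerNG's code or part of the original posts. The meaning of the `$pfbalert` indices, the way `$previous_dstip` and `$previous_srcip` are assigned, the helper `row()` and the sample rows are all assumptions constructed for illustration.

```php
<?php
// Added illustration, not pfBlockerNG source. Assumed row layout: [3] interface,
// [7] source IP, [8] destination IP, [9] source port, [10] destination port.
function row($src, $sport, $dst, $dport) {
    $r = array_fill(0, 11, '');
    $r[3] = 'wan'; $r[7] = $src; $r[8] = $dst; $r[9] = $sport; $r[10] = $dport;
    return $r;
}
// Constructed sample rows (documentation address ranges), in display order.
$alerts = [
    row('198.51.100.7', '40001', '203.0.113.10', '22'),
    row('198.51.100.7', '40002', '203.0.113.10', '22'), // same source, retry
    row('192.0.2.44',   '51515', '203.0.113.10', '22'), // different source
    row('192.0.2.44',   '51516', '203.0.113.10', '22'), // same source, retry
];

// First variant: skip a row when either its destination key or its source
// key equals the one remembered from the last displayed row.
function filter_split_keys(array $alerts) {
    $shown = []; $previous_dstip = null; $previous_srcip = null;
    foreach ($alerts as $a) {
        $dst = $a[3] . $a[8] . $a[10];
        $src = $a[3] . $a[7] . $a[9];
        if ($dst === $previous_dstip || $src === $previous_srcip) {
            continue;
        }
        $previous_dstip = $dst; $previous_srcip = $src;
        $shown[] = $a;
    }
    return $shown;
}

// Second variant: one key that also carries the source IP.
function filter_combined_key(array $alerts) {
    $shown = []; $previous_ip = null;
    foreach ($alerts as $a) {
        $key = $a[7] . $a[3] . $a[8] . $a[10];
        if ($key === $previous_ip) {
            continue;
        }
        $previous_ip = $key;
        $shown[] = $a;
    }
    return $shown;
}

foreach (['filter_split_keys', 'filter_combined_key'] as $f) {
    printf("%-20s shows %d of %d rows\n", $f, count($f($alerts)), count($alerts));
}
```

Under these assumptions the split-key condition suppresses a row from a new source address that targets the same destination and port, while the combined key keeps it and still collapses immediate retries from one source. Either way the Alerts tab is a filtered view, and the firewall log remains the complete record.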

                        hda

                        @BBcan177:

                        … Could you change the following line and let me know if that fixes your issue please?
                        ...

                        Thank you for pointing me at the code spot(s). I have made the changes as per your last writing here above, BUT with commented out "continue".

                        I found out that one has to Update Reload pfBlockerNG AND also to reload (by picking any one rule and do Save & apply changes) the pfSense Firewall, in order to activate the renewed php-file. What is the proper protocol for restarting all ?

                        Yes this works as I see now every attempt time-registered, except when the first attempt after reload is on a valid-port (listen "xyz22") i.s.o. the dummy-port (22).
                        So, restated, if the first attempt is on the dummy-port (nothing listening on 22), then the entry (in Firewall-log & Alerts) is made, otherwise on a listening port no entry is made at first attempt after reload/restart.

                        Results in attach.

                        Thank You !

                        Edit: I see entry-2 should be from rule 112 i.s.o.107.

                        pfBalerts2.png
