PfblockerNG problems

serialdie

Do you take donations?

hda

I see the following unexpected behaviour. pfBlockerNG [Alerts(Permit) last 5 entries]:

the reporting is in "overwrite-mode" i.s.o. appending a record per detection on same port (22).
Not just for the same IP, even for another IP.
But [Status: System logs: Firewall] has several entries reported.

What settings are needed for "append-mode" reporting ?

doktornotor

@hda:

the reporting is in "overwrite-mode" i.s.o. appending a record per detection on same port (22).
Not just for the same IP, even for another IP.

Eh? Perhaps you could post some screenshots of the issue…

serialdie

@doktornotor:

@hda:

the reporting is in "overwrite-mode" i.s.o. appending a record per detection on same port (22).
Not just for the same IP, even for another IP.

Eh? Perhaps you could post some screenshots of the issue…

Its fixed. I hit a few bugs that I worked out with the developer. Thanks! :)

doktornotor

Oh, OK… I'm using the -dev stuff, so usually things are updated before I notice anything.

hda

@doktornotor:

Eh? Perhaps you could post some screenshots of the issue…

Fixed what ? or I wait for pfBng > 1.09 ?

FWlog1.png_thumb

pfBalerts1.png_thumb

serialdie

@hda:

@doktornotor:

Eh? Perhaps you could post some screenshots of the issue…

Fixed what ? or I wait for pfBng > 1.09 ?

Look here https://forum.pfsense.org/index.php?topic=86212.855

BBcan177

@hda:

I see the following unexpected behaviour. pfBlockerNG [Alerts(Permit) last 5 entries]:

the reporting is in "overwrite-mode" i.s.o. appending a record per detection on same port (22).
Not just for the same IP, even for another IP.
But [Status: System logs: Firewall] has several entries reported.

What settings are needed for "append-mode" reporting ?

Hi hda,

If i understand your question, you are asking to see duplicate alerts in the Alerts Tab? Is that correct? You can put a

// in front of continue;

in the code below to have it display duplicate entries…

Edit file : /usr/local/www/pfblockerng/pfblockerng_alerts.php Line: 455


                        // Skip Repeated Alerts 
			if (($pfbalert[3] . $pfbalert[8] . $pfbalert[10]) == $previous_dstip || ($pfbalert[3] . $pfbalert[7] . $pfbalert[9]) == $previous_srcip) {
				//continue;
			}

Its best to open a new thread as the other issues in this thread are related to something else…

BBcan177

OK I took a look at the screen shot and see what you mean… Could you change the following line and let me know if that fixes your issue please?

Edit file : /usr/local/www/pfblockerng/pfblockerng_alerts.php Line: 454
```

// Skip repeated alerts
if (($pfbalert[7] . $pfbalert[3] . $pfbalert[8] . $pfbalert[10]) == $previous_ip) {
continue;
}


and also change line:  492

$previous_ip = $pfbalert[7] . $pfbalert[3] . $pfbalert[8] . $pfbalert[10];


Let me know if you need any help with that?

Thanks!

hda

@BBcan177:

… Could you change the following line and let me know if that fixes your issue please?
...

Thank you for pointing me at the code spot(s). I have made the changes as per your last writing here above, BUT with commented out "continue".

I found out that one have to Update Reload pfBlockerNG AND also to reload (by picking anyone rule and do Save & apply changes) the pfSense Firewall, in order to activate the renewed php-file. What is the proper protocol for restarting all ?

Yes this works as I see now every attempt time-registered, except when the first attempt after reload is on a valid-port (listen "xyz22") i.s.o. the dummy-port (22).
So, restated, if the first attempt is on the dummy-port (nothing listening on 22), then the entry (in Firewall-log & Alerts) is made, otherwise on an listening port no entry made at first attempt after reload/restart.

Results in attach.

Thank You !

Edit: I see entry-2 should be from rule 112 i.s.o.107.

pfBalerts2.png_thumb