PfBlocker service not restarting after cron or manual update.
-
Hi everyone. I've searched the forum and haven't been able to find a similar thread… hopefully this question hasn't been solved already. I've been using pfSense 2.3 for about a month now, and this is my first post. Please excuse my lack of knowledge :).
I've installed pfBlockerNG on my 2.3 installation. The service runs fine, and I'm only using some block lists that were recommended. It's been running okay for about a week now. I haven't configured DNSBL (I started to, but it slowed everything way down, so I turned it back off for now). I'll tackle that after I resolve this...
My problem is this: When the cron job runs to update the block lists, it never restarts. I can replicate this by forcing a manual update as well. The logs that I've seen aren't very useful. The pfBlockerNG log is attached, and the error log and dnsbl log are empty.
My system log is attached as well. No other logs seem to provide any relevant info.
Any thoughts?
-
> I haven't configured DNSBL (I started to, but it slowed everything way down, so I turned it back off for now).
I answered this in this thread and also in reddit today. DNSBL is only slow if the LAN devices have incorrect DNS settings, or issues w/ Multi-Subnets:
https://www.reddit.com/r/PFSENSE/comments/4jrnkw/pfblockerng_dns_traffic_not_sure_what_this_is/
> My problem is this: When the cron job runs to update the block lists, it never restarts. I can replicate this by forcing a manual update as well. The logs that I've seen aren't very useful. The pfBlockerNG log is attached, and the error log and dnsbl log are empty.
I am not following… What do you mean by "never restarts"? The pfblockerng.log looks fine. Did you define the "Frequency" setting for each alias, so that it updates as per a specific Time?
-
Thanks for replying BB. I was hoping you would. :)
> I am not following… What do you mean by "never restarts"?
Maybe it is I who doesn't understand, but the dnsbl service (pfBlockerNG DNSBL Web Server) listed under "services status" does not restart… maybe since I am not using the DNSBL function of pfBlocker, this service shouldn't start? Without this service running, is pfBlocker (as I have it currently configured) still blocking the blacklisted IP addresses? When I manually start it, it runs without error until the next cron or manual update. If it's not needed in my current config, then there is no issue... Will I still see the blocking of blacklisted IPs without this service running?
> Did you define the "Frequency" setting for each alias, so that it updates as per a specific Time?
I have 2 aliases, both with an update frequency of daily. See attached screenprint. In my config file (config.xml), here are the 2 cron entries related to pfBlocker:
```xml
<minute>0</minute>
<hour>19</hour>
<mday>1,2,3,4,5,6,7</mday>
<month>*</month>
<wday>2</wday>
<who>root</who>
<command>/usr/local/bin/php /usr/local/www/pfblockerng/pfblockerng.php dc >> /var/log/pfblockerng/extras.log 2>&1</command>

<minute>15</minute>
<hour>0</hour>
<mday>*</mday>
<month>*</month>
<wday>*</wday>
<who>root</who>
<command>/usr/local/bin/php /usr/local/www/pfblockerng/pfblockerng.php cron >> /var/log/pfblockerng/pfblockerng.log 2>&1</command>
```
> I answered this in this thread and also in reddit today. DNSBL is only slow if the LAN devices have incorrect DNS settings, or issues w/ Multi-Subnets
I admit that I have not invested the time to troubleshoot DNSBL… however, my configuration doesn't seem too complex. I do have multiple subnets and VLANs set up. I am using unbound, and it is working. I have a NAT redirect rule on each VLAN interface to redirect all DNS queries back to the firewall, and I am not using the forwarder. I've attached my resolver settings tab.
I do appreciate your help. Thank you for taking the time to reply.
-
If DNSBL is not enabled, then don't worry about the DNSBL service.
When you do get back to re-enabling it, you can select the option in the "DNSBL" Tab to auto-create a floating permit rule that will allow the local LAN interfaces to hit the DNSBL VIP (you need to select the LAN interfaces there too). Ultimately, each LAN device should be able to ping and browse to the DNSBL VIP (1x1 pix). If that doesn't happen, then you need to figure out what is blocking the LAN from seeing the DNSBL VIP…
For CRON, it looks like it will run at Midnight... So review the pfblockerng.log at that time, as the log will be different than what you have posted... If midnight hasn't occurred yet for you, then go to the Update tab before midnight and hit the "View" button and wait for the Cron to run... You will see the logs populate live. Otherwise review the logs from that time period to be able to get more info.
-
> If DNSBL is not enabled, then don't worry about the DNSBL service.
So I can confirm that the floating pfBlocker firewall rules based on the downloaded IP lists (in my aliases) DO work even when the dnsbl service is not running. I probably should have realized that before asking my initial question. :o
> For CRON, it looks like it will run at Midnight… So review the pfblockerng.log at that time, as the log will be different than what you have posted
My log output for the CRON update is shown below. The dnsbl service does not restart following this update. I assume that is because I have it disabled on the DNSBL Tab. Once I re-enable it I will report back as to whether or not the service restarts under those conditions.
```
CRON PROCESS START [ 05/18/16 00:15:00 ]
[ BT_Hijacked ]   Remote timestamp: Tue, 17 May 2016 08:00:02 GMT  Local timestamp: Mon, 16 May 2016 07:50:01 GMT  Update found
[ BT_dshield ]    Remote timestamp: Tue, 17 May 2016 04:30:02 GMT  Local timestamp: Mon, 16 May 2016 04:20:06 GMT  Update found
[ BT_forumspam ]  Remote timestamp: Tue, 17 May 2016 14:40:45 GMT  Local timestamp: Mon, 16 May 2016 14:30:02 GMT  Update found
[ BT_webexploit ] Remote timestamp: Tue, 17 May 2016 08:20:13 GMT  Local timestamp: Mon, 16 May 2016 08:10:01 GMT  Update found
[ BT_Hijacked2 ]  ( md5 changed )  Update found
[ Spamhaus_DROP ] Remote timestamp: Wed, 18 May 2016 02:31:11 GMT  Local timestamp: Tue, 17 May 2016 02:30:02 GMT  Update found
[ BT_spyware ]    Remote timestamp: Tue, 17 May 2016 08:30:02 GMT  Local timestamp: Mon, 16 May 2016 08:20:05 GMT  Update found
[ CI_malicious ]  Remote timestamp: Tue, 17 May 2016 16:40:10 GMT  Local timestamp: Mon, 16 May 2016 16:30:02 GMT  Update found
[ malc0de ]       Remote timestamp: Tue, 17 May 2016 10:20:02 GMT  Local timestamp: Mon, 16 May 2016 10:10:02 GMT  Update found
[ abuse_ZeuS ]    Remote timestamp: Tue, 17 May 2016 07:30:02 GMT  Local timestamp: Mon, 16 May 2016 07:20:02 GMT  Update found
[ abuse_SpyEye ]  Remote timestamp: Tue, 17 May 2016 10:20:02 GMT  Local timestamp: Mon, 16 May 2016 10:10:02 GMT  Update found
[ abuse_Palevo ]  Remote timestamp: Tue, 17 May 2016 10:20:02 GMT  Local timestamp: Mon, 16 May 2016 10:10:02 GMT  Update found
[ BT_badpeers ]   Remote timestamp: Tue, 17 May 2016 15:10:38 GMT  Local timestamp: Mon, 16 May 2016 15:00:32 GMT  Update found
[ Onion ]         Remote timestamp: Tue, 17 May 2016 15:10:08 GMT  Local timestamp: Mon, 16 May 2016 15:00:04 GMT  Update found
[ Blocked ]       Remote timestamp: Tue, 15 Mar 2016 04:30:01 GMT  Local timestamp: Tue, 15 Mar 2016 04:30:01 GMT  Update not required
[ Compromised ]   Remote timestamp: Tue, 17 May 2016 16:54:33 GMT  Local timestamp: Tue, 15 Mar 2016 04:30:10 GMT  Update found
[ ciarmy ]        Remote timestamp: Wed, 18 May 2016 03:16:35 GMT  Local timestamp: Tue, 17 May 2016 03:16:50 GMT  Update found

UPDATE PROCESS START [ 05/18/16 00:15:05 ]
Clearing all DNSBL Feeds...
Stop Service DNSBL
** DNSBL Disabled **

===[ Continent Process ]============================================

===[ IPv4 Process ]=================================================

[ BT_Hijacked ] Downloading update [ 05/18/16 00:15:07 ] .. 200 OK.. completed ..
 ------------------------------
  Original   Master   Final
 ------------------------------
    495       685      532   [ ==> FAILED <== ]
-----------------------------------------------------------------

[ BT_dshield ] Downloading update [ 05/18/16 00:15:08 ] .. 200 OK.. completed ..
 ------------------------------
  Original   Master   Final
 ------------------------------
     40        40       40   [ Pass ]
-----------------------------------------------------------------

[ BT_forumspam ] Downloading update .. 200 OK.. completed ..
 ------------------------------
  Original   Master   Final
 ------------------------------
    461       479      479   [ Pass ]
-----------------------------------------------------------------

[ BT_webexploit ] Downloading update [ 05/18/16 00:15:09 ] .. 200 OK.. completed ..
 ------------------------------
  Original   Master   Final
 ------------------------------
   2177      1480     1480   [ Pass ]
-----------------------------------------------------------------

[ BT_Hijacked2 ] Downloading update [ 05/18/16 00:15:10 ] .. 200 OK.. completed ..
 ------------------------------
  Original   Master   Final
 ------------------------------
    562       152      152   [ Pass ]
-----------------------------------------------------------------

[ Spamhaus_DROP ] Downloading update .. 200 OK.. completed ..
 ------------------------------
  Original   Master   Final
 ------------------------------
    799       343      343   [ Pass ]
-----------------------------------------------------------------

[ BT_spyware ] Downloading update [ 05/18/16 00:15:11 ] .. 200 OK.. completed ..
 ------------------------------
  Original   Master   Final
 ------------------------------
   3305      3604     3604   [ Pass ]
-----------------------------------------------------------------

[ CI_malicious ] Downloading update [ 05/18/16 00:15:12 ] .. 200 OK.. completed ..
 ------------------------------
  Original   Master   Final
 ------------------------------
    921       811      811   [ Pass ]
-----------------------------------------------------------------

[ malc0de ] Downloading update .. 200 OK.. completed ..
 ------------------------------
  Original   Master   Final
 ------------------------------
    123       123      123   [ Pass ]
-----------------------------------------------------------------

[ abuse_ZeuS ] Downloading update [ 05/18/16 00:15:13 ] .. 200 OK.. completed ..
 ------------------------------
  Original   Master   Final
 ------------------------------
    212       194      194   [ Pass ]
-----------------------------------------------------------------

[ abuse_SpyEye ] Downloading update .. 200 OK.. completed ..
 ------------------------------
  Original   Master   Final
 ------------------------------
     84        79       79   [ Pass ]
-----------------------------------------------------------------

[ abuse_Palevo ] Downloading update [ 05/18/16 00:15:14 ] .. 200 OK.. completed ..
 ------------------------------
  Original   Master   Final
 ------------------------------
     12        11       11   [ Pass ]
-----------------------------------------------------------------

[ BT_badpeers ] Downloading update [ 05/18/16 00:15:15 ] .. 200 OK.. completed ..
 ------------------------------
  Original   Master   Final
 ------------------------------
  48237     48768    48768   [ Pass ]
-----------------------------------------------------------------

[ Onion ] Downloading update [ 05/18/16 00:15:23 ] .. 200 OK.. completed ..
 ------------------------------
  Original   Master   Final
 ------------------------------
   6798      6759     6759   [ Pass ]
-----------------------------------------------------------------

[ Blocked ] exists. [ 05/18/16 00:15:25 ]

[ Compromised ] Downloading update .. 200 OK. completed ..
 ------------------------------
  Original   Master   Final
 ------------------------------
   1102      1081     1081   [ Pass ]
-----------------------------------------------------------------

[ ciarmy ] Downloading update .. 200 OK. completed ..
 ------------------------------
  Original   Master   Final
 ------------------------------
    886       216      216   [ Pass ]
-----------------------------------------------------------------

===[ IPv6 Process ]=================================================

===[ Suppression Stats ]===================================
List             Pre     Suppress   Master
-----------------------------------------------------------
BT_Hijacked      532     532        65323
BT_dshield       40      40         65323
BT_forumspam     479     479        65323
BT_webexploit    1480    1480       65323
BT_Hijacked2     152     152        65323
Spamhaus_DROP    343     343        65323
BT_spyware       3604    3604       65323
CI_malicious     811     811        65323
malc0de          123     123        65323
abuse_ZeuS       194     194        65323
abuse_SpyEye     79      79         65323
abuse_Palevo     11      11         65323
BT_badpeers      48768   48768      65323
Onion            6759    6759       65323
Blocked          611     611        65323
Compromised      1081    1081       65323
ciarmy           216     216        65323

===[ Aliastables / Rules ]==========================================
No changes to Firewall rules, skipping Filter Reload
Updating: pfB_Badguys
482 addresses added.
644 addresses deleted.
Updating: pfB_ET
1171 addresses added.
1155 addresses deleted.

===[ Kill States ]==================================================
No matching states found
======================================================================

===[ FINAL Processing ]=====================================
[ Original IP count ] [ 67716 ]
[ Final IP Count ]    [ 65323 ]

===[ Deny List IP Counts ]===========================
65283 total
48768 /var/db/pfblockerng/deny/BT_badpeers.txt
 6759 /var/db/pfblockerng/deny/Onion.txt
 3604 /var/db/pfblockerng/deny/BT_spyware.txt
 1480 /var/db/pfblockerng/deny/BT_webexploit.txt
 1081 /var/db/pfblockerng/deny/Compromised.txt
  811 /var/db/pfblockerng/deny/CI_malicious.txt
  611 /var/db/pfblockerng/deny/Blocked.txt
  532 /var/db/pfblockerng/deny/BT_Hijacked.txt
  479 /var/db/pfblockerng/deny/BT_forumspam.txt
  343 /var/db/pfblockerng/deny/Spamhaus_DROP.txt
  216 /var/db/pfblockerng/deny/ciarmy.txt
  194 /var/db/pfblockerng/deny/abuse_ZeuS.txt
  152 /var/db/pfblockerng/deny/BT_Hijacked2.txt
  123 /var/db/pfblockerng/deny/malc0de.txt
   79 /var/db/pfblockerng/deny/abuse_SpyEye.txt
   40 /var/db/pfblockerng/deny/BT_dshield.txt
   11 /var/db/pfblockerng/deny/abuse_Palevo.txt

====================[ Last Updated List Summary ]==============
Mar 15 00:30  Blocked
May 17 00:30  BT_dshield
May 17 03:30  abuse_ZeuS
May 17 04:00  BT_Hijacked
May 17 04:20  BT_webexploit
May 17 04:30  BT_spyware
May 17 06:20  malc0de
May 17 06:20  abuse_SpyEye
May 17 06:20  abuse_Palevo
May 17 10:40  BT_forumspam
May 17 11:10  Onion
May 17 11:10  BT_badpeers
May 17 12:40  CI_malicious
May 17 12:54  Compromised
May 17 19:15  BT_Hijacked2
May 17 22:31  Spamhaus_DROP
May 17 23:16  ciarmy
===============================================================

Database Sanity check [ PASSED ]
------------------------
Masterfile/Deny folder uniq check
Deny folder/Masterfile uniq check
Sync check (Pass=No IPs reported)
----------

IPv4 alias tables IP count
-----------------------------
65283

IPv6 alias tables IP count
-----------------------------
0

Alias table IP Counts
-----------------------------
65283 total
63375 /var/db/aliastables/pfB_Badguys.txt
 1908 /var/db/aliastables/pfB_ET.txt

pfSense Table Stats
-------------------
table-entries hard limit 2000000
Table Usage Count 69137

UPDATE PROCESS ENDED [ 05/18/16 00:15:30 ]
```
> you can select the option in the "DNSBL" Tab to auto-create a floating permit rule that will allow the local LAN interfaces to hit the DNSBL VIP
I will attempt to get this running over the next day or two. Should I also select the "loopback" interface listed at the bottom of the interface list? See below screen prints. Also, I currently have rules at the top of all my interfaces to redirect all NTP and DNS back to the firewall (as seen in below screen print)… will I, or should I, change those rules once I enable DNSBL? In case it isn't obvious, the first two rules are there to suppress log entries, as described in this post: https://forum.pfsense.org/index.php?topic=107115.msg596677#msg596677
Thank you again!
![DNSBL Tab.JPG](/public/imported_attachments/1/DNSBL Tab.JPG)
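An added example, not from this thread or from the pfBlockerNG package: a small Python parser for the cron log format posted above. It pulls each list's Original/Master/Final counts with its Pass/FAILED verdict (the posted log has one FAILED list, BT_Hijacked), notes lists reused from disk ("exists."), and reports when the run logged DNSBL as disabled, which is the reason the DNSBL web server is not restarted. The log excerpt inside is constructed from the posted format; the regex relies only on the strings visible in that log.

```python
import re
from dataclasses import dataclass

# Constructed excerpt in the layout of the pfBlockerNG 2.x cron log posted in this thread.
SAMPLE_LOG = """
UPDATE PROCESS START [ 05/18/16 00:15:05 ]
Clearing all DNSBL Feeds... Stop Service DNSBL ** DNSBL Disabled **
[ BT_Hijacked ] Downloading update [ 05/18/16 00:15:07 ] .. 200 OK.. completed ..
------------------------------ Original Master Final ------------------------------
495 685 532 [ ==> FAILED <== ]
[ BT_dshield ] Downloading update [ 05/18/16 00:15:08 ] .. 200 OK.. completed ..
------------------------------ Original Master Final ------------------------------
40 40 40 [ Pass ]
[ Blocked ] exists. [ 05/18/16 00:15:25 ]
[ ciarmy ] Downloading update .. 200 OK. completed ..
------------------------------ Original Master Final ------------------------------
886 216 216 [ Pass ]
UPDATE PROCESS ENDED [ 05/18/16 00:15:30 ]
"""

# One download record: "[ name ] Downloading update ... Original Master Final ... a b c [ status ]".
FEED_RE = re.compile(
    r"\[ (?P<name>[\w.-]+) \] Downloading update.*?"
    r"Original\s+Master\s+Final\s+-+\s+"
    r"(?P<orig>\d+)\s+(?P<master>\d+)\s+(?P<final>\d+)\s+"
    r"\[ (?P<status>Pass|==> FAILED <==) \]",
    re.S,  # a record spans several lines (or none, if the log was flattened as on the forum)
)

@dataclass
class Feed:
    name: str
    original: int
    master: int
    final: int
    passed: bool

def parse_feeds(log: str) -> list[Feed]:
    """One Feed per list pfBlockerNG downloaded in this run, in log order."""
    return [Feed(m["name"], int(m["orig"]), int(m["master"]), int(m["final"]),
                 m["status"] == "Pass") for m in FEED_RE.finditer(log)]

def skipped_feeds(log: str) -> list[str]:
    """Lists reused from disk, logged as '[ name ] exists.' instead of being downloaded."""
    return re.findall(r"\[ ([\w.-]+) \] exists\.", log)

def findings(log: str) -> list[str]:
    """What an admin should look at after a cron run: failed lists, reused lists, DNSBL state."""
    out = [f"{f.name}: FAILED (Original {f.original}, Master {f.master}, Final {f.final})"
           for f in parse_feeds(log) if not f.passed]
    out += [f"{n}: not re-downloaded, local copy reused" for n in skipped_feeds(log)]
    if "** DNSBL Disabled **" in log:  # DNSBL is off, so its web server is expected to stay stopped
        out.append("DNSBL disabled: the DNSBL web server will not be restarted")
    return out
```

Running `findings(open("/var/log/pfblockerng/pfblockerng.log").read())` on the box gives the same three kinds of lines for a real run.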
-
> Once I re-enable it I will report back as to whether or not the service restarts under those conditions.
So I got around to enabling DNSBL, and I think I have it working. ;D The DNSBL service does indeed remain running now after a CRON or forced update. I did have to add a rule to pass traffic to the DNSBL VIP as you instructed… THANK YOU for that.
I do have a question: what should I see in my browser if I navigate to the VIP? All I see is a blank page, but the title bar tells me it is resolved... is that normal? See attached.
I would like you to take a look at a sample of the top of my firewall rules (I am a default block guy), and tell me if you see any issues. I wasn't sure about my NAT redirect for DNS (as I asked above), so I left it.
I also have one VLAN interface where I have the NAT redirect pointing to opendns (my kid's clients), and that seems to still work as well. I am very happy with the adblocking that I see now, and I will be adding to the DNSBL lists as you discussed here: https://forum.pfsense.org/index.php?topic=102470.msg573159#msg573159
Please review the attached sample rule set and let me know if you see any problems with the DNS redirect or otherwise.
Thank you so much for your work on this package, and for your help!
-Bill