PfBlockerNG 2.1.1_5 / Pfsense 2.4
-
Check the NAT and Floating rules to see 10.10.10.1 is defined correctly.
Look at /var/log/pfblockerng/dnsbl_error.log
2016-12-20 18:54:49: (configfile-glue.c.694) === start of
2016-12-20 19:20:02: (server.c.1820) server stopped by UID = 0 PID = 2357
2016-12-20 19:20:05: (log.c.217) server started
-
1. Port Forward rules look proper:
LAN TCP * * 10.10.10.1 80 (HTTP) 127.0.0.1 8081 pfB DNSBL - DO NOT EDIT
LAN TCP * * 10.10.10.1 443 (HTTPS) 127.0.0.1 8443 pfB DNSBL - DO NOT EDIT
2. I have the DNSBL Firewall Rule checkbox enabled with all interfaces selected, but there are no rules listed in my Floating Rules tab.
3. dnsbl_error.log is empty.
-
And does your /var/unbound/pfb_dnsbl_lighty.conf look like this?
#
#pfBlockerNG Lighttpd DNSBL configuration file
#
server.bind = "0.0.0.0"
server.port = "8081"
server.event-handler = "freebsd-kqueue"
server.network-backend = "freebsd-sendfile"
server.dir-listing = "disable"
server.document-root = "/usr/local/www/pfblockerng/www/"
server.errorlog = "/var/log/pfblockerng/dnsbl_error.log"
server.pid-file = "/var/run/dnsbl.pid"
server.modules = ( "mod_access", "mod_fastcgi", "mod_rewrite" )
server.indexfiles = ( "index.php" )
mimetype.assign = ( ".html" => "text/html", ".gif" => "image/gif" )
url.access-deny = ( "~", ".inc" )
fastcgi.server = ( ".php" => ( "localhost" => ( "socket" => "/var/run/php-fpm.socket", "broken-scriptfilename" => "enable" ) ) )
debug.log-condition-handling = "enable"
$HTTP["host"] =~ ".*" { url.rewrite-once = ( ".*" => "index.php" ) }
$SERVER["socket"] == "0.0.0.0:8443" {
  ssl.engine = "enable"
  ssl.pemfile = "/var/unbound/dnsbl_cert.pem"
  ssl.use-sslv2 = "disable"
  ssl.use-sslv3 = "disable"
  ssl.honor-cipher-order = "enable"
  ssl.cipher-list = "AES128+EECDH:AES256+EECDH:AES128+EDH:AES256+EDH:AES128-SHA:AES256-SHA:!aNULL:!eNULL:!DSS"
  $HTTP["host"] =~ ".*" { url.rewrite-once = ( ".*" => "index.php" ) }
}
$SERVER["socket"] == "10.10.10.1:80" {
  $HTTP["host"] =~ ".*" { url.rewrite-once = ( ".*" => "index.php" ) }
}
$SERVER["socket"] == "10.10.10.1:443" {
  ssl.engine = "enable"
  ssl.pemfile = "/var/unbound/dnsbl_cert.pem"
  ssl.use-sslv2 = "disable"
  ssl.use-sslv3 = "disable"
  ssl.honor-cipher-order = "enable"
  ssl.cipher-list = "AES128+EECDH:AES256+EECDH:AES128+EDH:AES256+EDH:AES128-SHA:AES256-SHA:!aNULL:!eNULL:!DSS"
  $HTTP["host"] =~ ".*" { url.rewrite-once = ( ".*" => "index.php" ) }
}
Also check to see if there is another /usr/local/sbin/lighttpd_pfb running:
ps aux | grep lighttpd
-
No.
I'm missing the ending of your version. The below is omitted from mine:
$SERVER["socket"] == "10.10.10.1:80" {
  $HTTP["host"] =~ ".*" { url.rewrite-once = ( ".*" => "index.php" ) }
}
$SERVER["socket"] == "10.10.10.1:443" {
  ssl.engine = "enable"
  ssl.pemfile = "/var/unbound/dnsbl_cert.pem"
  ssl.use-sslv2 = "disable"
  ssl.use-sslv3 = "disable"
  ssl.honor-cipher-order = "enable"
  ssl.cipher-list = "AES128+EECDH:AES256+EECDH:AES128+EDH:AES256+EDH:AES128-SHA:AES256-SHA:!aNULL:!eNULL:!DSS"
  $HTTP["host"] =~ ".*" { url.rewrite-once = ( ".*" => "index.php" ) }
}
-
Well I am running the Dev version ::)
I would disable pfBlockerNG AND DNSBL, then reinstall pfBlockerNG and check the installation log to see if something breaks.
-
Thx for your help. I'll start from scratch and report back.
-
One last thing ? Are you using Unbound (and not DNS Forwarder)?
-
Yes, I am using Unbound
Unchecked retain settings, saved, and uninstalled/reinstalled. Not getting any errors at all, but still can't get the DNSBL service to start. Maybe someone else on 2.4 who is possibly getting the same issue can chime in to confirm.
-
Check Diagnostics / Sockets to see if some other process has the same ports open:
root lighttpd_p 4228 5 tcp4 *:8081 *:*
root lighttpd_p 4228 6 tcp4 *:8443 *:*
You can also try this in a shell to see if it reports an error:
/usr/local/etc/rc.d/dnsbl.sh restart
-
No other services are using those ports.
Using the restart command gives me:
2016-12-20 21:00:48: (network.c.603) SSL: couldn't read X509 certificate from '/var/unbound/dnsbl_cert.pem'
-
Does /var/unbound/dnsbl_cert.pem exist?
-
Yup, it's there.
-
And it looks like a certificate with:
-----BEGIN PRIVATE KEY-----
...
-----END PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
-
Looks like this:
-----BEGIN PRIVATE KEY-----
.....
-----END PRIVATE KEY-----
-
Delete the file and do a Force Update to see if this fixes it.
-
I've confirmed that it was deleted, Force Updated, and confirmed that it gets recreated.
It recreates the same format of key, with just the Begin and End Private Key lines.
It comes up with the same "couldn't read X509 certificate" error as before when trying to restart.
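The failure in this thread is a pemfile that holds only a private key, so lighttpd has no certificate to load. The following check is an added example, not from the thread or from pfBlockerNG: it inspects a pemfile for both a key block and a certificate block before you run the restart, and includes a demo on constructed placeholder files (the default path is the pfb_dnsbl_lighty.conf pemfile; everything else is assumed).

```shell
# pem_has_block FILE NAME: true if FILE has both BEGIN and END lines for NAME
pem_has_block() {
    grep -q -- "-----BEGIN $2-----" "$1" && grep -q -- "-----END $2-----" "$1"
}

# check_dnsbl_pem [FILE]: 0 = key and certificate present, 1 = incomplete,
# 2 = missing. Default is the ssl.pemfile path from pfb_dnsbl_lighty.conf.
check_dnsbl_pem() {
    pem="${1:-/var/unbound/dnsbl_cert.pem}"
    if [ ! -s "$pem" ]; then
        echo "missing or empty: $pem"
        return 2
    fi
    # Accept a PKCS#8 ("PRIVATE KEY") or PKCS#1 ("RSA PRIVATE KEY") header.
    if ! pem_has_block "$pem" "PRIVATE KEY" && ! pem_has_block "$pem" "RSA PRIVATE KEY"; then
        echo "no private key block in $pem"
        return 1
    fi
    # This is the key-only state seen in the thread: lighttpd fails with
    # "SSL: couldn't read X509 certificate" because no certificate follows.
    if ! pem_has_block "$pem" "CERTIFICATE"; then
        echo "key only, no certificate block in $pem: lighttpd will not start"
        return 1
    fi
    echo "ok: $pem contains a private key and a certificate"
    return 0
}

# Demo on constructed files (the bodies are placeholders, not key material);
# returns 0 when the complete file passes and the key-only file is rejected.
demo_check_dnsbl_pem() {
    d=$(mktemp -d) || return 2
    printf -- '-----BEGIN PRIVATE KEY-----\nCONSTRUCTED\n-----END PRIVATE KEY-----\n' > "$d/keyonly.pem"
    cat "$d/keyonly.pem" > "$d/full.pem"
    printf -- '-----BEGIN CERTIFICATE-----\nCONSTRUCTED\n-----END CERTIFICATE-----\n' >> "$d/full.pem"
    rc=1
    if check_dnsbl_pem "$d/full.pem" && ! check_dnsbl_pem "$d/keyonly.pem"; then
        rc=0
    fi
    rm -rf "$d"
    return $rc
}
```

On the firewall itself, openssl x509 -noout -subject -in /var/unbound/dnsbl_cert.pem additionally confirms that the certificate block actually parses.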
-
Can you try using the pem from another 2.3.2 system and test with it?
-
Progress!!
Yup, that let me start the service and it's showing up green now, but I'm not seeing any packets being blocked.
****Disregard that, I see some packet drops, it's working. Sweet, thank you.
-
Try http://10.10.10.1
-
Blank page, and the browser title bar says 10.10.10.1 (1x1).
Is that correct?