PfBlockerNG 2.1.1_5 / Pfsense 2.4
-
Progress!!
Yup, that let me start the service and it's showing up green now, but I'm not seeing any packets being blocked.
Disregard that, I see some packet drops, it's working. Sweet, thank you.
-
Try http://10.10.10.1
-
Blank page and the browser title bar says 10.10.10.1 (1x1)
That correct?
-
Yes
-
Thanks again, Ron. Is this easily resolved for a permanent fix?
2.1.1_6?
-
Can't tell,
maybe we will get a patch, or another release, or back to 2.1.1_4, only BBcan177 can tell. But now we know where the problem is.
-
Testing a patch now… Will update in a day or so...
-
PM sent, code changes seem to fix the problem perfectly.
-
Just wanted to chime in for the people trying to get this to work before the patch and wanted a code solution.
I at least solved this by modifying pfblockerng.inc to use a created config file. Modifications were around ln 937 of pfblockerng.inc in /usr/local/pkg/pfblockerng:
before:
exec("/usr/bin/openssl req -new -x509 -keyout {$pfb['dnsbl_cert']} -out {$pfb['dnsbl_cert']} -days 3650 -nodes");
after:
// Write a minimal OpenSSL request config so "openssl req" does not prompt for the DN.
// request.cfg is created relative to the PHP process's current working directory.
exec("echo '[req]' > request.cfg");
exec("echo 'default_bits=3072' >> request.cfg");
exec("echo 'default_md=sha256' >> request.cfg");
exec("echo 'prompt=no' >> request.cfg");
exec("echo 'distinguished_name=req_distinguished_name' >> request.cfg");
exec("echo '' >> request.cfg");
exec("echo '[req_distinguished_name]' >> request.cfg");
exec("echo 'commonName=unbound' >> request.cfg");
// Same self-signed key+cert generation as before, now driven by the config file
exec("/usr/bin/openssl req -new -x509 -config request.cfg -keyout {$pfb['dnsbl_cert']} -out {$pfb['dnsbl_cert']} -days 3650 -nodes");
exec("rm -f request.cfg");
I'm sure your patch does this far more gracefully, however.
-
I failed to post the manual fix by BBcan177 because I thought the patch would have been out relatively quickly, but I just realized it has been over 2 weeks since the last correspondence involving this. The following are the instructions BBcan177 gave me to test, which worked perfectly.
- Backup file:
cp /usr/local/pkg/pfblockerng/pfblockerng.inc /tmp/pfblockerng.inc.bk
- Edit /usr/local/pkg/pfblockerng/pfblockerng.inc and remove line 937:
exec("/usr/bin/openssl req -new -x509 -keyout {$pfb['dnsbl_cert']} -out {$pfb['dnsbl_cert']} -days 3650 -nodes");
Here is what line 937 looks like:
https://github.com/pfsense/FreeBSD-ports/blob/devel/net/pfSense-pkg-pfBlockerNG/files/usr/local/pkg/pfblockerng/pfblockerng.inc#L937
- Then at line 937 add the following code:
// Subject (DN) for the self-signed DNSBL certificate
$dn = array(
	'countryName'            => 'CA',
	'stateOrProvinceName'    => 'ST_DNSBL',
	'localityName'           => 'LN_DNSBL',
	'organizationName'       => 'ON_DNSBL',
	'organizationalUnitName' => 'OU_DNSBL',
	'commonName'             => 'CN_DNSBL',
	'emailAddress'           => 'dnsbl@dnsbl.com'
);
// Generate a key, build a CSR for it and self-sign it for 3650 days using PHP's OpenSSL extension
$pkey = openssl_pkey_new();
$csr  = openssl_csr_new($dn, $pkey);
$cert = openssl_csr_sign($csr, NULL, $pkey, 3650);
// Export key and certificate as PEM and write both into the single DNSBL cert file
openssl_pkey_export($pkey, $privatekey);
openssl_x509_export($cert, $publickey);
@file_put_contents("{$pfb['dnsbl_cert']}", "{$privatekey}{$publickey}", LOCK_EX);
The final changes should look like this:
// Create DNSBL SSL certificate
if (!file_exists("{$pfb['dnsbl_cert']}")) {
	$log = "\nNew DNSBL cert created";
	pfb_logger("{$log}", 1);
	// Old exec() call, replaced by the PHP OpenSSL functions below
	//exec("/usr/bin/openssl req -new -x509 -keyout {$pfb['dnsbl_cert']} -out {$pfb['dnsbl_cert']} -days 3650 -nodes");
	$dn = array(
		'countryName'            => 'CA',
		'stateOrProvinceName'    => 'ST_DNSBL',
		'localityName'           => 'LN_DNSBL',
		'organizationName'       => 'ON_DNSBL',
		'organizationalUnitName' => 'OU_DNSBL',
		'commonName'             => 'CN_DNSBL',
		'emailAddress'           => 'dnsbl@dnsbl.com'
	);
	$pkey = openssl_pkey_new();
	$csr  = openssl_csr_new($dn, $pkey);
	$cert = openssl_csr_sign($csr, NULL, $pkey, 3650);
	openssl_pkey_export($pkey, $privatekey);
	openssl_x509_export($cert, $publickey);
	@file_put_contents("{$pfb['dnsbl_cert']}", "{$privatekey}{$publickey}", LOCK_EX);
}
- Delete the old PEM file:
rm /var/unbound/dnsbl_cert.pem
- Go to the Update tab and run a "Force Update", which should rebuild the PEM file.
- Check that the service is running and that the DNSBL logs are still working (Alerts tab).
- Manually restart the DNSBL service to see if it's working as expected:
/usr/local/etc/rc.d/dnsbl.sh restart
-
Thank you, this has now worked for me.
I have also added it to the page https://www.facebook.com/groups/pfsense.official/ to help others…
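The manual fix above generates the DNSBL key and certificate with PHP's OpenSSL functions but relies on the extension's defaults and never checks what it wrote. The following is an added example, not code from this thread or from the pfBlockerNG project: it does the same key + self-signed certificate generation with the key type, size and digest set explicitly, writes the combined PEM with owner-only permissions (the file contains the private key), and then re-reads the file to confirm the subject, key size, validity period and that the key actually matches the certificate. The output path /tmp/dnsbl_cert.pem and the function names dnsbl_make_selfsigned / dnsbl_check_pem are assumptions for this example.

```php
<?php
// Added example (not the pfBlockerNG project's code): generate and verify a
// self-signed DNSBL certificate using PHP's OpenSSL extension.

function dnsbl_make_selfsigned(string $outFile, int $days = 3650): array
{
    // Same subject as the forum fix
    $dn = [
        'countryName'            => 'CA',
        'stateOrProvinceName'    => 'ST_DNSBL',
        'localityName'           => 'LN_DNSBL',
        'organizationName'       => 'ON_DNSBL',
        'organizationalUnitName' => 'OU_DNSBL',
        'commonName'             => 'CN_DNSBL',
        'emailAddress'           => 'dnsbl@dnsbl.com',
    ];
    // Explicit parameters instead of whatever openssl.cnf (or its absence) supplies;
    // an unusable default config is what made the original "openssl req" exec() fail.
    $opts = [
        'private_key_type' => OPENSSL_KEYTYPE_RSA,
        'private_key_bits' => 2048,
        'digest_alg'       => 'sha256',
    ];

    $pkey = openssl_pkey_new($opts);
    if ($pkey === false) {
        throw new RuntimeException('key generation failed: ' . openssl_error_string());
    }
    $csr = openssl_csr_new($dn, $pkey, $opts);
    if ($csr === false) {
        throw new RuntimeException('CSR creation failed: ' . openssl_error_string());
    }
    // NULL CA certificate => self-signed
    $cert = openssl_csr_sign($csr, null, $pkey, $days, $opts);
    if ($cert === false) {
        throw new RuntimeException('self-signing failed: ' . openssl_error_string());
    }

    openssl_pkey_export($pkey, $privatekey);
    openssl_x509_export($cert, $publickey);

    // The PEM holds the private key: create it 0600 rather than with the default umask
    $oldUmask = umask(0177);
    $written = file_put_contents($outFile, $privatekey . $publickey, LOCK_EX);
    umask($oldUmask);
    if ($written === false) {
        throw new RuntimeException("could not write {$outFile}");
    }
    chmod($outFile, 0600);

    return dnsbl_check_pem($outFile);
}

// Re-read the combined PEM and report what was actually written.
function dnsbl_check_pem(string $file): array
{
    $pem = file_get_contents($file);
    if ($pem === false) {
        throw new RuntimeException("cannot read {$file}");
    }
    // Both readers scan the PEM for their own block type, so the combined file works
    $cert = openssl_x509_read($pem);
    $key  = openssl_pkey_get_private($pem);
    if ($cert === false || $key === false) {
        throw new RuntimeException('PEM does not contain a parseable cert + private key');
    }
    $info    = openssl_x509_parse($cert);
    $keyInfo = openssl_pkey_get_details($key);

    return [
        'subject_cn'  => $info['subject']['CN'] ?? null,
        'sig_alg'     => $info['signatureTypeSN'] ?? null,
        'key_bits'    => $keyInfo['bits'] ?? null,
        'key_matches' => openssl_x509_check_private_key($cert, $key),
        'valid_days'  => (int) round(($info['validTo_time_t'] - $info['validFrom_time_t']) / 86400),
        'mode'        => sprintf('%04o', fileperms($file) & 0777),
    ];
}

// Usage: generate into an assumed path and print the verification summary
$summary = dnsbl_make_selfsigned('/tmp/dnsbl_cert.pem');
print_r($summary);
```

Running it should report subject_cn CN_DNSBL, sig_alg RSA-SHA256, key_bits 2048, key_matches true, valid_days 3650 and mode 0600. If key_matches comes back false, or the two openssl_*_read calls fail, the PEM is not something unbound or lighttpd will be able to serve, which is the same failure the thread was chasing when the service refused to start.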