Netgate Discussion Forum

    Did I find a bug or did I make a configuration mistake?

    pfBlockerNG
    13 Posts 4 Posters 1.9k Views
    • RonpfS

      Do you have suppression enabled? It removes 127.0.0.1 from the tables.

      grep "127.0.0.1"  /var/db/pfblockerng/deny/*  /var/db/aliastables/*

      Then check the NAT rules for DNSBL and the Floating FW rule for DNSBLIP.

      2.4.5-RELEASE-p1 (amd64)
      Intel Core2 Quad CPU Q8400 @ 2.66GHz 8GB
      Backup 0.5_5, Bandwidthd 0.7.4_4, Cron 0.3.7_5, pfBlockerNG-devel 3.0.0_16, Status_Traffic_Totals 2.3.1_1, System_Patches 1.2_5

      • guardian (Rebel Alliance)

        @RonpfS:

        Do you have suppression enabled? It removes 127.0.0.1 from the tables.

        No I didn't, but I added it now and still have the same problem.

        Note to devs:

        Just as an aside, why would the default for that setting not be on rather than off?

        I imported a list which had local addresses and got really screwed… didn't realise that it was important to have that checked. I would think, based on what I know about most block lists, that if someone doesn't turn it on they are asking for real trouble.

        Also the text "This will prevent Selected IPs from being blocked. Only for IPv4 lists (/32 and /24)." could be better. My thinking was that, because I wasn't using any suppression lists that I created, I didn't need this checked. I missed "This will also remove any RFC1918 addresses from all lists."

        How about:
        Leave this checked to prevent RFC1918 addresses in lists from breaking the firewall
        and then whatever you want under the (i) bubble.

        @RonpfS:

        grep "127.0.0.1"  /var/db/pfblockerng/deny/*  /var/db/aliastables/*

        Done… Nothing found.  even looked manually just to be double sure.

        @RonpfS:

        Then check the NAT rules for DNSBL and the Floating FW rule for DNSBLIP.

        The rules seem to be there. They were at the bottom, and I moved them to the top.

        I wonder if the problem is that I keep DNS (and NTP) captive to prevent a program from using its own DNS server and going around the firewall.

        Here's what I'm doing:

        Rules
        Interface  Protocol  Source Address  Source Ports  Dest. Address   Dest. Ports  NAT IP     NAT Ports  Description
        LAN        TCP       *               *             172.17.0.1      443 (HTTPS)  127.0.0.1  8443       pfB DNSBL - DO NOT EDIT
        LAN        TCP       *               *             172.17.0.1      80 (HTTP)    127.0.0.1  8081       pfB DNSBL - DO NOT EDIT
        LAN        TCP/UDP   *               *             !LAN address    53 (DNS)     127.0.0.1  53 (DNS)   Redirect DNS Requests
        LAN        TCP/UDP   *               *             !LAN address    123 (NTP)    127.0.0.1  123 (NTP)  Redirect NTP Requests
        DATA       TCP/UDP   *               *             !DATA address   53 (DNS)     127.0.0.1  53 (DNS)   Redirect DNS Requests
        DATA       TCP/UDP   *               *             !DATA address   123 (NTP)    127.0.0.1  123 (NTP)  Redirect NTP Requests
        VLAN1      TCP/UDP   *               *             !VLAN1 address  53 (DNS)     127.0.0.1  53 (DNS)   Redirect DNS Requests
        VLAN1      TCP/UDP   *               *             !VLAN1 address  123 (NTP)    127.0.0.1  123 (NTP)  Redirect NTP Requests

        Any suggestions?

        Do I have a use case that pfBlocker isn't supposed to handle automatically, or did my non-standard setup discover a bug?

        With pass rules for 127.0.0.1:8081 / 127.0.0.1:8443 on the DATA interface, things work fine. If there is a better way, or if I've found a bug, please let me know.

        I could just let this go, but I want to provide the devs with as good-quality feedback as I can.

        If you find my post useful, please give it a thumbs up!
        pfSense 2.7.2-RELEASE

        • RonpfS

          I don't know if this is the same on 2.1.1_6, but do you have a multiple-interface choice in Permit Firewall Rules?

          The DNSBL IP Floating FW rule is on LAN & TEST interfaces

          [Image: DNSBLFWRule.JPG]


          • RonpfS

            @guardian:

            @RonpfS:

            Then check the NAT rules for DNSBL and the Floating FW rule for DNSBLIP.

            The rules seem to be there. They were at the bottom, and I moved them to the top.

            The rules are autogenerated by pfBlockerNG, so they will be reordered at the next Update.


            • guardian (Rebel Alliance)

              @RonpfS:

              The rules are autogenerated by pfBlockerNG, so they will be reordered at the next Update.

              Thanks…

              @RonpfS:

              I don't know if this is the same on 2.1.1_6, but do you have a multiple-interface choice in Permit Firewall Rules?

              The DNSBL IP Floating FW rule is on LAN & TEST interfaces

              I have a drop-down that lets me pick a single interface for the listening interface: set to LAN.

              I can make multiple selections on the firewall rule: Single selection DATA (VLAN I'm using to browse with).


              • RonpfS

                The VIP is 172.17.0.1?

                And did you try adding LAN to the Permit Firewall Rules?


                • guardian (Rebel Alliance)

                  @RonpfS:

                  The VIP is 172.17.0.1?

                  Yes

                  @RonpfS:

                  And did you try adding LAN to the Permit Firewall Rules?

                  Not originally, but I just tried it. It didn't fix the issue. I couldn't see any changes to the rules / LAN / DATA VLAN or NAT.


                  • RonpfS

                    Not sure, but I remember seeing some changes about the rules in the DEV version.
                    Wait until BBcan177 gets back to read the forum.


                    • BBcan177 (Moderator)

                      @guardian:

                      I experienced some very slow page loads, so I looked at the firewall and found blocked traffic that I had to unblock (samples below):

                      My configuration doesn't really use the LAN 172.16.0.1/24; all traffic is on VLANs, and the 172.16.30.1/24 network contains the PCs that browse the web.

                      DNSBL Listening Interface: LAN
                      DNSBL Firewall Rule: DATA

                      You need to ensure that the VLAN devices can ping and browse to the DNSBL IP. The default Permit rule is an optional rule to allow multiple LAN segments to access the DNSBL VIP address. So you can skip this option and create your own rule if that's easier.

                      For the optional rule, you should be able to select all of the VLANs in the select options (Ctrl-click) and allow traffic to the DNSBL web server on the DNSBL listening interface.

                      "Experience is something you don't get until just after you need it."

                      Website: http://pfBlockerNG.com
                      Twitter: @BBcan177  #pfBlockerNG
                      Reddit: https://www.reddit.com/r/pfBlockerNG/new/

                      • guardian (Rebel Alliance)

                        @BBcan177:

                        You need to ensure that the VLAN devices can ping and browse to the DNSBL IP. The default Permit rule is an optional rule to allow multiple LAN segments to access the DNSBL VIP address. So you can skip this option and create your own rule if that's easier.

                        For the optional rule, you should be able to select all of the VLANs in the select options (Ctrl-click) and allow traffic to the DNSBL web server on the DNSBL listening interface.

                        In my case I am hitting the default deny rule IPv4 (1000000103) on 127.0.0.1:8081 / :8443, NOT the VIP. Any thoughts on that?

                        At least I've learned enough to unblock them, but I'm wondering if I screwed something up, or if there is an issue that pfBlockerNG is overlooking?

                        I posted my rules above, but in my case I'm keeping DNS/NTP caged with port forwarding rules so that programs can go around the firewall with their own server settings.

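An added model (not pfSense or pfBlockerNG code) of why the block is logged against 127.0.0.1:8081/8443 rather than the VIP: pf applies rdr (port-forward) translation before the filter rules, so a pass rule has to match the translated destination. The VIP, ports and interface names are taken from the rules quoted above; that the DNSBL redirect applies on the DATA interface is an assumption made for the illustration.

```python
# Added illustrative model of pf rule ordering; not pfSense or pfBlockerNG code.
# pf applies rdr (port-forward) translation before filter rules, so the filter
# sees the translated destination, e.g. 127.0.0.1:8081 rather than VIP:80.
from dataclasses import dataclass

ANY = "*"

@dataclass(frozen=True)
class Rdr:             # one NAT port-forward entry
    iface: str
    dst: str
    dport: int
    nat_ip: str
    nat_port: int

@dataclass(frozen=True)
class Pass:            # one filter rule (pfSense rules are "quick": first match wins)
    iface: str
    dst: str           # "*" or an IP
    dport: int         # 0 = any port

def translate(rdr, iface, dst, dport):
    """Return the post-NAT (ip, port); the first matching rdr entry wins."""
    for r in rdr:
        if r.iface == iface and r.dst == dst and r.dport == dport:
            return r.nat_ip, r.nat_port
    return dst, dport

def evaluate(rdr, rules, iface, dst, dport):
    """Return ('pass' | 'default deny', (final_ip, final_port)) for one packet."""
    nat_ip, nat_port = translate(rdr, iface, dst, dport)
    for p in rules:
        if p.iface == iface and p.dst in (ANY, nat_ip) and p.dport in (0, nat_port):
            return "pass", (nat_ip, nat_port)
    return "default deny", (nat_ip, nat_port)   # what the firewall log reports

# Constructed sample using the thread's VIP and ports; assumes the DNSBL
# redirect is active on the DATA VLAN interface where the browsing PCs live.
RDR = [Rdr("DATA", "172.17.0.1", 443, "127.0.0.1", 8443),
       Rdr("DATA", "172.17.0.1", 80, "127.0.0.1", 8081)]
VIP_ONLY = [Pass("DATA", "172.17.0.1", 0)]                  # permits the VIP only
WITH_TARGET = VIP_ONLY + [Pass("DATA", "127.0.0.1", 8081),  # also permits the
                          Pass("DATA", "127.0.0.1", 8443)]  # translated destination

if __name__ == "__main__":
    print(evaluate(RDR, VIP_ONLY, "DATA", "172.17.0.1", 80))      # default deny, 127.0.0.1:8081
    print(evaluate(RDR, WITH_TARGET, "DATA", "172.17.0.1", 443))  # pass, 127.0.0.1:8443
```

The first case reproduces the symptom in the thread (a rule permitting only the VIP never matches the translated 127.0.0.1:8081 packet); the second shows why adding pass rules for 127.0.0.1:8081/8443 on the client-facing interface makes it work.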

                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.