Rules not auto-generating.
-
I believe I have pfBlockerNG mostly set up, but it doesn't appear to be generating the rules. I have the box checked that says the rules should be put into floating, but no matter what I do, they never generate in either floating or the LAN or WAN rules tabs.
Dashboard shows both the pfBlockerNG DNSBL Web Server with green checkmark and the pfBlocker DNSBL as having 11746 rules but nothing is working - presumably because the rules are not auto-generating.
I have both pfBlocker and DNSBL enabled and I am definitely using the Unbound Resolver and not the forwarder or in forwarder mode.
I've updated all the rules and restarted both pfBlocker and Unbound multiple times.
I do see this in my logs:
/rc.filter_configure_sync: New alert found: There were error(s) loading the rules: /tmp/rules.debug:93: multiple binat ip addresses - The line in question reads [93]: binat on ovpns1 from { 192.168.1.0/24 10.10.10.1/32 } to any -> 172.20.1.0
and I do see this Alias in URLs:
pfB_DNSBLIP https://127.0.0.1:445/pfblockerng/pfblockerng.php?pfb=pfB_DNSBLIP
pfBlockerNG auto DNSBL IP Alias
I've restarted, I've tried checking the DNSBL Firewall Rule for my LAN1 because I do have multiple LANs. Nothing works.
-
It might help to post up screenshots of your settings in pfBlocker, specifically the "General" tab and the "DNSBL" tab.
Some thoughts that helped me get DNSBL to work are:
- Make sure you can navigate to 10.10.10.1…a blank page with "pixel -10.10.10.1" should come up
- Have you selected the interfaces you want DNSBL to work on? Firewall -> pfBlockerNG -> DNSBL...then scroll to "DNSBL Firewall Rule", make sure the interfaces you want are selected.
- I had a "quirky" configuration rule to allow access to the "pixel -10.10.10.1" page...had to make this easy, yet intimidating change: https://forum.pfsense.org/index.php?topic=132072.0
Here is a recent conversation on some of the lists to use:
https://forum.pfsense.org/index.php?topic=131394.0
Hope this helps...
V
-
I will see about posting those images, but for now I have removed pfBlocker because it was causing me to lose all internet connectivity.
The bottom line though - shouldn't it be generating rules that would go in either the WAN or LAN pages or, if the appropriate check box were ticked, into Floating? Those are never generated for me at all, no matter what I do.
-
Hi Mike,
Thanks for the follow on Twitter ;)
> I will see about posting those images, but for now I have removed pfBlocker because it was causing me to lose all internet connectivity.
Everything that is blocked (Either IP or Domain) is shown in the Alerts Tab. Sometimes IP feeds contain RFC1918 and loopback addresses… So best to enable the "Suppression" feature which will remove those... Force Reload required to take effect...
> The bottom line though - shouldn't it be generating rules that would go in either the WAN or LAN pages or, if the appropriate check box were ticked, into Floating? Those are never generated for me at all, no matter what I do.
IP and Domain blocking are two completely separate processes… Only exception is the DNSBL IP which is a firewall rule created when the Domain feeds contain IP addresses, as those cannot be blocked by the DNS Resolver.
So if you are just using DNSBL, then it won't create any rules except for the DNSBL IP one... Also ensure that you defined the Interface settings in the General tab so that it knows which interfaces to apply the rules to...
For DNSBL it is a DNS based blocker using the DNS Resolver Unbound.... If you review the Feeds that you're using, or review the Log Tab.... You can check to see if a site is getting blocked with a simple "host" command which should reply with the DNSBL VIP address (10.10.10.1)
host -t A example.com
> I do see this in my logs:
> /rc.filter_configure_sync: New alert found: There were error(s) loading the rules: /tmp/rules.debug:93: multiple binat ip addresses - The line in question reads [93]: binat on ovpns1 from { 192.168.1.0/24 10.10.10.1/32 } to any -> 172.20.1.0
With the pkg disabled, goto pfSense > Status > Filter Reload….
Do you get any errors? The Binat error for your OpenVPN is not related to the pkg.... So if pfBlockerNG is trying to create IP rules with the above error, then it won't complete.... Need to fix that issue first... Not sure why the rule also has the DNSBL VIP in it?
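The "host" check described in the reply above, scripted so it can be run from a LAN client against a list of domains. This is an added example, not code from the thread or from the pfBlockerNG package: it assumes the `host` utility is installed on the client, that the client uses pfSense/Unbound as its resolver, and that the DNSBL VIP is 10.10.10.1 as in the thread (override with the DNSBL_VIP environment variable). The sample `host` outputs at the bottom are constructed so the parsing logic can be exercised offline.

```shell
#!/bin/sh
# Added example (not from the forum post or the pfBlockerNG package):
# decide whether a domain is being sinkholed by pfBlockerNG DNSBL, i.e.
# whether "host -t A <domain>" answers with the DNSBL VIP.

DNSBL_VIP="${DNSBL_VIP:-10.10.10.1}"   # VIP from the thread; assumed default

# dnsbl_verdict <host output text> <vip>
# Parses the text that `host -t A` prints and returns:
#   0 if any A record equals the VIP (domain is sinkholed by DNSBL)
#   1 if A records exist but none is the VIP (domain is not blocked)
#   2 if no A record was found (NXDOMAIN, SERVFAIL, timeout, ...)
dnsbl_verdict() {
    out="$1"; vip="$2"
    # `host` prints one "<name> has address <ipv4>" line per A record
    addrs=$(printf '%s\n' "$out" | awk '/has address/ {print $NF}')
    [ -z "$addrs" ] && return 2
    for a in $addrs; do
        [ "$a" = "$vip" ] && return 0
    done
    return 1
}

# check_domain <domain>: live query through the client's configured resolver.
check_domain() {
    out=$(host -t A "$1" 2>&1) || true      # keep host's text even on NXDOMAIN
    rc=0; dnsbl_verdict "$out" "$DNSBL_VIP" || rc=$?
    case $rc in
        0) echo "$1: BLOCKED (sinkholed to $DNSBL_VIP)" ;;
        1) echo "$1: not blocked, resolves to:" \
                "$(printf '%s\n' "$out" | awk '/has address/ {print $NF}' | tr '\n' ' ')" ;;
        *) echo "$1: no A record (NXDOMAIN/timeout) - confirm the client is using Unbound on pfSense" ;;
    esac
    return $rc
}

# Constructed sample outputs (not captured from a real box) in the format
# `host -t A` uses, so dnsbl_verdict can be tested without network access.
SAMPLE_BLOCKED="ads.example.test has address 10.10.10.1"
SAMPLE_ALLOWED="www.example.test has address 192.0.2.10"
SAMPLE_MIXED="cdn.example.test has address 192.0.2.11
cdn.example.test has address 10.10.10.1"
SAMPLE_NXDOMAIN="Host nonexistent.example.test not found: 3(NXDOMAIN)"

# Usage: ./dnsbl_check.sh <domain> [<domain> ...]
for d in "$@"; do
    check_domain "$d"
done
```

A domain reported as "not blocked" while it appears in one of your feeds points at the resolver path (client not using Unbound, or Unbound not reloaded after a Force Reload); a "no A record" result for everything usually means the client is not reaching pfSense for DNS at all.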
-
> With the pkg disabled, goto pfSense > Status > Filter Reload….
> Do you get any errors? The Binat error for your OpenVPN is not related to the pkg.... So if pfBlockerNG is trying to create IP rules with the above error, then it won't complete.... Need to fix that issue first... Not sure why the rule also has the DNSBL VIP in it?
I've completely uninstalled pfBlocker. When I do filter reload, I get no errors.
I did have the much older version of pfBlocker installed a long time ago, but have since removed it. I have installed pfBlockerNG two or three times and could never get it to work. At this point, my only interest is in DNSBL, but I cannot figure out why it won't work.
One thought I had was that I never explicitly clicked on the interfaces to apply the rules to. The LAN and WAN I wanted seemed to be selected in the box as indicated by the grey background. I assumed it had already selected those, but perhaps I need to explicitly click them?
One other point is that when I had it installed and found it wasn't working, I rebooted. After that my WAN connection was completely dead. The only way I could get it back was to disable pfBlocker.
Shall I reinstall again and explicitly click those interfaces, or is there something else going on?
-
BBcan177: Thanks for the help.
I have posted this in the OpenVPN section:
https://forum.pfsense.org/index.php?topic=138081.0
-
@BBcan177 Hello,
I seem to be having this issue as well. I have pfBlockerNG-devel and the feeds set to "Alias Deny" running both the DNSBL and IPBL and I tick to auto generate the Floating rules but no rules are being generated.
pfSense 2.5.2 and current devel package
All grey arrows saying the rules are not used
-
@BBcan177 Ohhhhhh I see.
"Alias Deny" doesn't create an alias and set deny rules........ I had to actually tell it to Block instead of create an Alias then it made the rules.
To confirm then, what is the point of "Alias Deny"??? I get it makes the Alias, but what does it deny?