Netgate Discussion Forum

    PfBlockerNG XMLRPC Replication error

    pfSense Packages
    • Ruddimaster

      Hello,

      it seems that the XMLRPC in webConfigurator does not work correctly.

      /xmlrpc.php: webConfigurator authentication error for 'admin' from xxx.xxx.xxx.xxx
      

      Manual logon with 'admin' works. CARP-Sync works also.
      I have this problem with the new pfBlocker since pfsense 2.2.

      pfBlockerNG: 1.08
      pfsense: 2.2.2

      Does anyone have the same problem?

      • BBcan177 Moderator

        Hi Ruddimaster,

        Which option did you select for "Enable Sync"? I would expect you to use "Sync to hosts(s) defined below"

        Did you configure the proper Protocol, IP, Port?  I assume you used "admin" with the applicable password?

        The error shown above is a pfSense error and not from pfBlockerNG.
        All pfBlockerNG XMLRPC errors will start with "[pfBlockerNG]"

        "Experience is something you don't get until just after you need it."

        Website: http://pfBlockerNG.com
        Twitter: @BBcan177  #pfBlockerNG
        Reddit: https://www.reddit.com/r/pfBlockerNG/new/

        • Ruddimaster

          Hi BBcan177,

          Thanks for your reply…

          @BBcan177:

          I would expect you to use "Sync to hosts(s) defined below"

          You're right…

          I set these options (attached)... enabled and saved. Then I get this message on the backup node:

          Message from syslogd@pfsense_backup at Apr 28 14:15:45 ...
          pfsense_backup php-fpm[44128]: /xmlrpc.php: webConfigurator authentication error for 'admin' from 10.100.4.252
          

          To be sure that the user pwd combination is right, I logged on to pfsense_backup with the same credentials.

          Dirk

          pfBlockerNG_2015-04-28_14-12-59.jpg

          • BBcan177 Moderator

            Try to click the "enable" checkbox at the bottom. Also, I have seen another user who was having issues with credentials that had 'special characters' in the password that the XMLRPC sync is stripping out.

            • Ruddimaster

              Yes, there are special characters in it. I think this is a must-have on administrative accounts…
              I can't test it, because I must use the same user to run the other syncs (CARP, Snort,...).

              So, I have created a user 'carp' with password 'pfsense123'... checked the user synchronisation on pfsense_backup... changed the pfBlockerNG XMLRPC configuration... enabled... and clicked Save. At this moment I have a message on the console on pfsense_backup:

              Message from syslogd@pfsense_backup at Apr 28 16:47:12 ...
              pfsense_backup php-fpm[97900]: /xmlrpc.php: webConfigurator authentication error for 'admin' from 10.100.4.252
              
              • BBcan177 Moderator

                Hi Ruddimaster,

                You can remove the function that sanitizes the Password input here:

                /usr/local/pkg/pfblockerng/pfblockerng.inc
                Line 2596

                Original

                				$password = htmlspecialchars($sh['varsyncpassword']);
                
                

                Patched

                				$password = $sh['varsyncpassword'];

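Why the htmlspecialchars() call in the post above can make a correct password fail, as an added example (not part of the original post and not pfBlockerNG or pfSense code). The receiving node is modelled with PHP's password_hash()/password_verify(), which is an assumption, and the passwords and the helper remote_accepts() are constructed for illustration.

```php
<?php
// Added example: constructed passwords, hypothetical helper name.

// Explicit flags so the result is the same on every PHP version
// (the default flags changed in PHP 8.1 to also encode single quotes).
const LEGACY_FLAGS = ENT_COMPAT | ENT_HTML401;

// Stand-in for the secondary node (assumption): it holds a hash of the
// real password and verifies whatever string the primary node sends.
function remote_accepts(string $stored_hash, string $sent): bool
{
    return password_verify($sent, $stored_hash);
}

// Constructed sample passwords, with and without HTML metacharacters.
$samples = ['pfsense123', 'Tr0ub4dor!#%', 'R&D<2015>', 'say"hello"', "it's+fine"];

foreach ($samples as $real) {
    $hash    = password_hash($real, PASSWORD_DEFAULT);
    $escaped = htmlspecialchars($real, LEGACY_FLAGS); // what the "Original" line sends
    $raw     = $real;                                  // what the "Patched" line sends

    printf(
        "%-14s sent as %-26s escaped: %-4s raw: %s\n",
        $real,
        $escaped,
        remote_accepts($hash, $escaped) ? 'ok' : 'FAIL',
        remote_accepts($hash, $raw) ? 'ok' : 'FAIL'
    );
}
```

HTML escaping is an output encoding for rendering pages; applied to a credential before it is sent, it changes any password that contains &, <, > or a double quote, so the string that arrives no longer matches what the user set.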
                • foetus

                  Hi Ruddimaster

                  I have struggled with the same issue for quite a while, testing all sorts of solutions.
                  And unless there has been a change since 2.2 and up, only the built-in admin user works for XMLRPC sync (other packages suffer the same limitation).

                  If you enable debugging and/or follow the log files, you will notice that whatever you hand in, the user "admin" is always passed over as the username.
                  It has even been mentioned in the CARP/PFSYNC/XMLRPC guide:
                  https://doc.pfsense.org/index.php/Configuring_pfSense_Hardware_Redundancy_(CARP)#KVM.2BQEMU_Users

                  Enter admin for the Remote System Username (other usernames will not work)

                  If you are syncing locally (LAN / admin network), I would just go with the built-in admin account.
                  If you are syncing to boxes over WAN links (which is inherently unsafe however you look at it):

                  • manually sync once when changing settings in a master setup. Avoiding spamming syncs/logins every xyz seconds.
                  • use VPN tunnels.
                  • consider using self hosted lists to use in pfblockerng as white-lists or other custom usages. Update a list, all linked boxes will update.
                  • …

                  I use both 1 and 3 quite extensively. Nowadays I often only sync on initial setup. And let my lists do the exclusions.

                  The more setups you have, the more different they become. So a "one setup for all" will start to fade very quickly :).

                  • doktornotor Banned

                    @foetus:

                    And unless there has been a change since 2.2 and up, only the build in admin user works for XMLRPC sync. (other packages suffer the same limitation).

                    Bingo. https://redmine.pfsense.org/issues/809

                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.