pfBlockerNG firewall filter service will not start latest snapshot

kiokoman

it's working for me, do you have anything on the logs?

provels

I have the same issue after upgrading from some July version to 2.5.0-DEVELOPMENT (amd64) built on Tue Sep 03 08:57:57 EDT 2019. Restarting the daemon only throws a line in the syslog that it's been started, but it doesn't. Should I check out another log?

kiokoman

pfblockerng-devel have his on log, check it

Firewall / pfBlockerNG / Log Browser

what i can see on my system is

root  94903   0.0  0.1   50536    2268  -  I    23:02       0:00.00 /usr/local/sbin/clog_pfb -f /var/log/filter.log
root  94965   0.0  1.0   59184   38968  -  S    23:02       0:00.34 /usr/local/bin/php_pfb -f /usr/local/pkg/pfblockerng/pfblockerng.inc filterlog

maybe it's not working because it still use clog and after the last update the log file are no more circular?
i personally don't use it so i don't know if it work or not but it seems to start at least to me

JeGr

As @jimp wrote in the post, that the CLOG binary would be removed I'm curious as to why the process is running after all. But I suppose pfBNG brought its own version or copy called clog_pfb? On a 2.4.4 those two (clog and clog_pfb) are identical size and date so could be hardlinked or just copied (whysoever?)

kiokoman

@JeGr i have uninstalled pfblockerng and that clog is no more so it's part of the pfblockerng package. It have its own copy

JeGr

Did you check the file system if theres a clog_pfb binary left over? Then pfB is bringing its own (what I'm curious about as to why - and why it even has its own php?) and if that's the case the logging should still work.

The problem is/could be, that with changing the logging structure in 2.5 snapshots, @BBcan177 would have to roll out another fork package of pfBlockerNG like -snapshots for it to incorporate the changes for logging as those would not work in 2.4.4 or less (as they are still clog based). So to accomodate that it would have its log part rewritten and be incompatible with <2.5 versions and as the development is still ongoing (and not pushed to the -stable package), that would be a bit complicated.

IMHO the best course would be to push the current -stable to sth. like "-old", push -devel to -stable and then use "-devel" für development of new versions matching things like snapshots but that's not something easily done and the workload is already high for him.

kiokoman

pfblockerng_install.inc

update_status(" done.\n\nCreating Firewall filter service...");
pfb_filter_service();
stop_service('pfb_filter');
update_status(" done.\nRenew Firewall filter executables...");
unlink_if_exists('/usr/local/bin/php_pfb');
link('/usr/local/bin/php', '/usr/local/bin/php_pfb');
unlink_if_exists('/usr/local/sbin/clog_pfb');
link('/usr/local/sbin/clog', '/usr/local/sbin/clog_pfb');

i have update pfsense
reinstalled pfblockerng
i don't have /usr/local/sbin/clog
of course there isn't also /usr/local/sbin/clog_pfb
it was removed
ending with a non working pfBlockerNG
redmine https://redmine.pfsense.org/issues/9724

in the meantime i'm testing this solution if it work .. from clog to tail

root  26168   0.0  0.1   10648    2264  0  S    12:01      0:00.01 /usr/bin/tail -f /var/log/filter.log

JeGr

@kiokoman said in pfBlockerNG firewall filter service will not start latest snapshot:

of course there isn't also /usr/local/sbin/clog_pfb

Aaah so my hunch was right and he is/was using hardlinks that now won't work on current snapshots as there's no clog binary anymore. Curious though as to why he uses a hardlink at all.

But yeah, that's why the log view isn't visible at present with newer snapshots :)

kiokoman

if someone is interested he can try to modify
/usr/local/etc/rc.d/pfb_filter.sh

on line 38

change it from

/usr/local/sbin/clog_pfb -f /var/log/filter.log | /usr/local/bin/php_pfb -f /usr/local/pkg/pfblockerng/pfblockerng.inc filterlog &

to

/usr/bin/tail -f /var/log/filter.log | /usr/local/bin/php_pfb -f /usr/local/pkg/pfblockerng/pfblockerng.inc filterlog &

i can't test dnsbl as i don't have unbound but i can see that if i try to go to an ip address in the black list it will redirect

PR https://github.com/pfsense/FreeBSD-ports/pull/670

provels

It appears this has been fixed in the latest PFBNG devel release.

JeGr

Quick reaction by @BBcan177 as (almost) always. Nicely done :) and thanks for the details @kiokoman

chrcoluk

Got same issue but in my case no error is generated, all I see is after I added to watchdog it is been started every minute in the system log, no errors, just stopping right after started.

If I check logs inside pfblockerng-devel, is no errors.

Any ideas?

What does the service even do? as the actual functionality seems fine otherwise.

2.5-snapshot, on my 2.4.5 unit it is running.