pfblockerng-devel error: Unknown Not listed!
-
Hi,
Can somebody explain, pls, why I get Unknown Not listed in this case:
# grep 113.1.135.78 /var/db/pfblockerng/* -r
/var/db/pfblockerng/deny/CINS_army_v4.txt:113.1.135.78
/var/db/pfblockerng/mastercat:113.1.135.78
/var/db/pfblockerng/masterfile:CINS_army_v4 113.1.135.78
/var/db/pfblockerng/original/CINS_army_v4.orig:113.1.135.78
Why, if this IP is not listed, is it still getting blocked?
Is there a description of what all of those files/folders under /var/db/pfblockerng/ are intended for?
Thanks in advance!
PS The old thread was https://forum.netgate.com/topic/131939/pfblockerng-error-unknown-not-listed
PPS pfBlockerng-devel 2.2.5_27
-
Are you saying you wanted to go to that address and it was blocked? To me, intuitively, it seems that the IP address belongs to a GeoIP list of known bad actors but not to a DNSBL feed, so the IP address will never resolve to a domain name. It seems that you'll need to wait for BBcan177 to explain further!
-
@jazzl0ver said in pfblockerng-devel error: Unknown Not listed!:
grep 113.1.135.78 /var/db/pfblockerng/*
Unknown Not Listed normally occurs when an IP has been removed and is no longer present in /var/db/pfblockerng/deny/*.txt. It can also happen when an Update is running and the file is being rebuilt.
Example: my cron starts at 14:15:00, and the IP table was being built around 14:20:24:
Line 10238: Dec 8 14:19:38,1770009444,xl0,WAN,block,4,6,TCP-S,92.118.37.97,AAA.BBB.CCC.DDD,40887,56027,in,RO,pfB_PRI2_v4,92.118.37.0/24,PRI2_Alienvault_v4,Unknown,wan,| 35606 | IPDONNEROLEG | Donner Oleg Alexeevich |,+
Line 10244: Dec 8 14:20:24,1770009444,xl0,WAN,block,4,6,TCP-S,92.118.37.97,AAA.BBB.CCC.DDD,40887,47202,in,RO,pfB_PRI2_v4,Unknown,Unknown,Unknown,wan,| 35606 | IPDONNEROLEG | Donner Oleg Alexeevich |,+
Line 10248: Dec 8 14:21:32,1770009444,xl0,WAN,block,4,6,TCP-S,92.118.37.97,AAA.BBB.CCC.DDD,40887,59847,in,RO,pfB_PRI2_v4,92.118.37.0/24,PRI2_Alienvault_v4,Unknown,wan,| 35606 | IPDONNEROLEG | Donner Oleg Alexeevich |,+
Also, when searching for an IP in /var/db/pfblockerng, you should maybe search for networks instead of hosts:
grep 113.1.135. /var/db/pfblockerng/*
-
Oh, so, somehow, somewhere, pfBlockerNG has a list of IPs that don't belong to any list and is active and blocking them...in your case 113.1.135.79!
-
Nope.
During the update process, the FW continues blocking as per the FW rules and Aliases.
Update fetches the URLs, gathers IP data, does De-Duplication, CIDR Aggregation, Suppression etc., and re-creates the /var/db/pfblockerng/deny/*.txt and some other files.
At the end of the IP phase, it updates the Aliases for the IP tables in /var/db/aliastables/ and reloads, as per the log:
===[ Aliastables / Rules ]==========================================
No changes to Firewall rules, skipping Filter Reload
Updating: pfB_PRI1_v4 444 addresses added.1073 addresses deleted.
Updating: pfB_PRI2_v4 79 addresses added.23 addresses deleted.
Updating: pfB_PRI3_v4 494 addresses added.455 addresses deleted.
Updating: pfB_PRI4_v4 388 addresses added.31 addresses deleted.
Updating: pfB_PRI5_v4 no changes.
Updating: pfB_Abuse_PS_v4 no changes.
Updating: pfB_PFB_Whitelist_v4 no changes.
Updating: pfB_DNSBLIP_v4 413 addresses added.76 addresses deleted.
So during the Update process, if a pfBlockerNG FW rule is triggered (still using the Alias present before the Update started), the pfBlockerNG firewall filter service tries to find the feed and updates /var/log/pfblockerng/ip_block.log.
So there is always a window of time when some files go missing from /var/db/pfblockerNG/deny/*.txt; the service will then report the feed as Not listed.
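An added example, not part of the original posts and not pfBlockerNG's own code: this Python script reads ip_block.log rows and, for each row whose feed is Unknown, looks for a nearby row with the same source IP and alias whose feed did resolve, which is what the update window described above looks like in the log. The column positions are an assumption read off the three rows quoted earlier in the thread, and the 600-second window is an arbitrary choice.

```python
import csv
from datetime import datetime

# Three ip_block.log rows quoted earlier in the thread ("Line N:" prefixes removed).
SAMPLE = """\
Dec 8 14:19:38,1770009444,xl0,WAN,block,4,6,TCP-S,92.118.37.97,AAA.BBB.CCC.DDD,40887,56027,in,RO,pfB_PRI2_v4,92.118.37.0/24,PRI2_Alienvault_v4,Unknown,wan,| 35606 | IPDONNEROLEG | Donner Oleg Alexeevich |,+
Dec 8 14:20:24,1770009444,xl0,WAN,block,4,6,TCP-S,92.118.37.97,AAA.BBB.CCC.DDD,40887,47202,in,RO,pfB_PRI2_v4,Unknown,Unknown,Unknown,wan,| 35606 | IPDONNEROLEG | Donner Oleg Alexeevich |,+
Dec 8 14:21:32,1770009444,xl0,WAN,block,4,6,TCP-S,92.118.37.97,AAA.BBB.CCC.DDD,40887,59847,in,RO,pfB_PRI2_v4,92.118.37.0/24,PRI2_Alienvault_v4,Unknown,wan,| 35606 | IPDONNEROLEG | Donner Oleg Alexeevich |,+
"""

# Assumption: column positions are read off those rows, not a documented schema.
TS, SRC, ALIAS, ENTRY, FEED = 0, 8, 14, 15, 16


def parse(text):
    rows = []
    for f in csv.reader(text.splitlines()):
        if len(f) <= FEED:
            continue  # skip blank or truncated rows
        # The log carries no year; 2000 is a leap year, so "Feb 29" still parses.
        when = datetime.strptime("2000 " + f[TS], "%Y %b %d %H:%M:%S")
        rows.append({"when": when, "src": f[SRC], "alias": f[ALIAS],
                     "entry": f[ENTRY], "feed": f[FEED]})
    return rows


def explain_unknown(rows, window_s=600):
    """Classify each 'Unknown' feed row as transient (same source IP and alias
    resolved to a feed within window_s seconds) or unresolved."""
    out = []
    for r in rows:
        if r["feed"] != "Unknown":
            continue
        gap = lambda o: abs((o["when"] - r["when"]).total_seconds())
        near = [o for o in rows if o["feed"] != "Unknown" and gap(o) <= window_s
                and (o["src"], o["alias"]) == (r["src"], r["alias"])]
        stamp = r["when"].strftime("%H:%M:%S")
        if near:
            best = min(near, key=gap)  # closest resolved hit in time
            out.append((stamp, r["src"], "transient", best["feed"], best["entry"]))
        else:
            out.append((stamp, r["src"], "unresolved", None, None))
    return out


if __name__ == "__main__":
    for result in explain_unknown(parse(SAMPLE)):
        print(result)
```

Rows reported as unresolved are the ones worth checking by hand against the alias table and the deny files, since no resolved hit for the same source and alias was logged near them.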
-
Thank you very much, @RonpfS !
Can you pls shed some light on the purpose of other files/folders under /var/db/pfblockerng?
-
@RonpfS said in pfblockerng-devel error: Unknown Not listed!:
So there is always a window of time when some files go missing from /var/db/pfblockerNG/deny/*.txt; the service will then report the feed as Not listed.
Okay, thank you for the thoughtful explanation...awesome!