pfBlockerNG v3.0.0_6 update
-
pfBlockerNG v3.0.0_6 update
Will hopefully be approved and merged
Mondaythis week.- Fix incorrect function name call
- Add safety belt for DNS Python mode and the DNS Resolver OpenVPN Client Registration option.
- Add a Phishing Army alternative feed.
- Remove any empty < config >< /config > config.xml entries
Updated:
-
DNSBL - NAT / Floating rule modifications when Localhost interface is selected
-
Add preliminary DNSBL Group Policy configuration that will globally bypass DNSBL for the defined LAN IPs
-
This post is deleted! -
Looks like the fix to restart unbound automatically did not make it into pfBlockerNG v3.0.0_6. I just updated to v3.0.0_6 and still had to manually start unbound after the update finished.
-
@jdeloach said in pfBlockerNG v3.0.0_6 update:
@bbcan177
Looks like the fix to restart unbound automatically did not make it into pfBlockerNG v3.0.0_6. I just updated to v3.0.0_6 and still had to manually start unbound after the update finished.There is an issue in pfSense pkg-static that causes Unbound to go into a <defunct> state during Installation since on pkg Installation, the first step is to de-install and that stops Unbound, and then an installation, which re-enables the pkg and starts Unbound again. But the process tree map shows that Unbound is stopping/starting in the pkg installation tree which is causing this issue.
I am trying to find a temporary workaround until the devs can look at it.
You can try to disable the pkg before updating to any new versions, and then re-enable post installation to see if that helps. -
Thanks, I'll follow your advice for any future updates.
As always, thanks for your work on this great package.
-
I have a strange issue since I updated to this version. Whenever I try to edit a DNSBL Group object the edit menu of the object above appears instead. Anybody encountered this issue?
Opening them from the Feeds menu works just fine.Editing BBCan177 opens an empty DNSBL group edit page
Editing Malicious opens the BBCan177 edit page
etc.
-
@mind12 what is the URL shown when you hover the mouse over the 'pencil-edit' buttons
?My list :
When I hover over edit button of the BBcan177 feed, I see a ....&rowid=0
The Pishing (row 4) shows a rowid=3.Editing BBcan177 opens the BBcan177 settings. Etc.
For my Cryptojackers - the id is 2 :
Did you re arrange the rows without hitting Save button ?
-
@gertjan I have not rearranged them. To be honest this list was empty on the .5 version however I used all of them on the Feeds menu.
The ids are 0-3 in the same order as in my picture in the Group menu but BBCan has rowid 1 in the link on the Feeds menu.
I will try to rearrange them to have the same rowid as in Feeds.
-
@mind12 After I rearranged, saved and reloaded it opens the correct feed now.
-
@BBcan177
I upgraded from 2.2.5_37 -> 3.0.0_6 tonight on my SG-2100 at home and have a question. Was DShield removed? I just set that up for all our clients a couple months ago when I saw it in the notes on Github. :) We used to have our own feed generator script. In v3 it shows up under "Unknown user defined Feeds."After upgrading, it completed fine but the DNS resolver had stopped. All I had to do was start it. [arg, I posted then reread your message yesterday about this issue...never mind just +1 me]
-
A lot has happened over the past few weeks. Want to make sure I understand how things are at the moment (3.0.0_6). As best I can tell:
-
Issue during install/upgrade killing unbound. It's only an upgrade/install issue NOT an ongoing problem. So, install/upgrade should be viewed as a planned, albeit short, outage.
-
Using python integration mode is incompatible with views in unbound. This is an unbound issue on pfsense 2.4.5_p1. Not sure it's fixed with the more current version of unbound on pfsense 2.5.
Other than that things are good?
-
-
@jwj Yes you are correct.
Regarding 2. not just views but DHCP Registration and OpenVPN Clients is also incomatible with python mode.
-
@mind12 Thanks! Is the problem with registering dhcp leases only dynamic leases? In other words, registering static leases is ok.
-
@jwj That's a good question. If I could guess, both.
Original release notes:
"The DNS Resolver (Unbound) DHCP Registration option is not compatible with DNSBL Python mode. The pfSense devs are aware and changes are required to be made to the dhcpleases binary to stop/start Unbound instead of sending a SIGHUP. The use of this option and the Unbound Python mode will cause an Unbound crash.
If DHCP Registration is enabled in Unbound Python mode, or DHCP Registration enabled after Unbound Python mode is enabled, Unbound Python mode will be downgraded to Unbound mode to prevent Unbound from crashing." -
@mind12 Yeah.
First and third are a no go for sure, I can live with that. The second, static leases, would be a show stopper. I need to be able to resolve those devices and do reverse lookup for them.
Of course using the non python mode removes these restrictions.
-
@teamits said in pfBlockerNG v3.0.0_6 update:
Was DShield removed
Looks like it was renamed to the ISC Block list.
-
Hello,
Today I found an alert in PfblockerNG alerts - "DNSBL (Python mode) is out of sync. Perform a Force Reload to correct."
Screenshot 2020-12-21 at 10.27.31.pngI've done a few force reloads but this wont change. Also disabled/enable pfblockerng but no change.
Am I missing something?I'm using 3.0.0._6 version, python mode enabled.
Thanks
-
You can check what happens in the log, shown during the force update :
This it would should show :.... Database Sanity check [ PASSED ] ------------------------ Masterfile/Deny folder uniq check Deny folder/Masterfile uniq check ....Your shows :
Database Sanity check [ FAILED ] ** These two counts should match! **Normally, you shouldn't leave log messages with text like 'FAILED' .... ;)
When you see FAILED somewhere it will pop up elsewhere .... like in the middle of the dashboard.You can see the file here : /var/unbound/var/log/pfblockerng/pfblockerng.log
What counts is the last PASSED or FAILED occurrence.
You could also see here Firewall > pfBlockerNG > Log Browser and view this file.I guess you have a feed/list that fails or contains invalid info - check them one by one.
Make sure that " ** These two counts should match! ** " (whatever that may means) goes away.Or pastebin the log, and show it here.
-
-
I detect no problems in the log... Searching for "FAILED" detects no results:
Database Sanity check [ PASSED ] ------------------------ Masterfile/Deny folder uniq check Deny folder/Masterfile uniq check Sync check (Pass=No IPs reported) ----------I have no TLD custom blacklist and whitelist, and I checked all the feed Headers and they are unique.
Assembling DNSBL database...... completed [ 12/21/20 15:30:32 ] TLD: TLD analysis...xxxxx completed [ 12/21/20 15:30:36 ] ** TLD Domain count exceeded. [ 300000 ] All subsequent Domains listed as-is ** TLD finalize... ---------------------------------------- Original Matches Removed Final ---------------------------------------- 674635 236040 28482 646153 ----------------------------------------- TLD finalize... completed [ 12/21/20 15:30:38 ] Saving DNSBL statistics... completed [ 12/21/20 15:30:39 ] Reloading Unbound Resolver (DNSBL python). Stopping Unbound Resolver. Unbound stopped in 2 sec. Additional mounts (DNSBL python): No changes required. Starting Unbound Resolver... completed [ 12/21/20 15:30:42 ] Resolver cache restored [ 12/21/20 15:30:43 ] *** DNSBL update [ 646153 ] [ 571350 ] ... OUT OF SYNC ! ***Edit: forgot to add the full log:
log@pastebin
