pfBlockerNG v3.0.0_6 update
-
@gertjan I have not rearranged them. To be honest this list was empty on the .5 version however I used all of them on the Feeds menu.
The ids are 0-3 in the same order as in my picture in the Group menu but BBCan has rowid 1 in the link on the Feeds menu.
I will try to rearrange them to have the same rowid as in Feeds.
-
@mind12 After I rearranged, saved and reloaded it opens the correct feed now.
-
@BBcan177
I upgraded from 2.2.5_37 -> 3.0.0_6 tonight on my SG-2100 at home and have a question. Was DShield removed? I just set that up for all our clients a couple months ago when I saw it in the notes on Github. :) We used to have our own feed generator script. In v3 it shows up under "Unknown user defined Feeds." After upgrading, it completed fine but the DNS resolver had stopped. All I had to do was start it. [arg, I posted then reread your message yesterday about this issue... never mind just +1 me]
-
A lot has happened over the past few weeks. Want to make sure I understand how things are at the moment (3.0.0_6). As best I can tell:
1. Issue during install/upgrade killing unbound. It's only an upgrade/install issue NOT an ongoing problem. So, install/upgrade should be viewed as a planned, albeit short, outage.
2. Using python integration mode is incompatible with views in unbound. This is an unbound issue on pfsense 2.4.5_p1. Not sure it's fixed with the more current version of unbound on pfsense 2.5.
Other than that things are good?
-
@jwj Yes you are correct.
Regarding 2. not just views but DHCP Registration and OpenVPN Clients are also incompatible with python mode.
-
@mind12 Thanks! Is the problem with registering dhcp leases only dynamic leases? In other words, registering static leases is ok.
-
@jwj That's a good question. If I could guess, both.
Original release notes:
"The DNS Resolver (Unbound) DHCP Registration option is not compatible with DNSBL Python mode. The pfSense devs are aware and changes are required to be made to the dhcpleases binary to stop/start Unbound instead of sending a SIGHUP. The use of this option and the Unbound Python mode will cause an Unbound crash.
If DHCP Registration is enabled in Unbound Python mode, or DHCP Registration enabled after Unbound Python mode is enabled, Unbound Python mode will be downgraded to Unbound mode to prevent Unbound from crashing." -
@mind12 Yeah.
First and third are a no go for sure, I can live with that. The second, static leases, would be a show stopper. I need to be able to resolve those devices and do reverse lookup for them.
Of course using the non python mode removes these restrictions.
-
@teamits said in pfBlockerNG v3.0.0_6 update:
Was DShield removed
Looks like it was renamed to the ISC Block list.
-
Hello,
Today I found an alert in PfblockerNG alerts - "DNSBL (Python mode) is out of sync. Perform a Force Reload to correct."
I've done a few force reloads but this won't change. Also disabled/enabled pfblockerng but no change.
Am I missing something? I'm using the 3.0.0_6 version, python mode enabled.
Thanks
-
You can check what happens in the log, shown during the force update :
This is what it should show :
.... Database Sanity check [ PASSED ]
------------------------
Masterfile/Deny folder uniq check
Deny folder/Masterfile uniq check
....
Yours shows :
Database Sanity check [ FAILED ] ** These two counts should match! **
Normally, you shouldn't leave log messages with text like 'FAILED' .... ;)
When you see FAILED somewhere it will pop up elsewhere .... like in the middle of the dashboard. You can see the file here : /var/unbound/var/log/pfblockerng/pfblockerng.log
What counts is the last PASSED or FAILED occurrence.
You could also see here Firewall > pfBlockerNG > Log Browser and view this file. I guess you have a feed/list that fails or contains invalid info - check them one by one.
Make sure that " ** These two counts should match! ** " (whatever that may mean) goes away. Or pastebin the log, and show it here.
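The check described above (look at the last Database Sanity check result, then compare the two counts in the final DNSBL update line) can be done without scrolling through the Log Browser. The script below is an added example for this thread, not part of pfBlockerNG; the log path comes from the post above, and the line formats it matches are assumed from the excerpts quoted in this thread (the sample log is constructed).

```python
import re
import sys

# Log location quoted in this thread; pass another path on the command line to override.
PFB_LOG = "/var/unbound/var/log/pfblockerng/pfblockerng.log"

# Assumed line formats, taken from the log excerpts quoted in this thread.
SANITY_RE = re.compile(r"Database Sanity check \[ (PASSED|FAILED) \]")
UPDATE_RE = re.compile(r"DNSBL update \[ (\d+) \] \[ (\d+) \]")


def last_sanity_status(log_text):
    """Return 'PASSED', 'FAILED' or None for the most recent sanity check.

    Only the last occurrence matters: a FAILED from an older run that was
    followed by a PASSED run is not a current problem.
    """
    hits = SANITY_RE.findall(log_text)
    return hits[-1] if hits else None


def last_dnsbl_update(log_text):
    """Return (database_count, loaded_count, in_sync) for the most recent
    DNSBL update line, or None if no update line is present."""
    hits = UPDATE_RE.findall(log_text)
    if not hits:
        return None
    db_count, loaded = (int(x) for x in hits[-1])
    return db_count, loaded, db_count == loaded


def summarize(log_text):
    """Combine both checks into one verdict for the whole log."""
    sanity = last_sanity_status(log_text)
    update = last_dnsbl_update(log_text)
    healthy = sanity == "PASSED" and update is not None and update[2]
    return {"sanity": sanity, "update": update, "healthy": healthy}


# Constructed sample: an older run that failed, then a run that passed the
# sanity check but still ended out of sync (counts as in the thread).
SAMPLE_LOG = """\
Database Sanity check [ FAILED ] ** These two counts should match! **
*** DNSBL update [ 600000 ] [ 600000 ] ***
Assembling DNSBL database...... completed [ 12/21/20 15:30:32 ]
Database Sanity check [ PASSED ]
------------------------
Masterfile/Deny folder uniq check
Deny folder/Masterfile uniq check
Sync check (Pass=No IPs reported)
Starting Unbound Resolver... completed [ 12/21/20 15:30:42 ]
*** DNSBL update [ 646153 ] [ 571350 ] ... OUT OF SYNC ! ***
"""


if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else PFB_LOG
    with open(path, encoding="utf-8", errors="replace") as fh:
        result = summarize(fh.read())
    print(result)
    sys.exit(0 if result["healthy"] else 1)
```

Run it on the box as `python3 pfb_sync_check.py` after a Force Reload; a non-zero exit means either the last sanity check failed or the database and loaded domain counts differ, which is exactly the condition behind the "out of sync" alert.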
-
I detect no problems in the log... Searching for "FAILED" detects no results:
Database Sanity check [ PASSED ]
------------------------
Masterfile/Deny folder uniq check
Deny folder/Masterfile uniq check
Sync check (Pass=No IPs reported)
----------
I have no TLD custom blacklist and whitelist, and I checked all the feed Headers and they are unique.
Assembling DNSBL database...... completed [ 12/21/20 15:30:32 ]
TLD:
TLD analysis...xxxxx completed [ 12/21/20 15:30:36 ]
** TLD Domain count exceeded. [ 300000 ] All subsequent Domains listed as-is **
TLD finalize...
----------------------------------------
Original Matches Removed Final
----------------------------------------
674635 236040 28482 646153
-----------------------------------------
TLD finalize... completed [ 12/21/20 15:30:38 ]
Saving DNSBL statistics... completed [ 12/21/20 15:30:39 ]
Reloading Unbound Resolver (DNSBL python).
Stopping Unbound Resolver.
Unbound stopped in 2 sec.
Additional mounts (DNSBL python): No changes required.
Starting Unbound Resolver... completed [ 12/21/20 15:30:42 ]
Resolver cache restored [ 12/21/20 15:30:43 ]
*** DNSBL update [ 646153 ] [ 571350 ] ... OUT OF SYNC ! ***
Edit: forgot to add the full log:
log@pastebin -
I disabled all DNSBL feeds, and enabled them one by one (after doing a force reload for each one) and now I don't have the problem.
-
@xppx99 So something is definitely going on, because after a few hours the same issue arises:
-
@xppx99
Run a Force Reload - DNSBL and post the log for review. -
@bbcan177 said in pfBlockerNG v3.0.0_6 update:
- Add preliminary DNSBL Group Policy configuration that will globally bypass DNSBL for the defined LAN IPs
Thank god for this new functionality, thank god! (well, thank bbcan177!!!)
Sure looking forward to the CIDR notation -
-