pfSense Plus and SG-3100
-
Thanks, I will give it a go later. See if I can make them go away. It might also be haproxy, but it might be worth a shot trying
-
Yes, this looks like it's almost certainly php choking on a large list parsing function for as yet unknown reasons. Loading fewer or smaller lists in pfBlocker will likely avoid it.
-
@mcury the pfsense config you refer to the one in /conf?
-
I reinstalled the pfBlocker. I thought I cleaned it out pretty well, but it still picked up the PRI1 list (I do not remember this being automatic anyways). So far I do not see any issues in the logging, so it looks good so far. I will give an update later if I see any php errors.
-
@nokkief I saved the xml through the GUI settings:
@mcury the pfsense config you refer to the one in /conf?
Save the XML, edit it and search for pfblockerng
You will find a few of these:
<config>
  <aliasname>ADs_Basic</aliasname>
  <description><![CDATA[ADs Basic - Collection of ADvertisement Domain Feeds.]]></description>
  <row>
    <format>auto</format>
    <state><![CDATA[Enabled]]></state>
    <url>https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts</url>
    <header>StevenBlack_ADs</header>
  </row>
  <action>unbound</action>
  <cron>EveryDay</cron>
  <logging>enabled</logging>
  <order>default</order>
  <dow>1</dow>
</config>
<config>
  <aliasname>EasyList</aliasname>
  <description><![CDATA[EasyList Feeds - Utilizing only the domains which are listed to be blocked in full.]]></description>
  <action>unbound</action>
  <cron>EveryDay</cron>
  <dow>1</dow>
  <sort>sort</sort>
  <logging>enabled</logging>
  <order>default</order>
  <filter_alexa></filter_alexa>
  <custom></custom>
  <row>
    <format>auto</format>
    <state><![CDATA[Enabled]]></state>
    <url>https://easylist-downloads.adblockplus.org/easylist_noelemhide.txt</url>
    <header>EasyList</header>
  </row>
  <row>
    <format>auto</format>
    <state><![CDATA[Enabled]]></state>
    <url>https://easylist-downloads.adblockplus.org/easylistportuguese.txt</url>
    <header>EasyList_Portuguese</header>
  </row>
  <row>
    <format>auto</format>
    <state><![CDATA[Enabled]]></state>
    <url>https://easylist.to/easylist/easyprivacy.txt</url>
    <header>EasyPrivacy</header>
  </row>
</config>
</pfblockerngdnsbl>
Remove the pfblockerng package without the 'keep settings' option.
Remove everything related to pfblockerng from the XML file, and then restore the config to the firewall through the GUI; this will clean all the feeds from the config. Note: it will take a few minutes to complete, and your internet will be down during this period.
Once the config restore/boot completes, install pfblockerng again, run the wizard, and add a few feeds you like, but don't add too many feeds.
I reinstalled the pfBlocker. I thought I cleaned it out pretty well, but it still picked up the PRI1 list
PRI1 is OK to have, it's installed during the wizard in 3.0.0_16
I'm using the following lists: (I added Easylist manually, it isn't there by default).
-
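The cleanup procedure above (save the XML, strip everything related to pfblockerng, restore), as an added example that is not part of the thread or of pfSense/pfBlockerNG code: a Python script that removes the pfBlockerNG sections from a saved config.xml and then rescans the result for anything still mentioning the package, so leftovers get manual review before the restore. The places it looks (sections under installedpackages whose tag names pfblockerng, the package registration entry, cron items whose command mentions pfblockerng, aliases named pfB_*) and the sample config are assumptions modelled on the feed block quoted above, not taken from the thread. Keep the original backup and compare the two files before restoring.

```python
"""Strip pfBlockerNG remnants from a saved pfSense config.xml.

Added example. The element paths searched below are assumptions about the
usual pfSense config layout, not something the thread states. Work on a copy
and keep the untouched backup in case the restore has to be reverted.
"""
import re
import xml.etree.ElementTree as ET

# Constructed sample config, modelled on the pfblockerngdnsbl feed block
# quoted in the thread; the other sections are assumed layout.
SAMPLE_CONFIG = """<?xml version="1.0"?>
<pfsense>
  <version>21.2</version>
  <aliases>
    <alias><name>pfB_ADs_Basic_v4</name><type>urltable</type></alias>
    <alias><name>WebServers</name><type>host</type></alias>
  </aliases>
  <cron>
    <item><minute>0</minute><hour>0</hour><command>/usr/local/pkg/pfblockerng/pfblockerng.php cron</command></item>
    <item><minute>*/1</minute><hour>*</hour><command>/usr/sbin/newsyslog</command></item>
  </cron>
  <installedpackages>
    <package><name>pfBlockerNG-devel</name><version>3.0.0_16</version></package>
    <package><name>haproxy</name><version>0.61</version></package>
    <pfblockerng><config><enable_cb>on</enable_cb></config></pfblockerng>
    <pfblockerngdnsbl>
      <config>
        <aliasname>ADs_Basic</aliasname>
        <row><format>auto</format><state>Enabled</state>
          <url>https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts</url>
          <header>StevenBlack_ADs</header></row>
        <action>unbound</action>
      </config>
    </pfblockerngdnsbl>
    <haproxy><enable>yes</enable></haproxy>
  </installedpackages>
</pfsense>
"""

PATTERN = re.compile(r"pfblockerng", re.IGNORECASE)
ALIAS_PREFIX = "pfB_"  # assumption: pfBlockerNG-generated aliases are named pfB_*


def _remove_where(parent, predicate, describe, removed):
    """Remove children of parent for which predicate is true, logging describe(child)."""
    for child in list(parent):
        if predicate(child):
            removed.append(describe(child))
            parent.remove(child)


def clean_config(xml_text: str):
    """Return (cleaned_xml, list_of_removed_items, count_of_remaining_mentions)."""
    root = ET.fromstring(xml_text)
    removed = []

    pkgs = root.find("installedpackages")
    if pkgs is not None:
        # Whole package sections: <pfblockerng>, <pfblockerngdnsbl>, <pfblockerngipv4>, ...
        _remove_where(pkgs, lambda e: PATTERN.search(e.tag) is not None,
                      lambda e: f"installedpackages/{e.tag}", removed)
        # The package registration entry itself
        _remove_where(pkgs, lambda e: e.tag == "package"
                      and PATTERN.search(e.findtext("name", "")) is not None,
                      lambda e: f"package {e.findtext('name')}", removed)

    cron = root.find("cron")
    if cron is not None:
        _remove_where(cron, lambda e: PATTERN.search(e.findtext("command", "")) is not None,
                      lambda e: f"cron {e.findtext('command')}", removed)

    aliases = root.find("aliases")
    if aliases is not None:
        _remove_where(aliases, lambda e: e.findtext("name", "").startswith(ALIAS_PREFIX),
                      lambda e: f"alias {e.findtext('name')}", removed)

    cleaned = ET.tostring(root, encoding="unicode")
    # Final check: anything still naming the package needs a look by hand
    leftovers = len(PATTERN.findall(cleaned))
    return cleaned, removed, leftovers


if __name__ == "__main__":
    cleaned_xml, items, left = clean_config(SAMPLE_CONFIG)
    for item in items:
        print("removed:", item)
    print("remaining pfblockerng mentions:", left)
```

Run it against a real backup by replacing SAMPLE_CONFIG with the file contents; if the reported count of remaining mentions is not zero, search the output for pfblockerng and decide case by case before restoring.
-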
@mcury thanks for the help, i am not seeing the php errors anymore. :)
-
Can I change the maximum memory consumption for php somewhere? Seems the 3100 has plenty of memory left for some more lists?
-
I sadly was wrong, just did not pay well enough attention (and probably was hoping it was fixed). I still see the errors every 15 minutes.
-
Unfortunately this is not directly a memory issue that could be solved like that as I understand it.
-
@nocling Is Snort fixed in this version?
-
@nokkief said in pfSense Plus and SG-3100:
I sadly was wrong, just did not pay well enough attention (and probably was hoping it was fixed). I still see the errors every 15 minutes.
Strange, I'm not getting those here.. More than a week running pfblocker, in several vlans..
15 minutes? Do you have a cron set to run every 15 minutes?
-
@biggy823 said in pfSense Plus and SG-3100:
@nocling Is Snort fixed in this version?
No. Snort and Suricata both are still victims of the PHP bug on ARM 32-bit hardware such as the SG-3100.
-
@mcury Not that I am aware of. Where can I see the cronjobs listed for the pfSense? crontab -l shows no cronjobs for root
cat of /etc/crontab shows
*/1 * * * * root /usr/sbin/newsyslog
-
@nokkief said in pfSense Plus and SG-3100:
@mcury Not that I am aware of. Where can I see the cronjobs listed for the pfSense? crontab -l shows no cronjobs for root
cat of /etc/crontab shows
*/1 * * * * root /usr/sbin/newsyslog
There is a package in package manager, cron.
Install cron and check what is running every 15 minutes. It will show all cron tasks.
Did you set pfblockerng to update the lists every 15 minutes?
-
@mcury No, once a day. I will install cron and see what it does
-
Looks like it's doing this
0,15,30,45 * * * * root /etc/rc.filter_configure_sync
-
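Checking which cron entries fire at the same cadence as the errors, as an added example that is not part of the thread or of pfSense: a small parser for the system crontab format (minute hour dom month dow user command) that expands the minute field and reports the jobs with a given interval. The sample crontab is constructed from the two lines quoted above plus an assumed daily pfBlockerNG entry (path is an assumption); on pfSense the same text comes from cat /etc/crontab, and the cron package shows the entries from config.xml.

```python
"""Find system-crontab jobs that run at a given minute interval.

Added example; the crontab text below is constructed from the lines quoted
in the thread, and the pfblockerng.php path is an assumption.
"""

SAMPLE_CRONTAB = """\
# /etc/crontab - root's crontab for FreeBSD
SHELL=/bin/sh
PATH=/etc:/bin:/sbin:/usr/bin:/usr/sbin
*/1 * * * * root /usr/sbin/newsyslog
0,15,30,45 * * * * root /etc/rc.filter_configure_sync
0 0 * * * root /usr/local/bin/php /usr/local/pkg/pfblockerng/pfblockerng.php cron
"""


def expand_field(field: str, lo: int, hi: int) -> set:
    """Expand one crontab field (*, */n, a-b, a-b/n, comma lists) into a set of ints."""
    values = set()
    for part in field.split(","):
        step = 1
        if "/" in part:
            part, step_text = part.split("/", 1)
            step = int(step_text)
        if part == "*":
            start, end = lo, hi
        elif "-" in part:
            a, b = part.split("-", 1)
            start, end = int(a), int(b)
        else:
            start = end = int(part)
            if step > 1:  # Vixie cron treats "5/10" as 5-hi with step 10
                end = hi
        values.update(range(start, end + 1, step))
    return values


def parse_system_crontab(text: str):
    """Return (minute_set, hour_field, user, command) for each job line."""
    jobs = []
    for line in text.splitlines():
        line = line.strip()
        # Skip blanks, comments and VAR=value environment lines
        if not line or line.startswith("#") or "=" in line.split()[0]:
            continue
        parts = line.split(None, 6)
        if len(parts) < 7:
            continue
        minute, hour, _dom, _month, _dow, user, command = parts
        jobs.append((expand_field(minute, 0, 59), hour, user, command))
    return jobs


def period_minutes(minute_set: set, hour_field: str):
    """Uniform interval in minutes for an every-hour job, or None if not evenly spaced."""
    if hour_field != "*" or not minute_set:
        return None
    mins = sorted(minute_set)
    if len(mins) == 1:
        return 60
    gaps = {b - a for a, b in zip(mins, mins[1:])}
    gaps.add(60 - mins[-1] + mins[0])  # wrap-around gap into the next hour
    return gaps.pop() if len(gaps) == 1 else None


def jobs_with_period(text: str, minutes: int):
    """Commands from the crontab that fire every `minutes` minutes."""
    return [cmd for mset, hour, _user, cmd in parse_system_crontab(text)
            if period_minutes(mset, hour) == minutes]


if __name__ == "__main__":
    for cmd in jobs_with_period(SAMPLE_CRONTAB, 15):
        print("every 15 minutes:", cmd)
```

With the sample input the only 15-minute job is /etc/rc.filter_configure_sync, which is what the thread goes on to discuss; the daily pfBlockerNG update does not match, consistent with the "once a day" setting mentioned earlier.
-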
@nokkief said in pfSense Plus and SG-3100:
Looks like it's doing this
0,15,30,45 * * * * root /etc/rc.filter_configure_sync
hm.. are you on 21.02 p2, right?
Because the problem with filter reload was happening only in 21.02 p1
-
@mcury Yeah, I am
21.02.2-RELEASE (arm)
built on Mon Apr 12 07:50:07 EDT 2021
FreeBSD 12.2-STABLE
The system is on the latest version.
Version information updated at Mon Apr 26 9:02:50 CEST 2021
-
@nokkief said in pfSense Plus and SG-3100:
@mcury Yeah, I am
21.02.2-RELEASE (arm)
built on Mon Apr 12 07:50:07 EDT 2021
FreeBSD 12.2-STABLE
The system is on the latest version.
Version information updated at Mon Apr 26 9:02:50 CEST 2021
hm, it is strange..
now I'm not sure if there is something particular about your setup that is triggering it, or if I'm not triggering it by luck and this bug is waiting to happen here, hidden..
Edit: Did you enable these options in DNS Resolver?
-
@mcury No, but I did enable the python module. But with or without is not making a difference.