Netgate Discussion Forum

    PfBlocker service not restarting after cron or manual update.

    Category: pfBlockerNG. 6 posts, 2 posters, 2.9k views.
    GBillR:

      Hi everyone. I've searched the forum and haven't been able to find a similar thread… hopefully this question hasn't been solved already. I've been using pfSense 2.3 for about a month now, and this is my first post. Please excuse my lack of knowledge  :).

      I've installed pfBlockerNG on my 2.3 installation. The service runs fine, and I'm only using some block lists that were recommended. It's been running okay for about a week now. I haven't configured DNSBL (I started to, but it slowed everything way down, so I turned it back off for now). I'll tackle that after I resolve this...

      My problem is this: When the cron job runs to update the block lists, it never restarts. I can replicate this by forcing a manual update as well. The logs that I've seen aren't very useful. The pfBlockerNG log is attached, and the error log and dnsbl log are empty.

      My system log is attached as well. No other logs seem to provide any relevant info.

      Any thoughts?
      Attachments: Capture.JPG, pfBlockernglog.txt
      BBcan177 (Moderator):

        @GBillR:

        > I haven't configured DNSBL (I started to, but it slowed everything way down, so I turned it back off for now).

        I answered this in this thread and also on reddit today. DNSBL is only slow if the LAN devices have incorrect DNS settings, or issues w/ Multi-Subnets:
        https://www.reddit.com/r/PFSENSE/comments/4jrnkw/pfblockerng_dns_traffic_not_sure_what_this_is/

        > My problem is this: When the cron job runs to update the block lists, it never restarts. I can replicate this by forcing a manual update as well. The logs that I've seen aren't very useful. The pfBlockerNG log is attached, and the error log and dnsbl log are empty.

        I am not following… What do you mean by "never restarts"?  The pfblockerng.log looks fine. Did you define the "Frequency" setting for each alias, so that it updates as per a specific Time?

        "Experience is something you don't get until just after you need it."

        Website: http://pfBlockerNG.com
        Twitter: @BBcan177  #pfBlockerNG
        Reddit: https://www.reddit.com/r/pfBlockerNG/new/

        GBillR:

          Thanks for replying BB. I was hoping you would.  :)

          > I am not following… What do you mean by "never restarts"?

          Maybe it is I who doesn't understand, but the dnsbl service (pfBlockerNG DNSBL Web Server) listed under "services status" does not restart… maybe since I am not using the DNSBL function of pfBlocker, this service shouldn't start? Without this service running, is pfBlocker (as I have it currently configured) still blocking the blacklisted IP addresses? When I manually start it, it runs without error until the next cron or manual update. If it's not needed in my current config, then there is no issue... Will I still see the blocking of blacklisted IPs without this service running?

          > Did you define the "Frequency" setting for each alias, so that it updates as per a specific Time?

          I have 2 aliases, both with an update frequency of daily. See attached screenprint. In my config file (config.xml), here are the 2 cron entries related to pfBlocker:

          <item>
            <minute>0</minute>
            <hour>19</hour>
            <mday>1,2,3,4,5,6,7</mday>
            <month>*</month>
            <wday>2</wday>
            <who>root</who>
            <command>/usr/local/bin/php /usr/local/www/pfblockerng/pfblockerng.php dc >> /var/log/pfblockerng/extras.log 2>&1</command>
          </item>
          <item>
            <minute>15</minute>
            <hour>0</hour>
            <mday>*</mday>
            <month>*</month>
            <wday>*</wday>
            <who>root</who>
            <command>/usr/local/bin/php /usr/local/www/pfblockerng/pfblockerng.php cron >> /var/log/pfblockerng/pfblockerng.log 2>&1</command>
          </item>


          > I answered this in this thread and also in reddit today. DNSBL is only slow if the LAN devices have incorrect DNS settings, or issues w/ Multi-Subnets

          I admit that I have not invested the time to troubleshoot DNSBL… however, my configuration doesn't seem too complex. I do have multiple subnets and VLANS setup. I am using unbound, and it is working. I have a NAT redirect rule on each VLAN interface to redirect all DNS queries back to the firewall, and I am not using the forwarder. I've attached my resolver settings tab.

          I do appreciate your help. Thank you for taking the time to reply.

          Attachments: DNS.JPG, pfBlocker.JPG
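
          To see exactly when the two cron entries above fire, here is an added example (it is not from the thread or from the pfBlockerNG package): a small Python evaluator for pfSense cron items. It assumes the `<cron><item>…</item></cron>` wrapper that pfSense uses around these fields in config.xml, drops the log redirections so the command's last word is the pfblockerng.php mode (`dc` or `cron`), and applies the day-matching rule from FreeBSD crontab(5): when both `mday` and `wday` are restricted, the job runs when either field matches. The `cron` entry therefore fires daily at 00:15, and the `dc` entry fires at 19:00 on days 1 to 7 of every month and additionally on every Tuesday.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta

# Constructed sample: the two pfBlockerNG entries quoted above, wrapped in the
# <cron>/<item> structure pfSense uses in config.xml (the wrapper is assumed;
# the log redirections were dropped so the command's last word is the mode).
CRON_XML = """<cron>
  <item>
    <minute>0</minute><hour>19</hour><mday>1,2,3,4,5,6,7</mday>
    <month>*</month><wday>2</wday><who>root</who>
    <command>/usr/local/bin/php /usr/local/www/pfblockerng/pfblockerng.php dc</command>
  </item>
  <item>
    <minute>15</minute><hour>0</hour><mday>*</mday>
    <month>*</month><wday>*</wday><who>root</who>
    <command>/usr/local/bin/php /usr/local/www/pfblockerng/pfblockerng.php cron</command>
  </item>
</cron>"""

FIELDS = ("minute", "hour", "mday", "month", "wday")


def field_matches(spec: str, value: int) -> bool:
    """Match one crontab field: '*', comma lists, 'a-b' ranges and '*/n' steps."""
    if spec == "*":
        return True
    for part in spec.split(","):
        if part.startswith("*/"):
            if value % int(part[2:]) == 0:
                return True
        elif "-" in part:
            lo, hi = (int(x) for x in part.split("-"))
            if lo <= value <= hi:
                return True
        elif int(part) == value:
            return True
    return False


def cron_fields(item: ET.Element) -> dict:
    """Extract the five schedule fields of one <item> as strings."""
    return {k: item.findtext(k) for k in FIELDS}


def entry_fires_at(f: dict, when: datetime) -> bool:
    """True if an item with schedule fields f runs at the given minute under crontab(5) rules."""
    cron_wday = (when.weekday() + 1) % 7          # crontab: 0 (or 7) is Sunday
    wday_ok = field_matches(f["wday"], cron_wday) or (
        cron_wday == 0 and field_matches(f["wday"], 7))
    mday_ok = field_matches(f["mday"], when.day)
    # crontab(5): if BOTH day fields are restricted, the job runs when EITHER matches.
    if f["mday"] != "*" and f["wday"] != "*":
        day_ok = mday_ok or wday_ok
    else:
        day_ok = mday_ok and wday_ok
    return (day_ok
            and field_matches(f["minute"], when.minute)
            and field_matches(f["hour"], when.hour)
            and field_matches(f["month"], when.month))


def fire_times(xml_text: str, start: datetime, end: datetime) -> dict:
    """Map each item's pfblockerng.php mode ('dc', 'cron') to its run times in [start, end)."""
    root = ET.fromstring(xml_text)
    runs = {}
    for item in root.findall("item"):
        mode = item.findtext("command").split()[-1]
        f = cron_fields(item)
        t = start.replace(second=0, microsecond=0)
        times = []
        while t < end:                             # walk minute by minute; exact, and fast enough for a month
            if entry_fires_at(f, t):
                times.append(t)
            t += timedelta(minutes=1)
        runs[mode] = times
    return runs


if __name__ == "__main__":
    for mode, times in fire_times(CRON_XML, datetime(2016, 5, 1), datetime(2016, 6, 1)).items():
        print(mode, len(times), "runs in May 2016, first:", times[0])
```

          Running it for May 2016 (the month of the log in this thread) gives 31 runs of the `cron` mode at 00:15 and 11 runs of the `dc` mode at 19:00: the 1st to the 7th plus the Tuesdays on the 10th, 17th, 24th and 31st. If the `dc` entry was meant to run only on the first Tuesday of the month, the OR behaviour is the thing to know about when reading extras.log.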
          BBcan177 (Moderator):

            If DNSBL is not enabled, then don't worry about the DNSBL service.

            When you do get back to re-enabling it, you can select the option in the "DNSBL" Tab to auto-create a floating permit rule that will allow the local LAN interfaces to hit the DNSBL VIP (you need to select the LAN interfaces there too). Ultimately, each LAN device should be able to ping and browse to the DNSBL VIP (1x1 pix). If that doesn't happen, then you need to figure out what is blocking the LAN from seeing the DNSBL VIP…

            For CRON, it looks like it will run at Midnight... So review the pfblockerng.log at that time, as the log will be different than what you have posted... If midnight hasn't occurred yet for you, then go to the Update tab before midnight and hit the "View" button and wait for the Cron to run... You will see the logs populate live. Otherwise review the logs from that time period to be able to get more info.

            GBillR:

              > If DNSBL is not enabled, then don't worry about the DNSBL service.

              So I can confirm that the floating pfBlocker firewall rules based on the downloaded IP lists (in my aliases) DO work even when the dnsbl service is not running. I probably should have realized that before asking my initial question.  :o

              > For CRON, It looks like it will run at Midnight… So review the pfblockerng.log at that time, as the log will be different than what you have posted

              My log output for the CRON update is shown below. The dnsbl service does not restart following this update. I assume that is because I have it disabled on the DNSBL Tab. Once I re-enable it I will report back as to whether or not the service restarts under those conditions.

               CRON  PROCESS  START [ 05/18/16 00:15:00 ]
              [ BT_Hijacked ]
                Remote timestamp: Tue, 17 May 2016 08:00:02 GMT
                Local  timestamp: Mon, 16 May 2016 07:50:01 GMT	Update found
              [ BT_dshield ]
                Remote timestamp: Tue, 17 May 2016 04:30:02 GMT
                Local  timestamp: Mon, 16 May 2016 04:20:06 GMT	Update found
              [ BT_forumspam ]
                Remote timestamp: Tue, 17 May 2016 14:40:45 GMT
                Local  timestamp: Mon, 16 May 2016 14:30:02 GMT	Update found
              [ BT_webexploit ]
                Remote timestamp: Tue, 17 May 2016 08:20:13 GMT
                Local  timestamp: Mon, 16 May 2016 08:10:01 GMT	Update found
              [ BT_Hijacked2 ]
              				( md5 changed )		Update found
              [ Spamhaus_DROP ]
                Remote timestamp: Wed, 18 May 2016 02:31:11 GMT
                Local  timestamp: Tue, 17 May 2016 02:30:02 GMT	Update found
              [ BT_spyware ]
                Remote timestamp: Tue, 17 May 2016 08:30:02 GMT
                Local  timestamp: Mon, 16 May 2016 08:20:05 GMT	Update found
              [ CI_malicious ]
                Remote timestamp: Tue, 17 May 2016 16:40:10 GMT
                Local  timestamp: Mon, 16 May 2016 16:30:02 GMT	Update found
              [ malc0de ]
                Remote timestamp: Tue, 17 May 2016 10:20:02 GMT
                Local  timestamp: Mon, 16 May 2016 10:10:02 GMT	Update found
              [ abuse_ZeuS ]
                Remote timestamp: Tue, 17 May 2016 07:30:02 GMT
                Local  timestamp: Mon, 16 May 2016 07:20:02 GMT	Update found
              [ abuse_SpyEye ]
                Remote timestamp: Tue, 17 May 2016 10:20:02 GMT
                Local  timestamp: Mon, 16 May 2016 10:10:02 GMT	Update found
              [ abuse_Palevo ]
                Remote timestamp: Tue, 17 May 2016 10:20:02 GMT
                Local  timestamp: Mon, 16 May 2016 10:10:02 GMT	Update found
              [ BT_badpeers ]
                Remote timestamp: Tue, 17 May 2016 15:10:38 GMT
                Local  timestamp: Mon, 16 May 2016 15:00:32 GMT	Update found
              [ Onion ]
                Remote timestamp: Tue, 17 May 2016 15:10:08 GMT
                Local  timestamp: Mon, 16 May 2016 15:00:04 GMT	Update found
              [ Blocked ]
                Remote timestamp: Tue, 15 Mar 2016 04:30:01 GMT
                Local  timestamp: Tue, 15 Mar 2016 04:30:01 GMT	Update not required
              [ Compromised ]
                Remote timestamp: Tue, 17 May 2016 16:54:33 GMT
                Local  timestamp: Tue, 15 Mar 2016 04:30:10 GMT	Update found
              [ ciarmy ]
                Remote timestamp: Wed, 18 May 2016 03:16:35 GMT
                Local  timestamp: Tue, 17 May 2016 03:16:50 GMT	Update found
               UPDATE PROCESS START [ 05/18/16 00:15:05 ]
              
              Clearing all DNSBL Feeds... Stop Service DNSBL
              
              ** DNSBL Disabled **
              
              ===[  Continent Process  ]============================================
              
              ===[  IPv4 Process  ]=================================================
              
              [ BT_Hijacked ]		 Downloading update [ 05/18/16 00:15:07 ] .. 200 OK.. completed ..
                ------------------------------
                Original Master     Final     
                ------------------------------
                495      685        532         [  ==> FAILED <==  ]
                -----------------------------------------------------------------
              
              [ BT_dshield ]		 Downloading update [ 05/18/16 00:15:08 ] .. 200 OK.. completed ..
                ------------------------------
                Original Master     Final     
                ------------------------------
                40       40         40          [ Pass ] 
                -----------------------------------------------------------------
              
              [ BT_forumspam ]	 Downloading update  .. 200 OK.. completed ..
                ------------------------------
                Original Master     Final     
                ------------------------------
                461      479        479         [ Pass ] 
                -----------------------------------------------------------------
              
              [ BT_webexploit ]	 Downloading update [ 05/18/16 00:15:09 ] .. 200 OK.. completed ..
                ------------------------------
                Original Master     Final     
                ------------------------------
                2177     1480       1480        [ Pass ] 
                -----------------------------------------------------------------
              
              [ BT_Hijacked2 ]	 Downloading update [ 05/18/16 00:15:10 ] .. 200 OK.. completed ..
                ------------------------------
                Original Master     Final     
                ------------------------------
                562      152        152         [ Pass ] 
                -----------------------------------------------------------------
              
              [ Spamhaus_DROP ]	 Downloading update  .. 200 OK.. completed ..
                ------------------------------
                Original Master     Final     
                ------------------------------
                799      343        343         [ Pass ] 
                -----------------------------------------------------------------
              
              [ BT_spyware ]		 Downloading update [ 05/18/16 00:15:11 ] .. 200 OK.. completed ..
                ------------------------------
                Original Master     Final     
                ------------------------------
                3305     3604       3604        [ Pass ] 
                -----------------------------------------------------------------
              
              [ CI_malicious ]	 Downloading update [ 05/18/16 00:15:12 ] .. 200 OK.. completed ..
                ------------------------------
                Original Master     Final     
                ------------------------------
                921      811        811         [ Pass ] 
                -----------------------------------------------------------------
              
              [ malc0de ]		 Downloading update  .. 200 OK.. completed ..
                ------------------------------
                Original Master     Final     
                ------------------------------
                123      123        123         [ Pass ] 
                -----------------------------------------------------------------
              
              [ abuse_ZeuS ]		 Downloading update [ 05/18/16 00:15:13 ] .. 200 OK.. completed ..
                ------------------------------
                Original Master     Final     
                ------------------------------
                212      194        194         [ Pass ] 
                -----------------------------------------------------------------
              
              [ abuse_SpyEye ]	 Downloading update  .. 200 OK.. completed ..
                ------------------------------
                Original Master     Final     
                ------------------------------
                84       79         79          [ Pass ] 
                -----------------------------------------------------------------
              
              [ abuse_Palevo ]	 Downloading update [ 05/18/16 00:15:14 ] .. 200 OK.. completed ..
                ------------------------------
                Original Master     Final     
                ------------------------------
                12       11         11          [ Pass ] 
                -----------------------------------------------------------------
              
              [ BT_badpeers ]		 Downloading update [ 05/18/16 00:15:15 ] .. 200 OK.. completed ..
                ------------------------------
                Original Master     Final     
                ------------------------------
                48237    48768      48768       [ Pass ] 
                -----------------------------------------------------------------
              
              [ Onion ]		 Downloading update [ 05/18/16 00:15:23 ] .. 200 OK.. completed ..
                ------------------------------
                Original Master     Final     
                ------------------------------
                6798     6759       6759        [ Pass ] 
                -----------------------------------------------------------------
              
              [ Blocked ]		 exists. [ 05/18/16 00:15:25 ]
              [ Compromised ]		 Downloading update  .. 200 OK. completed ..
                ------------------------------
                Original Master     Final     
                ------------------------------
                1102     1081       1081        [ Pass ] 
                -----------------------------------------------------------------
              
              [ ciarmy ]		 Downloading update  .. 200 OK. completed ..
                ------------------------------
                Original Master     Final     
                ------------------------------
                886      216        216         [ Pass ] 
                -----------------------------------------------------------------
              
              ===[  IPv6 Process  ]=================================================
              
              ===[ Suppression Stats ]===================================
              
              List                 Pre        Suppress   Master    
              -----------------------------------------------------------
              BT_Hijacked          532        532        65323     
              BT_dshield           40         40         65323     
              BT_forumspam         479        479        65323     
              BT_webexploit        1480       1480       65323     
              BT_Hijacked2         152        152        65323     
              Spamhaus_DROP        343        343        65323     
              BT_spyware           3604       3604       65323     
              CI_malicious         811        811        65323     
              malc0de              123        123        65323     
              abuse_ZeuS           194        194        65323     
              abuse_SpyEye         79         79         65323     
              abuse_Palevo         11         11         65323     
              BT_badpeers          48768      48768      65323     
              Onion                6759       6759       65323     
              Blocked              611        611        65323     
              Compromised          1081       1081       65323     
              ciarmy               216        216        65323     
              
              ===[  Aliastables / Rules  ]==========================================
              
              No changes to Firewall rules, skipping Filter Reload
              
               Updating: pfB_Badguys
              482 addresses added.644 addresses deleted.
               Updating: pfB_ET
              1171 addresses added.1155 addresses deleted.
              
              ===[  Kill States  ]==================================================
              
               No matching states found
              ======================================================================
              
              ===[ FINAL Processing ]=====================================
              
                 [ Original IP count   ]  [ 67716 ]
              
                 [ Final IP Count  ]  [ 65323 ]
              
              ===[ Deny List IP Counts ]===========================
              
                 65283 total
                 48768 /var/db/pfblockerng/deny/BT_badpeers.txt
                  6759 /var/db/pfblockerng/deny/Onion.txt
                  3604 /var/db/pfblockerng/deny/BT_spyware.txt
                  1480 /var/db/pfblockerng/deny/BT_webexploit.txt
                  1081 /var/db/pfblockerng/deny/Compromised.txt
                   811 /var/db/pfblockerng/deny/CI_malicious.txt
                   611 /var/db/pfblockerng/deny/Blocked.txt
                   532 /var/db/pfblockerng/deny/BT_Hijacked.txt
                   479 /var/db/pfblockerng/deny/BT_forumspam.txt
                   343 /var/db/pfblockerng/deny/Spamhaus_DROP.txt
                   216 /var/db/pfblockerng/deny/ciarmy.txt
                   194 /var/db/pfblockerng/deny/abuse_ZeuS.txt
                   152 /var/db/pfblockerng/deny/BT_Hijacked2.txt
                   123 /var/db/pfblockerng/deny/malc0de.txt
                    79 /var/db/pfblockerng/deny/abuse_SpyEye.txt
                    40 /var/db/pfblockerng/deny/BT_dshield.txt
                    11 /var/db/pfblockerng/deny/abuse_Palevo.txt
              
              ====================[ Last Updated List Summary ]==============
              
              Mar 15	00:30	Blocked
              May 17	00:30	BT_dshield
              May 17	03:30	abuse_ZeuS
              May 17	04:00	BT_Hijacked
              May 17	04:20	BT_webexploit
              May 17	04:30	BT_spyware
              May 17	06:20	malc0de
              May 17	06:20	abuse_SpyEye
              May 17	06:20	abuse_Palevo
              May 17	10:40	BT_forumspam
              May 17	11:10	Onion
              May 17	11:10	BT_badpeers
              May 17	12:40	CI_malicious
              May 17	12:54	Compromised
              May 17	19:15	BT_Hijacked2
              May 17	22:31	Spamhaus_DROP
              May 17	23:16	ciarmy
              ===============================================================
              
              Database Sanity check [  PASSED  ]
              ------------------------
              Masterfile/Deny folder uniq check
              Deny folder/Masterfile uniq check
              
              Sync check (Pass=No IPs reported)
              ----------
              
              IPv4 alias tables IP count
              -----------------------------
              65283
              
              IPv6 alias tables IP count
              -----------------------------
              0
              
              Alias table IP Counts
              -----------------------------
                 65283 total
                 63375 /var/db/aliastables/pfB_Badguys.txt
                  1908 /var/db/aliastables/pfB_ET.txt
              
              pfSense Table Stats
              -------------------
              table-entries hard limit  2000000
              Table Usage Count         69137
              
               UPDATE PROCESS ENDED [ 05/18/16 00:15:30 ]
              
              

              > you can select the option in the "DNSBL" Tab to auto-create a floating permit rule that will allow the local LAN interfaces to hit the DNSBL VIP

              I will attempt to get this running over the next day or two. Should I also select the "loopback" interface listed at the bottom of the interface list? See below screen prints. Also, I currently have rules at the top of all my interfaces to redirect all NTP and DNS back to the firewall (as seen in below screen print)… will I, or should I, change those rules once I enable DNSBL? In case it isn't obvious, the first two rules are there to suppress log entries, as described in this post: https://forum.pfsense.org/index.php?topic=107115.msg596677#msg596677

              Thank you again!

              Attachments: DNSBL Tab.JPG, Rules.JPG
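
              The thread reads pfblockerng.log by eye, and the run above contains one line worth catching that nobody remarks on: BT_Hijacked ends with `[ ==> FAILED <== ]` while every other list passes. Here is an added example (not part of the thread or of the pfBlockerNG package) that parses the per-list result blocks of a cron run and reports what a practitioner would want to alert on before trusting the refreshed tables: lists marked FAILED, lists whose Master and Final counts disagree, lists served from the local copy (`exists.`), and the Database Sanity check result. The log embedded in it is a constructed, abridged copy of the IPv4 section above; the Master/Final mismatch check is an observation from this log (every Pass has Master equal to Final, the FAILED list does not), not a documented pfBlockerNG rule.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample: an abridged copy of the IPv4 section of the cron run
# above (four lists kept, column layout preserved as pfBlockerNG prints it).
SAMPLE_LOG = """\
===[  IPv4 Process  ]=================================================

[ BT_Hijacked ]\t\t Downloading update [ 05/18/16 00:15:07 ] .. 200 OK.. completed ..
  ------------------------------
  Original Master     Final     
  ------------------------------
  495      685        532         [  ==> FAILED <==  ]
  -----------------------------------------------------------------

[ BT_dshield ]\t\t Downloading update [ 05/18/16 00:15:08 ] .. 200 OK.. completed ..
  ------------------------------
  Original Master     Final     
  ------------------------------
  40       40         40          [ Pass ] 
  -----------------------------------------------------------------

[ Blocked ]\t\t exists. [ 05/18/16 00:15:25 ]
[ Compromised ]\t\t Downloading update  .. 200 OK. completed ..
  ------------------------------
  Original Master     Final     
  ------------------------------
  1102     1081       1081        [ Pass ] 
  -----------------------------------------------------------------

Database Sanity check [  PASSED  ]
"""

# "[ name ]  Downloading update ..." or "[ name ]  exists. ..." opens a list block.
HEADER_RE = re.compile(r"^\[ (?P<name>[^\]]+?) \]\s+(?P<action>Downloading update|exists\.)")
# "  495      685        532         [  ==> FAILED <==  ]"  /  "  40  40  40  [ Pass ]"
COUNTS_RE = re.compile(
    r"^\s*(?P<orig>\d+)\s+(?P<master>\d+)\s+(?P<final>\d+)\s+\[\s*(?:==>\s*)?(?P<status>FAILED|Pass)")
SANITY_RE = re.compile(r"^Database Sanity check \[\s*(?P<result>PASSED|FAILED)\s*\]")


@dataclass
class ListResult:
    name: str
    status: str                     # "Pass", "FAILED", or "cached" (feed not re-downloaded)
    original: Optional[int] = None  # lines in the downloaded feed
    master: Optional[int] = None    # entries after pfBlockerNG's parsing/dedup
    final: Optional[int] = None     # entries written to the deny file


def parse_log(text: str) -> Tuple[List[ListResult], Optional[bool]]:
    """Return per-list results and the Database Sanity check outcome (None if absent)."""
    results: List[ListResult] = []
    sanity: Optional[bool] = None
    current: Optional[ListResult] = None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            current = ListResult(m["name"], "cached" if m["action"] == "exists." else "pending")
            results.append(current)
            continue
        m = COUNTS_RE.match(line)
        if m and current is not None:
            current.original, current.master, current.final = (
                int(m["orig"]), int(m["master"]), int(m["final"]))
            current.status = m["status"]
            continue
        m = SANITY_RE.match(line)
        if m:
            sanity = m["result"] == "PASSED"
    return results, sanity


def review(text: str) -> dict:
    """Summarise one cron run: the things to alert on before trusting the new tables."""
    results, sanity = parse_log(text)
    return {
        "lists": len(results),
        "failed": [r.name for r in results if r.status == "FAILED"],
        # Observed in this log: every Pass has Master == Final; the FAILED list does not.
        "master_final_mismatch": [r.name for r in results
                                  if r.master is not None and r.master != r.final],
        "cached": [r.name for r in results if r.status == "cached"],
        "sanity_passed": sanity,
        "final_total": sum(r.final for r in results if r.final is not None),
    }


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    print(review(text))
```

              Run it against /var/log/pfblockerng/pfblockerng.log (the file the `cron` entry above appends to) after the 00:15 run; a non-empty `failed` list or `sanity_passed` of False is the condition to alert on, since a feed that fails to process leaves the previous deny file in place rather than the update you expected.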
              GBillR:

                > Once I re-enable it I will report back as to whether or not the service restarts under those conditions.

                So I got around to enabling DNSBL, and I think I have it working.  ;D  The DNSBL service does indeed remain running now after a CRON or forced update. I did have to add a rule to pass traffic to the DNSBL VIP as you instructed… THANK YOU for that.

                I do have a question: what should I see in my browser if I navigate to the VIP? All I see is a blank page, but the title bar tells me it is resolved... is that normal? See attached.

                I would like you to take a look at a sample of the top of my firewall rules (I am a default block guy), and tell me if you see any issues. I wasn't sure about my NAT redirect for DNS (as I asked above), so I left it.

                I also have one VLAN interface where I have the NAT redirect pointing to opendns (my kid's clients), and that seems to still work as well. I am very happy with the adblocking that I see now, and I will be adding to the DNSBL lists as you discussed here: https://forum.pfsense.org/index.php?topic=102470.msg573159#msg573159

                Please review the attached sample rule set and let me know if you see any problems with the DNS redirect or otherwise.

                Thank you so much for your work on this package, and for your help!

                -Bill

                Attachments: 1x1.JPG, Rules2.JPG
                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.