PfBlocker service not restarting after cron or manual update.



  • Hi everyone. I've searched the forum and haven't been able to find a similar thread… hopefully this question hasn't been solved already. I've been using pfSense 2.3 for about a month now, and this is my first post. Please excuse my lack of knowledge  :).

    I've installed pfBlockerNG on my 2.3 installation. The service runs fine, and I'm only using some block lists that were recommended. It's been running okay for about a week now. I haven't configured DNSBL (I started to, but it slowed everything way down, so I turned it back off for now). I'll tackle that after I resolve this...

    My problem is this: When the cron job runs to update the block lists, it never restarts. I can replicate this by forcing a manual update as well. The logs that I've seen aren't very useful. The pfBlockerNG log is attached, and the error log and dnsbl log are empty.

    My system log is attached as well. No other logs seem to provide any relevant info.

    Any thoughts?


    pfBlockernglog.txt


  • Moderator

    @GBillR:

    I haven't configured DNSBL (I started to, but it slowed everything way down, so I turned it back off for now).

    I answered this in this thread and also in reddit today. DNSBL is only slow if the LAN devices have incorrect DNS settings, or issues w/ Multi-Subnets:
    https://www.reddit.com/r/PFSENSE/comments/4jrnkw/pfblockerng_dns_traffic_not_sure_what_this_is/

    My problem is this: When the cron job runs to update the block lists, it never restarts. I can replicate this by forcing a manual update as well. The logs that I've seen aren't very useful. The pfBlockerNG log is attached, and the error log and dnsbl log are empty.

    I am not following… What do you mean by "never restarts"?  The pfblockerng.log looks fine. Did you define the "Frequency" setting for each alias, so that it updates as per a specific Time?



  • Thanks for replying BB. I was hoping you would.  :)

    I am not following… What do you mean by "never restarts"?

    Maybe it is I who doesn't understand, but the dnsbl service (pfBlockerNG DNSBL Web Server) listed under "services status" does not restart… maybe since I am not using the DNSBL function of pfBlocker, this service shouldn't start? Without this service running, is pfBlocker (as I have it currently configured) still blocking the blacklisted IP addresses? When I manually start it, it runs without error until the next cron or manual update. If it's not needed in my current config, then there is no issue... Will I still see the blocking of blacklisted IPs without this service running?

    Did you define the "Frequency" setting for each alias, so that it updates as per a specific Time?

    I have 2 aliases, both with an update frequency of daily. See the attached screen print. In my config file (config.xml), here are the 2 cron entries related to pfBlocker:

        <minute>0</minute>
        <hour>19</hour>
        <mday>1,2,3,4,5,6,7</mday>
        <month>*</month>
        <wday>2</wday>
        <who>root</who>
        <command>/usr/local/bin/php /usr/local/www/pfblockerng/pfblockerng.php dc >> /var/log/pfblockerng/extras.log 2>&1</command>

        <minute>15</minute>
        <hour>0</hour>
        <mday>*</mday>
        <month>*</month>
        <wday>*</wday>
        <who>root</who>
        <command>/usr/local/bin/php /usr/local/www/pfblockerng/pfblockerng.php cron >> /var/log/pfblockerng/pfblockerng.log 2>&1</command>
    

    I answered this in this thread and also in reddit today. DNSBL is only slow if the LAN devices have incorrect DNS settings, or issues w/ Multi-Subnets

    I admit that I have not invested the time to troubleshoot DNSBL… however, my configuration doesn't seem too complex. I do have multiple subnets and VLANs set up. I am using unbound, and it is working. I have a NAT redirect rule on each VLAN interface to redirect all DNS queries back to the firewall, and I am not using the forwarder. I've attached my resolver settings tab.

    I do appreciate your help. Thank you for taking the time to reply.





  • Moderator

    If DNSBL is not enabled, then don't worry about the DNSBL service.

    When you do get back to re-enabling it, you can select the option in the "DNSBL" Tab to auto-create a floating permit rule that will allow the local LAN interfaces to hit the DNSBL VIP (you need to select the LAN interfaces there too). Ultimately, each LAN device should be able to ping and browse to the DNSBL VIP (1x1 pix). If that doesn't happen, then you need to figure out what is blocking the LAN from seeing the DNSBL VIP…

    For CRON, it looks like it will run at Midnight... So review the pfblockerng.log at that time, as the log will be different than what you have posted... If midnight hasn't occurred yet for you, then go to the Update tab before midnight and hit the "View" button and wait for the Cron to run... You will see the logs populate live. Otherwise review the logs from that time period to be able to get more info.



  • If DNSBL is not enabled, then don't worry about the DNSBL service.

    So I can confirm that the floating pfBlocker firewall rules based on the downloaded IP lists (in my aliases) DO work even when the dnsbl service is not running. I probably should have realized that before asking my initial question.  :o

    For CRON, It looks like it will run at Midnight… So review the pfblockerng.log at that time, as the log will be different than what you have posted

    My log output for the CRON update is shown below. The dnsbl service does not restart following this update. I assume that is because I have it disabled on the DNSBL Tab. Once I re-enable it I will report back as to whether or not the service restarts under those conditions.

     CRON  PROCESS  START [ 05/18/16 00:15:00 ]
    [ BT_Hijacked ]
      Remote timestamp: Tue, 17 May 2016 08:00:02 GMT
      Local  timestamp: Mon, 16 May 2016 07:50:01 GMT	Update found
    [ BT_dshield ]
      Remote timestamp: Tue, 17 May 2016 04:30:02 GMT
      Local  timestamp: Mon, 16 May 2016 04:20:06 GMT	Update found
    [ BT_forumspam ]
      Remote timestamp: Tue, 17 May 2016 14:40:45 GMT
      Local  timestamp: Mon, 16 May 2016 14:30:02 GMT	Update found
    [ BT_webexploit ]
      Remote timestamp: Tue, 17 May 2016 08:20:13 GMT
      Local  timestamp: Mon, 16 May 2016 08:10:01 GMT	Update found
    [ BT_Hijacked2 ]
    				( md5 changed )		Update found
    [ Spamhaus_DROP ]
      Remote timestamp: Wed, 18 May 2016 02:31:11 GMT
      Local  timestamp: Tue, 17 May 2016 02:30:02 GMT	Update found
    [ BT_spyware ]
      Remote timestamp: Tue, 17 May 2016 08:30:02 GMT
      Local  timestamp: Mon, 16 May 2016 08:20:05 GMT	Update found
    [ CI_malicious ]
      Remote timestamp: Tue, 17 May 2016 16:40:10 GMT
      Local  timestamp: Mon, 16 May 2016 16:30:02 GMT	Update found
    [ malc0de ]
      Remote timestamp: Tue, 17 May 2016 10:20:02 GMT
      Local  timestamp: Mon, 16 May 2016 10:10:02 GMT	Update found
    [ abuse_ZeuS ]
      Remote timestamp: Tue, 17 May 2016 07:30:02 GMT
      Local  timestamp: Mon, 16 May 2016 07:20:02 GMT	Update found
    [ abuse_SpyEye ]
      Remote timestamp: Tue, 17 May 2016 10:20:02 GMT
      Local  timestamp: Mon, 16 May 2016 10:10:02 GMT	Update found
    [ abuse_Palevo ]
      Remote timestamp: Tue, 17 May 2016 10:20:02 GMT
      Local  timestamp: Mon, 16 May 2016 10:10:02 GMT	Update found
    [ BT_badpeers ]
      Remote timestamp: Tue, 17 May 2016 15:10:38 GMT
      Local  timestamp: Mon, 16 May 2016 15:00:32 GMT	Update found
    [ Onion ]
      Remote timestamp: Tue, 17 May 2016 15:10:08 GMT
      Local  timestamp: Mon, 16 May 2016 15:00:04 GMT	Update found
    [ Blocked ]
      Remote timestamp: Tue, 15 Mar 2016 04:30:01 GMT
      Local  timestamp: Tue, 15 Mar 2016 04:30:01 GMT	Update not required
    [ Compromised ]
      Remote timestamp: Tue, 17 May 2016 16:54:33 GMT
      Local  timestamp: Tue, 15 Mar 2016 04:30:10 GMT	Update found
    [ ciarmy ]
      Remote timestamp: Wed, 18 May 2016 03:16:35 GMT
      Local  timestamp: Tue, 17 May 2016 03:16:50 GMT	Update found
     UPDATE PROCESS START [ 05/18/16 00:15:05 ]
    
    Clearing all DNSBL Feeds... Stop Service DNSBL
    
    ** DNSBL Disabled **
    
    ===[  Continent Process  ]============================================
    
    ===[  IPv4 Process  ]=================================================
    
    [ BT_Hijacked ]		 Downloading update [ 05/18/16 00:15:07 ] .. 200 OK.. completed ..
      ------------------------------
      Original Master     Final     
      ------------------------------
      495      685        532         [  ==> FAILED <==  ]
      -----------------------------------------------------------------
    
    [ BT_dshield ]		 Downloading update [ 05/18/16 00:15:08 ] .. 200 OK.. completed ..
      ------------------------------
      Original Master     Final     
      ------------------------------
      40       40         40          [ Pass ] 
      -----------------------------------------------------------------
    
    [ BT_forumspam ]	 Downloading update  .. 200 OK.. completed ..
      ------------------------------
      Original Master     Final     
      ------------------------------
      461      479        479         [ Pass ] 
      -----------------------------------------------------------------
    
    [ BT_webexploit ]	 Downloading update [ 05/18/16 00:15:09 ] .. 200 OK.. completed ..
      ------------------------------
      Original Master     Final     
      ------------------------------
      2177     1480       1480        [ Pass ] 
      -----------------------------------------------------------------
    
    [ BT_Hijacked2 ]	 Downloading update [ 05/18/16 00:15:10 ] .. 200 OK.. completed ..
      ------------------------------
      Original Master     Final     
      ------------------------------
      562      152        152         [ Pass ] 
      -----------------------------------------------------------------
    
    [ Spamhaus_DROP ]	 Downloading update  .. 200 OK.. completed ..
      ------------------------------
      Original Master     Final     
      ------------------------------
      799      343        343         [ Pass ] 
      -----------------------------------------------------------------
    
    [ BT_spyware ]		 Downloading update [ 05/18/16 00:15:11 ] .. 200 OK.. completed ..
      ------------------------------
      Original Master     Final     
      ------------------------------
      3305     3604       3604        [ Pass ] 
      -----------------------------------------------------------------
    
    [ CI_malicious ]	 Downloading update [ 05/18/16 00:15:12 ] .. 200 OK.. completed ..
      ------------------------------
      Original Master     Final     
      ------------------------------
      921      811        811         [ Pass ] 
      -----------------------------------------------------------------
    
    [ malc0de ]		 Downloading update  .. 200 OK.. completed ..
      ------------------------------
      Original Master     Final     
      ------------------------------
      123      123        123         [ Pass ] 
      -----------------------------------------------------------------
    
    [ abuse_ZeuS ]		 Downloading update [ 05/18/16 00:15:13 ] .. 200 OK.. completed ..
      ------------------------------
      Original Master     Final     
      ------------------------------
      212      194        194         [ Pass ] 
      -----------------------------------------------------------------
    
    [ abuse_SpyEye ]	 Downloading update  .. 200 OK.. completed ..
      ------------------------------
      Original Master     Final     
      ------------------------------
      84       79         79          [ Pass ] 
      -----------------------------------------------------------------
    
    [ abuse_Palevo ]	 Downloading update [ 05/18/16 00:15:14 ] .. 200 OK.. completed ..
      ------------------------------
      Original Master     Final     
      ------------------------------
      12       11         11          [ Pass ] 
      -----------------------------------------------------------------
    
    [ BT_badpeers ]		 Downloading update [ 05/18/16 00:15:15 ] .. 200 OK.. completed ..
      ------------------------------
      Original Master     Final     
      ------------------------------
      48237    48768      48768       [ Pass ] 
      -----------------------------------------------------------------
    
    [ Onion ]		 Downloading update [ 05/18/16 00:15:23 ] .. 200 OK.. completed ..
      ------------------------------
      Original Master     Final     
      ------------------------------
      6798     6759       6759        [ Pass ] 
      -----------------------------------------------------------------
    
    [ Blocked ]		 exists. [ 05/18/16 00:15:25 ]
    [ Compromised ]		 Downloading update  .. 200 OK. completed ..
      ------------------------------
      Original Master     Final     
      ------------------------------
      1102     1081       1081        [ Pass ] 
      -----------------------------------------------------------------
    
    [ ciarmy ]		 Downloading update  .. 200 OK. completed ..
      ------------------------------
      Original Master     Final     
      ------------------------------
      886      216        216         [ Pass ] 
      -----------------------------------------------------------------
    
    ===[  IPv6 Process  ]=================================================
    
    ===[ Suppression Stats ]===================================
    
    List                 Pre        Suppress   Master    
    -----------------------------------------------------------
    BT_Hijacked          532        532        65323     
    BT_dshield           40         40         65323     
    BT_forumspam         479        479        65323     
    BT_webexploit        1480       1480       65323     
    BT_Hijacked2         152        152        65323     
    Spamhaus_DROP        343        343        65323     
    BT_spyware           3604       3604       65323     
    CI_malicious         811        811        65323     
    malc0de              123        123        65323     
    abuse_ZeuS           194        194        65323     
    abuse_SpyEye         79         79         65323     
    abuse_Palevo         11         11         65323     
    BT_badpeers          48768      48768      65323     
    Onion                6759       6759       65323     
    Blocked              611        611        65323     
    Compromised          1081       1081       65323     
    ciarmy               216        216        65323     
    
    ===[  Aliastables / Rules  ]==========================================
    
    No changes to Firewall rules, skipping Filter Reload
    
     Updating: pfB_Badguys
    482 addresses added.644 addresses deleted.
     Updating: pfB_ET
    1171 addresses added.1155 addresses deleted.
    
    ===[  Kill States  ]==================================================
    
     No matching states found
    ======================================================================
    
    ===[ FINAL Processing ]=====================================
    
       [ Original IP count   ]  [ 67716 ]
    
       [ Final IP Count  ]  [ 65323 ]
    
    ===[ Deny List IP Counts ]===========================
    
       65283 total
       48768 /var/db/pfblockerng/deny/BT_badpeers.txt
        6759 /var/db/pfblockerng/deny/Onion.txt
        3604 /var/db/pfblockerng/deny/BT_spyware.txt
        1480 /var/db/pfblockerng/deny/BT_webexploit.txt
        1081 /var/db/pfblockerng/deny/Compromised.txt
         811 /var/db/pfblockerng/deny/CI_malicious.txt
         611 /var/db/pfblockerng/deny/Blocked.txt
         532 /var/db/pfblockerng/deny/BT_Hijacked.txt
         479 /var/db/pfblockerng/deny/BT_forumspam.txt
         343 /var/db/pfblockerng/deny/Spamhaus_DROP.txt
         216 /var/db/pfblockerng/deny/ciarmy.txt
         194 /var/db/pfblockerng/deny/abuse_ZeuS.txt
         152 /var/db/pfblockerng/deny/BT_Hijacked2.txt
         123 /var/db/pfblockerng/deny/malc0de.txt
          79 /var/db/pfblockerng/deny/abuse_SpyEye.txt
          40 /var/db/pfblockerng/deny/BT_dshield.txt
          11 /var/db/pfblockerng/deny/abuse_Palevo.txt
    
    ====================[ Last Updated List Summary ]==============
    
    Mar 15	00:30	Blocked
    May 17	00:30	BT_dshield
    May 17	03:30	abuse_ZeuS
    May 17	04:00	BT_Hijacked
    May 17	04:20	BT_webexploit
    May 17	04:30	BT_spyware
    May 17	06:20	malc0de
    May 17	06:20	abuse_SpyEye
    May 17	06:20	abuse_Palevo
    May 17	10:40	BT_forumspam
    May 17	11:10	Onion
    May 17	11:10	BT_badpeers
    May 17	12:40	CI_malicious
    May 17	12:54	Compromised
    May 17	19:15	BT_Hijacked2
    May 17	22:31	Spamhaus_DROP
    May 17	23:16	ciarmy
    ===============================================================
    
    Database Sanity check [  PASSED  ]
    ------------------------
    Masterfile/Deny folder uniq check
    Deny folder/Masterfile uniq check
    
    Sync check (Pass=No IPs reported)
    ----------
    
    IPv4 alias tables IP count
    -----------------------------
    65283
    
    IPv6 alias tables IP count
    -----------------------------
    0
    
    Alias table IP Counts
    -----------------------------
       65283 total
       63375 /var/db/aliastables/pfB_Badguys.txt
        1908 /var/db/aliastables/pfB_ET.txt
    
    pfSense Table Stats
    -------------------
    table-entries hard limit  2000000
    Table Usage Count         69137
    
     UPDATE PROCESS ENDED [ 05/18/16 00:15:30 ]
    
    

    you can select the option in the "DNSBL" Tab to auto-create a floating permit rule that will allow the local LAN interfaces to hit the DNSBL VIP

    I will attempt to get this running over the next day or two. Should I also select the "loopback" interface listed at the bottom of the interface list? See the screen prints below. Also, I currently have rules at the top of all my interfaces to redirect all NTP and DNS back to the firewall (as seen in the screen print below)… will I, or should I, change those rules once I enable DNSBL? In case it isn't obvious, the first two rules are there to suppress log entries, as described in this post: https://forum.pfsense.org/index.php?topic=107115.msg596677#msg596677

    Thank you again!

    ![DNSBL Tab.JPG](/public/imported_attachments/1/DNSBL Tab.JPG)
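The CRON log posted above shows every feed as `[ Pass ]` except BT_Hijacked, which is marked `[ ==> FAILED <== ]` yet never gets mentioned. The parser below is an added example, not code from the thread or from the pfBlockerNG package; it assumes the per-feed layout shown in that log (a `[ name ]` header line followed by an Original/Master/Final count line with a bracketed status) and runs over a constructed excerpt of it, so the same function could be pointed at /var/log/pfblockerng/pfblockerng.log from a wrapper script that alerts on feeds that did not pass.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed excerpt, copied in shape from the pfblockerng.log posted in the thread.
SAMPLE_LOG = """\
===[  IPv4 Process  ]=================================================

[ BT_Hijacked ]		 Downloading update [ 05/18/16 00:15:07 ] .. 200 OK.. completed ..
  ------------------------------
  Original Master     Final     
  ------------------------------
  495      685        532         [  ==> FAILED <==  ]
  -----------------------------------------------------------------

[ BT_dshield ]		 Downloading update [ 05/18/16 00:15:08 ] .. 200 OK.. completed ..
  ------------------------------
  Original Master     Final     
  ------------------------------
  40       40         40          [ Pass ] 
  -----------------------------------------------------------------

[ Blocked ]		 exists. [ 05/18/16 00:15:25 ]
===[  IPv6 Process  ]=================================================
"""

# "[ name ]" header: either a fresh download or "exists." (feed not re-fetched)
HEADER_RE = re.compile(r"^\[ (?P<name>\S+) \]\s+(?P<action>Downloading update|exists\.)")
# Count line: Original, Master, Final, then the bracketed status (Pass / ==> FAILED <==)
COUNTS_RE = re.compile(
    r"^\s*(?P<orig>\d+)\s+(?P<master>\d+)\s+(?P<final>\d+)\s+\[\s*(?P<status>[^\]]+?)\s*\]"
)

@dataclass
class FeedResult:
    name: str
    original: Optional[int]
    master: Optional[int]
    final: Optional[int]
    status: str  # "Pass", "==> FAILED <==", or "exists" when the feed was not re-downloaded

def parse_update_log(text: str) -> List[FeedResult]:
    """Walk the IPv4/IPv6 process section and collect one result per feed."""
    results: List[FeedResult] = []
    current: Optional[FeedResult] = None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            if current is not None:
                results.append(current)
            status = "exists" if m.group("action").startswith("exists") else "downloading"
            current = FeedResult(m.group("name"), None, None, None, status)
            continue
        m = COUNTS_RE.match(line)
        if m and current is not None:
            current.original = int(m.group("orig"))
            current.master = int(m.group("master"))
            current.final = int(m.group("final"))
            current.status = m.group("status")
    if current is not None:
        results.append(current)
    return results

def failed_feeds(results: List[FeedResult]) -> List[str]:
    """Names of feeds whose update ran but did not end in Pass."""
    return [r.name for r in results if r.status not in ("Pass", "exists")]
```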



  • Once I re-enable it I will report back as to whether or not the service restarts under those conditions.

    So I got around to enabling DNSBL, and I think I have it working.  ;D  The DNSBL service does indeed remain running now after a CRON or forced update. I did have to add a rule to pass traffic to the DNSBL VIP as you instructed… THANK YOU for that.

    I do have a question: what should I see in my browser if I navigate to the VIP? All I see is a blank page, but the title bar tells me it is resolved... is that normal? See attached.

    I would like you to take a look at a sample of the top of my firewall rules (I am a default block guy), and tell me if you see any issues. I wasn't sure about my NAT redirect for DNS (as I asked above), so I left it.

    I also have one VLAN interface where I have the NAT redirect pointing to opendns (my kid's clients), and that seems to still work as well. I am very happy with the adblocking that I see now, and I will be adding to the DNSBL lists as you discussed here: https://forum.pfsense.org/index.php?topic=102470.msg573159#msg573159

    Please review the attached sample rule set and let me know if you see any problems with the DNS redirect or otherwise.

    Thank you so much for your work on this package, and for your help!

    -Bill




