PfBlockerNG v2.1 w/TLD
-
First of all, sorry if this is not in the right forum thread; there are now 3+ active threads for pfbng…
My problem is with the latest release (2.1.1_4) so I figured this is the right location to post.
This morning I got the notification that 2.1.1_4 was released which would fix the late php error problems caused by MaxMind. I immediately updated my package then started pfblockerNG. Then I went to the force update and did a force update. All went well, then I did a force reload. At this moment, the hard drive went crazy for 10min+ and I lost all network connectivity. Lost contact with pfsense, LAN connectivity and of course lost connectivity to the internet.
I rebooted the firewall (reset button) then it came back online. I immediately deactivated pfbng. After that I got these errors by email:
There were error(s) loading the rules: /tmp/rules.debug:53: cannot define table pfB_Top_v6: Cannot allocate memory - The line in question reads [53]: table <pfB_Top_v6> persist file "/var/db/aliastables/pfB_Top_v6.txt"
There were error(s) loading the rules: /tmp/rules.debug:199: macro 'pfB_Africa_v4' not defined - The line in question reads [199]: block log quick on { em5 } inet from $pfB_Africa_v4 to any tracker 1770009617 label "USER_RULE: pfB_Africa_v4 auto rule"
-
Take a look a /var/log/pfblockerng/extras.log, /var/log/pfblockerng/pfblockerng.log, Status / System Logs / System / General, Status / System Logs / System / DNS Resolver, Dashboard for crash report.
Resolver log won't tell much. On reboot you have to go to Status / Services and restart the unbound service. After the restart, the log will have unbound messages.
-
@lpallard:
First of all, sorry if this is not in the right forum thread; there are now 3+ active threads for pfbng…
My problem is with the latest release (2.1.1_4) so I figured this is the right location to post.
This morning I got the notification that 2.1.1_4 was released which would fix the late php error problems caused by MaxMind. I immediately updated my package then started pfblockerNG. Then I went to the force update and did a force update. All went well, then I did a force reload. At this moment, the hard drive went crazy for 10min+ and I lost all network connectivity. Lost contact with pfsense, LAN connectivity and of course lost connectivity to the internet.
I rebooted the firewall (reset button) then it came back online. I immediately deactivated pfbng. After that I got these errors by email:
There were error(s) loading the rules: /tmp/rules.debug:53: cannot define table pfB_Top_v6: Cannot allocate memory - The line in question reads [53]: table <pfB_Top_v6> persist file "/var/db/aliastables/pfB_Top_v6.txt"
There were error(s) loading the rules: /tmp/rules.debug:199: macro 'pfB_Africa_v4' not defined - The line in question reads [199]: block log quick on { em5 } inet from $pfB_Africa_v4 to any tracker 1770009617 label "USER_RULE: pfB_Africa_v4 auto rule"
I'm having a very similar problem. I had uninstalled pfblockerng using the package manager and was waiting for an update to fix the memory problems. When I installed the latest version, I began getting the following errors:
There were error(s) loading the rules: /tmp/rules.debug:27: cannot load "/var/db/aliastables/pfB_NAmerica_v4.txt": No such file or directory - The line in question reads [27]: table <pfB_NAmerica_v4> persist file "/var/db/aliastables/pfB_NAmerica_v4.txt" @ 2016-08-24 21:03:13
There were error(s) loading the rules: /tmp/rules.debug:27: cannot load "/var/db/aliastables/pfB_NAmerica_v6.txt": No such file or directory - The line in question reads [27]: table <pfB_NAmerica_v6> persist file "/var/db/aliastables/pfB_NAmerica_v6.txt" @ 2016-08-24 21:03:24
There were error(s) loading the rules: /tmp/rules.debug:178: macro 'pfB_NAmerica_v4' not defined - The line in question reads [178]: block in log quick on $WAN reply-to ( re0 174.49.92.1 ) inet from ! $pfB_NAmerica_v4 to any tracker 1770009560 label "USER_RULE: pfB_NAmerica_v4 auto rule" @ 2016-08-24 21:03:27
There were error(s) loading the rules: /tmp/rules.debug:178: macro 'pfB_NAmerica_v4' not defined - The line in question reads [178]: block in log quick on $WAN reply-to ( re0 174.49.92.1 ) inet from ! $pfB_NAmerica_v4 to any tracker 1770009560 label "USER_RULE: pfB_NAmerica_v4 auto rule" @ 2016-08-24 21:03:30
The end result for me is that my whitelist rule allowing only inbound traffic from the U.S. fails to load. However, I have no problems with other features (e.g., adblocking). No errors show up in extras.log or pfblockerng.log.
-
When you uninstalled the pkg previously, did you uncheck "Keep Settings"… If not, some files may have remained.
I would suggest you go to the pfBlockerNG General tab, and uncheck "Enable pfBlockerNG" and uncheck "Keep Settings", followed by "Save"... Then reverse this by re-checking both options and "Save".
Go to the Dashboard and clear any notices so that you are starting fresh...
Then go to the Update tab and run a "Force Update".
Then review the pfblockerng.log for any issues (if any).
-
OK, so I tried unchecking the "Keep settings" and "Enable pfb" checkboxes, then saving. Then I checked them back on and did a force update. The process never ended. 45 minutes later, everything was dead and the last thing I could see on the WebUI was "Restarting Unbound".
The hard drive goes completely off the charts while this happens. I tried getting the system logs after the hard reset, but they go only up to 22:35, which is already 5 minutes after I manually reset the pfsense box.
Tomorrow I will try to simulate this once more and gather all the logs I can find. My feeling, somehow, since I lose all network connectivity, is that unbound crashes hard, probably due to lack of RAM?? Is it even possible? I am saying that because when this happens I have network connectivity for a few minutes, then everything drops. Then I can't even connect to my internal clients (same subnet).
-
If unbound crashes, you should still be able to access the FW by its IP. So open one tab in your browser using the FW IP and have Diagnostics / System Activity open so you can see what is happening while you run Force Reload in another tab with the FW FQDN.
Again, you won't get any log from the Resolver (unbound) if you do not restart it right after reboot. Could you be running out of disk space? Do you have /var in a RAM disk? Maybe your hard disk is failing.
Before enabling pfBlockerNG, disable the tables and enable them progressively to pinpoint the problem.
Then, before enabling DNSBL, disable the tables and go progressively until the issue appears.
-
BBcan177, private email sent.
-
Same issues as lpallard. I mostly resolved this by bumping Max table entries above 2MM and disabling/enabling PFBNG.
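An added triage aid, not code from this thread or from the pfBlockerNG package: it replays the table definitions of a rules.debug fragment in order and reports the three failure modes quoted above, an alias file that was never written ("No such file or directory"), a macro left undefined because its table did not load, and a total entry count above the Firewall Maximum Table Entries limit (the "Cannot allocate memory" case that the post above resolved by raising that limit). The rules fragment and alias-file contents are constructed, and the names audit_rules and count_entries are my own.

```python
import re
from typing import Dict, List

# Constructed rules.debug fragment modelled on the notices quoted in this thread.
RULES = """
table <pfB_Top_v6> persist file "/var/db/aliastables/pfB_Top_v6.txt"
table <pfB_Africa_v4> persist file "/var/db/aliastables/pfB_Africa_v4.txt"
block log quick on { em5 } inet6 from $pfB_Top_v6 to any label "USER_RULE: pfB_Top_v6 auto rule"
block log quick on { em5 } inet from $pfB_Africa_v4 to any label "USER_RULE: pfB_Africa_v4 auto rule"
"""
# Constructed alias files: only the v6 table was written; the Africa file is absent.
FILES = {
    "/var/db/aliastables/pfB_Top_v6.txt": "2001:db8::/32\n# comment line\n2001:db8:1::/48\n\n2001:db8:2::/48\n",
}

TABLE_RE = re.compile(r'^table <(\w+)>\s*persist file "([^"]+)"')
MACRO_RE = re.compile(r"\$(pfB_\w+)")  # pfBlockerNG aliases referenced as pf macros


def count_entries(text: str) -> int:
    """Non-blank, non-comment lines of an alias file, i.e. the entries pf will load."""
    return sum(1 for l in text.splitlines() if l.strip() and not l.lstrip().startswith("#"))


def audit_rules(rules: str, files: Dict[str, str], max_table_entries: int) -> dict:
    """Replay the table definitions in order and report why the rule set would fail to load."""
    loaded: Dict[str, int] = {}
    problems: List[str] = []
    for n, line in enumerate(rules.strip().splitlines(), 1):
        m = TABLE_RE.match(line)
        if m:
            name, path = m.groups()
            if path not in files:  # pfctl: cannot load "...": No such file or directory
                problems.append(f"{n}: table {name}: {path} missing")
            else:
                loaded[name] = count_entries(files[path])
            continue
        for macro in MACRO_RE.findall(line):  # pfctl: macro 'pfB_X' not defined
            if macro not in loaded:
                problems.append(f"{n}: macro {macro} undefined because its table never loaded")
    total = sum(loaded.values())
    if total > max_table_entries:  # exceeding the table-entries limit surfaces as "Cannot allocate memory"
        problems.append(f"{total} entries exceed Maximum Table Entries ({max_table_entries})")
    return {"loaded": loaded, "total": total, "problems": problems}


if __name__ == "__main__":
    for p in audit_rules(RULES, FILES, 2_000_000)["problems"]:
        print(p)
```

Point FILES at the real /var/db/aliastables contents and the limit from System / Advanced / Firewall & NAT to check a box before running a Force Reload.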
-
Trying to figure out pfblocker on CARP….
I've used this extensively on single installs but not via CARP. Are there any considerations I should take into account? I was told by pfsense support when I first installed that firewalls should mirror (i.e. have pfblocker installed on both, etc.)
Am I OK to configure FW1 on 10.0.10.1 with whatever pfblocker stuff I want, then simply sync to 10.0.10.2 (FW2)? I don't have to worry about the CARP interface or sync issues between this package and that, right? (Let's say the CARP interface is on 10.0.10.250.)
-
Trying to figure out pfblocker on CARP….
I've used this extensively on single installs but not via CARP. Are there any considerations I should take into account? I was told by pfsense support when I first installed that firewalls should mirror (i.e. have pfblocker installed on both, etc.)
Am I OK to configure FW1 on 10.0.10.1 with whatever pfblocker stuff I want, then simply sync to 10.0.10.2 (FW2)? I don't have to worry about the CARP interface or sync issues between this package and that, right? (Let's say the CARP interface is on 10.0.10.250.)
Hi blueduckdock,
You can use CARP/HA in pfSense without issue. The package has an XMLRPC Sync tab that allows the configuration of the package to be sync'd to other boxes… But with the current DNSBL code, this will cause issues with the DNSBL VIP, as both pfSense boxes will have the same DNSBL VIP address.
I had one user several months ago ask if this could be addressed and I did create a patch to get this addressed... If you are able to test it out, shoot me a PM if that works for you...
-
Trying to figure out pfblocker on CARP….
I've used this extensively on single installs but not via CARP. Are there any considerations I should take into account? I was told by pfsense support when I first installed that firewalls should mirror (i.e. have pfblocker installed on both, etc.)
Am I OK to configure FW1 on 10.0.10.1 with whatever pfblocker stuff I want, then simply sync to 10.0.10.2 (FW2)? I don't have to worry about the CARP interface or sync issues between this package and that, right? (Let's say the CARP interface is on 10.0.10.250.)
Hi blueduckdock,
You can use CARP/HA in pfSense without issue. The package has an XMLRPC Sync tab that allows the configuration of the package to be sync'd to other boxes… But with the current DNSBL code, this will cause issues with the DNSBL VIP, as both pfSense boxes will have the same DNSBL VIP address.
I had one user several months ago ask if this could be addressed and I did create a patch to get this addressed... If you are able to test it out, shoot me a PM if that works for you...
Yeah, I saw that post about DNSBL. Sucks because that's a big part of what I'm looking for with this.
Unfortunately I cannot test on that (it's prod.) If I get to it, I'll try to set either my home up with CARP (was thinking about doing it in the future between proxmox and physical anyway) or at least two pfsense VMs in my homelab.
I will let you know as I'd like to test it and help out. I've used pfblocker for so long it's the least I can do.
Thanks BBcan
-
Yeah, I saw that post about DNSBL. Sucks because that's a big part of what I'm looking for with this.
Unfortunately I cannot test on that (it's prod.) If I get to it, I'll try to set either my home up with CARP (was thinking about doing it in the future between proxmox and physical anyway) or at least two pfsense VMs in my homelab.
I will let you know as I'd like to test it and help out. I've used pfblocker for so long it's the least I can do.
Thanks BBcan
Thanks, if/when you have a test environment set up, shoot me a PM and we can go from there!
I've used pfblocker for so long it's the least I can do.
Thanks, I appreciate that! ;)
-
Running the latest 2.1.1_4
When I force updates via the GUI, all control is lost, but I can see the updates. The only way to get it back is to ssh in and reset using 11 and 16, or close the browser and wait a while before logging back in. If I run the updates via the console I do not have the same issue; I think it has something to do with the live logs.
Thanks
Tony
-
Running the latest 2.1.1_4
When I force updates via the GUI, all control is lost, but I can see the updates. The only way to get it back is to ssh in and reset using 11 and 16, or close the browser and wait a while before logging back in. If I run the updates via the console I do not have the same issue; I think it has something to do with the live logs.
You're back from the netherworld ;)
With the change to NGINX, the "View" button in the Update Tab is not working 100% …. I have that on the list of things to fix, but it might be removed from future releases as I don't think there is a good resolution for that one...
-
Running the latest 2.1.1_4
When I force updates via the GUI, all control is lost, but I can see the updates. The only way to get it back is to ssh in and reset using 11 and 16, or close the browser and wait a while before logging back in. If I run the updates via the console I do not have the same issue; I think it has something to do with the live logs.
Thanks
Tony
It's just your browser that is sometimes unable to open any connections to the FW FQDN when you run Force Update. You can still access the FW in another tab using the FW IP, or with another browser, or from another computer.
-
Malvertising in Action:
Published on Sep 1, 2016
Exploit kits are a class of threat that indiscriminately attempt to compromise all users. Malicious advertisements, or malvertising, are a common vector adversaries use to try and redirect users to an exploit kit.
https://www.youtube.com/watch?v=-E56rSF01no&feature=youtu.be
-
Hi all
I am looking for some IP/DNSBL blocklists / blacklists with very few false positives and was wondering, from your experience with using different block lists, which ones you would recommend.
Thanks in advance for taking the time to respond.
-
Can someone help me with this:
I have many firewall log entries like
Sep 26 11:05:04 LAN 10.0.0.80:45511 127.0.0.1:8443
Why is it blocked by a pfblock rule?
And why 127.0.0.1??
-
Can someone help me with this:
I have many firewall log entries like
Sep 26 11:05:04 LAN 10.0.0.80:45511 127.0.0.1:8443
Why is it blocked by a pfblock rule?
And why 127.0.0.1??
Go to the General tab and enable "Suppression", then Force Reload - All…. This will remove all RFC1918 and loopback addresses...
-
Okay thank you. Did that 8)