PFBlockerNG Errors Loading Rules - "Macro Not Defined"



  • I've seen some weird errors showing up in my logs related to PFBlockerNG.  They have been showing up periodically for the last few weeks.  I've posted a recent sample of them below (with my WAN IP address scrubbed):

    There were error(s) loading the rules: /tmp/rules.debug:181: macro 'pfB_NAmerica_v4' not defined - The line in question reads [181]: block in log quick on $WAN reply-to ( re0 ###.###.###.### ) inet from ! $pfB_NAmerica_v4 to any tracker 1770009560 label "USER_RULE: pfB_NAmerica_v4 auto rule" @ 2016-09-15 22:30:13
    There were error(s) loading the rules: /tmp/rules.debug:179: macro 'pfB_NAmerica_v4' not defined - The line in question reads [179]: block in log quick on $WAN reply-to ( re0 ###.###.###.### ) inet from ! $pfB_NAmerica_v4 to any tracker 1770009560 label "USER_RULE: pfB_NAmerica_v4 auto rule" @ 2016-09-15 22:30:16
    There were error(s) loading the rules: /tmp/rules.debug:179: macro 'pfB_NAmerica_v4' not defined - The line in question reads [179]: block in log quick on $WAN reply-to ( re0 ###.###.###.### ) inet from ! $pfB_NAmerica_v4 to any tracker 1770009560 label "USER_RULE: pfB_NAmerica_v4 auto rule" @ 2016-09-15 22:30:18

    These errors are weird.  They don't look good, but PFBlocker still seems to be blocking all inbound IPv4 traffic not from North America.  Anyone have an idea what these error messages mean and what may be going on?

    Thanks.
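    The error lines quoted in this post, parsed by an added script (not from the thread, pfSense or pfBlockerNG) so that a failed filter reload can be alerted on instead of being noticed by chance; the log sample is constructed from the three entries above, with the WAN address scrubbed as the poster did.

```python
import re
from collections import defaultdict

# Constructed sample: the three entries quoted in the post, WAN address scrubbed.
SAMPLE_LOG = """\
There were error(s) loading the rules: /tmp/rules.debug:181: macro 'pfB_NAmerica_v4' not defined - The line in question reads [181]: block in log quick on $WAN reply-to ( re0 ###.###.###.### ) inet from ! $pfB_NAmerica_v4 to any tracker 1770009560 label "USER_RULE: pfB_NAmerica_v4 auto rule" @ 2016-09-15 22:30:13
There were error(s) loading the rules: /tmp/rules.debug:179: macro 'pfB_NAmerica_v4' not defined - The line in question reads [179]: block in log quick on $WAN reply-to ( re0 ###.###.###.### ) inet from ! $pfB_NAmerica_v4 to any tracker 1770009560 label "USER_RULE: pfB_NAmerica_v4 auto rule" @ 2016-09-15 22:30:16
There were error(s) loading the rules: /tmp/rules.debug:179: macro 'pfB_NAmerica_v4' not defined - The line in question reads [179]: block in log quick on $WAN reply-to ( re0 ###.###.###.### ) inet from ! $pfB_NAmerica_v4 to any tracker 1770009560 label "USER_RULE: pfB_NAmerica_v4 auto rule" @ 2016-09-15 22:30:18
"""

# Shape of the pfSense filter-reload error exactly as it appears in the thread.
ERROR_RE = re.compile(
    r"There were error\(s\) loading the rules: (?P<file>\S+):(?P<line>\d+): "
    r"macro '(?P<macro>[^']+)' not defined - The line in question reads "
    r"\[\d+\]: (?P<rule>.+) @ (?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})$"
)
TRACKER_RE = re.compile(r"\btracker (\d+)\b")

def parse_rule_errors(log_text):
    """One dict per 'macro not defined' entry; lines of any other shape are skipped."""
    records = []
    for line in log_text.splitlines():
        m = ERROR_RE.match(line.strip())
        if not m:
            continue
        rule, macro = m.group("rule"), m.group("macro")
        tracker = TRACKER_RE.search(rule)
        records.append({
            "file": m.group("file"),
            "line": int(m.group("line")),
            "macro": macro,
            "timestamp": m.group("ts"),
            "tracker": tracker.group(1) if tracker else None,
            # Sanity check: the quoted rule really does use the missing macro.
            "macro_referenced": ("$" + macro) in rule,
        })
    return records

def summarize(records):
    """Per undefined macro: failed reload count, rules.debug lines hit, tracker ids."""
    out = defaultdict(lambda: {"failures": 0, "lines": set(), "trackers": set()})
    for r in records:
        s = out[r["macro"]]
        s["failures"] += 1
        s["lines"].add(r["line"])
        if r["tracker"]:
            s["trackers"].add(r["tracker"])
    return dict(out)
```

    A load that fails this way leaves the previously loaded ruleset in place, which is why blocking appears to keep working; treat any hit as a sign that the active rules may be stale.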


  • Moderator

    Are you on the latest version of the package?

    If you are blocking the world, minus a few Countries, you will need to bump the pfSense Adv. Max Table Entries to 10M…

    Follow that with a pkg Disable/Enable (save) and a "Force Reload"



  • Thanks for the advice.  I'm running the latest version, so I'll bump the max table entries up to 10m (currently set at 4m) and Force Reload like you suggested.  I'll see what happens and report back in a few days.



  • @rajl:

    Thanks for the advice.  I'm running the latest version, so I'll bump the max table entries up to 10m (currently set at 4m) and Force Reload like you suggested.  I'll see what happens and report back in a few days.

    I've done this as well and it still hasn't resolved my issue.

    Are you getting these dpinger errors when this happens in your logs?

    send_interval 500ms loss_interval 2000ms time_period 60000ms report_interval 0ms data_len 0 alert_interval 1000ms latency_alarm 500ms loss_alarm 20% dest_addr xx.xx.xx.xx bind_add xx.xxx.xx.xx identifier "TPWANGW "

    I get these errors but only on my CARP Backup device, not the main.

    For me all of my gateways go down every 6 hours and that's when this error occurs and I have to run a CRON in pfBlocker to fix it.

    The only CRON that runs every 6 hours is Snort, but I've set it to run :05 minutes after the hour and I still see errors.

    This happens as well, I'm not sure if it's directly related

    Oct 17 00:01:03 kernel ovpns2: link state changed to DOWN
    Oct 17 00:01:03 php-fpm 32369 /xmlrpc.php: Resyncing OpenVPN instances.
    Oct 17 00:01:02 php-fpm 32369 /xmlrpc.php: ROUTING: setting default route to xx.xx.xx.xx
    Oct 17 00:01:02 check_reload_status Reloading filter
    Oct 17 00:01:02 check_reload_status Syncing firewall

    When that ROUTING entry happens all my OpenVPN interfaces reset.

    I don't mean to hijack and I need to start my own thread but I was just curious if you had the same issues.

    I have Snort and Squid running as well, but this only happens every 6 hours which leads me to think it's related to Snort in some way.