Kernel: pfr_update_stats: assertion failed - caused by PFBlockNG ?



  • Hi

    Have started getting a long list of these:

    
    Sep 24 16:11:32 firewall kernel: pfr_update_stats: assertion failed.
    Sep 24 16:11:32 firewall kernel: pfr_update_stats: assertion failed.
    Sep 24 16:11:32 firewall kernel: pfr_update_stats: assertion failed.
    Sep 24 16:11:32 firewall kernel: pfr_update_stats: assertion failed.
    Sep 24 16:11:32 firewall kernel: pfr_update_stats: assertion failed.
    Sep 24 16:11:32 firewall kernel: pfr_update_stats: assertion failed.
    Sep 24 16:11:32 firewall kernel: pfr_update_stats: assertion failed.
    Sep 24 16:11:44 firewall kernel: pfr_update_stats: assertion failed.
    Sep 24 16:11:44 firewall kernel: pfr_update_stats: assertion failed.
    Sep 24 16:11:44 firewall kernel: pfr_update_stats: assertion failed.
    Sep 24 16:11:44 firewall kernel: pfr_update_stats: assertion failed.
    Sep 24 16:11:44 firewall kernel: pfr_update_stats: assertion failed.
    Sep 24 16:11:44 firewall kernel: pfr_update_stats: assertion failed.
    Sep 24 16:11:44 firewall kernel: pfr_update_stats: assertion failed.
    Sep 24 16:11:44 firewall kernel: pfr_update_stats: assertion failed.
    Sep 24 16:11:45 firewall kernel: pfr_update_stats: assertion failed.
    Sep 24 16:11:45 firewall kernel: pfr_update_stats: assertion failed.
    Sep 24 16:11:45 firewall kernel: pfr_update_stats: assertion failed.
    Sep 24 16:11:45 firewall kernel: pfr_update_stats: assertion failed.
    Sep 24 16:11:46 firewall kernel: pfr_update_stats: assertion failed.
    Sep 24 16:11:46 firewall kernel: pfr_update_stats: assertion failed.
    Sep 24 16:11:47 firewall kernel: pfr_update_stats: assertion failed.
    Sep 24 16:11:47 firewall kernel: pfr_update_stats: assertion failed.
    Sep 24 16:11:47 firewall kernel: pfr_update_stats: assertion failed.
    Sep 24 16:11:47 firewall kernel: pfr_update_stats: assertion failed.
    Sep 24 16:11:48 firewall kernel: pfr_update_stats: assertion failed.
    Sep 24 16:11:56 firewall kernel: pfr_update_stats: assertion failed.
    Sep 24 16:11:56 firewall kernel: pfr_update_stats: assertion failed.
    Sep 24 16:11:56 firewall kernel: pfr_update_stats: assertion failed.
    Sep 24 16:11:56 firewall kernel: pfr_update_stats: assertion failed.
    Sep 24 16:11:56 firewall kernel: pfr_update_stats: assertion failed.
    Sep 24 16:11:56 firewall kernel: pfr_update_stats: assertion failed.
    Sep 24 16:11:56 firewall kernel: pfr_update_stats: assertion failed.
    Sep 24 16:11:56 firewall kernel: pfr_update_stats: assertion failed.
    Sep 24 16:11:57 firewall kernel: pfr_update_stats: assertion failed.
    Sep 24 16:11:57 firewall kernel: pfr_update_stats: assertion failed.
    Sep 24 16:11:57 firewall kernel: pfr_update_stats: assertion failed.
    Sep 24 16:11:57 firewall kernel: pfr_update_stats: assertion failed.
    Sep 24 16:12:13 firewall kernel: pfr_update_stats: assertion failed.
    Sep 24 16:12:13 firewall kernel: pfr_update_stats: assertion failed.
    Sep 24 16:12:13 firewall kernel: pfr_update_stats: assertion failed.
    Sep 24 16:12:14 firewall kernel: pfr_update_stats: assertion failed.
    Sep 24 16:12:14 firewall kernel: pfr_update_stats: assertion failed.
    Sep 24 16:12:14 firewall kernel: pfr_update_stats: assertion failed.
    Sep 24 16:12:14 firewall kernel: pfr_update_stats: assertion failed.
    Sep 24 16:12:14 firewall kernel: pfr_update_stats: assertion failed.
    Sep 24 16:12:15 firewall kernel: pfr_update_stats: assertion failed.
    
    

    When they occur - Squid stops processing access to HTTP sites.

    If I disable Squid - I can access HTTP sites, and the errors slow down - but still continue

    Sep 24 16:24:11 firewall kernel: pfr_update_stats: assertion failed.
    Sep 24 16:25:53 firewall kernel: pfr_update_stats: assertion failed.
    Sep 24 16:25:54 firewall kernel: pfr_update_stats: assertion failed.
    Sep 24 16:25:55 firewall kernel: pfr_update_stats: assertion failed.
    Sep 24 16:27:17 firewall kernel: pfr_update_stats: assertion failed.
    Sep 24 16:28:01 firewall kernel: pfr_update_stats: assertion failed.
    Sep 24 16:31:00 firewall kernel: pfr_update_stats: assertion failed.
    Sep 24 16:33:58 firewall kernel: pfr_update_stats: assertion failed.
    
    

    I have made no changes to the setup - it has just started today.

    I have tried clearing the squid cache, thinking maybe it was corrupt - but the messages continue even with squid stopped.

    A reboot of the server has made no difference.

    Thanks for any advice on how to solve this.

    EDIT:

    Version info:

    2.3.2-RELEASE (amd64)
    built on Tue Jul 19 12:44:43 CDT 2016
    FreeBSD 10.3-RELEASE-p5
    

    Update 2:

    If I disable pfblockng and enable squid - everything is good. - no assertion failed messages.

    As soon as I re-enable pfblockng - the assertion failed messages return.

    Update 4:

    If I disable PFBlockerNG -> DNSBL -> DNSBL Feeds -> http://someonewhocares.org/hosts/hosts

    Then the error messages go away, and everything works fine.  I did a force reload, and /var/db/pfblockng/someWhoCares.txt was refreshed.  The only difference I could see between the updated one, and the old one was the old one contained 127.0.0.1.  With that local address removed everything seems to be ok.



  • Hi,

    Thank you so much! I had the very same problem, it started Sep 23 00:16:01, I got my logs full of this "kernel: pfr_update_stats: assertion failed." error and finally I found out pfBlockerNG was blocking my NTP NAT rules.

    On my ELK server a lot of these:

    
    {
           "message" => "pfr_update_stats: assertion failed.",
          "@version" => "1",
        "@timestamp" => "2016-09-23T14:04:47.000Z",
              "type" => "syslog",
              "host" => "172.21.10.1",
              "tags" => [
            [0] "PFSense",
            [1] "firewall"
        ],
             "evtid" => "2",
              "prog" => "kernel"
    }
    {
            "message" => "125,16777216,,1770009015,igb0,match,block,in,4,0x0,,64,28117,0,none,17,udp,76,172.21.10.7,127.0.0.1,123,123,56",
           "@version" => "1",
         "@timestamp" => "2016-09-23T14:04:48.000Z",
               "type" => "syslog",
               "host" => "172.21.10.1",
               "tags" => [
            [0] "PFSense",
            [1] "firewall"
        ],
              "evtid" => "134",
               "prog" => "filterlog",
               "rule" => "125",
           "sub_rule" => "16777216",
            "tracker" => "1770009015",
              "iface" => "igb0",
             "reason" => "match",
             "action" => "block",
          "direction" => "in",
             "ip_ver" => "4",
                "tos" => "0x0",
                "ttl" => "64",
                 "id" => "28117",
             "offset" => "0",
              "flags" => "none",
           "proto_id" => "17",
              "proto" => "udp",
             "length" => "76",
             "src_ip" => "172.21.10.7",
            "dest_ip" => "127.0.0.1",
           "src_port" => "123",
          "dest_port" => "123",
        "data_length" => "56"
    }
    
    

    So I tried the same trick, disabled DNSBL Feeds -> http://someonewhocares.org/hosts/hosts and did force reload. Problem solved!

    I think a sort of problem is to find feeds you can trust, otherwise you never know what you get to your firewall..

    Many thanks, your post saved my day!  ;)


  • Moderator

    This is caused by the feed listing a loopback IP address. So I assume that you enabled the DNSBL IP option?

    Go to the General Tab and enable suppression and Force Reload all. This will ensure that any RFC1918 or loopback addresses that might get added are removed. I am going to force this option as enabled on the next release for new user installations of the package.



  • Hi,

    I was not aware the option was already there.. Thanks for your tip. Enabled suppression now.  :) A sort of must.

    I really appreciate the work you have done with this package, a separate section on pfSense wiki for this would be great..



  • When I enable suppression and update/reload I have these errors:

    
    [ DNSBL FAIL ] [ Skipping : GJTech ]
    
    [1475662664] unbound-checkconf[35784:0] error: error parsing local-data at 30 '}).filter(' 60 IN A 10.10.11.1': Syntax error, could not parse the RR's TTL
    [1475662664] unbound-checkconf[35784:0] error: Bad local-data RR }).filter(' 60 IN A 10.10.11.1
    [1475662664] unbound-checkconf[35784:0] fatal error: failed local-zone, local-data configuration
    [ dshield_SD ]		 Reload [ 10/05/16 12:17:44 ] . completed ..
      ----------------------------------------------------------------------
    
    


  • I think I solved it.

    I removed the GJTech and http://someonewhocares.org/hosts/hosts lists, updated and reloaded pfblocker-ng, and now the problems are gone.
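
Added example (not part of the thread and not pfBlockerNG's own code): a pre-load check for a hosts-format feed that drops the loopback and RFC1918 entries the moderator's post describes and rejects malformed entries such as the `}).filter(` fragment in the unbound-checkconf error. The function names and the sample feed are hypothetical and constructed for illustration.

```python
import ipaddress
import re

# Ranges named in the moderator's post: loopback and RFC 1918 private space.
UNSAFE_NETS = [ipaddress.ip_network(n) for n in
               ("127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12",
                "192.168.0.0/16", "::1/128")]

# Hostname: dot-separated labels of letters, digits, hyphens; alphabetic TLD.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$",
    re.IGNORECASE)

def parse_ip(token):
    """Return an ip_address object, or None if the token is not an IP."""
    try:
        return ipaddress.ip_address(token)
    except ValueError:
        return None

def sanitize_feed(feed_text):
    """Return (domains, ips, rejected) for a hosts-format feed."""
    domains, ips, rejected = [], [], []
    for lineno, raw in enumerate(feed_text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()          # drop comments
        if not line:
            continue
        fields = line.split()
        # "<sinkhole-ip> <name> ..." lines: the first field is not an entry.
        has_sinkhole = len(fields) > 1 and parse_ip(fields[0]) is not None
        for entry in (fields[1:] if has_sinkhole else fields):
            ip = parse_ip(entry)
            if ip is not None:
                if any(ip in net for net in UNSAFE_NETS):
                    rejected.append((lineno, entry, "loopback/RFC1918 address"))
                else:
                    ips.append(str(ip))
            elif HOSTNAME_RE.match(entry):
                domains.append(entry.lower())
            else:
                rejected.append((lineno, entry, "not a valid hostname"))
    return domains, ips, rejected

# Constructed sample input, not the contents of any real feed.
SAMPLE_FEED = """\
# hosts-format blocklist
127.0.0.1 localhost
127.0.0.1 ads.example.com
0.0.0.0 tracker.example.net  # inline comment
127.0.0.1
10.10.11.1
198.51.100.7
}).filter(
"""
```

Running `sanitize_feed(SAMPLE_FEED)` keeps the two domains and the one public address, and reports the line number and reason for each rejected entry so a changed feed can be reviewed before a reload.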

