pfBlockerNG 2.1.1_5 / pfSense 2.4



  • This is what's in the pfblockerng.log:

    UPDATE PROCESS START [ 12/20/16 18:23:57 ]
    
    ===[  DNSBL Process  ]================================================
    
    [ easylist ]		 Reload . completed ..
      ----------------------------------------------------------------------
      Orig.    Unique     # Dups     # White    # Alexa    Final                
      ----------------------------------------------------------------------
      6546     6211       0          0          0          6211                 
      ----------------------------------------------------------------------
    
    [ easylistprivacy ]	 Reload . completed ..
      ----------------------------------------------------------------------
      Orig.    Unique     # Dups     # White    # Alexa    Final                
      ----------------------------------------------------------------------
      2680     2661       20         0          0          2641                 
      ----------------------------------------------------------------------
    
    [ hphosts ]		 Reload [ 12/20/16 18:23:58 ] . completed ..
      ----------------------------------------------------------------------
      Orig.    Unique     # Dups     # White    # Alexa    Final                
      ----------------------------------------------------------------------
      47965    47962      1333       0          0          46629                
      ----------------------------------------------------------------------
    
    [ yoyo ]		 Reload [ 12/20/16 18:23:59 ] . completed ..
      ----------------------------------------------------------------------
      Orig.    Unique     # Dups     # White    # Alexa    Final                
      ----------------------------------------------------------------------
      2364     2364       1445       0          0          919                  
      ----------------------------------------------------------------------
    
    [ adaway ]		 Reload [ 12/20/16 18:24:00 ] . completed ..
      ----------------------------------------------------------------------
      Orig.    Unique     # Dups     # White    # Alexa    Final                
      ----------------------------------------------------------------------
      411      409        282        0          0          127                  
      ----------------------------------------------------------------------
    
    [ cameleon ]		 Reload . completed ..
      ----------------------------------------------------------------------
      Orig.    Unique     # Dups     # White    # Alexa    Final                
      ----------------------------------------------------------------------
      21194    21194      6124       0          0          15070                
      ----------------------------------------------------------------------
    
    ------------------------------------------
    Assembling database... completed
    Validating database... completed [ 12/20/16 18:24:02 ]
    Reloading Unbound.... completed
    DNSBL update [ 71597 | PASSED  ]... completed [ 12/20/16 18:24:03 ]
    ------------------------------------------Restarting Service DNSBL...
    
    ===[  Continent Process  ]============================================
    
    ===[  Aliastables / Rules  ]==========================================
    
    No changes to Firewall rules, skipping Filter Reload
    No Changes to Aliases, Skipping pfctl Update
    
    ===[ FINAL Processing ]=====================================
    
       [ Original IP count   ]  [ 0 ]
    
    ===[ DNSBL Domain/IP Counts ] ===================================
    
       71597 total
       46629 /var/db/pfblockerng/dnsbl/hphosts.txt
       15070 /var/db/pfblockerng/dnsbl/cameleon.txt
        6211 /var/db/pfblockerng/dnsbl/easylist.txt
        2641 /var/db/pfblockerng/dnsbl/easylistprivacy.txt
         919 /var/db/pfblockerng/dnsbl/yoyo.txt
         127 /var/db/pfblockerng/dnsbl/adaway.txt
    
    IPv4 alias tables IP count
    -----------------------------
    0
    
    IPv6 alias tables IP count
    -----------------------------
    0
    
    Alias table IP Counts
    -----------------------------
    
    pfSense Table Stats
    -------------------
    table-entries hard limit  2000000
    Table Usage Count         83312
    
     UPDATE PROCESS ENDED
    
    

    And just got this on my GUI:

    Crash report begins.  Anonymous machine information:
    
    amd64
    11.0-RELEASE-p5
    FreeBSD 11.0-RELEASE-p5 #249 3443a71(RELENG_2_4): Sun Dec 18 04:25:13 CST 2016     root@buildbot2.netgate.com:/builder/ce/tmp/obj/builder/ce/tmp/FreeBSD-src/sys/pfSense
    
    Crash report details:
    
    PHP Errors:
    [20-Dec-2016 18:15:30 America/New_York] PHP Warning:  array_map(): Argument #2 should be an array in /usr/local/www/pfblockerng/pfblockerng_log.php on line 184
    [20-Dec-2016 18:15:30 America/New_York] PHP Stack trace:
    [20-Dec-2016 18:15:30 America/New_York] PHP   1. {main}() /usr/local/www/pfblockerng/pfblockerng_log.php:0
    [20-Dec-2016 18:15:30 America/New_York] PHP   2. array_map() /usr/local/www/pfblockerng/pfblockerng_log.php:184
    [20-Dec-2016 18:15:30 America/New_York] PHP Warning:  implode(): Argument must be an array in /usr/local/www/pfblockerng/pfblockerng_log.php on line 184
    [20-Dec-2016 18:15:30 America/New_York] PHP Stack trace:
    [20-Dec-2016 18:15:30 America/New_York] PHP   1. {main}() /usr/local/www/pfblockerng/pfblockerng_log.php:0
    [20-Dec-2016 18:15:30 America/New_York] PHP   2. implode() /usr/local/www/pfblockerng/pfblockerng_log.php:184
    [20-Dec-2016 18:15:49 America/New_York] PHP Warning:  array_map(): Argument #2 should be an array in /usr/local/www/pfblockerng/pfblockerng_log.php on line 184
    [20-Dec-2016 18:15:49 America/New_York] PHP Stack trace:
    [20-Dec-2016 18:15:49 America/New_York] PHP   1. {main}() /usr/local/www/pfblockerng/pfblockerng_log.php:0
    [20-Dec-2016 18:15:49 America/New_York] PHP   2. array_map() /usr/local/www/pfblockerng/pfblockerng_log.php:184
    [20-Dec-2016 18:15:49 America/New_York] PHP Warning:  implode(): Argument must be an array in /usr/local/www/pfblockerng/pfblockerng_log.php on line 184
    [20-Dec-2016 18:15:49 America/New_York] PHP Stack trace:
    [20-Dec-2016 18:15:49 America/New_York] PHP   1. {main}() /usr/local/www/pfblockerng/pfblockerng_log.php:0
    [20-Dec-2016 18:15:49 America/New_York] PHP   2. implode() /usr/local/www/pfblockerng/pfblockerng_log.php:184
    [20-Dec-2016 18:15:52 America/New_York] PHP Warning:  array_map(): Argument #2 should be an array in /usr/local/www/pfblockerng/pfblockerng_log.php on line 184
    [20-Dec-2016 18:15:52 America/New_York] PHP Stack trace:
    [20-Dec-2016 18:15:52 America/New_York] PHP   1. {main}() /usr/local/www/pfblockerng/pfblockerng_log.php:0
    [20-Dec-2016 18:15:52 America/New_York] PHP   2. array_map() /usr/local/www/pfblockerng/pfblockerng_log.php:184
    [20-Dec-2016 18:15:52 America/New_York] PHP Warning:  implode(): Argument must be an array in /usr/local/www/pfblockerng/pfblockerng_log.php on line 184
    [20-Dec-2016 18:15:52 America/New_York] PHP Stack trace:
    [20-Dec-2016 18:15:52 America/New_York] PHP   1. {main}() /usr/local/www/pfblockerng/pfblockerng_log.php:0
    [20-Dec-2016 18:15:52 America/New_York] PHP   2. implode() /usr/local/www/pfblockerng/pfblockerng_log.php:184
    [20-Dec-2016 18:16:14 America/New_York] PHP Warning:  array_map(): Argument #2 should be an array in /usr/local/www/pfblockerng/pfblockerng_log.php on line 184
    [20-Dec-2016 18:16:14 America/New_York] PHP Stack trace:
    [20-Dec-2016 18:16:14 America/New_York] PHP   1. {main}() /usr/local/www/pfblockerng/pfblockerng_log.php:0
    [20-Dec-2016 18:16:14 America/New_York] PHP   2. array_map() /usr/local/www/pfblockerng/pfblockerng_log.php:184
    [20-Dec-2016 18:16:14 America/New_York] PHP Warning:  implode(): Argument must be an array in /usr/local/www/pfblockerng/pfblockerng_log.php on line 184
    [20-Dec-2016 18:16:14 America/New_York] PHP Stack trace:
    [20-Dec-2016 18:16:14 America/New_York] PHP   1. {main}() /usr/local/www/pfblockerng/pfblockerng_log.php:0
    [20-Dec-2016 18:16:14 America/New_York] PHP   2. implode() /usr/local/www/pfblockerng/pfblockerng_log.php:184
    [20-Dec-2016 18:16:16 America/New_York] PHP Warning:  array_map(): Argument #2 should be an array in /usr/local/www/pfblockerng/pfblockerng_log.php on line 184
    [20-Dec-2016 18:16:16 America/New_York] PHP Stack trace:
    [20-Dec-2016 18:16:16 America/New_York] PHP   1. {main}() /usr/local/www/pfblockerng/pfblockerng_log.php:0
    [20-Dec-2016 18:16:16 America/New_York] PHP   2. array_map() /usr/local/www/pfblockerng/pfblockerng_log.php:184
    [20-Dec-2016 18:16:16 America/New_York] PHP Warning:  implode(): Argument must be an array in /usr/local/www/pfblockerng/pfblockerng_log.php on line 184
    [20-Dec-2016 18:16:16 America/New_York] PHP Stack trace:
    [20-Dec-2016 18:16:16 America/New_York] PHP   1. {main}() /usr/local/www/pfblockerng/pfblockerng_log.php:0
    [20-Dec-2016 18:16:16 America/New_York] PHP   2. implode() /usr/local/www/pfblockerng/pfblockerng_log.php:184
    
    


  • The crash report was probably generated when you looked at pfBlockerNG.log.
    The update output looks OK. If you go to Status / Services, can you start dnsbl?



  • The cog wheel spins for a short while then just stops with the Service never starting, and nothing more in any of the logs.



  • The crash report might be because you tried to open a missing file. What was the file you were trying to look at?

    On the DNSBL side, what is your VIP configuration? Did you try to ping the VIP?



  • I get the Crash Report whenever I look at Firewall / pfBlockerNG / Log Browser / dnsbl.log in the GUI. It's blank, btw.

    VIP Config is 10.10.10.1

    PING 10.10.10.1 (10.10.10.1): 56 data bytes
    64 bytes from 10.10.10.1: icmp_seq=0 ttl=64 time=0.044 ms
    64 bytes from 10.10.10.1: icmp_seq=1 ttl=64 time=0.022 ms
    64 bytes from 10.10.10.1: icmp_seq=2 ttl=64 time=0.021 ms
    
    --- 10.10.10.1 ping statistics ---
    3 packets transmitted, 3 packets received, 0.0% packet loss
    round-trip min/avg/max/stddev = 0.021/0.029/0.044/0.011 ms
    


  • Quick fix for the crash

    touch /var/log/pfblockerng/dnsbl.log

    And 10.10.10.1 is outside the LAN interfaces' network range.



  • Yup, the touch command fixed that nasty Crash Report. dnsbl.log is still blank after trying to restart the service, which still doesn't start.

    Used the touch command for the error.log as well; that was causing a Crash Report too.

    LAN is in the 192.168.xxx.yyy/24



  • Check the NAT and Floating rules to see if 10.10.10.1 is defined correctly.

    Look at /var/log/pfblockerng/dnsbl_error.log

    2016-12-20 18:54:49: (configfile-glue.c.694) === start of 2016-12-20 19:20:02: (server.c.1820) server stopped by UID = 0 PID = 2357
    2016-12-20 19:20:05: (log.c.217) server started
    
    


  • 1. Port Forward rules look proper

    If   Proto  Src addr  Src ports  Dest addr   Dest ports   NAT IP     NAT ports  Description
    LAN  TCP    *         *          10.10.10.1  80 (HTTP)    127.0.0.1  8081       pfB DNSBL - DO NOT EDIT
    LAN  TCP    *         *          10.10.10.1  443 (HTTPS)  127.0.0.1  8443       pfB DNSBL - DO NOT EDIT

    2. I have the DNSBL Firewall Rule checkbox enabled with all interfaces selected but there are no rules listed in my Floating Rules Tab.

    3. dnsbl_error.log is empty.



  • And your /var/unbound/pfb_dnsbl_lighty.conf looks like this?

    #
    #pfBlockerNG Lighttpd DNSBL configuration file
    #
    server.bind			= "0.0.0.0"
    server.port			= "8081"
    server.event-handler		= "freebsd-kqueue"
    server.network-backend		= "freebsd-sendfile"
    server.dir-listing		= "disable"
    server.document-root		= "/usr/local/www/pfblockerng/www/"
    server.errorlog			= "/var/log/pfblockerng/dnsbl_error.log"
    server.pid-file			= "/var/run/dnsbl.pid"
    server.modules			= ( "mod_access", "mod_fastcgi", "mod_rewrite" )
    
    server.indexfiles		= ( "index.php" )
    mimetype.assign			= ( ".html" => "text/html", ".gif" => "image/gif" )
    url.access-deny			= ( "~", ".inc" )
    fastcgi.server			= ( ".php" => ( "localhost" => ( "socket" => "/var/run/php-fpm.socket", "broken-scriptfilename" => "enable" ) ) )
    
    debug.log-condition-handling	= "enable"
    
    $HTTP["host"] =~ ".*" {
    	url.rewrite-once = ( ".*" => "index.php" )
    }
    
    $SERVER["socket"] == "0.0.0.0:8443" {
    	ssl.engine		= "enable"
    	ssl.pemfile		= "/var/unbound/dnsbl_cert.pem"
    	ssl.use-sslv2		= "disable"
    	ssl.use-sslv3		= "disable"
    	ssl.honor-cipher-order	= "enable"
    	ssl.cipher-list		= "AES128+EECDH:AES256+EECDH:AES128+EDH:AES256+EDH:AES128-SHA:AES256-SHA:!aNULL:!eNULL:!DSS"
    
    	$HTTP["host"] =~ ".*" {
    		url.rewrite-once = ( ".*" => "index.php" )
    	}
    }
    
    $SERVER["socket"] == "10.10.10.1:80" {
    	$HTTP["host"] =~ ".*" {
    		url.rewrite-once = ( ".*" => "index.php" )
    	}
    }
    
    $SERVER["socket"] == "10.10.10.1:443" {
    	ssl.engine		= "enable"
    	ssl.pemfile		= "/var/unbound/dnsbl_cert.pem"
    	ssl.use-sslv2		= "disable"
    	ssl.use-sslv3		= "disable"
    	ssl.honor-cipher-order	= "enable"
    	ssl.cipher-list		= "AES128+EECDH:AES256+EECDH:AES128+EDH:AES256+EDH:AES128-SHA:AES256-SHA:!aNULL:!eNULL:!DSS"
    
    	$HTTP["host"] =~ ".*" {
    		url.rewrite-once = ( ".*" => "index.php" )
    	}
    }
    
    

    Also check to see if there is another /usr/local/sbin/lighttpd_pfb running:

    ps aux | grep lighttpd



  • No.

    I'm missing the ending of your version.  The below is omitted from mine:

    $SERVER["socket"] == "10.10.10.1:80" {
    	$HTTP["host"] =~ ".*" {
    		url.rewrite-once = ( ".*" => "index.php" )
    	}
    }
    
    $SERVER["socket"] == "10.10.10.1:443" {
    	ssl.engine		= "enable"
    	ssl.pemfile		= "/var/unbound/dnsbl_cert.pem"
    	ssl.use-sslv2		= "disable"
    	ssl.use-sslv3		= "disable"
    	ssl.honor-cipher-order	= "enable"
    	ssl.cipher-list		= "AES128+EECDH:AES256+EECDH:AES128+EDH:AES256+EDH:AES128-SHA:AES256-SHA:!aNULL:!eNULL:!DSS"
    
    	$HTTP["host"] =~ ".*" {
    		url.rewrite-once = ( ".*" => "index.php" )
    	}
    }
    


  • Well I am running the Dev version  ::)

    I would disable pfBlockerNG AND DNSBL, then reinstall pfBlockerNG and check the installation log to see if something breaks.



  • Thx for your help.  I'll start from scratch and report back.



  • One last thing ? Are you using Unbound (and not DNS Forwarder)?



  • Yes, I am using Unbound

    Unchecked retain settings, saved and uninstalled/reinstalled. Not getting any errors at all, but still can't get the DNSBL service to start. Maybe someone else on 2.4 who is possibly getting the same issue can chime in to confirm.



  • Check Diagnostics / Sockets to see if some other process has the same ports open:

    User  Command     PID   FD  Proto  Local Address  Foreign Address
    root  lighttpd_p  4228  5   tcp4   *:8081         *:*
    root  lighttpd_p  4228  6   tcp4   *:8443         *:*


    You can also try this in a shell to see if it reports an error:

    /usr/local/etc/rc.d/dnsbl.sh restart
    


  • No other services using those ports

    Using the restart command gives me:

    2016-12-20 21:00:48: (network.c.603) SSL: couldn't read X509 certificate from '/var/unbound/dnsbl_cert.pem'



  • Does /var/unbound/dnsbl_cert.pem exist?



  • Yup, its there.



  • and it looks like a certificate with

    -----BEGIN PRIVATE KEY-----
    
    ...
    
    -----END PRIVATE KEY-----
    -----BEGIN CERTIFICATE-----
    
    ...
    
    -----END CERTIFICATE-----
    
    


  • Looks like this:

    -----BEGIN PRIVATE KEY-----

    .....

    -----END PRIVATE KEY-----



  • Delete the file and do a Force Update to see if this fixes it.



  • I've confirmed that it was deleted, Force Updated, and confirmed that it gets recreated.

    Recreates the same type of format of key, with just Begin and End Private Key.

    Comes up with the same "couldn't read X509 certificate" error as before when trying to restart.



  • Can you try to use the PEM from another 2.3.2 system and test with it?



  • Progress!!

    Yup, that let me start the service and it's showing up green now, but I'm not seeing any packets being blocked.

    ****Disregard that, I see some packet drops, it's working. Sweet, thank you.





  • Blank page and the browser title bar says 10.10.10.1 (1x1)

    That correct?



  • Yes



  • Thanks again, Ron.  Is this easily resolved for a permanent fix?

    2.1.1_6?



  • Can't tell,
    maybe we will get a patch, or another release, or back to 2.1.1_4, only BBcan177 can tell.

    But now we know where the problem is.


  • Moderator

    @RonpfS:

    Can't tell,
    maybe we will get a patch, or another release, or back to 2.1.1_4, only BBcan177 can tell.

    But now we know where the problem is.

    Testing a patch now… Will update in a day or so...



  • PM sent, code changes seem to fix the problem perfectly.



  • Just wanted to chime in for the people trying to get this to work before the patch who wanted a code solution.

    I at least solved this by modifying pfblockerng.inc to use a created config file. Modifications were around line 937 of pfblockerng.inc in /usr/local/pkg/pfblockerng:

    before
    ---------------------

    exec("/usr/bin/openssl req -new -x509 -keyout {$pfb['dnsbl_cert']} -out {$pfb['dnsbl_cert']} -days 3650 -nodes");

    after
    ---------------------

    // Write a minimal openssl req config with prompt=no and a fixed subject,
    // so the non-interactive exec() never stalls on DN prompts.
    // request.cfg is relative to the working directory of the PHP process.
    exec("echo '[req]' > request.cfg");
    exec("echo 'default_bits=3072' >> request.cfg");
    exec("echo 'default_md=sha256' >> request.cfg");
    exec("echo 'prompt=no' >> request.cfg");
    exec("echo 'distinguished_name=req_distinguished_name' >> request.cfg");
    exec("echo '' >> request.cfg");
    exec("echo '[req_distinguished_name]' >> request.cfg");
    exec("echo 'commonName=unbound' >> request.cfg");
    // Same command as before, now driven by the config file; key and cert land in one PEM
    exec("/usr/bin/openssl req -new -x509 -config request.cfg -keyout {$pfb['dnsbl_cert']} -out {$pfb['dnsbl_cert']} -days 3650 -nodes");
    exec("rm -f request.cfg");

    I'm sure your patch does this far more gracefully, however.



  • I failed to post the manual fix by BBcan177 because I thought the patch would have been out relatively quickly, but just realized it has been over 2 weeks since the last correspondence involving this. The following are the instructions BBcan177 gave me to test, which worked perfectly.

    1. Backup file:

    cp /usr/local/pkg/pfblockerng/pfblockerng.inc /tmp/pfblockerng.inc.bk

    2. Edit:

    /usr/local/pkg/pfblockerng/pfblockerng.inc and remove line 937

    exec("/usr/bin/openssl req -new -x509 -keyout {$pfb['dnsbl_cert']} -out {$pfb['dnsbl_cert']} -days 3650 -nodes");

    Here is what Line 937 looks like:
    https://github.com/pfsense/FreeBSD-ports/blob/devel/net/pfSense-pkg-pfBlockerNG/files/usr/local/pkg/pfblockerng/pfblockerng.inc#L937

    3. Then at line 937 add the following code:

    // Subject for the self-signed DNSBL certificate (placeholder values)
    $dn = array(
        'countryName'            => 'CA',
        'stateOrProvinceName'    => 'ST_DNSBL',
        'localityName'           => 'LN_DNSBL',
        'organizationName'       => 'ON_DNSBL',
        'organizationalUnitName' => 'OU_DNSBL',
        'commonName'             => 'CN_DNSBL',
        'emailAddress'           => 'dnsbl@dnsbl.com'
    );

    // Generate a key pair in-process, build a CSR for it and self-sign it for 3650 days
    $pkey = openssl_pkey_new();
    $csr  = openssl_csr_new($dn, $pkey);
    $cert = openssl_csr_sign($csr, NULL, $pkey, 3650);

    // Write the private key followed by the certificate into the single PEM that lighttpd's ssl.pemfile reads
    openssl_pkey_export($pkey, $privatekey);
    openssl_x509_export($cert, $publickey);
    @file_put_contents("{$pfb['dnsbl_cert']}", "{$privatekey}{$publickey}", LOCK_EX);

    The final changes should look like this:

    // Create DNSBL SSL certificate
    if (!file_exists("{$pfb['dnsbl_cert']}")) {
        $log = "\nNew DNSBL cert created";
        pfb_logger("{$log}", 1);

        //exec("/usr/bin/openssl req -new -x509 -keyout {$pfb['dnsbl_cert']} -out {$pfb['dnsbl_cert']} -days 3650 -nodes");

        // Subject for the self-signed DNSBL certificate (placeholder values)
        $dn = array(
            'countryName'            => 'CA',
            'stateOrProvinceName'    => 'ST_DNSBL',
            'localityName'           => 'LN_DNSBL',
            'organizationName'       => 'ON_DNSBL',
            'organizationalUnitName' => 'OU_DNSBL',
            'commonName'             => 'CN_DNSBL',
            'emailAddress'           => 'dnsbl@dnsbl.com'
        );

        // Generate a key pair in-process, build a CSR for it and self-sign it for 3650 days
        $pkey = openssl_pkey_new();
        $csr  = openssl_csr_new($dn, $pkey);
        $cert = openssl_csr_sign($csr, NULL, $pkey, 3650);

        // Write the private key followed by the certificate into the single PEM that lighttpd's ssl.pemfile reads
        openssl_pkey_export($pkey, $privatekey);
        openssl_x509_export($cert, $publickey);
        @file_put_contents("{$pfb['dnsbl_cert']}", "{$privatekey}{$publickey}", LOCK_EX);
    }

    4. Delete the old PEM file

    rm /var/unbound/dnsbl_cert.pem

    5. Go to the Update tab and run a "Force Update", which should rebuild the PEM file

    6. Check to see if the service is running and that the DNSBL logs are still working (Alerts tab)

    7. Manually try to restart the DNSBL service to see if it's working as expected

    /usr/local/etc/rc.d/dnsbl.sh restart
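    The check a practitioner would want after step 5 above, and the one that would have caught the key-only PEM shown earlier in the thread before lighttpd reported "couldn't read X509 certificate": confirm that the file lighttpd's ssl.pemfile points at carries both a private key block and a certificate block, that the certificate parses and is unexpired, and that the two halves belong together. The script below is an added example, not pfBlockerNG or pfSense code and not from any post in this thread. It assumes the openssl CLI is on the box (it is on pfSense) and that the default path is /var/unbound/dnsbl_cert.pem as named in the thread; the function names are mine. The regeneration helper uses `openssl req -subj`, which is a third way of supplying the subject non-interactively alongside the config-file and PHP openssl_csr_new() approaches posted above, not the method the package patch uses.

```shell
#!/bin/sh
# Added example (not pfBlockerNG/pfSense code): sanity-check the combined
# key+certificate PEM that lighttpd's ssl.pemfile expects, and regenerate it
# without prompting. Function names and the default path are assumptions.

# Print the number of PEM blocks whose label ends in $2
# (e.g. "CERTIFICATE", "PRIVATE KEY") found in file $1; 0 if unreadable.
pem_block_count() {
    n=$(grep -c -- "^-----BEGIN .*$2-----" "$1" 2>/dev/null) || n=${n:-0}
    echo "${n:-0}"
}

# Structural check: one file must carry at least one private key block AND
# at least one certificate block. A key-only file (the symptom in this
# thread) fails here before lighttpd ever gets to parse it.
pem_has_key_and_cert() {
    f="$1"
    if [ ! -r "$f" ]; then
        echo "$f: missing or unreadable" >&2
        return 1
    fi
    keys=$(pem_block_count "$f" "PRIVATE KEY")
    certs=$(pem_block_count "$f" "CERTIFICATE")
    if [ "$keys" -lt 1 ] || [ "$certs" -lt 1 ]; then
        echo "$f: $keys private key block(s), $certs certificate block(s); lighttpd needs both" >&2
        return 1
    fi
    return 0
}

# Cryptographic check (needs the openssl CLI): the certificate parses and is
# not already expired, and its public key equals the public half of the
# private key stored in the same file.
pem_key_matches_cert() {
    f="$1"
    openssl x509 -in "$f" -noout -checkend 0 >/dev/null 2>&1 || {
        echo "$f: certificate missing, unparsable or expired" >&2
        return 1
    }
    cert_pub=$(openssl x509 -in "$f" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$f" -pubout 2>/dev/null) || return 1
    [ "$cert_pub" = "$key_pub" ] || {
        echo "$f: private key does not match certificate" >&2
        return 1
    }
}

# Regenerate a self-signed pair without prompting: -subj supplies the whole
# subject, so `openssl req` never stops for DN input. Key and certificate are
# written to separate temp files and concatenated key-first, which is the
# order the thread shows for a working PEM.
make_self_signed_pem() {
    out="$1"
    cn="${2:-dnsbl}"
    tmpk=$(mktemp) || return 1
    tmpc=$(mktemp) || return 1
    if openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 3650 \
            -subj "/CN=$cn" -keyout "$tmpk" -out "$tmpc" >/dev/null 2>&1; then
        cat "$tmpk" "$tmpc" > "$out" && chmod 600 "$out"
        rc=$?
    else
        rc=1
    fi
    rm -f "$tmpk" "$tmpc"
    return $rc
}

# Usage: sh check_dnsbl_pem.sh /var/unbound/dnsbl_cert.pem
# Prints "<file>: OK" and exits 0 only when both checks pass.
if [ $# -gt 0 ]; then
    pem_has_key_and_cert "$1" && pem_key_matches_cert "$1" && echo "$1: OK"
fi
```

    Run it against /var/unbound/dnsbl_cert.pem right after a Force Update; if it reports only private key blocks, the certificate step of whatever generated the file never ran, which is exactly the state the thread's 2.4 installs were in. A file that passes both checks but still fails to load points at lighttpd rather than at the PEM.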



  • Thank you, this has now worked for me,
    which I have also added to the page https://www.facebook.com/groups/pfsense.official/ to help others.

