PfBlockerNG 2.1.1_5 / Pfsense 2.4



  • Just wanted to chime in for the people trying to get this to work before the patch and wanted a code solution.

    I at least solved this by modifying pfblockerng.inc to use a created config file. Modification were around ln 937 of pfblockerng.inc in /usr/local/pkg/pfblockerng:

    before
    –--------------------

    exec("/usr/bin/openssl req -new -x509 -keyout {$pfb['dnsbl_cert']} -out {$pfb['dnsbl_cert']} -days 3650 -nodes");
    

    after
    –--------------------

    		        exec("echo '[req]' > request.cfg");
    			exec("echo 'default_bits=3072' >> request.cfg");
    			exec("echo 'default_md=sha256' >> request.cfg");
    			exec("echo 'prompt=no' >> request.cfg");
    			exec("echo 'distinguished_name=req_distinguished_name' >> request.cfg");
    			exec("echo '' >> request.cfg");
    			exec("echo '[req_distinguished_name]' >> request.cfg");
    			exec("echo 'commonName=unbound' >> request.cfg");
    			exec("/usr/bin/openssl req -new -x509 -config request.cfg -keyout {$pfb['dnsbl_cert']} -out {$pfb['dnsbl_cert']} -days 3650 -nodes");
    			exec("rm -f request.cfg");
    

    I'm sure your patch does this far more gracefully however



  • I failed to post the manual fix by BBcan177 because I thought the patch would have been out relatively quickly but just realized it has been over 2 weeks since the last correspondence involving this.  The following is the instructions BBcan177 gave me to test that worked perfectly.

    1. Backup file:

    cp /usr/local/pkg/pfblockerng/pfblockerng.inc /tmp/pfblockerng.inc.bk

    1. Edit:

    /usr/local/pkg/pfblockerng/pfblockerng.inc  and remove line 937

    exec("/usr/bin/openssl req -new -x509 -keyout {$pfb['dnsbl_cert']} -out {$pfb['dnsbl_cert']} -days 3650 -nodes");

    Here is what Line 937 looks like:
    https://github.com/pfsense/FreeBSD-ports/blob/devel/net/pfSense-pkg-pfBlockerNG/files/usr/local/pkg/pfblockerng/pfblockerng.inc#L937

    1. Then at line 937 add the following code:

    $dn = array (  'countryName'          => 'CA',
                                            'stateOrProvinceName'  => 'ST_DNSBL',
                                            'localityName'          => 'LN_DNSBL',
                                            'organizationName'      => 'ON_DNSBL',
                                            'organizationalUnitName'=> 'OU_DNSBL',
                                            'commonName'            => 'CN_DNSBL',
                                            'emailAddress'          => 'dnsbl@dnsbl.com'
                                            );

    $pkey  = openssl_pkey_new();
                            $csr    = openssl_csr_new($dn, $pkey);
                            $cert  = openssl_csr_sign($csr, NULL, $pkey, 3650);

    openssl_pkey_export($pkey, $privatekey);
                            openssl_x509_export($cert, $publickey);
                            @file_put_contents("{$pfb['dnsbl_cert']}", "{$privatekey}{$publickey}", LOCK_EX);

    The final changes should look like this:

    // Create DNSBL SSL certificate
                    if (!file_exists ("{$pfb['dnsbl_cert']}")) {
                            $log = "\nNew DNSBL cert created";
                            pfb_logger("{$log}", 1);

    //exec("/usr/bin/openssl req -new -x509 -keyout {$pfb['dnsbl_cert']} -out {$pfb['dnsbl_cert']} -days 3650 -nodes");

    $dn = array (  'countryName'          => 'CA',
                                            'stateOrProvinceName'  => 'ST_DNSBL',
                                            'localityName'          => 'LN_DNSBL',
                                            'organizationName'      => 'ON_DNSBL',
                                            'organizationalUnitName'=> 'OU_DNSBL',
                                            'commonName'            => 'CN_DNSBL',
                                            'emailAddress'          => 'dnsbl@dnsbl.com'
                                            );

    $pkey  = openssl_pkey_new();
                            $csr    = openssl_csr_new($dn, $pkey);
                            $cert  = openssl_csr_sign($csr, NULL, $pkey, 3650);

    openssl_pkey_export($pkey, $privatekey);
                            openssl_x509_export($cert, $publickey);
                            @file_put_contents("{$pfb['dnsbl_cert']}", "{$privatekey}{$publickey}", LOCK_EX);
                    }

    1. Delete the old PEM file

    rm /var/unbound/dnsbl_cert.pem

    1. Goto Update Tab and run a "Force Update" which should rebuild the PEM file

    2. Check to see if the service is running and that the DNBSL Logs are still working (Alerts Tab)

    3. Manually try to restart the DNSBL Service to see if its working as expected

    /usr/local/etc/rc.d/dnsbl.sh restart



  • Thank you this has now worked for me
    Which I have also added to the page https://www.facebook.com/groups/pfsense.official/ to help others…


Log in to reply