Did I find a bug or did I make a configuration mistake?



  • I experienced some very slow page loads, so I looked at the firewall and found blocked traffic that I had to unblock (samples below):

    Feb 27 04:40:10 	DATA 	DATA: Allow pfBlocker to Access it's web server (1488139862) 	172.16.30.10:35204		127.0.0.1:8443		TCP:S
    Feb 27 04:40:10 	DATA 	DATA: Allow pfBlocker to Access it's web server (1488139862) 	172.16.30.10:58728		127.0.0.1:8081		TCP:S
    Feb 27 04:40:10 	DATA 	DATA: Allow pfBlocker to Access it's web server (1488139862) 	172.16.30.10:58726		127.0.0.1:8081		TCP:S
    Feb 27 04:40:10 	DATA 	DATA: Allow pfBlocker to Access it's web server (1488139862) 	172.16.30.10:35192		127.0.0.1:8443		TCP:S 
    

    My configuration doesn't really use the LAN 172.16.0.1/24; all traffic is on VLANs, and the 172.16.30.1/24 network contains the PCs that browse the web.

    DNSBL Listening Interface: LAN
    DNSBL Firewall Rule: DATA

    Should pfBlocker be generating rules to pass traffic to 127.0.0.1?  I found a workaround that seems to be doing the job, but if I've found a bug I want to make sure the devs know about it.

    Can someone please advise me.


  •

    DNSBL - DNSBL Firewall Rule



  • @doktornotor:

    DNSBL - DNSBL Firewall Rule

    Can you please be more specific… I do have DNSBL firewall rule enabled.

    The help says:
    This will create a 'Floating' Firewall rule to allow traffic from the Selected Interface(s) below
    to access the DNSBL VIP on the LAN interface. This is only required for multiple LAN Segments.

    This is a multi LAN use case:
    DNSBL Listening Interface is LAN
    So I have selected  DATA the name of the VLAN that I want to use for web browsing.

    Is that correct?



  • Do you have suppression enabled?  It removes 127.0.0.1 from the tables.

    grep "127.0.0.1"  /var/db/pfblockerng/deny/*  /var/db/aliastables/*

    Then check the NAT rules for DNSBL and the Floating FW rule for DNSBLIP.



  • @RonpfS:

    Do you have suppression enabled?  It removes 127.0.0.1 from the tables.

    No I didn't, but I added it now and still have the same problem.

    Note to devs:

    Just as an aside, why would the default for that setting not be on rather than off?

    I imported a list which had local addresses and got really screwed… I didn't realise that it was important to have that checked. I would think, based on what I know about most block lists, that if someone doesn't turn it on they are asking for real trouble.

    Also the text "This will prevent Selected IPs from being blocked. Only for IPv4 lists (/32 and /24)." could be better.  My thinking was that because I wasn't using any suppression lists that I created, I didn't need this checked.  I missed "This will also remove any RFC1918 addresses from all lists."

    How about:
    Leave this checked to prevent RFC1918 addresses in lists from breaking the firewall
    and then whatever you want under the (i) bubble.

    @RonpfS:

    grep "127.0.0.1"  /var/db/pfblockerng/deny/*  /var/db/aliastables/*

    Done… Nothing found.  even looked manually just to be double sure.

    @RonpfS:

    Then check the NAT rules for DNSBL and the Floating FW rule for DNSBLIP.

    The rules seem to be there.  They were at the bottom, and I moved them to the top.

    I wonder if the problem is that I keep DNS (and NTP) captive to prevent a program from using its own DNS server and going around the firewall.

    Here's what I'm doing:

    Rules

    Interface  Protocol  Source Address  Source Ports  Dest. Address   Dest. Ports  NAT IP     NAT Ports  Description
    LAN        TCP       *               *             172.17.0.1      443 (HTTPS)  127.0.0.1  8443       pfB DNSBL - DO NOT EDIT
    LAN        TCP       *               *             172.17.0.1      80 (HTTP)    127.0.0.1  8081       pfB DNSBL - DO NOT EDIT
    LAN        TCP/UDP   *               *             !LAN address    53 (DNS)     127.0.0.1  53 (DNS)   Redirect DNS Requests
    LAN        TCP/UDP   *               *             !LAN address    123 (NTP)    127.0.0.1  123 (NTP)  Redirect NTP Requests
    DATA       TCP/UDP   *               *             !DATA address   53 (DNS)     127.0.0.1  53 (DNS)   Redirect DNS Requests
    DATA       TCP/UDP   *               *             !DATA address   123 (NTP)    127.0.0.1  123 (NTP)  Redirect NTP Requests
    VLAN1      TCP/UDP   *               *             !VLAN1 address  53 (DNS)     127.0.0.1  53 (DNS)   Redirect DNS Requests
    VLAN1      TCP/UDP   *               *             !VLAN1 address  123 (NTP)    127.0.0.1  123 (NTP)  Redirect NTP Requests

    Any suggestions?

    Do I have a use case that pfBlocker isn't supposed to handle automatically, or did my non-standard setup discover a bug?

    With pass rules for 127.0.0.1:8081 / 127.0.0.1:8443 on the DATA interface, things work fine.  If there is a better way, or if I've found a bug, please let me know.

    I could just let this go, but I want to provide the devs as good quality feedback as I can.



  • I don't know if this is the same on 2.1.1_6, but do you have a multiple interface choice in Permit Firewall Rules?

    The DNSBL IP Floating FW rule is on LAN & TEST interfaces




  • @guardian:

    @RonpfS:

    Then check the NAT rules for DNSBL and the Floating FW rule for DNSBLIP.

    The rules seem to be there.  They were at the bottom, and I moved them to the top.

    The rules are autogenerated by pfBlockerNG, so they will be reordered when at next Update.



  • @RonpfS:

    The rules are autogenerated by pfBlockerNG, so they will be reordered when at next Update.

    Thanks…

    @RonpfS:

    I don't know if this is the same on 2.1.1_6, but do you have a multiple interface choice in Permit Firewall Rules?

    The DNSBL IP Floating FW rule is on LAN & TEST interfaces

    I have a drop down that lets me pick a single interface for the listening interface: set to LAN.

    I can make multiple selections on the firewall rule: Single selection DATA (VLAN I'm using to browse with).



  • The VIP is 172.17.0.1 ?

    And did you try adding LAN to the Permit Firewall Rules?



  • @RonpfS:

    The VIP is 172.17.0.1 ?

    Yes

    @RonpfS:

    And did you try adding LAN to the Permit Firewall Rules?

    Not originally, but I just tried it. It didn't fix the issue. I couldn't see any changes to the rules / LAN / DATA VLAN or NAT.



  • Not sure, but I remember seeing some changes about the rules in the DEV version.
    Wait until BBcan177 gets back to read the forum.


  •

    @guardian:

    I experienced some very slow page loads, so I looked at the firewall and found blocked traffic that I had to unblock (samples below):

    My configuration doesn't really use the LAN 172.16.0.1/24; all traffic is on VLANs, and the 172.16.30.1/24 network contains the PCs that browse the web.

    DNSBL Listening Interface: LAN
    DNSBL Firewall Rule: DATA

    You need to ensure that the VLAN devices can ping and browse to the DNSBL IP. The default Permit rule is an optional rule to allow multiple LAN segments to access the DNSBL VIP address. So you can skip this option and create your own rule if that's easier.

    For the optional rule, you should be able to select all of the vlans in the select options (ctrl-click) and allow traffic to the dnsbl Web server on the dnsbl listening interface.



  • @BBcan177:

    You need to ensure that the VLAN devices can ping and browse to the DNSBL IP. The default Permit rule is an optional rule to allow multiple LAN segments to access the DNSBL VIP address. So you can skip this option and create your own rule if that's easier.

    For the optional rule, you should be able to select all of the vlans in the select options (ctrl-click) and allow traffic to the dnsbl Web server on the dnsbl listening interface.

    In my case I am hitting the default deny rule IPv4 (1000000103) on 127.0.0.1:8081 / :8443 NOT the VIP.  Any thoughts on that?

    At least I've learned enough to unblock them, but I'm wondering if I screwed something up, or if there is an issue that pfBlockerNG is overlooking?

    I posted my rules above, but in my case I'm keeping DNS/NTP caged with port forwarding rules so that programs can go around the firewall with their own server settings.
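As an added illustration (not part of the thread or of pfBlockerNG's own code), a small Python model of why a pass rule keyed on the DNSBL VIP can still leave DATA clients hitting the default deny: pf applies the rdr (port forward) translation before the filter rules are evaluated, so the filter sees 127.0.0.1:8081/8443, which is exactly what the blocked entries show. The VIP, ports and NAT rows are taken from the thread; the rule tuples, the log parser and the copied sample log line are my own constructions.

```python
from dataclasses import dataclass

DNSBL_VIP = "172.17.0.1"  # the VIP confirmed in the thread

# NAT rows "pfB DNSBL - DO NOT EDIT": (dst, dport) -> (nat_ip, nat_port).
RDR_RULES = {
    (DNSBL_VIP, 443): ("127.0.0.1", 8443),
    (DNSBL_VIP, 80): ("127.0.0.1", 8081),
}

@dataclass(frozen=True)
class Packet:
    iface: str
    src: str
    dst: str
    dport: int

def apply_rdr(pkt: Packet) -> Packet:
    """pf rewrites the destination (rdr) before filtering, so the filter
    rules see the NAT IP/port rather than the VIP the client dialled."""
    nat = RDR_RULES.get((pkt.dst, pkt.dport))
    return pkt if nat is None else Packet(pkt.iface, pkt.src, *nat)

def evaluate(pkt: Packet, pass_rules) -> str:
    """First matching pass rule wins; otherwise the interface default deny.
    A pass rule is (iface, dst, dport); dport None means any port."""
    seen = apply_rdr(pkt)
    for iface, dst, dport in pass_rules:
        if iface == seen.iface and dst == seen.dst and dport in (None, seen.dport):
            return "pass"
    return f"block: default deny on {seen.iface} to {seen.dst}:{seen.dport}"

# Assumed model of the permit option: a pass rule keyed on the VIP address.
VIP_RULE = [("DATA", DNSBL_VIP, None)]
# The poster's workaround: pass rules to the NAT targets themselves.
WORKAROUND = [("DATA", "127.0.0.1", 8081), ("DATA", "127.0.0.1", 8443)]

def parse_block_log(line: str) -> Packet:
    """Parse one tab-separated firewall log line in the format quoted in the
    thread; the entries are already post-NAT, so no rdr is applied here."""
    fields = [f.strip() for f in line.split("\t") if f.strip()]
    iface, src, dst = fields[1], fields[3], fields[4]
    dst_ip, dst_port = dst.rsplit(":", 1)
    return Packet(iface, src.rsplit(":", 1)[0], dst_ip, int(dst_port))

# Constructed copy of one log line from the thread.
SAMPLE_LOG = ("Feb 27 04:40:10\tDATA\tDATA: Allow pfBlocker to Access it's web server "
              "(1488139862)\t172.16.30.10:35204\t\t127.0.0.1:8443\t\tTCP:S")

if __name__ == "__main__":
    client = Packet("DATA", "172.16.30.10", DNSBL_VIP, 443)
    print(evaluate(client, VIP_RULE))     # block: default deny on DATA to 127.0.0.1:8443
    print(evaluate(client, WORKAROUND))   # pass
```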

