Pfr_update_stats: assertion failed.



  • That message fills my logs and eventually pfSense completely stops responding and I have to reboot it.

    All I did was add a custom list under IPv4 to block specific domains.

    I also noticed that firewall rules I make have no effect.  As far as I can tell, I made the rules correctly but no matter what priority I set them to, they have no effect at all.  pfBlockerNG is the only package I have installed and my setup is fairly close to the default settings.  I can only guess pfBlockerNG is somehow overriding my rules.

    Anyone have any advice on how to resolve this?


  • Moderator

    This is usually caused by a Feed adding "127.0.0.1"... Go to the General Tab and enable "Suppression", then run a "Force Reload - All"... That will remove any loopback or RFC1918 addresses...

    However, you don't want to add Domains to the IPv4/6 Tabs... Domains are added to the DNSBL Tab... If you are manually entering domains in the customlist... Don't add "127.0.0.1" before the domain... It's not required... Just list the domain one per line.



  • Thanks!

    I'll give that a try some time tomorrow.  I'm too tired to deal with it right now.



  • So, I enabled De-Duplication, CIDR Aggregation, and Suppression.  I'm down to only about 4-12 of those assertion failed notices a day, instead of it completely filling my logs and then crashing my router.  I'm not entirely sure if all those are necessary/helpful (don't even know what a CIDR is) but I'd read elsewhere that they all help to reduce that error.  I've been occasionally (about once a week) going in and forcing a reload just to prevent the errors from getting worse.

    I'll have to try moving the list to the DNSBL tab, when I figure out how to do that.  I've just been too busy to mess with it really.

    I never put the loopback address anywhere in my custom domain block list.  It just doesn't seem to like when I add custom lists to the IPv4 section.  My list was nothing but a handful of domains used for logging into certain services that couldn't be blocked at the device itself.  I'm just not a fan of phone home behavior, especially when there's no option to turn it off.


  • Moderator

    I believe that you added a loopback address in the IPv4 Customlist. The customlist is not filtered by the  "Suppression" feature.

    The IPv4/6/GeoIP tabs are primarily used to add IP based Feeds. You can also manually add IPs to the customlist at the bottom of any Alias.

    The DNSBL Feeds tab is used for Domain based Feeds. There is also a customlist at the bottom of each group, where you can manually add domains to be blocked.

    You can run these commands to see if there are any loopback addresses:

    grep "^127\." /var/db/pfblockerng/deny/*
    grep "^127\." /var/db/aliastables/*
    

    If there are no Loopback addresses, then your "pfr_update_stats: assertion failed." error could be caused by something else?

    Hope that helps…



  • The first command returned nothing but the second one returned the following at least a hundred times.

    /var/db/aliastables/pfB_BlockListMalware.txt:127.0.0.1

    I checked my malware lists and this one seems to be the problem.

    http://www.malwaredomainlist.com/hostslist/hosts.txt

    I deleted it, forced a reload and it continued to show the loopback address listed in the malware block list.  So, I disabled the entire list, forced a reload, re-enabled it, forced another reload and, while I'm not entirely sure it's still using the malware blocklist, at least it's not returning the loopback address when I enter the command anymore.

    I might try rebooting my router, just to see if that sorts everything out.

    Either way, thanks for the help.
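
The grep check from the thread, extended as an added example (not code from any poster or from pfBlockerNG): it reports per table file how many entries are loopback or RFC1918, and it also catches hosts-format lines such as "127.0.0.1 domain". The function names and the sample file contents are constructed; on the firewall you would pass the paths used in the grep commands above.

```shell
#!/bin/sh
# Added example. Counts loopback (127.0.0.0/8) and RFC1918 entries in
# table files, reading the first field of each line as the address.

# scan_tables FILE... -> one line per file that contains a hit:
#   "<file> loopback=N rfc1918=N"
scan_tables() {
    for f in "$@"; do
        [ -f "$f" ] || continue
        awk -v name="$f" '
            NF == 0 || $1 ~ /^#/ { next }      # skip blank lines and comments
            {
                addr = $1
                sub(/\/.*/, "", addr)          # drop a CIDR suffix such as /24
                if (split(addr, o, ".") != 4) next
                if (o[1] == 127) lo++
                else if (o[1] == 10 ||
                         (o[1] == 172 && o[2] >= 16 && o[2] <= 31) ||
                         (o[1] == 192 && o[2] == 168)) priv++
            }
            END {
                if (lo + priv > 0)
                    printf "%s loopback=%d rfc1918=%d\n", name, lo, priv
            }
        ' "$f"
    done
}

# make_sample DIR -> writes two constructed table files for a dry run
make_sample() {
    cat > "$1/pfB_Sample.txt" <<'EOF'
# constructed sample, not real feed data
127.0.0.1
127.0.0.1 tracker.example.test
10.1.2.0/24
172.16.5.4
172.32.0.1
192.168.1.1
203.0.113.7
EOF
    printf '203.0.113.9\n198.51.100.0/24\n' > "$1/clean.txt"
}

# Run against the paths given on the command line, if any.
if [ "$#" -gt 0 ]; then scan_tables "$@"; fi
```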

