<![CDATA[States Not Being Killed PFblockerNG]]>We're experiencing a problem where existing states are not being killed by pfBlockerNG when a new IP is added to an IPv4 alias list.

Running pfSense 2.3.4-RELEASE-p1 on Netgate hardware with pfBlockerNG 2.1.1_10

In Firewall > pfBlockerNG > General, Kill States is checked.

The Alias List config here Firewall > pfBlockerNG > Edit > IPv4 is as follows:
Alias Name: HTTP_Blocked_dynamic_2
IPv4 Lists: Format: Auto, State: ON, Source: http://host/url.txt, Header/Label: HTTP_Blocked
List Action: Alias Deny
Update Frequency: Every Hour
Enable Logging: Enable
States Removal: Enable

When a new IP is added to the HTTP Source and the Cron job runs, the IP is added to the alias list and new connections from this IP are being handled appropriately. However existing states are not being matched and/or killed.

Here is an example from the pfblockerng.log:

===[  Aliastables / Rules  ]==========================================

No changes to Firewall rules, skipping Filter Reload

Updating: pfB_HTTP_Blocked_dynamic_2
1 addresses added.

===[  Kill States  ]==================================================

No matching states found

We know the states for the IP are still there because we can still see them by filtering here: Diagnostics > States > States. If we manually kill the states then the IP's get blocked immediately.

We also attempted this in a lab using the latest builds of pfSense 2.4.0 with pfBlockerNG 2.1.2 and experienced the same issue. The last time we know this was working was with pfSense 2.2.6 which we recently upgraded from.

Any help or suggestions with this would be appreciated.

]]>https://forum.netgate.com/topic/121921/states-not-being-killed-pfblockerngRSS for NodeWed, 17 Jun 2026 07:27:16 GMTTue, 24 Oct 2017 17:10:33 GMT60<![CDATA[Reply to States Not Being Killed PFblockerNG on Wed, 25 Oct 2017 14:01:38 GMT]]>@BBcan177:

Thanks for reporting this… Looks like it wasn't picking up Alias type rules with "pfb_" in the Rule descriptions.

Can you edit:  /usr/local/pkg/pfblockerng/pfblockerng.inc

https://github.com/pfsense/FreeBSD-ports/blob/devel/net/pfSense-pkg-pfBlockerNG/files/usr/local/pkg/pfblockerng/pfblockerng.inc#L5099

and change Line #5099

from:

if ($alias['type'] == 'urltable' && strpos($alias['name'], 'pfB_') !== FALSE && strpos($alias['descr'], '[s]') === FALSE) {

to:
[code]
if ($alias['type'] == 'urltable' &&
    (strpos($alias['name'], 'pfB_') !== FALSE || strpos($alias['name'], 'pfb_') !== FALSE) &&
    strpos($alias['descr'], '[s]') === FALSE) {

Please report back ... Thanks!

I am still having the same issue after changing the code [/s][/code][/s]
]]>https://forum.netgate.com/post/730553https://forum.netgate.com/post/730553Wed, 25 Oct 2017 14:01:38 GMT<![CDATA[Reply to States Not Being Killed PFblockerNG on Wed, 25 Oct 2017 02:09:55 GMT]]>Thanks for reporting this… Looks like it wasn't picking up Alias type rules with "pfb_" in the Rule descriptions.

Can you edit:  /usr/local/pkg/pfblockerng/pfblockerng.inc

https://github.com/pfsense/FreeBSD-ports/blob/devel/net/pfSense-pkg-pfBlockerNG/files/usr/local/pkg/pfblockerng/pfblockerng.inc#L5099

and change Line #5099

from:

if ($alias['type'] == 'urltable' && strpos($alias['name'], 'pfB_') !== FALSE && strpos($alias['descr'], '[s]') === FALSE) {

to:
[code]
if ($alias['type'] == 'urltable' &&
    (strpos($alias['name'], 'pfB_') !== FALSE || strpos($alias['name'], 'pfb_') !== FALSE) &&
    strpos($alias['descr'], '[s]') === FALSE) {

Please report back ... Thanks![/s][/code][/s]
]]>https://forum.netgate.com/post/730490https://forum.netgate.com/post/730490Wed, 25 Oct 2017 02:09:55 GMT