pfblockerng-devel error: Unknown Not listed!



  • Hi,

    Can somebody explain, pls, why I get Unknown Not listed in this case:
    56882566-2cc2-4b36-82f0-2bd5f83bb9b9-image.png

    # grep 113.1.135.78 /var/db/pfblockerng/* -r
    /var/db/pfblockerng/deny/CINS_army_v4.txt:113.1.135.78
    /var/db/pfblockerng/mastercat:113.1.135.78
    /var/db/pfblockerng/masterfile:CINS_army_v4 113.1.135.78
    /var/db/pfblockerng/original/CINS_army_v4.orig:113.1.135.78
    

    Why if this IP is not listed, it's still getting blocked?

    Is there a description of what all of those files/folders under /var/db/pfblockerng/ are intended for?

    Thanks in advance!

    PS The old thread was https://forum.netgate.com/topic/131939/pfblockerng-error-unknown-not-listed
    PPS pfBlockerng-devel 2.2.5_27



  • Are you saying you wanted to go to that address and it were blocked? To me intuitively, it seems that the IP address belongs to a GeoIP list of known bad actors but not to a DNSBL feed...so; the IP address will never resolve to a domain name. It seems that you'll need to wait for BBcan177 to explain further!



  • @jazzl0ver said in pfblockerng-devel error: Unknown Not listed!:

    grep 113.1.135.78 /var/db/pfblockerng/*

    Unknow Not Listed normally occur when a IP has been removed and no longer present in /var/db/pfblockerng/deny/*.txt. It can also happen when a Update is running that the file is being rebuilt.

    Example my cron start at 14:15:00, the IP table was being built around 14:20:24 :

    Line 10238: Dec 8 14:19:38,1770009444,xl0,WAN,block,4,6,TCP-S,92.118.37.97,AAA.BBB.CCC.DDD,40887,56027,in,RO,pfB_PRI2_v4,92.118.37.0/24,PRI2_Alienvault_v4,Unknown,wan,| 35606 | IPDONNEROLEG | Donner Oleg Alexeevich |,+
    	Line 10244: Dec 8 14:20:24,1770009444,xl0,WAN,block,4,6,TCP-S,92.118.37.97,AAA.BBB.CCC.DDD,40887,47202,in,RO,pfB_PRI2_v4,Unknown,Unknown,Unknown,wan,| 35606 | IPDONNEROLEG | Donner Oleg Alexeevich |,+
    	Line 10248: Dec 8 14:21:32,1770009444,xl0,WAN,block,4,6,TCP-S,92.118.37.97,AAA.BBB.CCC.DDD,40887,59847,in,RO,pfB_PRI2_v4,92.118.37.0/24,PRI2_Alienvault_v4,Unknown,wan,| 35606 | IPDONNEROLEG | Donner Oleg Alexeevich |,+
    

    Also when searching for IP in /var/db/pfblockerng, you should maybe search for networks instead of hosts : grep 113.1.135. /var/db/pfblockerng/*



  • Oh, so, somehow, somewhere, pfBlockerNG has a list of IP's that doesn't belong to any list and is active and blocking them...in your case 113.1.135.79!



  • Nope.

    During the update process, the FW continue blocking as per the FW rules and Aliases.

    Update fetch the URLs, gather IP data, does De-Duplication, CIDR Aggregation, Suppression etc, it re-creates the /var/dg/pfblockerng/deny/*.txt and some other files.
    At the End of the IP phase, it Update the Aliases for the IP tables in /var/db/aliastables/, reload as per the log

    ===[  Aliastables / Rules  ]==========================================
    
    No changes to Firewall rules, skipping Filter Reload
    
     Updating: pfB_PRI1_v4
    444 addresses added.1073 addresses deleted.
     Updating: pfB_PRI2_v4
    79 addresses added.23 addresses deleted.
     Updating: pfB_PRI3_v4
    494 addresses added.455 addresses deleted.
     Updating: pfB_PRI4_v4
    388 addresses added.31 addresses deleted.
     Updating: pfB_PRI5_v4
    no changes.
     Updating: pfB_Abuse_PS_v4
    no changes.
     Updating: pfB_PFB_Whitelist_v4
    no changes.
     Updating: pfB_DNSBLIP_v4
    413 addresses added.76 addresses deleted.
    

    So during the Update process, if a pfblockerNG FW rules is triggered, (still using the Alias present before the Update started), pfBlockerNG firewall filter service , try to find the feed and update /var/log/pfblockerng/ip_block.log.

    So there is always a window of time when some files go missing from /var/db/pfblockerNG/deny/*.txt, the service will then report the feed as Not listed



  • Thank you very much, @RonpfS !

    Can you pls shed some light on the purpose of other files/folders under /var/db/pfblockerng?



  • @RonpfS said in pfblockerng-devel error: Unknown Not listed!:

    So there is always a window of time when some files go missing from /var/db/pfblockerNG/deny/*.txt, the service will then report the feed as Not listed

    Okay, thank you for thoughtful explanation...awesome!


Log in to reply