PfBlockerNG causing a network reset error.



  • Trying to troubleshoot a network reset error we have between an external server that backs up files to an internal server behind pfSense with Snort and pfBlockerNG. Our configuration is pfSense 2.4.5, Snort 3.2.9.11 and pfBlockerNG 2.2.5_32 with IP, some Geo and DNSBL with safe search activated. We have tried searching for the IP of both servers in the report logs and neither server appears in the blocked log.

    I need some help to find the cause of the "Connection reset" error. This started after the last update to pfBlockerNG. When we turn off pfBlockerNG the backups work perfectly. The backup uses a TLS connection. When we turn on pfBlockerNG the backups fail with the error "Connection reset". We tried turning off DNSBL with the same results. We tried turning off the IP blacklist with the same results. The only way we seem not to get the error is to turn off pfBlockerNG entirely.

    Any suggestion on how we can debug and find what configuration may be causing this error?

    Thanks



  • @cjbujold said in PfBlockerNG causing a network reset error.:

    Trying to troubleshoot a network reset error we have between an external server that backs up files to an internal server behind pfSense with Snort and pfBlockerNG. Our configuration is pfSense 2.4.5, Snort 3.2.9.11 and pfBlockerNG 2.2.5_32 with IP, some Geo and DNSBL with safe search activated. We have tried searching for the IP of both servers in the report logs and neither server appears in the blocked log.

    I need some help to find the cause of the "Connection reset" error. This started after the last update to pfBlockerNG. When we turn off pfBlockerNG the backups work perfectly. The backup uses a TLS connection. When we turn on pfBlockerNG the backups fail with the error "Connection reset". We tried turning off DNSBL with the same results. We tried turning off the IP blacklist with the same results. The only way we seem not to get the error is to turn off pfBlockerNG entirely.

    Any suggestion on how we can debug and find what configuration may be causing this error?

    @cjbujold I can't say for sure, but a couple of things that you might look at.

    Firstly have you checked the log files?

    I was having some DNS issues which I think I might have solved, and they were due to a frequent number of reloads of the DNS resolver caused by expired block lists.

    How long does the backup take--could pfBlocker be updating during that time? If so it may clear the state table, which will break any open connections. Unless that process is robust enough to re-establish the connection, it will fail.

    Hope that is of some help. Best of luck.



  • @cjbujold said in PfBlockerNG causing a network reset error.:

    The only way we seem not to get the error is to turn off pfBlockerNG entirely.

    There are other options, and using them will show you your issue.
    For example : when you install PfBlockerNG-devel 2.2.5_32 and you activate it - just activate, nothing else - you won't see any issues.
    And things get better : I'll tell you a secret : PfBlockerNG-devel normally does : nothing. Thousands of DNS requests are handled every hour or even every minute, and still : PfBlockerNG-devel does ... nothing. It barely runs.
    Ok, something is running - it's even a PHP script that runs continuously in the background :
    These :
    (screenshot: the two pfBlockerNG background processes)

    The first one collects DNS logs, so the widget continues to show updated data.
    The other one monitors firewall reloading - as pfBlockerNG tends to 'mess' with firewall reload rules, aliases etc.
    These two are just internal maintenance tasks.

    What PfBlockerNG does :
    Once in a while, it tries to reload the feeds that you have set up.
    It parses them all and removes all the duplicates.
    It builds a big list (file) with 'forbidden' IP addresses.
    Same with forbidden domain names.

    Then it (re)starts unbound, the DNS resolver, that uses these two files to do the actual job.
    So, if the real blocker should reveal itself : it's unbound ....

    @cjbujold said in PfBlockerNG causing a network reset error.:

    network reset error

    Most probably : because the IP or URL you use contains a domain name (DNS) that's on one of your lists.
    Remove all the lists, force update reload PfBlockerNG and problem gone.
    Or remove them one by one to see what list it is.

    Time to get your fingers a little bit active, grep through your feeds to check which one contains this IP and/or domain (DNS) name.

    Or whitelist your IP DNS name ;)

    @cjbujold said in PfBlockerNG causing a network reset error.:

    We tried turning off DNSBL with same results

    .... and a force reload etc etc ?
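One way to do the feed search described above, as an added example that is not from the thread or from pfBlockerNG itself: it checks a hostname or IP against feed entries, treating CIDR blocks and parent-domain entries as covering the target, which a literal grep for the full name or address would miss. The feed-directory layout, the plain one-entry-per-line format and the parent-domain behaviour are assumptions; the sample feeds are constructed.

```python
"""Which pfBlockerNG feed covers a host or IP? (example code, not pfBlockerNG's)

Assumptions, not facts from the thread: feed files are plain text, one entry
per line, '#' starts a comment; IP feeds may hold CIDR blocks; a DNSBL entry
for a parent domain also covers its subdomains, so grepping the FQDN can miss it.
"""
import ipaddress
from pathlib import Path


def parse_feed(text):
    """Return the lowercased, non-comment, non-empty entries of one feed file."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            entries.append(line.lower())
    return entries


def ip_matches(entry, ip):
    """True if 'entry' (single IP or CIDR) contains 'ip'; non-IP entries never match."""
    try:
        return ip in ipaddress.ip_network(entry, strict=False)
    except ValueError:
        return False


def domain_matches(entry, host):
    """True if 'entry' equals 'host' or is one of its parent domains."""
    return host == entry or host.endswith("." + entry)


def find_covering_feeds(feeds, target):
    """feeds: {feed_name: [entries]}; target: IP address or hostname.
    Returns sorted (feed_name, entry) pairs whose entry covers the target."""
    try:
        ip = ipaddress.ip_address(target)
        match = lambda e: ip_matches(e, ip)
    except ValueError:
        host = target.lower().rstrip(".")
        match = lambda e: domain_matches(e, host)
    return sorted((name, e) for name, entries in feeds.items() for e in entries if match(e))


def load_feed_dir(directory):
    """Read every *.txt feed in a directory (location of the feed files is an assumption)."""
    return {p.name: parse_feed(p.read_text(errors="replace")) for p in Path(directory).glob("*.txt")}


# Constructed sample feeds standing in for real downloaded lists.
SAMPLE_FEEDS = {
    "geo_block.txt": parse_feed("# GeoIP block\n203.0.113.0/24\n198.51.100.7\n"),
    "ads_dnsbl.txt": parse_feed("ads.example\nbackup-host.example.net  # flagged upstream\n"),
}

if __name__ == "__main__":
    for t in ("203.0.113.45", "files.backup-host.example.net", "192.0.2.1"):
        print(t, "->", find_covering_feeds(SAMPLE_FEEDS, t) or "not in any feed")
```

Point `load_feed_dir` at the directory holding the downloaded feed files and pass the backup server's name or address to `find_covering_feeds` to see which feed to whitelist or drop.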



  • Thank you for the feedback. Will definitely try the suggestions. But from your comments I think that Unbound will be the issue since the backups normally run for about 15+ hours.

    If it is Unbound any suggestion on how to fix it?

    Thanks



  • @cjbujold said in PfBlockerNG causing a network reset error.:

    If it is Unbound any suggestion on how to fix it?

    As said : stop using the feed you selected, the one that contains the IP or domain name that blocks your 'backup'.
    Or whitelist that 'backup'.

    unbound isn't broken nor faulty.
    It's - most probably - a setup question - you are using a feed that starts blocking a "site" you use.



  • @cjbujold said in PfBlockerNG causing a network reset error.:

    Thank you for the feedback. Will definitely try the suggestions. But from your comments I think that Unbound will be the issue since the backups normally run for about 15+ hours.

    If it is Unbound any suggestion on how to fix it?

    Thanks

    As @Gertjan said, pfBlocker and Unbound are functioning correctly and his detailed description is very good.

    Unless the pfBlockerNG list is explicitly blocking your backup, turning off the option to Kill States might solve the problem with your backup breaking.

    The downside would be if you have an infected system that is in communication with a malware site, (or any other undesirable activity that has the firewall open) and a new rule comes in to prevent the undesirable communication, that rule will not break the communication until the state times out or something else happens to reload the firewall states. Depending on how often the firewall is rebooted and/or configuration changes are made that could be days, weeks or even months.

    You may also wish to look at error.log in the pfBlockerNG log tab or from the shell:

    less /var/log/pfblockerng/error.log

    I found that bad feed files can also cause issues. You may need to temporarily disable or remove one or more feeds.

