    Having problems with Firewall Aliases URLs not working since update to 2.4.5-p1

    Firewalling
    • IsaacFL
      IsaacFL last edited by

      Instead of updating my pfSense from 2.4.5 to 2.4.5p1, I reinstalled my pfSense router today using my old config.xml and now my URL table Aliases are not working.

      Here are the Aliases from my old config:

      		<alias>
      			<name>GEOIP_CN_v4</name>
      			<type>urltable</type>
      			<url>https://www.ipdeny.com/ipblocks/data/aggregated/cn-aggregated.zone</url>
      			<updatefreq>1</updatefreq>
      			<address>https://www.ipdeny.com/ipblocks/data/aggregated/cn-aggregated.zone</address>
      			<descr><![CDATA[China IPs]]></descr>
      			<detail><![CDATA[China]]></detail>
      		</alias>
      		<alias>
      			<name>GEOIP_CN_v6</name>
      			<type>urltable</type>
      			<url>https://www.ipdeny.com/ipv6/ipaddresses/aggregated/cn-aggregated.zone</url>
      			<updatefreq>1</updatefreq>
      			<address>https://www.ipdeny.com/ipv6/ipaddresses/aggregated/cn-aggregated.zone</address>
      			<descr><![CDATA[China IPs]]></descr>
      			<detail><![CDATA[China]]></detail>
      		</alias>
      		<alias>
      			<name>GEOIP_RU_v4</name>
      			<type>urltable</type>
      			<url>https://www.ipdeny.com/ipblocks/data/aggregated/ru-aggregated.zone</url>
      			<updatefreq>1</updatefreq>
      			<address>https://www.ipdeny.com/ipblocks/data/aggregated/ru-aggregated.zone</address>
      			<descr><![CDATA[Russian IPs ]]></descr>
      			<detail><![CDATA[Russian IPs]]></detail>
      		</alias>
      		<alias>
      			<name>GEOIP_RU_v6</name>
      			<type>urltable</type>
      			<url>https://www.ipdeny.com/ipv6/ipaddresses/aggregated/ru-aggregated.zone</url>
      			<updatefreq>1</updatefreq>
      			<address>https://www.ipdeny.com/ipv6/ipaddresses/aggregated/ru-aggregated.zone</address>
      			<descr><![CDATA[Russian IPs]]></descr>
      			<detail><![CDATA[Russian IPs]]></detail>
      		</alias>
      

      I can browse to the links in my browser and they look like what I would expect.

      Here is the error message I see in the logs.

      Jun 17 12:36:13 	php-fpm 	95445 	/rc.update_urltables: : ERROR: could not update GEOIP_RU_v6 content from https://www.ipdeny.com/ipv6/ipaddresses/aggregated/ru-aggregated.zone
      Jun 17 12:36:12 	php-fpm 	95445 	/rc.update_urltables: : ERROR: could not update GEOIP_RU_v4 content from https://www.ipdeny.com/ipblocks/data/aggregated/ru-aggregated.zone
      Jun 17 12:36:12 	php-fpm 	95445 	/rc.update_urltables: : ERROR: could not update GEOIP_CN_v6 content from https://www.ipdeny.com/ipv6/ipaddresses/aggregated/cn-aggregated.zone
      Jun 17 12:36:12 	php-fpm 	95445 	/rc.update_urltables: : ERROR: could not update GEOIP_CN_v4 content from https://www.ipdeny.com/ipblocks/data/aggregated/cn-aggregated.zone 
      

      I finally had to delete the aliases and associated rules.

      Anybody seen this or could explain what I have done to break them?

      Everything else works fine. I am installed on a Hyper-V VM.

      Version 2.4.5-RELEASE-p1 (amd64)
      built on Tue Jun 02 17:51:17 EDT 2020
      FreeBSD 11.3-STABLE

      • viktor_g
        viktor_g Netgate @IsaacFL last edited by

        @IsaacFL Successfully added https://www.ipdeny.com/ipblocks/data/aggregated/cn-aggregated.zone to my fw aliases on 2.4.5-p1

        or is this error only occurring on updates?

        • IsaacFL
          IsaacFL @viktor_g last edited by

          @viktor_g
          It occurred on the update, but even after deleting them, I can't recreate them.

          I always get:

          The following input errors were detected:
          
              Unable to fetch usable data from URL https://www.ipdeny.com/ipblocks/data/aggregated/cn-aggregated.zone
          

          At least I know it is on my end.

          • viktor_g
            viktor_g Netgate last edited by

            are you able to fetch it manually from pfSense?

            # fetch  https://www.ipdeny.com/ipblocks/data/aggregated/cn-aggregated.zone
            

            in the command line

            • IsaacFL
              IsaacFL @viktor_g last edited by

              @viktor_g said in Having problems with Firewall Aliases URLs not working since update to 2.4.5-p1:

              fetch https://www.ipdeny.com/ipblocks/data/aggregated/cn-aggregated.zone

              This is the error I got:

              Certificate verification failed for /C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
              34374270280:error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed:/build/ce-crossbuild-245/sources/FreeBSD-src/crypto/openssl/ssl/s3_clnt.c:1269:
              fetch: https://www.ipdeny.com/ipblocks/data/aggregated/cn-aggregated.zone: Authentication error
              
              • IsaacFL
                IsaacFL @IsaacFL last edited by

                When I open the link on a browser, it says the certificate is valid. Both Edge Chromium and Firefox.

                • IsaacFL
                  IsaacFL @IsaacFL last edited by

                  Changing https to http does allow it to work.

                  Seems to be an issue with verifying the certificate?

                  • IsaacFL
                    IsaacFL @IsaacFL last edited by

                    I do have Check certificate of aliases URLs Enabled.

                    Verify HTTPS certificates when downloading alias URLs Make sure the certificate is valid for all HTTPS addresses on aliases. If it's not valid or is revoked, do not download it.

                    Not sure when I did that.

                    • IsaacFL
                      IsaacFL last edited by

                      fetch https://www.spamhaus.org/drop/dropv6.txt
                      yields:
                      dropv6.txt 1068 B 14 MBps 00s

                      So it works for some sites.

                      • bmeeks
                        bmeeks last edited by bmeeks

                        I'm not a pfBlockerNG user, but I've seen this particular problem posted about previously, and the cause is the expired AddTrust certificate. There are apparently two solutions. One involves finding and manually deleting that expired certificate in the pfSense CLI. The other solution used by some was to change the URL mode in pfBlockerNG so that the cert is not validated. While not the most secure way of doing things, it was a "working" workaround for the folks posting.

                        • IsaacFL
                          IsaacFL @bmeeks last edited by

                          @bmeeks I am not using pfBlockerNG either.

                          Just trying to download Alias/URL Table.

                          Does give me something to google, but for now I just changed my URLs from https to http. Which, to be honest, isn't needed to encrypt a list of IPs.

                          I assume there will be a fix at some point.

                          • viktor_g
                            viktor_g Netgate @IsaacFL last edited by

                            @IsaacFL ipdeny.com https server is misconfigured and is offering an expired CA certificate (AddTrust) in the chain.

                            you can try this workaround: https://redmine.pfsense.org/issues/10616#note-3

                            more about the AddTrust expiration issue: https://www.ssl.com/blogs/addtrust-external-ca-root-expired-may-30-2020/

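As an added example (not code from this thread, from pfSense or from ipdeny), the script below reads a PEM chain such as the one `openssl s_client -connect www.ipdeny.com:443 -showcerts </dev/null` prints and reports the notAfter date of every certificate in it, so an expired cross-signed CA in a server's chain, like the AddTrust one viktor_g describes, can be spotted independently of whatever the client's own verifier (here FreeBSD `fetch`) decides. The hostname is the one from the thread; the DER walker is deliberately minimal and decodes only as far as tbsCertificate.validity.

```python
import base64, re, sys
from datetime import datetime, timezone

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def der_tlv(buf, pos):
    """Decode one DER tag-length-value at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets that follow
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def der_children(buf, start, end):
    """Yield (tag, value_start, value_end) for each element inside a SEQUENCE body."""
    while start < end:
        tag, vstart, start = der_tlv(buf, start)
        yield tag, vstart, start

def parse_time(tag, raw):
    """Decode an X.509 Time: UTCTime (tag 0x17, YYMMDD...) or GeneralizedTime (0x18, YYYYMMDD...)."""
    s = raw.decode("ascii")
    if tag == 0x17:  # RFC 5280: two-digit years 50-99 mean 19xx, 00-49 mean 20xx
        s = ("19" if int(s[:2]) >= 50 else "20") + s
    return datetime.strptime(s, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def cert_validity(der):
    """Walk Certificate -> tbsCertificate -> validity and return (not_before, not_after)."""
    _, tbs_pos, _ = der_tlv(der, 0)                   # outer Certificate SEQUENCE
    _, start, end = der_tlv(der, tbs_pos)              # tbsCertificate SEQUENCE
    fields = list(der_children(der, start, end))
    if fields[0][0] == 0xA0:                           # skip the optional EXPLICIT [0] version
        fields = fields[1:]
    _, vstart, vend = fields[3]                        # serialNumber, signature, issuer, validity
    not_before, not_after = (parse_time(t, der[a:b]) for t, a, b in der_children(der, vstart, vend))
    return not_before, not_after

def check_chain(pem_text, now=None):
    """Return [(index, not_after, expired)] for every certificate found in pem_text (added example, not pfSense code)."""
    now = now or datetime.now(timezone.utc)
    report = []
    for i, match in enumerate(PEM_RE.finditer(pem_text)):
        der = base64.b64decode("".join(match.group(1).split()))
        _, not_after = cert_validity(der)
        report.append((i, not_after, not_after < now))
    return report

if __name__ == "__main__":  # openssl s_client -connect www.ipdeny.com:443 -showcerts </dev/null | python3 chain_expiry.py
    for i, not_after, expired in check_chain(sys.stdin.read()):
        print(f"cert {i}: notAfter={not_after:%Y-%m-%d} {'EXPIRED' if expired else 'ok'}")
```

A chain whose leaf is "ok" but whose intermediate or root is "EXPIRED" is the server-side misconfiguration described in this thread: browsers build an alternative path to a still-valid root, while an older OpenSSL client rejects the chain as served.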
                            • IsaacFL
                              IsaacFL @viktor_g last edited by

                              @viktor_g

                              Once I read about the cert issue, and that it is an external issue, I decided to just use the http (80) link to ipdeny at least for now.

                              I am not concerned about the country ip list being encrypted and figure they will probably fix it at some point.
