Firewall requires hard reboot for changes to take effect
-
On an SG-1100 running 2.4.5-RELEASE-p1, has anyone seen any issues with firewall rule changes not taking effect unless a full reboot is carried out? Also getting lots of these messages:
There were error(s) loading the rules: /tmp/rules.debug:25: cannot define table pfB_PRI2_v4: Cannot allocate memory - The line in question reads [25]: table <pfB_PRI2_v4> persist file "/var/db/aliastables/pfB_PRI2_v4.txt"
@ 2020-07-08 17:56:51
Running pfBlockerNG. Table size should be adequate.
-
Rule changes not taking effect are likely due to the error you see preventing the ruleset from being reloaded.
That particular error on 2.4.5-p1 is not from the table size, but from a lack of kernel memory needed at the time it tried to load the tables.
There are a few different ways that could happen, though it is usually a general lack of RAM in the system, for a variety of reasons (too many packages running, for example).
If you go to Status > Filter Reload and trigger a filter reload, does it report any errors?
-
Yes. It throws the same error message as above at the bottom on the page.
As far as packages are concerned, I have only two running, and the live status generally shows RAM usage at around 30%. OpenVPN is available but rarely connected.
-
Hello!
By default, only some of the feeds in the pfb PRI1 group are enabled. The PRI2 group (alienvault feed) is considerably larger and may take more memory (?). Maybe try disabling the PRI2 group?
Alias table IP Counts
-----------------------------
281532 total
262674 /var/db/aliastables/pfB_PRI2_v4.txt
18858 /var/db/aliastables/pfB_PRI1_v4.txt
John
-
OK, disabling that PRI2 group has prevented the error message from appearing. Do you consider that to have been the cause of the failure for rules to take effect too?
-
Hello!
I don't know if that would cause the rule change issue you were seeing.
I had to increase the Firewall Maximum Table Entries setting to get PRI2 to load.
John
-
It almost certainly was the cause. If the ruleset cannot load, the previously loaded rules continue to be used.
In this case the ruleset is loaded correctly at boot because the pfBlocker table has not yet populated but any change after it has pulled in that data could not be applied.
The SG-1100 has limited available RAM. Do you have anything else running that uses significant memory? Snort, Squid etc.?
Steve
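As an added illustration of the point above (this script is not from any poster in the thread and is not pfSense or pfBlockerNG code): a POSIX shell check that recomputes the alias table total from the pfblockerng.log "Alias table IP Counts" block, reads the table-entries hard limit from `pfctl -s memory`, and reports whether a "Cannot allocate memory" reload error coincides with the tables actually exceeding Firewall Maximum Table Entries, or occurred with headroom left, which is the kernel-memory case described above. The sample inputs are constructed (the per-file counts are borrowed from this thread; the 3000000 limit, the other memory lines and the function names are my own assumptions).

```shell
# Constructed sample of `pfctl -s memory` output (values are made up)
PFCTL_MEMORY='states        hard limit   100000
src-nodes     hard limit   100000
frags         hard limit     5000
table-entries hard limit  3000000'

# Constructed "Alias table IP Counts" block in the pfblockerng.log format
# shown in this thread (a subset of the counts posted here)
ALIAS_COUNTS='Alias table IP Counts
-----------------------------
266938 total
232947 /var/db/aliastables/pfB_PRI2.txt
33192 /var/db/aliastables/pfB_Europe_v4.txt
799 /var/db/aliastables/pfB_PRI1.txt'

# Constructed filter reload error line, in the form quoted at the top of the thread
RELOAD_ERROR='There were error(s) loading the rules: /tmp/rules.debug:25: cannot define table pfB_PRI2_v4: Cannot allocate memory'

# Print the table-entries hard limit from `pfctl -s memory` text on stdin.
# This is the value set by Firewall Maximum Table Entries in the GUI.
table_hard_limit() {
    awk '$1 == "table-entries" && $2 == "hard" { print $NF; exit }'
}

# Sum the per-file counts (lines whose second field is a path). The header
# and the "total" line are skipped so the total is recomputed, not trusted.
# Other pf tables (bogons, etc.) also count against the limit, so this is a
# lower bound on real usage.
alias_total() {
    awk '$2 ~ /^\// { sum += $1 } END { printf "%d\n", sum }'
}

# diagnose LIMIT TOTAL ERROR_LINE
# Prints one of:
#   ok             no error text was given
#   table-limit    the alias tables alone need at least LIMIT entries
#   kernel-memory  pf reported ENOMEM although the limit still had headroom
#   reload-error   some other ruleset load error
diagnose() {
    if [ -z "$3" ]; then
        echo ok
    elif [ "$2" -ge "$1" ]; then
        echo table-limit
    else
        case "$3" in
            *"Cannot allocate memory"*) echo kernel-memory ;;
            *) echo reload-error ;;
        esac
    fi
}

# Stand-alone run over the constructed inputs
limit=$(printf '%s\n' "$PFCTL_MEMORY" | table_hard_limit)
total=$(printf '%s\n' "$ALIAS_COUNTS" | alias_total)
echo "table-entries hard limit: $limit, alias table entries: $total, headroom: $((limit - total))"
echo "diagnosis: $(diagnose "$limit" "$total" "$RELOAD_ERROR")"
```

On the firewall itself the three inputs come from `pfctl -s memory`, the "Alias table IP Counts" section of the pfBlockerNG log, and the text shown by Status > Filter Reload. A "kernel-memory" result with a large headroom is the situation in this thread: raising Firewall Maximum Table Entries will not help, because the limit was never reached.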
-
Did anyone ever figure this out, other than disabling pfBlocker? I have the default table count, but it seems that it is not even all being used? Below is taken from pfblockerng.log.
IPv4 alias tables IP count
302610
IPv6 alias tables IP count
18945
Alias table IP Counts
321555 total
232947 /var/db/aliastables/pfB_PRI2.txt
33192 /var/db/aliastables/pfB_Europe_v4.txt
19578 /var/db/aliastables/pfB_Asia_v4.txt
15766 /var/db/aliastables/pfB_Africa_v4.txt
11779 /var/db/aliastables/pfB_Europe_v6.txt
5493 /var/db/aliastables/pfB_Asia_v6.txt
1562 /var/db/aliastables/pfB_Africa_v6.txt
799 /var/db/aliastables/pfB_PRI1.txt
328 /var/db/aliastables/pfB_SAmerica_v4.txt
111 /var/db/aliastables/pfB_SAmerica_v6.txt
0 /var/db/aliastables/pfB_PRI1_v4.txt
pfSense Table Stats
table-entries hard limit 3000000
Table Usage Count 435612
-
Are you running 2.4.5p1? What hardware are you running on?
-
@Be-Bop-Bo, you need to sign up (free account) on maxmind.com/en/geolite2/signup. Once you have a MaxMind license key:
- Go to Firewall > pfBlockerNG > IP > MaxMind GeoIP configuration and insert your key.
- Run an update: Firewall > pfBlockerNG > Update > Run.
- Then select the rules by highlighting them: Firewall > pfBlockerNG > IP > GeoIP > Edit > highlight all IPv4/6 countries. After that you need to run an update again.
That's it.
-
@stephenw10 - Sorry, I guess I am not; I am one back at 2.4.5, not _p1. I am running an SG-1100, though. I have another device that is a full 1U Atom computer, and obviously I do not have this issue there. Is it based on the total RAM available? The SG-1100 currently sits at around 68%-72% utilized.
If I disable everything else and only go with the AV reputation list, I continue to get the errors about memory allocation. That seems weird to me, as it does not seem to have enough items to fill the table allocation.
-
@AKEGEC - I do have some GeoIP restriction working with a free MaxMind account, but wanted a bit more intelligence-based blocking.
-
You need to update to 2.4.5p1. In 2.4.5 you will be hitting this:
https://redmine.pfsense.org/issues/10414
Steve
-
@stephenw10 From all accounts you are dead on. I did this late last night and I have not received any alerts in nearly 12 hours, other than immediately after the reboot.
Much appreciated!
-
Go to System -> Advanced -> Firewall & NAT: set Firewall Maximum Table Entries to a value of "800000".