Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Firewall requires hard reboot for changes to take effect

    Scheduled Pinned Locked Moved General pfSense Questions
    15 Posts 7 Posters 1.5k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • O
      oldlock
      last edited by

      On a SG-1100, running 2.4.5-RELEASE-p1 has anyone seen any issues with firewall rule changes not taking effect unless a full reboot is carried out ? Also getting lots of these messages :

      There were error(s) loading the rules: /tmp/rules.debug:25: cannot define table pfB_PRI2_v4: Cannot allocate memory - The line in question reads [25]: table <pfB_PRI2_v4> persist file "/var/db/aliastables/pfB_PRI2_v4.txt"
      @ 2020-07-08 17:56:51

      Running pfblockerNG. Table size should be adequate.

      1 Reply Last reply Reply Quote 0
      • jimpJ
        jimp Rebel Alliance Developer Netgate
        last edited by

        Rule changes not taking effect are likely due to the error you see preventing the ruleset from being reloaded.

        That particular error on 2.4.5-p1 is not from the table size, but from a lack of kernel memory needed at the time it tried to load the tables.

        There are a few different ways that could happen, though usually is from a general lack of RAM in the system for a variety of different ways (too many packages running, for example).

        If you go to Status > Filter Reload and trigger a filter reload, does it report any errors?

        Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

        Need help fast? Netgate Global Support!

        Do not Chat/PM for help!

        1 Reply Last reply Reply Quote 0
        • O
          oldlock
          last edited by

          Yes. It throws the same error message as above at the bottom on the page.

          As far as packages are concerned I have only two running and the live status generally shows ram usage at around 30%. Open VPN is available but rarely connected.

          Capture.JPG

          1 Reply Last reply Reply Quote 0
          • S
            serbus
            last edited by

            Hello!

            By default, only some of the feeds in the pfb PRI1 group are enabled. The PRI2 group (alienvault feed) is considerably larger and may take more memory (?). Maybe try disabling the PRI2 group?

            Alias table IP Counts
            -----------------------------
              281532 total
              262674 /var/db/aliastables/pfB_PRI2_v4.txt
               18858 /var/db/aliastables/pfB_PRI1_v4.txt
            

            John

            Lex parsimoniae

            1 Reply Last reply Reply Quote 0
            • O
              oldlock
              last edited by

              Ok Disabling that PRI2 group has prevented the error message from appearing. Do you consider that was the cause of the failure for rules to take effect too ?

              1 Reply Last reply Reply Quote 0
              • S
                serbus
                last edited by

                Hello!

                I dont know if that would cause the rule change issue you were seeing.

                I had to increase the Firewall Maximum Table Entries setting to get PRI2 to load.

                John

                Lex parsimoniae

                1 Reply Last reply Reply Quote 0
                • stephenw10S
                  stephenw10 Netgate Administrator
                  last edited by

                  It almost certainly was the cause. Is the ruleset cannot load the previous loaded rules continue to be used.

                  In this case the ruleset is loaded correctly at boot because the pfBlocker table has not yet populated but any change after it has pulled in that data could not be applied.

                  The SG-1100 has limited available RAM. Do you have anything else running that uses significanlt memory? Snort, Squid etc?

                  Steve

                  1 Reply Last reply Reply Quote 0
                  • B
                    Be-Bop-Bo
                    last edited by

                    Did anyone ever figure this out, other than disabling PFBlocker? I have the default Table count, but it seems that it is not even being all used? Below is taken from pfblockerng.log.

                    IPv4 alias tables IP count

                    302610

                    IPv6 alias tables IP count

                    18945

                    Alias table IP Counts

                    321555 total
                    232947 /var/db/aliastables/pfB_PRI2.txt
                    33192 /var/db/aliastables/pfB_Europe_v4.txt
                    19578 /var/db/aliastables/pfB_Asia_v4.txt
                    15766 /var/db/aliastables/pfB_Africa_v4.txt
                    11779 /var/db/aliastables/pfB_Europe_v6.txt
                    5493 /var/db/aliastables/pfB_Asia_v6.txt
                    1562 /var/db/aliastables/pfB_Africa_v6.txt
                    799 /var/db/aliastables/pfB_PRI1.txt
                    328 /var/db/aliastables/pfB_SAmerica_v4.txt
                    111 /var/db/aliastables/pfB_SAmerica_v6.txt
                    0 /var/db/aliastables/pfB_PRI1_v4.txt

                    pfSense Table Stats

                    table-entries hard limit 3000000
                    Table Usage Count 435612

                    1 Reply Last reply Reply Quote 1
                    • stephenw10S
                      stephenw10 Netgate Administrator
                      last edited by

                      Are you running 2.4.5p1? What hardware are you running on?

                      B 1 Reply Last reply Reply Quote 0
                      • AKEGECA
                        AKEGEC
                        last edited by

                        @Be-Bop-Bo , You need to sign up (free account) on maxmind.com/en/geolite2/signup. Once you have Maxmind License Key;

                        • go to Firewall > PfblockerNG > IP > MaxMind GeoIP configuration and insert your key.
                        • run an update Firewall > PfblockerNG > Update > Run.
                        • then select the rules by highlighting them. Firewall > pfblockerng > ip > geoIP > edit > Highlighted all ipv4/6 countries. After that you need to run an update again.
                          That's it.
                        B 1 Reply Last reply Reply Quote 1
                        • B
                          Be-Bop-Bo @stephenw10
                          last edited by

                          @stephenw10 - Sorry I guess I am not, I am one back at 2.4.5, not _p1. I am running a SG-1100, though. I have another device that is a full 1U Atom computer and obviously I do not have this issue. Is it based on the total RAM available? The SG-1100 currently sits at around 68%-72% utilized.

                          If I disable everything else and only go with the AV reputation list, I continue to get the errors about memory allocation. That seems weird to me as it does not seem to have enough items to fill the table allocation.

                          1 Reply Last reply Reply Quote 1
                          • B
                            Be-Bop-Bo @AKEGEC
                            last edited by

                            @AKEGEC -I do have some Geo-IP restriction working with a free MaxMind account, but wanted a bit more intelligent based blocking.

                            1 Reply Last reply Reply Quote 1
                            • stephenw10S
                              stephenw10 Netgate Administrator
                              last edited by

                              You need to update to 2.4.5p1. In 2.4.5 you will be hitting this:
                              https://redmine.pfsense.org/issues/10414

                              Steve

                              B 1 Reply Last reply Reply Quote 1
                              • B
                                Be-Bop-Bo @stephenw10
                                last edited by

                                @stephenw10 From all accounts you are dead on. I did this late last night and I have not receive any alerts in nearly 12 hours, other than immediately after the reboot.

                                Much appreciated!

                                1 Reply Last reply Reply Quote 1
                                • C
                                  cvhideki
                                  last edited by

                                  Go to Firewall:System -> Advanced -> Firewall & NAT: Firewall Maximum Table Entries value of "800000"

                                  1 Reply Last reply Reply Quote 0
                                  • First post
                                    Last post
                                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.