Firewall blocking rsync by default, but allow rule in place
-
Hi,
Can't figure out why pfSense is blocking port 873 TCP via the default block rule, although I explicitly placed a rule in the top spot to allow that traffic.
This is what the log is showing.
I have absolutely no clue.
-
@toddehb is 192.168.1.4 part of the serverlan net?
Did you actually load your rules? It's possible they didn't actually get applied. You can look in the full ruleset to see.
https://docs.netgate.com/pfsense/en/latest/firewall/pf-ruleset.html
-
+1 to John. Just adding
https://docs.netgate.com/pfsense/en/latest/troubleshooting/firewall.html#new-rules-are-not-applied
and that there was a recent post with a similar complaint, and it turned out an error was causing the rules to not load.
-
Yeah, rules were not loaded. Found an issue on the box reporting this to me:
18:39:07 There were error(s) loading the rules: /tmp/rules.debug:30: cannot define table pfB_Asia_v4: Cannot allocate memory - The line in question reads [30]: table <pfB_Asia_v4> persist file "/var/db/aliastables/pfB_Asia_v4.txt"
Disabled the pfBlocker GeoIP feature for now till I find out what that means. Maybe my box is too limited.
-
@toddehb you just need to update the table size.
I think it defaults to something pretty low when using large lists from pfBlocker. Just up it; as you can see, I have mine set at 1.6 mil.
System > Advanced > Firewall & NAT
Once you change it, the note below will say what is default for the system ;)
-
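A quick way to see whether the pfBlockerNG tables fit in pf's table-entries limit before pf refuses to load them, as an added example that nobody in this thread posted. It assumes the `pfctl -sm` memory-limit listing (which reports `table-entries hard limit N`, the value pfSense derives from the Firewall Maximum Table Entries setting under System > Advanced > Firewall & NAT) and one address per line in the alias table files under /var/db/aliastables, the directory named in the error above. Both inputs are constructed here so the script runs offline; the table contents are not a real feed.

```shell
#!/bin/sh
# Added example, not from the thread: estimate whether the pfBlockerNG alias
# tables fit under pf's table-entries hard limit, the limit behind
# "cannot define table ...: Cannot allocate memory" when rules are loaded.
# On a real pfSense box the inputs come from `pfctl -sm` and from
# /var/db/aliastables/*.txt; the data below is constructed so this runs offline.

# Extract the table-entries hard limit from `pfctl -sm` output read on stdin.
pf_table_limit() {
    awk '$1 == "table-entries" && $2 == "hard" && $3 == "limit" { print $4; exit }'
}

# Count address entries across all alias table files in a directory.
# One entry per line; blank lines and '#' comment lines are skipped.
alias_table_entries() {
    cat "$1"/*.txt 2>/dev/null | grep -v '^[[:space:]]*$' | grep -v '^#' | wc -l | tr -d ' '
}

# Compare need against limit. The limit is shared by every table pf loads
# (pfSense's own aliases, bogons, sshguard, ...), so a total at or above it
# will fail and anything close to it deserves headroom. Returns 0 when the
# entries fit, 1 when they do not.
check_table_fit() {
    limit=$1
    needed=$2
    if [ "$needed" -ge "$limit" ]; then
        echo "exceeds: $needed entries needed vs table-entries hard limit $limit"
        echo "  raise Firewall Maximum Table Entries (System > Advanced > Firewall & NAT)"
        return 1
    fi
    echo "ok: $needed entries needed vs table-entries hard limit $limit"
    return 0
}

# Constructed stand-in for /var/db/aliastables: two tiny GeoIP-style tables
# written into the directory given as $1.
write_sample_tables() {
    mkdir -p "$1"
    cat > "$1/pfB_Asia_v4.txt" <<'EOF'
# constructed sample, not a real pfBlockerNG feed
1.0.1.0/24
1.0.2.0/23
1.0.8.0/21

EOF
    cat > "$1/pfB_Europe_v4.txt" <<'EOF'
2.16.0.0/13
5.0.0.0/16
EOF
}

# Constructed stand-in for `pfctl -sm` output, in pf's own column layout.
sample_pfctl_sm() {
    cat <<'EOF'
states        hard limit  396000
src-nodes     hard limit  396000
frags         hard limit    5000
table-entries hard limit  200000
EOF
}

# Demo run: the small constructed tables fit, a GeoIP-sized load does not.
tmp=$(mktemp -d)
write_sample_tables "$tmp"
limit=$(sample_pfctl_sm | pf_table_limit)
needed=$(alias_table_entries "$tmp")
check_table_fit "$limit" "$needed"
check_table_fit "$limit" 1500000
rm -rf "$tmp"
```

On the firewall itself, swap the two sample sources for `pfctl -sm | pf_table_limit` and `alias_table_entries /var/db/aliastables` and compare the real numbers; after raising the setting and reloading, `pfctl -sr | grep 873` is the quick way to confirm the rsync pass rule actually made it into the running ruleset.
-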
@johnpoz said in Firewall blocking rsync by default, but allow rule in place:
@toddehb you just need to update the table size.
I think it defaults to something pretty low when using large lists from pfBlocker. Just up it; as you can see, I have mine set at 1.6 mil.
System > Advanced > Firewall & NAT
Once you change it, the note below will say what is default for the system ;)
Thanks. Increased to 2M. Should be sufficient, hopefully. Have 8GB RAM, so plenty of space left to increase more if needed ;-)
-
Long ago I saw the package maintainer suggest a minimum of 2 million but it depends on usage. Some block lists are large.
-
@steveits said in Firewall blocking rsync by default, but allow rule in place:
Long ago I saw the package maintainer suggest a minimum of 2 million but it depends on usage. Some block lists are large.
Might be a good default, especially to decrease the amount of questions in this forum ;-)
What is confusing me a little bit is the fact that when looking under Diagnostics/States, I don't see that many state entries, even with pfBlocker enabled. Is what is being shown just some kind of summary?
-
@toddehb it's not states, it's table entries, you know, the thing that stores all the IPs that pfBlocker is blocking, etc.
-
@johnpoz said in Firewall blocking rsync by default, but allow rule in place:
@toddehb it's not states, it's table entries, you know, the thing that stores all the IPs that pfBlocker is blocking, etc.
Yup, just noticed myself.