pfBlockerNG-devel v3.1.0_19/10

cmcdonald

@renegade

Sorry, try this:

pkg info "py*" unbound

nimrod

@cmcdonald said in pfBlockerNG-devel v3.1.0_19/10:

@renegade

Sorry, try this:

pkg info "py*" unbound

Here it is:

[2.6.0-RELEASE][admin@pfSense.home.arpa]/root: pkg info "py*" unbound
py38-ply-3.11
py38-setuptools-57.0.0
py39-maxminddb-2.0.3
py39-setuptools-57.0.0
py39-sqlite3-3.9.9_7
python38-3.8.12_1
python39-3.9.9
unbound-1.13.2

cmcdonald

@nimrod Thanks. I see the problem. Testing a fix. Standby

cmcdonald

@nimrod can you also share pkg info unbound ?

nimrod

@cmcdonald said in pfBlockerNG-devel v3.1.0_19/10:

@nimrod can you also share pkg info unbound ?

Of course. Here it is:

[2.6.0-RELEASE][admin@pfSense.home.arpa]/root: pkg info unbound
unbound-1.13.2
Name           : unbound
Version        : 1.13.2
Installed on   : Mon Jan 31 21:24:27 2022 CET
Origin         : dns/unbound
Architecture   : FreeBSD:12:amd64
Prefix         : /usr/local
Categories     : dns
Licenses       : BSD3CLAUSE
Maintainer     : jaap@NLnetLabs.nl
WWW            : https://www.nlnetlabs.nl/projects/unbound
Comment        : Validating, recursive, and caching DNS resolver
Options        :
	DEP-RSA1024    : off
	DNSCRYPT       : off
	DNSTAP         : off
	DOCS           : off
	DOH            : on
	ECDSA          : on
	EVAPI          : off
	FILTER_AAAA    : off
	GOST           : on
	HIREDIS        : off
	LIBEVENT       : on
	MUNIN_PLUGIN   : off
	PYTHON         : on
	SUBNET         : off
	TFOCL          : off
	TFOSE          : off
	THREADS        : on
Shared Libs required:
	libexpat.so.1
	libnghttp2.so.14
	libpython3.8.so.1.0
	libevent-2.1.so.7
Shared Libs provided:
	libunbound.so.8
Annotations    :
	FreeBSD_version: 1203500
	build_timestamp: 2022-01-12T15:27:10+0000
	built_by       : poudriere-git-3.3.99.20211130
	cpe            : cpe:2.3:a:nlnetlabs:unbound:1.13.2:::::freebsd12:x64
	port_checkout_unclean: no
	port_git_hash  : 8df9544dcbab
	ports_top_checkout_unclean: yes
	ports_top_git_hash: 7046b65c0d41
	repo_type      : binary
	repository     : pfSense
Flat size      : 7.99MiB
Description    :
Unbound is designed as a set of modular components, so that also
DNSSEC (secure DNS) validation and stub-resolvers (that do not run as
a server, but are linked into an application) are easily possible.

Goals:
    * A validating recursive DNS resolver.
    * Code diversity in the DNS resolver monoculture.
    * Drop-in replacement for BIND apart from config.
    * DNSSEC support.
    * Fully RFC compliant.
    * High performance, even with validation enabled.
    * Used as: stub resolver, full caching name server, resolver library.
    * Elegant design of validator, resolver, cache modules.
          o provide the ability to pick and choose modules.
    * Robust.
    * In C, open source: The BSD license.
    * Smallest as possible component that does the job.
    * Stub-zones can be configured (local data or AS112 zones).

Non-goals:
    * An authoritative name server.
    * Too many Features.

WWW: https://www.nlnetlabs.nl/projects/unbound

cmcdonald

@nimrod Can you now try reinstalling pfBlockerNG-devel on 22.05/2.6, and repeat the above command pkg info "py*" unbound

nimrod

@cmcdonald said in pfBlockerNG-devel v3.1.0_19/10:

@nimrod Can you now try reinstalling pfBlockerNG-devel on 22.05/2.6, and repeat the above command pkg info "py*" unbound

I reinstalled it and here is the output:

[2.6.0-RELEASE][admin@pfSense.home.arpa]/root: pkg info "py*" unbound
py38-maxminddb-2.0.3
py38-ply-3.11
py38-setuptools-57.0.0
py38-sqlite3-3.8.12_7
py39-maxminddb-2.0.3
py39-setuptools-57.0.0
py39-sqlite3-3.9.9_7
python38-3.8.12_1
python39-3.9.9
unbound-1.13.2

cmcdonald

@nimrod That should be correct now. Clear the unbound errors and try again.

nimrod

@cmcdonald said in pfBlockerNG-devel v3.1.0_19/10:

@nimrod That should be correct now. Clear the unbound errors and try again.

Yup. That fixed it. Thank you sir.

BBcan177

@draco said in pfBlockerNG-devel v3.1.0_19/10:

I had hoped this might let pfBlocker directly download a JSON list like the one found at Microsoft Azure IPs. This is a file I manually download and then use pfSense's GUI CMD interface to upload for pfBlocker (I set the format to AUTO). Ran this on 3.1.0_11 just now.

The Link you posted is the HTML page. You need to use the direct link:

https://download.microsoft.com/download/7/1/D/71D86715-5596-4529-9B13-DA13A5DE5B63/ServiceTags_Public_20230123.json

Keep in mind that this will parse all IPs in the json file. You could also create a new shell script to parse this JSON and get more refinement on which IPs to pull ( "Advanced Tunables - Post-Script Script" feature.)

yorke

@bbcan177

I figure out why i was getting those errors some package/feature on pfsense needed to be update (ie unbound and about 4 others ) once I ran the update and reboot and reinstall
PfblockerNG work, no more errors.
Thanks BBcan177

bigjohns97

@cmcdonald I am seeing the same error about missing python modules on 23.01 RC, was this fixed on that version as well?

nimrod

@bigjohns97 said in pfBlockerNG-devel v3.1.0_19/10:

@cmcdonald I am seeing the same error about missing python modules on 23.01 RC, was this fixed on that version as well?

Yes.

Draco

@bbcan177 said in pfBlockerNG-devel v3.1.0_19/10:

he Link you posted is the HTML page. You need to use the direct link:
https://download.microsoft.com/download/7/1/D/71D86715-5596-4529-9B13-DA13A5DE5B63/ServiceTags_Public_20230123.json

Fair enough -- this means I will need to manually update the link each time, but better than copying the file from my computer up to pfSense each time, thanks!

I might have to write a screen-scraper to pull the latest URL off the download page...

bigjohns97

@nimrod Can you confirm what add-on's I should see because they differ than what is posted above.

pkg info "py*" unbound

py311-maxminddb-2.2.0_2
py311-setuptools-63.1.0
py311-sqlite3-3.11.1_8
py39-libzfs-1.1.2022081600
py39-setuptools-63.1.0
py39-yaml-5.4.1
python311-3.11.1_1
python39-3.9.15
unbound-1.17.0

nimrod

@bigjohns97

Is this before or after pfblocker reinstall ?

bigjohns97

@nimrod After

nimrod

@bigjohns97

I just noticed you are on Plus version of pfsense. The output that i shared is from CE edition.

bigjohns97

@nimrod That wouldn't matter, the difference between 2.6/22.x and 2.7/23.x is really what I am trying to confirm was fixed.

@BBcan177 builds the pfblockerng code but I believe netgate dev's such as @cmcdonald are who associate package prerequisites and manage how the actual package is presenting in package manager.

This is why my original question was to @cmcdonald as to whether his fix he did in this thread was also applied to the new 2.7/23.x branch.

cmcdonald

@bigjohns97

Report the output of

pkg info unbound

ldd `which unbound`

pkg info py*

bigjohns97

@cmcdonald said in pfBlockerNG-devel v3.1.0_19/10:

@bigjohns97

Report the output of

pkg info unbound

unbound-1.17.0
Name : unbound
Version : 1.17.0
Installed on : Sat Jan 14 12:37:18 2023 CST
Origin : dns/unbound
Architecture : FreeBSD:14:amd64
Prefix : /usr/local
Categories : dns
Licenses : BSD3CLAUSE
Maintainer : jaap@NLnetLabs.nl
WWW : https://www.nlnetlabs.nl/projects/unbound
Comment : Validating, recursive, and caching DNS resolver
Options :
DEP-RSA1024 : off
DNSCRYPT : on
DNSTAP : off
DOCS : off
DOH : on
ECDSA : on
EVAPI : off
FILTER_AAAA : off
GOST : on
HIREDIS : off
LIBEVENT : on
MUNIN_PLUGIN : off
PYTHON : on
SUBNET : off
TFOCL : off
TFOSE : off
THREADS : on
Shared Libs required:
libsodium.so.23
libpython3.9.so.1.0
libnghttp2.so.14
libexpat.so.1
libevent-2.1.so.7
Shared Libs provided:
libunbound.so.8
Annotations :
FreeBSD_version: 1400073
build_timestamp: 2022-10-27T06:51:33+0000
built_by : poudriere-git-3.3.99.20220831
cpe : cpe:2.3:a:nlnetlabs:unbound:1.17.0:::::freebsd14:x64
port_checkout_unclean: no
port_git_hash : 7b7b452fb8d5
ports_top_checkout_unclean: yes
ports_top_git_hash: 0c964f08a5cb
repo_type : binary
repository : pfSense
Flat size : 8.36MiB
Description :
Unbound is designed as a set of modular components, so that also
DNSSEC (secure DNS) validation and stub-resolvers (that do not run as
a server, but are linked into an application) are easily possible.

Goals:
* A validating recursive DNS resolver.
* Code diversity in the DNS resolver monoculture.
* Drop-in replacement for BIND apart from config.
* DNSSEC support.
* Fully RFC compliant.
* High performance, even with validation enabled.
* Used as: stub resolver, full caching name server, resolver library.
* Elegant design of validator, resolver, cache modules.
o provide the ability to pick and choose modules.
* Robust.
* In C, open source: The BSD license.
* Smallest as possible component that does the job.
* Stub-zones can be configured (local data or AS112 zones).

Non-goals:
* An authoritative name server.
* Too many Features.

WWW: https://www.nlnetlabs.nl/projects/unbound

ldd `which unbound`

/usr/local/sbin/unbound:
libssl.so.111 => /usr/lib/libssl.so.111 (0x822469000)
libsodium.so.23 => /usr/local/lib/libsodium.so.23 (0x8236ec000)
libutil.so.9 => /lib/libutil.so.9 (0x822a37000)
libevent-2.1.so.7 => /usr/local/lib/libevent-2.1.so.7 (0x823fcb000)
libpython3.9.so.1.0 => /usr/local/lib/libpython3.9.so.1.0 (0x824b25000)
libcrypto.so.111 => /lib/libcrypto.so.111 (0x8259f7000)
libnghttp2.so.14 => /usr/local/lib/libnghttp2.so.14 (0x82790a000)
libthr.so.3 => /lib/libthr.so.3 (0x825eff000)
libc.so.7 => /lib/libc.so.7 (0x826edd000)
libcrypt.so.5 => /lib/libcrypt.so.5 (0x8284bd000)
libintl.so.8 => /usr/local/lib/libintl.so.8 (0x829b94000)
libdl.so.1 => /usr/lib/libdl.so.1 (0x828694000)
libm.so.5 => /lib/libm.so.5 (0x828758000)
[vdso] (0x8215a5000)

pkg info "py*"

py311-maxminddb-2.2.0_2
py311-setuptools-63.1.0
py311-sqlite3-3.11.1_8
py39-libzfs-1.1.2022081600
py39-setuptools-63.1.0
py39-yaml-5.4.1
python311-3.11.1_1
python39-3.9.15

cmcdonald

@bigjohns97 and this is on 23.01?

bigjohns97

@cmcdonald Correct, dashboard shows 23.01 RC

Current Base System23.01.r.20230202.1645
Latest Base System23.01.r.20230202.1645
StatusUp to date.

cmcdonald

@bigjohns97 That is very odd.

The problem is you are running older Unbound which is using Python 3.9 and not 3.11

unbound-1.17.1_2
py311-libzfs-1.1.2022081600
py311-maxminddb-2.2.0_2
py311-setuptools-63.1.0
py311-sqlite3-3.11.1_8
py39-libzfs-1.1.2022081600
py39-maxminddb-2.2.0_1
py39-setuptools-63.1.0
python311-3.11.1_1
python39-3.9.16

These are the versions that we ship with 23.01-RC

I would try reinstalling unbound:

pkg install -fy unbound

bigjohns97

@cmcdonald That's odd, I also seem to be missing that 311 libzfs which I am using zfs and boot environments.

How would I go about getting these correct packages?

Edit: that worked, I now show the following.

py311-maxminddb-2.2.0_2
py311-setuptools-63.1.0
py311-sqlite3-3.11.1_8
py39-libzfs-1.1.2022081600
py39-setuptools-63.1.0
py39-yaml-5.4.1
python311-3.11.1_1
python39-3.9.15
unbound-1.17.1_2

cmcdonald

@bigjohns97 what if you just do pkg upgrade what does it offer to upgrade?

bigjohns97

@cmcdonald

Updating pfSense-core repository catalogue...
pfSense-core repository is up to date.
Updating pfSense repository catalogue...
pfSense repository is up to date.
All repositories are up to date.
Checking for upgrades (4 candidates): 100%
Processing candidates (4 candidates): 100%
The following 5 package(s) will be affected (of 0 checked):

New packages to be INSTALLED:
whois: 5.5.7 [pfSense]

Installed packages to be UPGRADED:
pfSense: 23.01.b.20230106.0600 -> 23.01.r.20230202.1645 [pfSense]
pfSense-Status_Monitoring: 1.7.11_4 -> 1.8 [pfSense]
pfSense-repo: 23.01.b.20230106.0600 -> 23.01.r.20230202.1645 [pfSense]
python39: 3.9.15 -> 3.9.16 [pfSense]

Number of packages to be installed: 1
Number of packages to be upgraded: 4

71 KiB to be downloaded.

Proceed with this action? [y/N]:

cmcdonald

@bigjohns97

What repo is set on the update GUI page?

bigjohns97

@cmcdonald

cmcdonald

@bigjohns97

Very strange....

I'm not sure how you've got in the state that you have, but I would first the pkg upgrade above, let that install, and then go back and try pkg upgrade again and see what it offers. It almost seems like you're still pointing at an old repository (you're version of pfSense-repo is 23.01.b)

strange.

Get the pfSense-repo package updated, and let's try again.

Bob.Dig

@cmcdonald Sry to interrupt, I have no hit with pkg info py*
Is this normal?

[23.01-RC][admin@pfSense.home.arpa]/root: pkg info py*
pkg: No match.

bigjohns97

@bob-dig Put the py* in quotes

Bob.Dig

@bigjohns97 said in pfBlockerNG-devel v3.1.0_19/10:

Thx, I am good.

[23.01-RC][admin@pfSense.home.arpa]/root: pkg info "py*"
py311-maxminddb-2.2.0_2
py311-setuptools-63.1.0
py311-sqlite3-3.11.1_8
py39-libzfs-1.1.2022081600
py39-setuptools-63.1.0
python311-3.11.1_1
python39-3.9.16

cmcdonald

sorry yes, otherwise it will do shell expansion on the current working directory, which is wrong lol we want the asterisk literal to be passed to pkg(8).

bigjohns97

@cmcdonald Ok, it took the upgrades and now the system info widget no longer suggests there is a upgrade and when I run pkg upgrade

Also after deleting the py_error.log and doing an update everything is back to working order on that pfblockerng side as well.

There must have been some issues with the upgrade between the 23.01 beta and the 23.01 RC. (Normally I only try RC's but was really ready to get on this 23.01 due to the upgrade to FreeBSD and the use of Speedshift vs Speedstep).

Everything is working perfectly again, thank you for all of your help.

Excellent work on the WG implementation BTW!

Draco

@BBcan177 Just wanted to confirm that I inserted the (most recent) link to the JSON file and it is parsing just fine. Much easier than manual downloads, thanks!