DNSBL service requires restart weekly
-
Since I upgraded my Netgate 1100 to 23.01 running pfblockerng 3.2.0_3 I get the following messages in the system log about once a week requiring me to restart pfb_dnsbl even though it shows as running.
"pfSense kernel: sonewconn: pcb 0xffffa000257bf8c0 (10.10.10.1:443 (proto 6)): Listen queue overflow: 193 already in queue awaiting acceptance (3 occurrences), euid 0, rgid 0, jail 0"
If I web to 10.10.10.1 during this time my browser just hangs. A display of the queued requests:
Shell Output - netstat -Lan
Current listen queue sizes (qlen/incqlen/maxqlen)
Proto Listen Local Address
tcp4 0/0/128 127.0.0.1.953
tcp4 0/0/128 *.53
tcp6 0/0/128 *.53
tcp4 0/0/128 10.10.10.1.80
tcp6 193/0/128 ::10.10.10.1.443
tcp6 162/0/128 ::10.10.10.1.80
tcp4 193/0/128 10.10.10.1.443
tcp6 0/0/128 *.80
tcp4 0/0/128 *.80
tcp6 0/0/128 *.443
tcp4 0/0/128 *.443
tcp4 0/0/128 *.22
tcp6 0/0/128 *.22
unix 0/0/10 /var/run/snmpd.sock
unix 0/0/5 /var/run/dpinger_WAN_DHCP~107.145.69.92~107.145.64.1.sock
unix 0/0/4 /var/run/devd.pipe
unix 0/0/30 /var/run/check_reload_status
unix 0/0/128 /var/run/php-fpm.socket
unix 0/0/4 /var/run/devd.seqpacket.pipe
Once I restart the service, queues go to 0 and 10.10.10.1 responds immediately.
I'm not sure where to look to better define what is occurring as there are no additional messages in any log I can find. Any suggestions will be greatly appreciated. I do see a new pfblockerng (3.2.0_4) version is available and I will update to that version.
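A small defender-side check, added here and not taken from the thread, that parses `netstat -Lan` output and flags every TCP listener whose accept queue occupancy (qlen/maxqlen) is at or above a threshold, so a stalled pfb_dnsbl listener is caught before browsers start hanging. The sample data is a constructed subset of the output above; the function names and the default 80% threshold are my own choices.

```shell
#!/bin/sh
# Added example: flag listeners whose accept queue is near or at maxqlen in
# `netstat -Lan` output (FreeBSD/pfSense format: proto qlen/incqlen/maxqlen addr).
# Live usage on the firewall: netstat -Lan | check_listen_queues 80

# Constructed sample trimmed from the thread's netstat output, for a stand-alone run.
SAMPLE='Current listen queue sizes (qlen/incqlen/maxqlen)
Proto Listen Local Address
tcp4 0/0/128 127.0.0.1.953
tcp4 0/0/128 *.53
tcp4 0/0/128 10.10.10.1.80
tcp6 193/0/128 ::10.10.10.1.443
tcp6 162/0/128 ::10.10.10.1.80
tcp4 193/0/128 10.10.10.1.443
unix 0/0/128 /var/run/php-fpm.socket'

# Reads netstat -Lan on stdin; prints "proto address qlen/maxqlen pct%" for every
# TCP listener whose queue occupancy is >= $1 percent (default 80).
check_listen_queues() {
    awk -v thr="${1:-80}" '
        # skip the two header lines and anything that is not a tcp listener
        $1 !~ /^tcp/ { next }
        {
            split($2, q, "/")            # q[1]=qlen q[2]=incqlen q[3]=maxqlen
            if (q[3] + 0 == 0) next      # no backlog limit reported, nothing to rate
            pct = int(q[1] * 100 / q[3])
            if (pct >= thr) printf "%s %s %s/%s %d%%\n", $1, $3, q[1], q[3], pct
        }'
}

# Returns the number of saturated listeners in the sample (0 means healthy).
count_saturated() {
    printf '%s\n' "$SAMPLE" | check_listen_queues "${1:-80}" | wc -l | tr -d ' '
}
```

A queue that stays full while the daemon still shows as running means the process is no longer calling accept(), so a larger backlog only delays the symptom; the listener itself is what needs attention.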
-
@ltolbert set the DNSBL Listening interface to "localhost" and Force Update.
-
@bbcan177 It is already set to localhost according to the web interface, which is the default. I'm not sure where else to look. Here's the pfb_dnsbl_lighty.conf if that helps.
#pfBlockerNG DNSBL Lighttpd configuration file
server.tag = "pfBlockerNG DNSBL"
server.bind = "10.10.10.1"
server.port = "80"
server.event-handler = "freebsd-kqueue"
server.network-backend = "freebsd-sendfile"
server.dir-listing = "disable"
server.document-root = "/usr/local/www/pfblockerng/www/"
server.max-request-size = "1"
server.pid-file = "/var/run/dnsbl.pid"
server.use-ipv6 = "enable"
server.modules = ( "mod_auth", "mod_fastcgi", "mod_rewrite", "mod_openssl" )
index-file.names = ( "index.php" )
mimetype.assign = ( ".html" => "text/html", ".gif" => "image/gif" )
url.access-deny = ( "~", ".inc" )
fastcgi.server = ( ".php" => ( "localhost" => ( "socket" => "/var/run/php-fpm.socket", "broken-scriptfilename" => "enable" ) ) )

$HTTP["scheme"] == "http" {
    url.rewrite-once = ( ".*" => "/index.php" )
}

$HTTP["remoteip"] =~ ".*" {
    $SERVER["socket"] == "10.10.10.1:443" {
        ssl.engine = "enable"
        ssl.pemfile = "/var/unbound/dnsbl_cert.pem"
        ssl.dh-file = "/etc/dh-parameters.4096"
        ssl.cipher-list = "EECDH+AESGCM:EDH+AESGCM:AES128+EECDH:AES128+EDH"
        ssl.ec-curve = "secp384r1"
        ssl.honor-cipher-order = "enable"
        ssl.openssl.ssl-conf-cmd = ("Protocol" => "-ALL, TLSv1.2")
    }
    $SERVER["socket"] == "[::10.10.10.1]:80" {
        #
    }
    $SERVER["socket"] == "[::10.10.10.1]:443" {
        ssl.engine = "enable"
        ssl.pemfile = "/var/unbound/dnsbl_cert.pem"
        ssl.dh-file = "/etc/dh-parameters.4096"
        ssl.cipher-list = "EECDH+AESGCM:EDH+AESGCM:AES128+EECDH:AES128+EDH"
        ssl.ec-curve = "secp384r1"
        ssl.honor-cipher-order = "enable"
        ssl.openssl.ssl-conf-cmd = ("Protocol" => "-ALL, TLSv1.2")
    }
    $HTTP["host"] =~ ".*" {
        url.rewrite-once = ( ".*" => "/index.php" )
    }
}