Netgate Discussion Forum

    Error - "There were error(s) loading the rules"

    pfBlockerNG
revilzs (last edited by revilzs)

Since the upgrade of pfBlockerNG from v2 to v3 with pfSense version 2.6.0 (the problem also exists after an upgrade to 2.7.0), we frequently see the following error message:

      There were error(s) loading the rules: /tmp/rules.debug:51: cannot load "/var/db/aliastables/pfB_Top_v4.txt": Invalid argument - The line in question reads [51]: table <pfB_Top_v4> persist file "/var/db/aliastables/pfB_Top_v4.txt"
      @ 2023-07-13 15:45:20

In most cases the error appears during a filter reload (updating a firewall rule) or after a reboot.
As a result, changes are not loaded, or after a reboot the NAT rules are not loaded.

This problem is very similar to the following posts:

      • https://forum.netgate.com/topic/118293/2-3-4-p1-breaks-pfblockerng
      • https://forum.netgate.com/topic/128402/error-there-were-error-s-loading-the-rules

The temporary solution is to disable and re-enable pfBlocker.
      After some hours/days the error appears again or directly after firewall changes.

      Reinstalling pfBlocker did not fix the problem.

      Could it be something like a race condition, when the cron runs and a filter reload is triggered?

      CRON PROCESS START [ v3.2.0_5 ] [ 07/13/23 15:45:00 ]
      [ custom_blocklist_v4 ]
      ( md5 feed ) . 200 OK
      ( md5 changed ) Update found
      UPDATE PROCESS START [ v3.2.0_5 ] [ 07/13/23 15:45:01 ]

      ===[ DNSBL Process ]================================================

      ===[ GeoIP Process ]============================================

      [ pfB_Top_v4 ] exists.
      [ pfB_Europe_v4 ] exists.
      [ pfB_NAmerica_v4 ] exists.

      ===[ IPv4 Process ]=================================================

      [ custom_blocklist_v4 ] Downloading update . ( md5 feed ) . completed ..

      Reputation (Max=5) - Range(s)
      87.xxx.xxx.|

      Reputation -Max Stats

      Blacklisted Match
      Ranges IPs Ranges IPs

      1 6 0 0

      ===[ Aliastables / Rules ]==========================================

      No changes to Firewall rules, skipping Filter Reload

      Updating: pfB_custom_blocklist_v4
      1 addresses deleted.

      ===[ Kill States ]==================================================

      No matching states found

      ======================================================================

      UPDATE PROCESS ENDED

Gertjan @revilzs (last edited by Gertjan)

        @revilzs said in Error - "There were error(s) loading the rules":

        Since the upgrade of pfBlockerNG from v2 to v3

This version:

        89097d54-dd9b-4b1e-b048-00cb57fc1169-image.png

?
(also available without -devel)

        @revilzs said in Error - "There were error(s) loading the rules":

        persist file "/var/db/aliastables/pfB_Top_v4.txt"

Did you have a look at this file? (why not?)
How many lines (== entries) does it have?

The best solution is: use pfBlocker feeds that are less big.
What feeds did you use?

Example: these:

        a6270648-ba4a-4f4b-8806-f0e2ec74ea3c-image.png

        and already 25 % of my 4 Gbytes is used.

Look at the start of /tmp/rules.debug, you'll find:

        ...
        set limit table-entries 400000
        ...
        

which means: creating pf (firewall) tables which are bigger than that number (entries) will make the system not happy.
You can set this number here: System > Advanced > Firewall & NAT

Also: do a Firewall > pfBlocker > NGUpdate :: Reload :: All
Everything goes well?
You'll see what and how much is loaded.

Also: go here Status > Monitoring and check System > Memory usage.

        No "help me" PM's please. Use the forum, the community will thank you.
Edit: and where are the logs??

revilzs @Gertjan

          @Gertjan thank you for the fast reply!

          pfBlockerNG 3.2.0_5 without -devel:

          67190601-58c8-479c-a49a-d2c401b89f46-image.png

But we also had the problem with a previous version, for example v3.2.0_3.

          Yes, I looked at that file. It looks ok and has valid IP net entries:

          [...]
          217.67.76.0/23
          217.67.78.0/23
          217.147.172.0/24

          Lines: 28352

          We are using one custom IPv4 feed and GeoIPv4. With disabled GeoIP Aliases everything works fine:

          00b9d37e-f281-482a-a246-41ff071074e7-image.png

          Alias table IP Counts

          112026 total
          83220 /var/db/aliastables/pfB_NAmerica_v4.txt
          28352 /var/db/aliastables/pfB_Top_v4.txt
          347 /var/db/aliastables/pfB_Europe_v4.txt
          107 /var/db/aliastables/pfB_custom_blocklist.txt

          pfSense Table Stats

          table-entries hard limit 400000
          Table Usage Count 112170

"Also: do a Firewall > pfBlocker > NGUpdate :: Reload :: All"
Everything goes well? -> Yes, but also "No changes to Firewall rules, skipping Filter Reload"

"Also: go here Status > Monitoring and check System > Memory usage."
          13% of 4038 MiB

SteveITS (Galactic Empire) @revilzs

            @revilzs Set the max table entries to 2 million. Long ago I read that was the minimum recommended for pfBlocker.

            After updates, restores, or especially uninstalling/reinstalling pfB I've had to run an Update in pfBlocker so it regenerates the files.

            Pre-2.7.2/23.09: Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
            When upgrading, allow 10-15 minutes to restart, or more depending on packages and device speed.
            Upvote 👍 helpful posts!

revilzs @SteveITS

              @SteveITS thank you for that hint.

              I increased the Firewall Maximum Table Entries from 400.000 to 800.000. To reduce the overall entries, I enabled De-Duplication and CIDR Aggregation.

              Since yesterday evening the errors did not occur again. I will continue to monitor the systems.

SteveITS (Galactic Empire) @revilzs

                @revilzs It has to at least be big enough to hold the data. Extra space won't hurt.

                enabled De-Duplication

One note on this... if you use pfBlocker to create overlapping deny rules, the deduplication works across rules, so it may remove an entry from additional rules. If that's the case for you, disable it, or use Alias Native and create your own rules.


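The thread turns on two things: the `table-entries` hard limit that Gertjan points to in /tmp/rules.debug, and the De-Duplication / CIDR Aggregation options that reduce the entry count but, as SteveITS notes, can silently drop an address from a second, overlapping alias. The script below is an added example, written for this thread; it is not code from the forum posts or from the pfBlockerNG package. It parses a constructed sample of `pfctl -sm` output (assumed to use the "table-entries hard limit N" layout the thread quotes), reads alias tables in the one-network-per-line layout of /var/db/aliastables/*.txt (sample values are made up), aggregates them with `ipaddress.collapse_addresses`, applies a simplified cross-table de-duplication that approximates what pfBlockerNG does, and reports whether the result fits under the limit. The file names, the sample networks and the dedup ordering are assumptions.

```python
import ipaddress
import re

# Constructed sample of `pfctl -sm` output; assumed to match the format the
# thread quotes ("table-entries hard limit 400000"). Other numbers are made up.
SAMPLE_PFCTL_LIMITS = """\
states        hard limit   100000
src-nodes     hard limit   100000
frags         hard limit     5000
table-entries hard limit   400000
"""

# Constructed alias-table contents in the one-network-per-line layout of
# /var/db/aliastables/*.txt. Values are illustrative, not the poster's data.
ALIAS_FILES = {
    "pfB_Top_v4.txt": [
        "217.67.76.0/23",
        "217.67.78.0/23",     # adjacent to the /23 above: aggregates to a /22
        "217.147.172.0/24",
        "217.67.76.0/23",     # exact duplicate line
    ],
    "pfB_custom_blocklist_v4.txt": [
        "87.0.0.0/8",
        "217.67.76.10",       # host already covered by pfB_Top_v4
    ],
}


def parse_pfctl_limits(text):
    """Return {limit_name: value} from `pfctl -sm` style output."""
    limits = {}
    for line in text.splitlines():
        m = re.match(r"^(\S+)\s+hard limit\s+(\d+)", line)
        if m:
            limits[m.group(1)] = int(m.group(2))
    return limits


def parse_table(lines):
    """Parse one alias file. Blank lines and '#' comments are skipped; a
    malformed entry raises ValueError, which is the kind of line pf would
    reject when loading the table."""
    nets = []
    for raw in lines:
        entry = raw.split("#", 1)[0].strip()
        if entry:
            nets.append(ipaddress.ip_network(entry, strict=False))
    return nets


def aggregate(nets):
    """CIDR aggregation: merge duplicates, overlaps and adjacent blocks,
    per address family (collapse_addresses refuses mixed v4/v6 input)."""
    by_version = {4: [], 6: []}
    for n in nets:
        by_version[n.version].append(n)
    out = []
    for v in (4, 6):
        out.extend(ipaddress.collapse_addresses(by_version[v]))
    return out


def dedup_across_tables(tables):
    """Drop an entry from a later table when an earlier table already covers
    it. This is a simplified stand-in for pfBlockerNG's cross-alias
    de-duplication, not the package's own logic; table order is assumed to
    decide which alias keeps the entry."""
    covered = []
    result = {}
    for name, nets in tables.items():
        kept = [n for n in nets
                if not any(c.version == n.version and n.subnet_of(c)
                           for c in covered)]
        result[name] = kept
        covered.extend(kept)
    return result


def check_capacity(tables, hard_limit):
    """Compare the total entry count against pf's table-entries hard limit."""
    total = sum(len(v) for v in tables.values())
    return {"total": total, "limit": hard_limit, "fits": total <= hard_limit}


if __name__ == "__main__":
    limit = parse_pfctl_limits(SAMPLE_PFCTL_LIMITS)["table-entries"]
    raw = {name: parse_table(lines) for name, lines in ALIAS_FILES.items()}
    print("raw:", check_capacity(raw, limit))
    merged = dedup_across_tables({n: aggregate(v) for n, v in raw.items()})
    for name, nets in merged.items():
        print(name, [str(n) for n in nets])
    print("after aggregation + dedup:", check_capacity(merged, limit))
```

On a real box the two inputs would come from `pfctl -sm` and the files under /var/db/aliastables/, and a total that exceeds the limit (or approaches it, since pf needs headroom for its own tables) is the condition to fix by raising the limit under System > Advanced > Firewall & NAT or by choosing smaller feeds. The run also makes SteveITS's caveat concrete: the host in the custom blocklist disappears from that alias because the Top table already covers it, so a rule built only on the custom alias would no longer match it.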
                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.