Netgate Discussion Forum

Host(s) type aliases now missing from list within Firewall / pfBlockerNG / IP / IPv4

    farrina
    last edited by Jan 28, 2024, 11:14 AM

    It would appear that Host(s) type aliases are no longer allowed, only Network(s) - this seems to have been a recent change in behaviour.

    General Setup

    Using pfsense version 2.7.2 (Community Edition)
    pfBlockerNG-Develop 3.2.0_7
    pfBlockerNG is set via CRON to update daily (IP & DNSBL)
    Firewall Auto Rule Order is set to pfB_Pass/Match/Block/Reject | All other Rules (Default format)

    I use the IP blocking capabilities within pfBlockerNG to bar access to locations by way of their ASN numbers. This has worked seamlessly for a number of years but I have recently encountered a problem that I believe to have occurred following a recent upgrade of pfsense from 2.7.0 to 2.7.2.

    I say upgrade, but in reality my normal practice is to undertake a bare metal reinstall of the latest version of pfsense and then restore the immediately preceding pfsense configuration via full backup restore.

    Basic Problem

    Under Firewall / pfBlockerNG / IP / IPv4
    Advanced Outbound Firewall Rule Settings
    Custom Source
    Text Field (to right of enable and invert check boxes)

    Expected behaviour

    Typing the name of an existing alias into the field should automatically filter/display the list of existing configured aliases (both Hosts and Network) to enable easy selection and addition.

    Previously I have selected Host(s) based aliases

    Actual behaviour

    Only Network aliases are now displayed - all existing Host(s) aliases are missing

    For existing configured Advanced Outbound Firewall Rule Settings previously using a Hosts alias field, the field is now blank and the net effect of rule implementation is to block all outbound LAN connections to Microsoft ASN and ignore the previously configured permitted Host(s) IP list.

    Mitigations

    Uninstall pfBlockerNG (retain existing settings - would be a major ball ache to reconfigure from scratch)
    Reboot pfsense (cold)
    Reinstall pfBlockerNG

    Creating new Host aliases and new IPv4 block lists does not circumvent the problem, i.e. it appears broken for new items as well as existing host aliases.

    Workaround

    Within Firewall / Aliases / IP convert all existing Host(s) type aliases to Network type, e.g.

    Individual Host IP of 192.168.123.50 -> Network of 192.168.123.50/32

    (Note this can be done in bulk by changing the alias type from Host(s) to Network(s), which automatically appends /32 to each individual host IP address listed - if you have a large number of entries it saves having to individually change/re-add them.)

    Result

    Under Firewall / pfBlockerNG / IP / IPv4
    Advanced Outbound Firewall Rule Settings
    Custom Source
    Text Field (to right of enable and invert check boxes)
    Converted Host -> Converted Host(s) now Network aliases are listed and can be selected from list

    Expected behaviour restored (albeit Host aliases are no longer eligible for selection)

    Question

    Has the option to select Host(s) type aliases been removed from pfBlockerNG-Develop 3.2.0_7? It still seems to be operative on one of my older pfsense boxes, thus:

    pfsense 2.7.0
    pfBlockerNG-Devel 3.2.0_6

    Cheers

    Alan
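
The bulk Host(s) to Network(s) conversion described in the workaround above, as an added example that is not part of the original post: it plans the change offline against a configuration backup. The XML fragment is constructed, it assumes the `<aliases>/<alias>` layout of a pfSense `config.xml` backup, and `plan_host_to_network` is a hypothetical helper; it goes beyond the post by mapping IPv6 hosts to /128 and by flagging non-IP entries (such as hostnames) for manual review.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample in the layout of a pfSense config.xml backup
# (<aliases><alias> with name/type/address); all values are made up.
SAMPLE_CONFIG = """<pfsense>
  <aliases>
    <alias>
      <name>Permitted_Hosts</name>
      <type>host</type>
      <address>192.168.123.50 192.168.123.51 fd00::50 updates.example.com</address>
    </alias>
    <alias>
      <name>Lan_Nets</name>
      <type>network</type>
      <address>192.168.123.0/24</address>
    </alias>
  </aliases>
</pfsense>"""


def plan_host_to_network(config_xml):
    """Return {alias: {"converted": [...], "review": [...]}} for host aliases."""
    plan = {}
    for alias in ET.fromstring(config_xml).iterfind("./aliases/alias"):
        if (alias.findtext("type") or "").strip() != "host":
            continue  # only Host(s) aliases are affected
        converted, review = [], []
        for entry in (alias.findtext("address") or "").split():
            try:
                ip = ipaddress.ip_address(entry)
            except ValueError:
                # FQDNs or nested alias names have no prefix length;
                # leave these for a manual decision.
                review.append(entry)
                continue
            # Single host as a network: /32 for IPv4, /128 for IPv6.
            converted.append(f"{ip}/{ip.max_prefixlen}")
        plan[alias.findtext("name")] = {"converted": converted, "review": review}
    return plan


if __name__ == "__main__":
    for name, result in plan_host_to_network(SAMPLE_CONFIG).items():
        print(name, "->", " ".join(result["converted"]))
        if result["review"]:
            print("  needs manual review:", " ".join(result["review"]))
```
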

      SteveITS Rebel Alliance @farrina
      last edited by Jan 28, 2024, 3:06 PM

      @farrina I am low on coffee, but as I recall there was a one character typo bug fix in _7 and I don’t think it’s in the devel version. You could just switch to non devel…in theory they are supposed to be the same.

      https://docs.netgate.com/pfsense/en/latest/releases/23-01.html
      “The pfBlockerNG package has been updated to match pfBlockerNG-devel. After upgrade it is safe to uninstall pfBlockerNG-devel (keeping settings) and install pfBlockerNG instead.”

      I seem to recall running into a similar problem a while back and using network/32 was my answer also. I don’t remember if it was pfBlocker though.

      Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
      When upgrading, allow 10-15 minutes to reboot, or more depending on packages, and device or disk speed.
      Upvote 👍 helpful posts!

        farrina @SteveITS
        last edited by Jan 28, 2024, 4:54 PM

        @SteveITS

        Thanks Steve - I was in auto mode and had not clocked that Devel and normal were now at same revision. Likewise with me running the community edition I had not read the plus release notes.

        Certainly looks promising - I shall revert my Host -> Network changes, install the normal package and report back in a day or so.

        Appreciate you taking the time to respond (seems rather quiet hereabouts lately - my next destination was going to be pfBlockerNG on Reddit!)

        Hope you found the coffee 😀

        Cheers

        Alan

          farrina
          last edited by Jan 29, 2024, 3:37 PM

          Further to my last, an update.

          I reverted my workaround changes (back from Network to Host) and reloaded pfBlockerNG but the issue did not return. I wonder if converting the type (described above) from Host to Network and back has reset something?

          Followed your suggestion of installing the non Dev version of pfBlocker and reloaded. All seems normal and operational using Host again.

          If I come across any subsequent "funnies" I shall report back, but for now I think I'll leave this post as is, in case anyone else runs into a similar issue.

          Cheers again for your help.
