Can you force a rule to apply before floating rules and hold it's position?
-
@SteveITS I have to buy a subscription to get the install file for the 3100 however right? I hate to toss money at a system that doesn't appear to be working and is EOL. While I'd love to be able to save a few dollars (our company can sure use it) maybe I need to give up. Nothing so far has made any progress on this thing. My attempt to keep two rules above the pfb has resulted in an appliance that won't do anything. The attempt to make those rules into an alias screwed me.
-
@cdsJerry No, install files are free tickets.
-
@SteveITS The reinstall seems to have worked!! It even loaded the config backup file. It's loading packages in the background as I type this. Once completed I'll attempt to set the pfb as an alias and reset the rules again. Hopefully this time it doesn't start increasing all the rules exponentially again. If it does, I'm at least confident that I can get back to this point again now.
-
@SteveITS I'm back to where I was with the pfblocker changing the rule order again. I went into Firewall / pfBlockerNG / IP / IPv4 and created the Alias as Alias native. However, the alias doesn't show up anywhere else. It's not listed under Firewall / Aliases / IP nor does it show up as an Alias if I try to create a rule on firewall.
All the various pfb_rules are gone from the firewall as expected, but I can't add the alias rule because it doesn't seem to exist anywhere. So it says it exists... but where?
-
@cdsJerry It doesn't show on Firewall Aliases. It should show in Diagnostics/Tables, or in autocomplete like this:
Ensure you've run a Force Update in pfBlocker to create it.
-
@SteveITS Nothing.
-
@cdsJerry if it's not there and not in Diagnostics/Tables, did it successfully generate via the force update? What does the pfB log say?
-
@SteveITS It looks like it's missing a file for some reason. Given that it's a clean install how can it be missing files already? Didn't that package just reinstall after the rebuild this morning?
CRON PROCESS START [ v3.2.0_7 ] [ 04/2/24 13:00:01 ]
UPDATE PROCESS START [ v3.2.0_7 ]
===[ DNSBL Process ]================================================
*** [ Unbound.conf file missing. Exiting! ] ***
===[ GeoIP Process ]============================================
[ pfB_Top_v4 ] exists. [ 04/2/24 13:00:11 ]
[ pfB_Africa_v4 ] exists.
[ pfB_Europe_v4 ] exists. [ 04/2/24 13:00:12 ]
[ pfB_NAmerica_v4 ] exists.
[ pfB_Oceania_v4 ] exists.
[ pfB_SAmerica_v4 ] exists.
===[ IPv4 Process ]=================================================
===[ Aliastables / Rules ]==========================================
No changes to Firewall rules, skipping Filter Reload
No Changes to Aliases, Skipping pfctl Update
UPDATE PROCESS ENDED [ 04/2/24 13:00:13 ]
CRON PROCESS START [ v3.2.0_7 ] [ 04/2/24 14:00:00 ]
UPDATE PROCESS START [ v3.2.0_7 ]
===[ DNSBL Process ]================================================
*** [ Unbound.conf file missing. Exiting! ] ***
===[ GeoIP Process ]============================================
[ pfB_Top_v4 ] exists. [ 04/2/24 14:00:09 ]
[ pfB_Africa_v4 ] exists. [ 04/2/24 14:00:10 ]
[ pfB_Europe_v4 ] exists. [ 04/2/24 14:00:11 ]
[ pfB_NAmerica_v4 ] exists.
[ pfB_Oceania_v4 ] exists.
[ pfB_SAmerica_v4 ] exists.
===[ IPv4 Process ]=================================================
===[ Aliastables / Rules ]==========================================
No changes to Firewall rules, skipping Filter Reload
No Changes to Aliases, Skipping pfctl Update
UPDATE PROCESS ENDED
**Saving configuration [ 04/2/24 14:51:20 ]**
*** [ Unbound.conf file missing. Exiting! ] ***
** Stopping firewall filter daemon **
**Saving configuration [ 04/2/24 14:59:59 ]**
*** [ Unbound.conf file missing. Exiting! ] ***
** Restarting firewall filter daemon **
**Saving configuration [ 04/2/24 15:01:35 ]**
*** [ Unbound.conf file missing. Exiting! ] ***
** Stopping firewall filter daemon **
**Saving configuration [ 04/2/24 15:19:20 ]**
*** [ Unbound.conf file missing. Exiting! ] ***
**Saving configuration [ 04/2/24 15:19:43 ]**
*** [ Unbound.conf file missing. Exiting! ] ***
** Restarting firewall filter daemon **
**Saving configuration [ 04/2/24 15:34:50 ]**
*** [ Unbound.conf file missing. Exiting! ] ***
** Stopping firewall filter daemon **
-
@cdsJerry said in Can you force a rule to apply before floating rules and hold it's position?:
Unbound.conf file missing
Man, you are having a tough week! Google has only ONE result for that...the source code.
https://github.com/pfsense/FreeBSD-ports/blob/devel/net/pfSense-pkg-pfBlockerNG/files/usr/local/pkg/pfblockerng/pfblockerng.inc
if (file_exists("{$pfb['dnsbldir']}/unbound.conf")) {
    ...
} else {
    pfb_logger("\n\n*** [ Unbound.conf file missing. Exiting! ] ***\n\n", 1);
}
Disable DNSBL? Enable DNSBL?
-
@SteveITS You don't know the half of it. I lost a key employee this week. I lost my wedding band last night while killing a groundhog that was under my porch. My notebook computer died over the weekend. And my mother-in-law is moving up from Florida because my wife and I are going to need to take care of her now.
And then there's this firewall..... Which as you know was a clean install this morning and here I am beating my head on it again.
Yes... this week has sucked pretty bad so far.
Is this what's preventing the alias from being created?
There were error(s) loading the rules: /tmp/rules.debug:53: cannot define table pfB_Europe_v4: Cannot allocate memory - The line in question reads [53]:
table <pfB_Europe_v4> persist file "/var/db/aliastables/pfB_Europe_v4.txt"
@ 2024-04-02 15:20:20
-
Yikes, I hope it gets better.
@cdsJerry said in Can you force a rule to apply before floating rules and hold it's position?:
Cannot allocate memory
So either pfSense is out of memory or PHP is out of memory. Probably the latter since I think the limit is 128 MB on ARM? Usually that's not an issue until loading in files over that size because PHP has to allocate the memory to read in the file.
System/Advanced/Miscellaneous has a PHP Settings section with a memory limit.
Also check System/Advanced/Firewall & NAT that Firewall Maximum Table Entries is minimum 2 million when using pfBlocker, and raise as necessary.
Depending on what you're doing with pfB_Europe_v4, it is usually way more efficient to "allow my country" than "block the world" because the latter uses lots more RAM/table entry space.
-
@SteveITS It's a better day already. I went out in the rain yesterday with my metal detector and was able to find my wedding ring in the hay field. I'd have never found it without the metal detector. My luck is improving. I'm going to go with that!
On the PHP settings it looks like everything is at defaults. If I'm looking at this right, PHP memory is set to the default of 128? Could I set that to something higher?
On the system/advanced/firewall & NAT.. 2 million??? Mine is set to the default of 400,000. That's a huge difference. Would you confirm I should change it to 2 million?
I've always heard it's a bad practice to try to block the world. So many things come from outside countries for support, purchases, etc. it would be hard to know who to allow in. But maybe allowing 12 countries in would be better.. if we can figure out where our customers are actually working from? So much is outsourced it might be impossible to tell.
-
@cdsJerry Nice.
I skimmed back above but didn't see, did you state your free memory? It shouldn't hurt to raise the PHP limit unless you actually run out of physical memory. So I guess I'd try 512, and see.
Yes set it to 2000000. Each IP in an alias table uses one entry. Though IIRC pfSense logs an error about running out of table entries. I'd heard long ago to start there and raise if necessary, when using pfBlocker.
-
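The table-entry advice above (Firewall Maximum Table Entries at 2,000,000 with pfBlocker, one entry per address in an alias table) can be sanity-checked before a filter reload. The script below is an added example, not code from the thread or from pfBlockerNG: it counts the addresses and CIDR blocks queued in the alias table files (pfSense keeps them in /var/db/aliastables, the path named in the rules.debug error quoted earlier) and compares the total with the configured limit. The pfctl error "cannot define table ...: Cannot allocate memory" is what pf reports when a table would push the entry count past that limit, so a total near or above the limit is the first thing to rule out. The directory and limit are parameters, and the sample files it creates are constructed for an offline demo.

```shell
#!/bin/sh
# Added example (not from the thread): estimate how many pf table entries the
# pfBlockerNG alias table files will consume and compare that with the
# "Firewall Maximum Table Entries" value from System/Advanced/Firewall & NAT.
# On pfSense the files live in /var/db/aliastables; the directory is a
# parameter so the demo below can run on constructed files.

count_table_entries() {
    # $1 = directory containing the *.txt alias table files
    dir="$1"
    total=0
    for f in "$dir"/*.txt; do
        [ -f "$f" ] || continue
        # One address or CIDR block per non-empty, non-comment line; pf stores
        # each as one table entry. "|| true" keeps grep's exit 1 (no matches)
        # from aborting a "set -e" shell; it still prints 0.
        n=$(grep -cEv '^[[:space:]]*(#|$)' "$f" || true)
        total=$((total + n))
    done
    echo "$total"
}

check_table_capacity() {
    # $1 = directory, $2 = configured "Firewall Maximum Table Entries"
    used=$(count_table_entries "$1")
    if [ "$used" -gt "$2" ]; then
        echo "OVER: $used entries queued, limit is $2"
        return 1
    fi
    echo "OK: $used entries queued, limit is $2"
    return 0
}

# Constructed sample data so the script runs offline. On a real box use:
#   check_table_capacity /var/db/aliastables <configured limit>
demo_dir=$(mktemp -d)
printf '10.0.0.0/8\n# comment line\n192.0.2.0/24\n\n' > "$demo_dir/pfB_Demo_A_v4.txt"
printf '198.51.100.1\n203.0.113.0/24\n' > "$demo_dir/pfB_Demo_B_v4.txt"
check_table_capacity "$demo_dir" 3 || true        # four entries against a limit of three: OVER
check_table_capacity "$demo_dir" 400000 || true   # the pfSense default limit: OK
rm -rf "$demo_dir"
```

The count is only an estimate of what pfctl will try to load: tables that exist in rules.debug but whose file is empty add nothing, and a table that is enabled in pfBlocker but not yet downloaded will appear once Force Update has fetched it, so run the check after an update rather than before.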
@SteveITS said in Can you force a rule to apply before floating rules and hold it's position?:
your free memory?
The Dashboard shows Memory usage of 11% of 2027 MiB
-
@SteveITS I increased the two memory settings and ran the CRON update in pfb but I'm still getting that config error message, and as a result, no alias from pfb to put into the firewall rules.
** Restarting firewall filter daemon **
Saving configuration [ 04/2/24 15:34:50 ]
*** [ Unbound.conf file missing. Exiting! ] ***
** Stopping firewall filter daemon **
-
@cdsJerry I think I would start a "Unbound.conf file missing. Exiting!" thread in the pfBlocker forum category.
I have these:
/: find . -name "unbound.conf"
./var/unbound/unbound.conf
./usr/local/etc/unbound/unbound.conf
...plus two for strongswan. I wouldn't think either of those are in a directory $pfb['dnsbldir']. The second looks like it's an example file and all commented out.
-
@cdsJerry I decided to give it another shot. I re-installed the configs from before all this mess started. I made the two changes to memory we'd done this morning and then re-created the pfb alias. It said it created it successfully however it doesn't show up under aliases, but if I create a Firewall rule it does show up there, so I went into the rules and added the new rule with the pfbAlias, saved, applied. I still had all the pfb entries in the firewall/rules so I went back and unchecked the enable box in pfblocker and saved. When I went back to firewall/rules, the alias was gone and no longer shows up if I try to add a rule.
So I don't get it. If pfblocker is enabled I get both an alias and the firewall rules. If it's disabled I lose both. And the alias never shows up under firewall/Aliases even when that alias is visible in the Firewall/rules.
-
@cdsJerry pfB aliases are not "supposed" to show up in Firewall/Aliases, those are only manual aliases I guess. It shows in Diagnostics/Tables along with other internal aliases.
If you disable pfBlocker I would think that un-creates the aliases. Invalid aliases should alert...believe they show as text-not-links on the rules pages. I see it sometimes after an upgrade if I uninstall pfBlocker before upgrading pfSense (per the upgrade guide) and install it again after.
-
@SteveITS Wow. So it's working. I'll delete the pfb rules in the firewall and just leave the alias and ... finished. What a long haul. THANK YOU so much for your help Steve.
-
@cdsJerry Nice. So the "Unbound.conf file missing" error is gone? Or maybe doesn't matter?