
    pfBlocker update Log viewer odd SSL entry

      reberhar

      Hi Fellow pfSensers

      I was having problems with DNS and traced it to pfBlocker. In working with this I did a reinstall from the system/package menu of pfBlocker. I also did a reload of the updates, which makes sense because it requires it after a reinstall and I was watching the Log viewer.

      In watching the postings on the Log Viewer I saw this message.

      "Cannot restore firewall entry" (I am a little unsure of the exact verbiage.)

      Then this next part appeared, it is cut and pasted.

      "0020016B8D2D0000:error:0A000126:SSL routines:ssl3_read_n:unexpected eof while reading:/var/jenkins/workspace/pfSense-CE-snapshots-2_7_2-main/sources/FreeBSD-src-RELENG_2_7_2/crypto/openssl/ssl/record/rec_layer_s3.c:304:"

      My instance of Freebsd is not running in a virtual machine. There is no /var/jenkins ... etc., directory.

      So I am wondering if this is someone hacking into or trying to hack into my machine, or if it is some kind of software range error that picked up something in the source code comments, which seems strange, but in writing in C I have seen it. The SSL error message suggests otherwise.

      Now I just recently installed a 256 GB NVMe, so the entire system was reinstalled with the config.xml from the previous persistent storage, and the system seemed to be having DNS problems. Although Diagnostics/DNS said DNS was working, it was not getting out on the LAN. Disabling pfBlocker allowed DNS to work.

      In order to get DNS to work after all these gyrations, I finally disabled pfBlocker and re-enabled it. I am running HA, so I had to fuss with that in Status/CARP (failover), doing a temporary disable and restore.

      So I know this is an odd post, but if anyone has any suggestions and observations I am open to all input.

      Thanks so much,

      Roy

        SteveITS @reberhar

        @reberhar Jenkins is a programming tool; it's referencing the original source code.
        https://www.jenkins.io/

        Note pfBlocker does not sync changes to the second router unless an update is run, or there's a one line fix for that.

        Pre-2.7.2/23.09: Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
        When upgrading, allow 10-15 minutes to restart, or more depending on packages and device speed.
        Upvote 👍 helpful posts!

          reberhar @SteveITS

          @SteveITS
          Hi Steve,

          Yeah, on second thought that line in the pfBlocker log looks more like a line from a log file. I did note the source code reference. Yes, I did update the second box too.

          It is still odd to see such an entry appear in production code. Doesn't BBcan remove the debugging stuff before distribution?

          I almost always did, except for something I was especially concerned about. In the end I tried to get rid of it all. End users don't usually see such things.

          I will research Jenkins.

          Thanks,

          Roy

          P.S. We recently got 1 Gb / 1 Gb. When I rebuilt the system with a USB stick, the original config.xml and an NVMe, the rebuild time was astounding. In minutes all was back as before.

            reberhar @reberhar

            @reberhar
            Re:Jenkins

            Is pfBlocker trying to phone home to Jenkins and failed? Is that what this is all about? Seems like something you might do in development. I am still reading about Jenkins.

            Roy

              SteveITS @reberhar

              @reberhar Jenkins is an automated build tool, it's not relevant to anything, it's just a reference to when/where the code was compiled.

              Is this error recurring? If not I think I would ignore it.

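The layout of that OpenSSL error line, as an added example that is not from this thread or from pfSense: a small Python parser that splits the fields and decodes the hex code the way OpenSSL's ERR_GET_LIB/ERR_GET_REASON macros do. The file:line pair is the __FILE__/__LINE__ of the machine that compiled OpenSSL (hence /var/jenkins/...), and this reason code means the remote side closed the TCP connection without sending a TLS close_notify, which points at the feed server or a middlebox rather than at the firewall.

```python
import re

# Field layout of an OpenSSL 3.x error line as printed by ERR_print_errors():
#   <thread id>:error:<8-hex code>:<library>:<function>:<reason>:<file>:<line>:[extra]
# <file>:<line> is __FILE__/__LINE__ captured when OpenSSL was compiled, so it is a
# path on the build host, not a directory on the system that logged the error.
OPENSSL_ERR_RE = re.compile(
    r"^(?P<thread>[0-9A-Fa-f]+):error:(?P<code>[0-9A-Fa-f]{8}):"
    r"(?P<lib>[^:]*):(?P<func>[^:]*):(?P<reason>[^:]*):"
    r"(?P<file>.*?):(?P<line>\d+):(?P<extra>.*)$"
)

# Constants from OpenSSL's err.h (3.x): library id in bits 23..30, reason in bits 0..22.
ERR_LIB_OFFSET = 23
ERR_LIB_MASK = 0xFF
ERR_REASON_MASK = 0x7FFFFF
ERR_LIB_SSL = 20                          # printed as "SSL routines"
SSL_R_UNEXPECTED_EOF_WHILE_READING = 294  # 0x126


def parse_openssl_error(line: str) -> dict:
    """Split one OpenSSL error line into its fields and decode the numeric code."""
    m = OPENSSL_ERR_RE.match(line.strip().strip('"'))
    if not m:
        raise ValueError("not an OpenSSL error line")
    info = m.groupdict()
    code = int(info["code"], 16)
    info["lib_id"] = (code >> ERR_LIB_OFFSET) & ERR_LIB_MASK   # ERR_GET_LIB
    info["reason_id"] = code & ERR_REASON_MASK                 # ERR_GET_REASON
    info["line"] = int(info["line"])
    # The peer dropped the TCP connection without a close_notify alert; OpenSSL 3
    # reports this as an error instead of treating it as a clean end of stream.
    info["peer_closed_without_close_notify"] = (
        info["lib_id"] == ERR_LIB_SSL
        and info["reason_id"] == SSL_R_UNEXPECTED_EOF_WHILE_READING
    )
    return info


# Copy of the line quoted in the first post of this thread.
SAMPLE = ("0020016B8D2D0000:error:0A000126:SSL routines:ssl3_read_n:"
          "unexpected eof while reading:/var/jenkins/workspace/"
          "pfSense-CE-snapshots-2_7_2-main/sources/FreeBSD-src-RELENG_2_7_2/"
          "crypto/openssl/ssl/record/rec_layer_s3.c:304:")

if __name__ == "__main__":
    for key, value in parse_openssl_error(SAMPLE).items():
        print(f"{key:>33}: {value}")
```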
                reberhar @SteveITS

                @SteveITS
                And so I shall ... Ignore the error.

                Roy

                  reberhar @reberhar

                  @reberhar Hi SteveITS or whoever answers this.

                  I have been struggling with pfblockerng pfb_dnsbl. I am using HA and CARP.

                  First I had some DNS problems, but they seemed to resolve when I found and corrected a node number conflict. I had spawned my nodes from the same single server pfSense install. There are a couple of issues when doing that. One is that the SSL keys have to be fixed. The other is the node number. Maybe there are others.

                  When I did the HA install I accepted the default node number, which turned out to be the same on both systems. CARP collision. :) Yes, I did clear the state table after fixing the nodes.

                  So yes my system is working as expected. Until I look at it the next day.

                  The next day the pfb_dnsbl process is stopped and corresponding CARP node with it. It does not go to backup, it just goes offline. The "Master" word disappears from the CARP widget for the pfblocker entry and the corresponding backup node on the other machine takes over which is what you should expect if the primary node fails.

                  I get it started again by entering the VIP menu entry in the Firewall menu, making like I am going to edit something and then saving. The entry in the CARP widget corrects itself and I can start pfb_dnsbl.

                  Everything ok until tomorrow.

                  I did correct the skew on the secondary node to 100. The silly thing seems to demand a mask of 32, which just seems wrong on an interface which uses 24. Every time I change it, it reverts to 32.

                  There isn't anything I can see in the logs. Yeah, there are lots of entries about DNS not picking up the DHCP entries, but I don't think that is pertinent. I have that option turned off in Unbound. I tried using the Python option for a little while, which does not support that option, or didn't anyway.

                  I still haven't figured out how to do graphics on this interface. Cut and paste certainly doesn't work.

                  I am sure that there is something obvious that I am missing.

                  Thanks for your suggestions, which are always helpful.

                  Roy

                  One other thing that occurred to me. I use PRIQ for my traffic shaping. I have the ethernet hardware configured for PRIQ. Suricata complains and says I have to turn that off for Suricata to work right. That I have not done. I have not had time to research the implications of that.

                    SteveITS @reberhar

                    @reberhar I might start a new thread, more people might find it with a different subject line...

                    Is it working without pfBlocker? (I don't have an HA setup with DNSBL)

                    Is the secondary (incorrectly) set to sync its config to the primary?

                    re: mask, you're talking about the mask on each CARP virtual IP? It should be the network mask as it notes on that page...

                    re: PRIQ, Suricata should not care. Many of our clients use that setup. It does show a note if hardware checksum is enabled though?? Can you copy/paste that message?

                    You might need some upvotes to paste images, not sure there.

                      reberhar @SteveITS

                      @SteveITS Hi Steve,

                      I do have some upvotes. How many do I need?

                      Is it working without pfBlocker? (I don't have an HA setup with DNSBL)

                      Yes it works without pfBlocker.

                      Is the secondary (incorrectly) set to sync its config to the primary?

                      The secondary ... "Do not sync this package configuration"

                      XMLRPC Replication Targets

                      Checkbox cleared.

                      suricata

                      [100940 - Suricata-Main] 2024-07-20 00:30:47 Info: threshold-config: Threshold config parsed: 167 rule(s) found
                      [100940 - Suricata-Main] 2024-07-20 00:30:47 Info: detect: 24180 signatures processed. 64 are IP-only rules, 2486 are inspecting packet payload, 21427 inspect application layer, 108 are decoder event only
                      [100940 - Suricata-Main] 2024-07-20 00:30:47 Warning: detect-flowbits: flowbit 'et.http.PK' is checked but not set. Checked in 2019835 and 1 other sigs
                      [100940 - Suricata-Main] 2024-07-20 00:31:07 Notice: detect: rule reload complete

                        reberhar @reberhar

                        @reberhar Hi Steve,

                        So absolutely the machine changes the VIP mask for the pfblocker CARP node to 32 from 24 and it crashes the HA / CARP on that node.

                        And here is something else. I got a crash note from Diagnostics ...

                        My friend Jenkins is back and on a completely different machine.


                        Crash report begins. Anonymous machine information:

                        amd64
                        14.0-CURRENT
                        FreeBSD 14.0-CURRENT amd64 1400094 #1 RELENG_2_7_2-n255948-8d2b56da39c: Wed Dec 6 20:45:47 UTC 2023 root@freebsd:/var/jenkins/workspace/pfSense-CE-snapshots-2_7_2-main/obj/amd64/StdASW5b/var/jenkins/workspace/pfSense-CE-snapshots-2_7_2-main/sources/F

                        Crash report details:

                        PHP Errors:
                        [22-Jul-2024 15:19:11 America/Phoenix] PHP Fatal error: Uncaught ValueError: date_create_from_format(): Argument #2 ($datetime) must not contain any null bytes in /usr/local/www/widgets/widgets/suricata_alerts.widget.php:188
                        Stack trace:
                        #0 /usr/local/www/widgets/widgets/suricata_alerts.widget.php(188): date_create_from_format()
                        #1 /usr/local/www/widgets/widgets/suricata_alerts.widget.php(78): suricata_widget_get_alerts()
                        #2 {main}
                        thrown in /usr/local/www/widgets/widgets/suricata_alerts.widget.php on line 188

                          Gertjan @reberhar

                          @reberhar

                          That's a message / fail from Suricata, another pfSense package.
                          See here : Home > pfSense Packages > IDS/IPS

                          No "help me" PM's please. Use the forum, the community will thank you.
                          Edit: and where are the logs?

                            reberhar @Gertjan
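For the widget crash quoted above, an added example (not pfSense's or the Suricata package's code) of reading an alerts file defensively in Python: it refuses any line containing NUL bytes, which in practice come from a zero-filled block left in the log after an unclean shutdown, instead of handing them to the timestamp parser the way the PHP widget did. The fast.log-style line layout and the sample lines are constructed assumptions.

```python
from datetime import datetime

# Assumed line shape (constructed; fast.log style):
#   MM/DD/YYYY-HH:MM:SS.uuuuuu  [**] [gid:sid:rev] message [**] ... {PROTO} src -> dst
TS_FORMAT = "%m/%d/%Y-%H:%M:%S.%f"


def parse_alert_timestamp(line: str):
    """Return the alert's datetime, or None when the line cannot be trusted.

    A NUL byte means this is not real log text (typically a zero-filled block
    written when the box went down with the file open), so it is rejected
    before any date parsing happens; a malformed timestamp is rejected too."""
    if "\x00" in line:
        return None
    ts = line.split("  ", 1)[0].strip()
    try:
        return datetime.strptime(ts, TS_FORMAT)
    except ValueError:
        return None


def load_alerts(raw: bytes) -> dict:
    """Split a raw alerts file into parsed (timestamp, line) pairs and a skip count."""
    parsed, skipped = [], 0
    for line in raw.decode("utf-8", errors="replace").splitlines():
        if not line.strip():
            continue                      # blank separator lines are not alerts
        ts = parse_alert_timestamp(line)
        if ts is None:
            skipped += 1                  # counted so the operator sees log damage
        else:
            parsed.append((ts, line))
    return {"parsed": parsed, "skipped": skipped}


# Constructed sample: two valid alerts followed by a zero-filled tail.
SAMPLE_LOG = (
    b"07/20/2024-00:30:47.101010  [**] [1:2019835:5] ET EXAMPLE alert one [**] "
    b"[Priority: 2] {TCP} 192.0.2.10:51000 -> 198.51.100.5:80\n"
    b"07/20/2024-00:31:07.202020  [**] [1:2000001:1] ET EXAMPLE alert two [**] "
    b"[Priority: 3] {UDP} 192.0.2.11:53000 -> 198.51.100.53:53\n"
    + b"\x00" * 64
)

if __name__ == "__main__":
    result = load_alerts(SAMPLE_LOG)
    print(f"{len(result['parsed'])} alerts parsed, {result['skipped']} damaged line(s) skipped")
```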

                            @Gertjan Yes of course I saw that.

                            And it might be totally unrelated to this problem.

                            That is a helpful post.

                            Thanks


                            So what is the deal with pfBlocker setting the mask to 32?

                            I note that lots of folks don't choose LAN for that interface but localhost. Why would they do that?

                            Roy

                            Maybe I'd better go read the source code.

                              reberhar @reberhar

                              @reberhar
                              I played with pfBlocker and watched the updates for CARP from that window.

                              BBcan is very deliberate about making sure that the CARP VIPs are configured with the /32 mask. I think I understand why.

                              When I fudged it the /24, of course it worked. But when the night updates happen it is set back to /32. CARP then failed on that node. I set it back to /24 and the process repeated itself.

                              But even with the mask at 32 the next day CARP is again down on that node.

                              I will keep trying.

                              Tonight I will clear the state tables.

                                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.