Bugs: PHP error memory exhausted in CE r2.7.2 and rate limits crashing
-
Context:
pfSense CE release 2.7.2 with pfBlockerNG. A custom block list is being downloaded hourly by pfBlockerNG. Max Source Connection rate limits are applied in NAT rules redirecting scurrilous traffic to a honeypot. The design objective is for rate limit violations to limit traffic via the "antivirus list" for an hour until a custom syslog server updates the blocklist. The attack rate ranges from around 1,000 to 10,000 per hour. Three interrelated bugs:
-
Bug 1: Crash reports are flagging
"[05-Aug-2024 12:31:28 US/Pacific] PHP Fatal error: Allowed memory size of 536870912 bytes exhausted (tried to allocate 20480 bytes) in /etc/inc/util.inc on line 4054" -
Bug 2 and Documentation Error: There is no "util.inc" file in /etc/inc/ to modify for extending size limits. Neither is there a "config.inc" file. Neither of these files is identified as existing using ls at "Execute Shell Command" in the web GUI. pfSense crash reports, documentation, FAQs and forum advice have not been updated to reflect the present architecture. And, no means of modifying memory limits is accessible using the web GUI.
-
Bug 3: Some time after reboot, the rate limiting and temporary blacklisting via "antivirus list" feature of pfSense stops working, allowing hackers to continue probing and characterizing the system. This is bad because I want the hackers to be blocked BEFORE they've acquired enough data to identify that they are diverted to a honeypot. Failure might be chronologically associated with pfBlocker cron jobs. Failure seems to be intermittent.
When will these bugs be fixed and the fixes available in pfSense CE? Are these bugs already fixed in pfSense Plus?
-
-
@muvaminon said in Bugs: PHP error memory exhausted in CE r2.7.2 and rate limits crashing:
rate limiting
Updates:
Bug 3: Further analysis identified that attackers are responding to rate limiting using the “antivirus list” by switching from TCP to UDP traffic. TCP traffic is being blocked. And, the feature does not presently work for UDP traffic. This has been downgraded from a bug to a feature request for a means of rate limiting UDP traffic.
-
Bug 1: While working on other things, I eventually stumbled across the "Diagnostics/Edit File” feature and updated “usr/local/etc/php.ini” to “memory_limit = 1024M”. The fix is not yet validated because memory limit appears to have been hit while pfBlockerNG was updating blocklists and pfBlockerNG is now not updating my blocklist (another bug).
-
Bug 2 and Documentation Error. With a means for editing “php.ini” identified, this is being downgraded to just Documentation Error. Documentation must be up-to-date, clear, complete, defined and searchable enough for a customer to identify what to do within 5 minutes. Going on an epic safari should not be required for elementary tasks. Time costs money.
-
-
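As an added example (not code from this thread, nor from pfSense or pfBlockerNG), the following Python script parses PHP memory-exhaustion lines of the form quoted in the first post, derives from each one a lower bound on the memory the process actually needed (the limit it already held plus the allocation it failed on), and checks whether a proposed php.ini memory_limit such as 1024M would have covered every event seen. The log lines embedded in it are constructed samples modelled on the quoted crash-report line; the placeholder path in the non-matching line is not a real file. Function names are the example's own.

```python
import re
from typing import Optional

# Constructed sample log text, modelled on the crash-report line quoted in the
# thread. The middle line is a deliberately non-matching entry whose path is a
# placeholder, not a real pfSense file.
SAMPLE_LOG = """\
[05-Aug-2024 12:31:28 US/Pacific] PHP Fatal error:  Allowed memory size of 536870912 bytes exhausted (tried to allocate 20480 bytes) in /etc/inc/util.inc on line 4054
[05-Aug-2024 13:31:09 US/Pacific] PHP Warning:  something unrelated in /path/to/placeholder.inc on line 1
[05-Aug-2024 14:31:30 US/Pacific] PHP Fatal error:  Allowed memory size of 536870912 bytes exhausted (tried to allocate 1048576 bytes) in /etc/inc/util.inc on line 4054
"""

# PHP writes one or two spaces after "Fatal error:", so match any run of whitespace.
EXHAUSTED_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] PHP Fatal error:\s+Allowed memory size of (?P<allowed>\d+) bytes "
    r"exhausted \(tried to allocate (?P<tried>\d+) bytes\) in (?P<file>\S+) on line (?P<line>\d+)"
)

_UNITS = {"K": 1024, "M": 1024 ** 2, "G": 1024 ** 3}


def parse_memory_limit(value: str) -> Optional[int]:
    """Convert php.ini memory_limit shorthand ("512M", "1G", "65536", "-1") to bytes.

    Returns None for -1, which PHP treats as unlimited. Follows PHP's rule of an
    integer followed by an optional K/M/G suffix (case-insensitive).
    """
    v = value.strip()
    if v == "-1":
        return None
    m = re.fullmatch(r"(\d+)\s*([KkMmGg]?)", v)
    if not m:
        raise ValueError(f"unrecognised memory_limit value: {value!r}")
    number, suffix = m.groups()
    return int(number) * _UNITS.get(suffix.upper(), 1)


def parse_exhaustion(line: str) -> Optional[dict]:
    """Parse one 'Allowed memory size ... exhausted' line; None if it is not one."""
    m = EXHAUSTED_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    allowed, tried = int(d["allowed"]), int(d["tried"])
    return {
        "timestamp": d["ts"],
        "allowed": allowed,
        "tried": tried,
        "file": d["file"],
        "line": int(d["line"]),
        # The process already held `allowed` bytes and wanted `tried` more, so
        # this is a lower bound on the peak it really needed, not the peak itself.
        "required_at_least": allowed + tried,
    }


def exhaustion_events(log_text: str) -> list:
    """All memory-exhaustion events found in a block of PHP log text."""
    events = []
    for line in log_text.splitlines():
        ev = parse_exhaustion(line)
        if ev:
            events.append(ev)
    return events


def required_lower_bound(events: list) -> int:
    """Largest lower bound on peak usage across the events (0 if there are none)."""
    return max((ev["required_at_least"] for ev in events), default=0)


def limit_covers(log_text: str, new_limit: str) -> bool:
    """Would `new_limit` (php.ini shorthand) have been enough for every event in the log?

    This is only a necessary condition: the real peak may exceed the lower bound
    the error line reveals, so True means "worth trying", not "guaranteed fixed".
    """
    limit_bytes = parse_memory_limit(new_limit)
    if limit_bytes is None:  # -1: unlimited
        return True
    return required_lower_bound(exhaustion_events(log_text)) <= limit_bytes


if __name__ == "__main__":
    for ev in exhaustion_events(SAMPLE_LOG):
        print(f'{ev["timestamp"]}: limit {ev["allowed"] // 2**20} MiB, '
              f'needed at least {ev["required_at_least"] / 2**20:.2f} MiB '
              f'({ev["file"]}:{ev["line"]})')
    for candidate in ("512M", "1024M"):
        verdict = "covers" if limit_covers(SAMPLE_LOG, candidate) else "too small"
        print(f"memory_limit = {candidate}: {verdict}")
```

Run it against the PHP error log instead of the constructed sample to see how far above the current limit the failing runs actually reached; if the lower bound sits just above 512M, 1024M is a reasonable next step, whereas a bound far above it points at the list processing itself rather than the limit. The value PHP is really running with, whatever php.ini on disk says, can be read with `php -r 'echo ini_get("memory_limit");'`.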
@muvaminon There’s a GUI setting for PHP memory limit now. Probably in System/Misc but I’m not near a pfSense. You may find directly editing system files gets overwritten.
https://docs.netgate.com/pfsense/en/latest/releases/2-7-1.html#php-interpreter
-
@SteveITS Thank you. It's in "Diagnostics/Edit File”
-
@muvaminon said in Bugs: PHP error memory exhausted in CE r2.7.2 and rate limits crashing:
@SteveITS Thank you. It's in "Diagnostics/Edit File”
That's to edit files on disk. I am thinking of this setting in System/Advanced/Miscellaneous:
Since that exists I would expect it to override, or overwrite, an edited file on disk. Possibly, at the next boot.