Netgate Discussion Forum

    pfBlocker CRON update not being disabled

    • A Offline
      Amin48
      last edited by Amin48

      Hello, I have this issue where CRON keeps updating even after I disabled the setting. I'm aware that this is an existing bug (my fw V25.11.1) and a common issue.

      [image]

      I found an online fix attempt where users entered the following PHP command:

      install_cron_job('pfblockerng.php cron', false);

      This successfully disables cron updates, but then the pfBlocker feature stops working. Anyone had similar issues?

      • SteveITSS Offline
        SteveITS Rebel Alliance @Amin48
        last edited by

        @Amin48 sorry, what is your goal, to not update any lists again? As opposed to disabling/deleting the feeds?

        FWIW there is a cron package in pfSense.

        To upgrade, select your branch in System/Update/Update Settings. When upgrading, allow 10-15 minutes to reboot, or more depending on packages, CPU, and/or disk speed.
        Only install packages for your version of pfSense.
        Upvote 👍 helpful posts!

        • GertjanG Offline
          Gertjan @Amin48
          last edited by

          @Amin48 said in pfBlocker CRON update not being disabled:

          I have this issue where CRON keeps updating even after I disabled the setting.

          Updating... do you mind saying what gets updated?

          When I set:

          [image]

          then I would presume that this line:

          [image]

          gets removed => no more pfBlockerng 'cron'.
          Strangely enough, and I agree: using 'disabled' doesn't remove the pfBlockerng cron line, so nothing gets disabled.
          See this as a feature, not a bug ^^
          After all: who (and when?) will rotate all the pfBlockerng log files??
          These files are always growing, and if they are not rotated, your pfSense will crash in the future, as all disk space will be used. Way before the system goes down, access to the pfBlockerng stats pages will be so slow that the GUI fails, as the log files that are used to create stats are just too big.

          No "help me" PM's please. Use the forum, the community will thank you.

          • A Offline
            Amin48 @Amin48
            last edited by

            Thanks for replying. I'm essentially trying to utilize pfBlocker GeoIP for these specific rules, and they are working as expected.

            [image]

            However, when the CRON update initiates, it automatically updates my FW rules and removes the destination IP, which looks like the below:

            [image]
            If the CRON update stays disabled then my rules won't get updated, which is why I'm trying to prevent this. I've had a look into the "Firewall 'Auto' Rule Order" setting to see if there is anything I can change, but after several changes this rule keeps getting changed per CRON update.

            • A Offline
              Amin48 @SteveITS
              last edited by

              @SteveITS Hi Steve, essentially GeoIP restrictions to a specific destination IP. Works as expected when GeoIP is enabled, however after the CRON update it automatically updates my FW rules and removes the destination IP. I'm trying to prevent CRON updating and changing my rules.

              • GertjanG Offline
                Gertjan @Amin48
                last edited by Gertjan

                @Amin48

                My WAN firewall 'pass' rule:

                [image]

                and it never changes as it's not an auto rule.
                "auto" is nice, but it can do things you don't want, like re-ordering of the rule.

                What I did : I created the rule myself, so it won't get deleted, or recreated.
                I use an alias, "pfB_Europe_v4". It's this alias that is kept up to date by pfBlockerng.
                So, in short, pfBlockerng doesn't change my firewall rules, just the Alias, and the Alias is used in a WAN firewall rule I created.

                Here I create the "pfB_Europe_v4" Alias :

                [image]

                Btw : you've set (make and use an Alias) the "Destination" :

                [image]

                ?

                • SteveITSS Offline
                  SteveITS Rebel Alliance @Amin48
                  last edited by

                  @Amin48 said in pfBlocker CRON update not being disabled:

                  it automatically updates my FW rules and removes the destination IP

                  Yes that's what it does, it regenerates the rules.

                  A much better way to solve this, and keep updating geo data, is to change those rules to create as Alias Native instead of Deny. Then pfB only creates an alias. You can then create your own rules however you want, in whatever order you want:
                  [image]

                  • GertjanG Offline
                    Gertjan @SteveITS
                    last edited by Gertjan

                    @Amin48
                    More info just one click away :

                    [image]

                    • SteveITSS Offline
                      SteveITS Rebel Alliance @Gertjan
                      last edited by

                      @Gertjan said in pfBlocker CRON update not being disabled:

                      make and use an Alias

                      ...so basically what Gertjan wrote. :)

                      Honestly I am not sure why there is a choice Alias Permit. I know Alias Native will not deduplicate across lists, like the Deny options can. I prefer to control which IPs I'm blocking in each rule.

                      • GertjanG Offline
                        Gertjan @SteveITS
                        last edited by

                        @SteveITS said in pfBlocker CRON update not being disabled:

                        Honestly I am not sure why there is a choice Alias Permit.

                        I guess the "permit" does nothing for me, true.
                        I use the alias, "pfB_Europe_v4" in my case, in a firewall rule where I (the admin) control everything - except the content of the alias. For me, this is a pass rule, so this rule makes my pfSense accept VPN connections from Europe (France). Other 'UDP port 1194' will get dropped as a default behavior.
                        I probably should use "Native" : that's done now 👍

                        • BBcan177B Offline
                          BBcan177 Moderator @Gertjan
                          last edited by

                          There is Alias Deny for blocking, and using that option the events will show in the Deny Stats. Alias Native doesn't use any deduplication.

                          Alias Permit/Match should be selected if they are destined for a permit or match rule.

                          "Experience is something you don't get until just after you need it."

                          Website: http://pfBlockerNG.com
                          Twitter: @BBcan177  #pfBlockerNG
                          Reddit: https://www.reddit.com/r/pfBlockerNG/new/
