PfBlocker disabled pf when router was booted with no internet



  • Hello,

    I just had a router reboot and there was temporarily no internet when it came back up.  No traffic would pass from behind the router then, and it appears that pfBlocker errored out and disabled pf (below).  This is an Alix 2d13 running pfSense 2.0.1 and pfBlocker 1.0.2.

    This router also seems to have squid binaries installed, even though squid isn't shown in the GUI as an installed package, so I think I need to zero out the flash card, reload, and import the config in fresh.

    Is the pf problem related to the squid issue, or is it a lingering problem mentioned in this link below?

    http://forum.pfsense.org/index.php/topic,42543.msg266549.html#msg266549

    
    Apr 22 19:50:57 kanth3 php: : The command '/usr/bin/fetch -T 5 -q -o '/var/db/aliastables/pfBlockerAfrica.txt.tmp' 'https://127.0.0.1:8443/pfblocker.php?pfb=pfBlockerAfrica'' returned exit code '1', the output was 'fetch: transfer timed out'
    Apr 22 19:50:57 kanth3 php: : The command '/usr/bin/grep -v '^#' '/var/db/aliastables/pfBlockerAfrica.txt.tmp' > '/var/db/aliastables/pfBlockerAfrica.txt'' returned exit code '2', the output was ''
    Apr 22 19:51:02 kanth3 php: : The command '/usr/bin/fetch -T 5 -q -o '/var/db/aliastables/pfBlockerAsia.txt.tmp' 'https://127.0.0.1:8443/pfblocker.php?pfb=pfBlockerAsia'' returned exit code '1', the output was 'fetch: transfer timed out'
    Apr 22 19:51:02 kanth3 php: : The command '/usr/bin/grep -v '^#' '/var/db/aliastables/pfBlockerAsia.txt.tmp' > '/var/db/aliastables/pfBlockerAsia.txt'' returned exit code '2', the output was ''
    Apr 22 19:51:07 kanth3 php: : The command '/usr/bin/fetch -T 5 -q -o '/var/db/aliastables/pfBlockerEurope.txt.tmp' 'https://127.0.0.1:8443/pfblocker.php?pfb=pfBlockerEurope'' returned exit code '1', the output was 'fetch: transfer timed out'
    Apr 22 19:51:07 kanth3 php: : The command '/usr/bin/grep -v '^#' '/var/db/aliastables/pfBlockerEurope.txt.tmp' > '/var/db/aliastables/pfBlockerEurope.txt'' returned exit code '2', the output was ''
    Apr 22 19:51:12 kanth3 php: : The command '/usr/bin/fetch -T 5 -q -o '/var/db/aliastables/pfBlockerSouthAmerica.txt.tmp' 'https://127.0.0.1:8443/pfblocker.php?pfb=pfBlockerSouthAmerica'' returned exit code '1', the output was 'fetch: transfer timed out'
    Apr 22 19:51:12 kanth3 php: : The command '/usr/bin/grep -v '^#' '/var/db/aliastables/pfBlockerSouthAmerica.txt.tmp' > '/var/db/aliastables/pfBlockerSouthAmerica.txt'' returned exit code '2', the output was ''
    Apr 22 19:51:17 kanth3 php: : The command '/usr/bin/fetch -T 5 -q -o '/var/db/aliastables/pfBlockerTopSpammers.txt.tmp' 'https://127.0.0.1:8443/pfblocker.php?pfb=pfBlockerTopSpammers'' returned exit code '1', the output was 'fetch: transfer timed out'
    Apr 22 19:51:17 kanth3 php: : The command '/usr/bin/grep -v '^#' '/var/db/aliastables/pfBlockerTopSpammers.txt.tmp' > '/var/db/aliastables/pfBlockerTopSpammers.txt'' returned exit code '2', the output was ''
    Apr 22 19:52:08 kanth3 php: : The command '/sbin/pfctl -nf /tmp/rules.test.packages' returned exit code '1', the output was 'no IP address found for grep: /tmp/rules.test.packages:17: file "/var/db/aliastables/pfBlockerAfrica.txt" contains bad data no IP address found for grep: /tmp/rules.test.packages:19: file "/var/db/aliastables/pfBlockerAsia.txt" contains bad data no IP address found for grep: /tmp/rules.test.packages:21: file "/var/db/aliastables/pfBlockerEurope.txt" contains bad data no IP address found for grep: /tmp/rules.test.packages:23: file "/var/db/aliastables/pfBlockerSouthAmerica.txt" contains bad data no IP address found for grep: /tmp/rules.test.packages:25: file "/var/db/aliastables/pfBlockerTopSpammers.txt" contains bad data'
    Apr 22 19:52:08 kanth3 php: : There was an error while parsing the package filter rules for /usr/local/pkg/squid.inc.
    Apr 22 19:52:59 kanth3 php: : The command '/sbin/pfctl -nf /tmp/rules.test.packages' returned exit code '1', the output was 'no IP address found for grep: /tmp/rules.test.packages:17: file "/var/db/aliastables/pfBlockerAfrica.txt" contains bad data no IP address found for grep: /tmp/rules.test.packages:19: file "/var/db/aliastables/pfBlockerAsia.txt" contains bad data no IP address found for grep: /tmp/rules.test.packages:21: file "/var/db/aliastables/pfBlockerEurope.txt" contains bad data no IP address found for grep: /tmp/rules.test.packages:23: file "/var/db/aliastables/pfBlockerSouthAmerica.txt" contains bad data no IP address found for grep: /tmp/rules.test.packages:25: file "/var/db/aliastables/pfBlockerTopSpammers.txt" contains bad data'
    ...
    Apr 22 19:53:49 kanth3 php: : There was an error while parsing the package filter rules for /usr/local/pkg/squid.inc.
    Apr 22 19:54:40 kanth3 php: : The command '/sbin/pfctl -o basic -f /tmp/rules.debug' returned exit code '1', the output was 'no IP address found for grep: /tmp/rules.debug:17: file "/var/db/aliastables/pfBlockerAfrica.txt" contains bad data no IP address found for grep: /tmp/rules.debug:19: file "/var/db/aliastables/pfBlockerAsia.txt" contains bad data no IP address found for grep: /tmp/rules.debug:21: file "/var/db/aliastables/pfBlockerEurope.txt" contains bad data no IP address found for grep: /tmp/rules.debug:23: file "/var/db/aliastables/pfBlockerSouthAmerica.txt" contains bad data no IP address found for grep: /tmp/rules.debug:25: file "/var/db/aliastables/pfBlockerTopSpammers.txt" contains bad data pfctl: Syntax error in config file: pf rules not loaded' 
    ...
    
    


  • This happened again, and on a different router - running 2.0.1, pfblocker 1.0.2 on an Alix board:

    May 13 08:57:19	php: : There were error(s) loading the rules: no IP address found for grep: /tmp/rules.debug:18: file "/var/db/aliastables/pfBlockerAfrica.txt" contains bad data no IP address found for grep: /tmp/rules.debug:20: file "/var/db/aliastables/pfBlockerAsia.txt" contains bad data no IP address found for grep: /tmp/rules.debug:22: file "/var/db/aliastables/pfBlockerEurope.txt" contains bad data no IP address found for grep: /tmp/rules.debug:24: file "/var/db/aliastables/pfBlockerSouthAmerica.txt" contains bad data no IP address found for grep: /tmp/rules.debug:26: file "/var/db/aliastables/pfBlockerTopSpammers.txt" contains bad data pfctl: Syntax error in config file: pf rules not loaded - The line in question reads [ /tmp/rules.debug]:
    May 13 08:57:19	php: : New alert found: There were error(s) loading the rules: no IP address found for grep: /tmp/rules.debug:18: file "/var/db/aliastables/pfBlockerAfrica.txt" contains bad data no IP address found for grep: /tmp/rules.debug:20: file "/var/db/aliastables/pfBlockerAsia.txt" contains bad data no IP address found for grep: /tmp/rules.debug:22: file "/var/db/aliastables/pfBlockerEurope.txt" contains bad data no IP address found for grep: /tmp/rules.debug:24: file "/var/db/aliastables/pfBlockerSouthAmerica.txt" contains bad data no IP address found for grep: /tmp/rules.debug:26: file "/var/db/aliastables/pfBlockerTopSpammers.txt" contains bad data pfctl: Syntax error in config file: pf rules not loaded The line in question reads [ /tmp/rules.debug]:
    May 13 08:56:28	php: : The command '/sbin/pfctl -o basic -f /tmp/rules.debug' returned exit code '1', the output was 'no IP address found for grep: /tmp/rules.debug:18: file "/var/db/aliastables/pfBlockerAfrica.txt" contains bad data no IP address found for grep: /tmp/rules.debug:20: file "/var/db/aliastables/pfBlockerAsia.txt" contains bad data no IP address found for grep: /tmp/rules.debug:22: file "/var/db/aliastables/pfBlockerEurope.txt" contains bad data no IP address found for grep: /tmp/rules.debug:24: file "/var/db/aliastables/pfBlockerSouthAmerica.txt" contains bad data no IP address found for grep: /tmp/rules.debug:26: file "/var/db/aliastables/pfBlockerTopSpammers.txt" contains bad data pfctl: Syntax error in config file: pf rules not loaded'
    May 13 08:56:28	php: : The command '/sbin/pfctl -o basic -f /tmp/rules.debug' returned exit code '1', the output was 'no IP address found for grep: /tmp/rules.debug:18: file "/var/db/aliastables/pfBlockerAfrica.txt" contains bad data no IP address found for grep: /tmp/rules.debug:20: file "/var/db/aliastables/pfBlockerAsia.txt" contains bad data no IP address found for grep: /tmp/rules.debug:22: file "/var/db/aliastables/pfBlockerEurope.txt" contains bad data no IP address found for grep: /tmp/rules.debug:24: file "/var/db/aliastables/pfBlockerSouthAmerica.txt" contains bad data no IP address found for grep: /tmp/rules.debug:26: file "/var/db/aliastables/pfBlockerTopSpammers.txt" contains bad data pfctl: Syntax error in config file: pf rules not loaded'
    May 13 08:55:36	php: : The command '/usr/bin/grep -v '^#' '/var/db/aliastables/pfBlockerTopSpammers.txt.tmp' > '/var/db/aliastables/pfBlockerTopSpammers.txt'' returned exit code '2', the output was ''
    May 13 08:55:36	php: : The command '/usr/bin/fetch -T 5 -q -o '/var/db/aliastables/pfBlockerTopSpammers.txt.tmp' 'https://127.0.0.1:8443/pfblocker.php?pfb=pfBlockerTopSpammers'' returned exit code '1', the output was 'fetch: transfer timed out'
    May 13 08:55:34	php: : No pfBlocker action during boot process.
    May 13 08:55:33	php: : No pfBlocker action during boot process.
    May 13 08:55:33	php: : No pfBlocker action during boot process.
    May 13 08:55:33	php: : No pfBlocker action during boot process.
    May 13 08:55:33	php: : Restarting/Starting all packages.
    May 13 08:55:31	php: : The command '/usr/bin/grep -v '^#' '/var/db/aliastables/pfBlockerSouthAmerica.txt.tmp' > '/var/db/aliastables/pfBlockerSouthAmerica.txt'' returned exit code '2', the output was ''
    May 13 08:55:31	php: : The command '/usr/bin/fetch -T 5 -q -o '/var/db/aliastables/pfBlockerSouthAmerica.txt.tmp' 'https://127.0.0.1:8443/pfblocker.php?pfb=pfBlockerSouthAmerica'' returned exit code '1', the output was 'fetch: transfer timed out'
    May 13 08:55:27	check_reload_status: Starting packages
    May 13 08:55:27	php: : pfSense package system has detected an ip change -> ... Restarting packages.
    May 13 08:55:27	php: : OpenNTPD is starting up.
    May 13 08:55:26	php: : The command '/usr/bin/grep -v '^#' '/var/db/aliastables/pfBlockerEurope.txt.tmp' > '/var/db/aliastables/pfBlockerEurope.txt'' returned exit code '2', the output was ''
    May 13 08:55:26	php: : The command '/usr/bin/fetch -T 5 -q -o '/var/db/aliastables/pfBlockerEurope.txt.tmp' 'https://127.0.0.1:8443/pfblocker.php?pfb=pfBlockerEurope'' returned exit code '1', the output was 'fetch: transfer timed out'
    May 13 08:55:21	php: : The command '/usr/bin/grep -v '^#' '/var/db/aliastables/pfBlockerAsia.txt.tmp' > '/var/db/aliastables/pfBlockerAsia.txt'' returned exit code '2', the output was ''
    May 13 08:55:21	php: : The command '/usr/bin/fetch -T 5 -q -o '/var/db/aliastables/pfBlockerAsia.txt.tmp' 'https://127.0.0.1:8443/pfblocker.php?pfb=pfBlockerAsia'' returned exit code '1', the output was 'fetch: transfer timed out'
    May 13 08:55:16	check_reload_status: Reloading filter
    May 13 08:55:16	php: : rc.newwanip: on (IP address: 172.19.1.1) (interface: ) (real interface: ovpns1).
    May 13 08:55:16	php: : rc.newwanip: Informational is starting ovpns1.
    May 13 08:55:16	php: : The command '/usr/bin/grep -v '^#' '/var/db/aliastables/pfBlockerAfrica.txt.tmp' > '/var/db/aliastables/pfBlockerAfrica.txt'' returned exit code '2', the output was ''
    May 13 08:55:16	php: : The command '/usr/bin/fetch -T 5 -q -o '/var/db/aliastables/pfBlockerAfrica.txt.tmp' 'https://127.0.0.1:8443/pfblocker.php?pfb=pfBlockerAfrica'' returned exit code '1', the output was 'fetch: transfer timed out'
    

    Has anyone else experienced this?



  • Yes, the reboots take much longer with pfBlocker, as per the link described.

    But it shouldn't disable pf altogether. I don't see that it actually does in this case?



  • Yes, I've had this happen on two occasions.

    Both times the router lost power the night before and the users had no internet access when they came in in the morning.  Disabling pfblocker restored their internet access.

    I have not been able to reproduce this so far on a test router.



  • Maybe you should report this to marcelloc in http://forum.pfsense.org/index.php/topic,42543.0.html? It's probably related to the pfBlocker taking longer to boot up on embedded problem.



  • Ok.

    To convert a regular computer into a testing router, how do you install the embedded pfSense image? Do you just dd the image onto the hard drive?





  • I was able to reproduce this on a test router, and I have posted this at:

    http://forum.pfsense.org/index.php/topic,42543.msg340581.html#msg340581
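
The logs in this thread show one failure chain: `fetch` times out, the `grep` step exits with code 2, and `pfctl` then rejects the table files as "bad data" and does not load the rules. As an added example (not pfBlocker's code and not written by any poster), here is one way to validate a downloaded list before it replaces the file pf reads; the function names are hypothetical and it assumes IPv4-only lists, which is stricter than what pf itself accepts in a table file.

```shell
#!/bin/sh
# Added example, not pfBlocker code. Function names are hypothetical.
# Assumes IPv4-only lists: one address or CIDR per line, '#' comments.

# validate_table FILE: succeed only if FILE is non-empty and every
# non-comment line is a single IPv4 address or CIDR block.
validate_table() {
    [ -s "$1" ] || return 1
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        {
            n = split($1, p, "/")
            if (NF != 1 || n > 2) bad = 1
            if (n == 2 && (p[2] !~ /^[0-9]+$/ || p[2] + 0 > 32)) bad = 1
            if (split(p[1], o, ".") != 4) bad = 1
            for (i = 1; i <= 4; i++)
                if (o[i] !~ /^[0-9]+$/ || o[i] + 0 > 255) bad = 1
            if (bad) exit
            good++
        }
        END { exit (bad || good == 0) }
    ' "$1"
}

# install_table TMP DEST: publish TMP as DEST only if it validates.
# The write goes to DEST.new and is renamed, so pf never reads a
# half-written file; on failure DEST keeps its last good content.
install_table() {
    if validate_table "$1"; then
        grep -v '^#' "$1" > "$2.new" && mv -f "$2.new" "$2"
    else
        echo "rejected $1, keeping existing $2" >&2
        return 1
    fi
}

# Constructed demo: a good list, then a "download" holding the kind of
# non-address text pfctl complained about in the logs above.
demo() {
    d=$(mktemp -d) || return 1
    printf '# list\n192.0.2.0/24\n198.51.100.7\n' > "$d/good.tmp"
    printf 'grep: list.txt.tmp: No such file or directory\n' > "$d/bad.tmp"
    install_table "$d/good.tmp" "$d/table.txt"
    install_table "$d/bad.tmp" "$d/table.txt" 2>/dev/null || true
    cat "$d/table.txt"; rm -rf "$d"
}
demo
```

If no earlier good copy of the destination exists, `install_table` still returns non-zero and writes nothing, so the caller has to decide how the ruleset should be built without that table.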