PfBlocker disabled pf when router was booted with no internet

ttblum

Hello,

I just had a router reboot and there was temporarily no internet when it came back up. No traffic would pass from behind the router then, and it appears that pfBlocker errored out and disabled pf (below). This is an Alix 2d13 running pfSense 2.0.1 and pfBlocker 1.0.2.

This router also seems to have squid binaries installed, even though squid isn't shown in the GUI as an installed package, so I think I need to zero out the flash card, reload, and import the config in fresh.

Is the pf problem related to the squid issue, or is it a lingering problem mentioned in this link below?

http://forum.pfsense.org/index.php/topic,42543.msg266549.html#msg266549


Apr 22 19:50:57 kanth3 php: : The command '/usr/bin/fetch -T 5 -q -o '/var/db/aliastables/pfBlockerAfrica.txt.tmp' 'https://127.0.0.1:8443/pf
blocker.php?pfb=pfBlockerAfrica'' returned exit code '1', the output was 'fetch: transfer timed out' 
Apr 22 19:50:57 kanth3 php: : The command '/usr/bin/grep -v '^#' '/var/db/aliastables/pfBlockerAfrica.txt.tmp' > '/var/db/aliastables/pfBlock
erAfrica.txt'' returned exit code '2', the output was '' 
Apr 22 19:51:02 kanth3 php: : The command '/usr/bin/fetch -T 5 -q -o '/var/db/aliastables/pfBlockerAsia.txt.tmp' 'https://127.0.0.1:8443/pfbl
ocker.php?pfb=pfBlockerAsia'' returned exit code '1', the output was 'fetch: transfer timed out' 
Apr 22 19:51:02 kanth3 php: : The command '/usr/bin/grep -v '^#' '/var/db/aliastables/pfBlockerAsia.txt.tmp' > '/var/db/aliastables/pfBlocker
Asia.txt'' returned exit code '2', the output was '' 
Apr 22 19:51:07 kanth3 php: : The command '/usr/bin/fetch -T 5 -q -o '/var/db/aliastables/pfBlockerEurope.txt.tmp' 'https://127.0.0.1:8443/pf
blocker.php?pfb=pfBlockerEurope'' returned exit code '1', the output was 'fetch: transfer timed out' 
Apr 22 19:51:07 kanth3 php: : The command '/usr/bin/grep -v '^#' '/var/db/aliastables/pfBlockerEurope.txt.tmp' > '/var/db/aliastables/pfBlock
erEurope.txt'' returned exit code '2', the output was '' 
Apr 22 19:51:12 kanth3 php: : The command '/usr/bin/fetch -T 5 -q -o '/var/db/aliastables/pfBlockerSouthAmerica.txt.tmp' 'https://127.0.0.1:8
443/pfblocker.php?pfb=pfBlockerSouthAmerica'' returned exit code '1', the output was 'fetch: transfer timed out' 
Apr 22 19:51:12 kanth3 php: : The command '/usr/bin/grep -v '^#' '/var/db/aliastables/pfBlockerSouthAmerica.txt.tmp' > '/var/db/aliastables/p
fBlockerSouthAmerica.txt'' returned exit code '2', the output was '' 
Apr 22 19:51:17 kanth3 php: : The command '/usr/bin/fetch -T 5 -q -o '/var/db/aliastables/pfBlockerTopSpammers.txt.tmp' 'https://127.0.0.1:84
43/pfblocker.php?pfb=pfBlockerTopSpammers'' returned exit code '1', the output was 'fetch: transfer timed out' 
Apr 22 19:51:17 kanth3 php: : The command '/usr/bin/grep -v '^#' '/var/db/aliastables/pfBlockerTopSpammers.txt.tmp' > '/var/db/aliastables/pf
BlockerTopSpammers.txt'' returned exit code '2', the output was '' 
Apr 22 19:52:08 kanth3 php: : The command '/sbin/pfctl -nf /tmp/rules.test.packages' returned exit code '1', the output was 'no IP address fo
und for grep: /tmp/rules.test.packages:17: file "/var/db/aliastables/pfBlockerAfrica.txt" contains bad data no IP address found for grep: /tm
p/rules.test.packages:19: file "/var/db/aliastables/pfBlockerAsia.txt" contains bad data no IP address found for grep: /tmp/rules.test.packag
es:21: file "/var/db/aliastables/pfBlockerEurope.txt" contains bad data no IP address found for grep: /tmp/rules.test.packages:23: file "/var
/db/aliastables/pfBlockerSouthAmerica.txt" contains bad data no IP address found for grep: /tmp/rules.test.packages:25: file "/var/db/aliasta
bles/pfBlockerTopSpammers.txt" contains bad data' 
Apr 22 19:52:08 kanth3 php: : There was an error while parsing the package filter rules for /usr/local/pkg/squid.inc.
Apr 22 19:52:59 kanth3 php: : The command '/sbin/pfctl -nf /tmp/rules.test.packages' returned exit code '1', the output was 'no IP address fo
und for grep: /tmp/rules.test.packages:17: file "/var/db/aliastables/pfBlockerAfrica.txt" contains bad data no IP address found for grep: /tm
p/rules.test.packages:19: file "/var/db/aliastables/pfBlockerAsia.txt" contains bad data no IP address found for grep: /tmp/rules.test.packag
es:21: file "/var/db/aliastables/pfBlockerEurope.txt" contains bad data no IP address found for grep: /tmp/rules.test.packages:23: file "/var
/db/aliastables/pfBlockerSouthAmerica.txt" contains bad data no IP address found for grep: /tmp/rules.test.packages:25: file "/var/db/aliasta
bles/pfBlockerTopSpammers.txt" contains bad data' 
...
Apr 22 19:53:49 kanth3 php: : There was an error while parsing the package filter rules for /usr/local/pkg/squid.inc.
Apr 22 19:54:40 kanth3 php: : The command '/sbin/pfctl -o basic -f /tmp/rules.debug' returned exit code '1', the output was 'no IP address found for grep: /tmp/rules.debug:17: file "/var/db/aliastables/pfBlockerAfrica.txt" contains bad data no IP address found for grep: /tmp/rules.debug:19: file "/var/db/aliastables/pfBlockerAsia.txt" contains bad data no IP address found for grep: /tmp/rules.debug:21: file "/var/db/aliastables/pfBlockerEurope.txt" contains bad data no IP address found for grep: /tmp/rules.debug:23: file "/var/db/aliastables/pfBlockerSouthAmerica.txt" contains bad data no IP address found for grep: /tmp/rules.debug:25: file "/var/db/aliastables/pfBlockerTopSpammers.txt" contains bad data pfctl: Syntax error in config file: pf rules not loaded' 
...

ttblum

This happened again, and on a different router - running 2.0.1, pfblocker 1.0.2 on an Alix board:

May 13 08:57:19	php: : There were error(s) loading the rules: no IP address found for grep: /tmp/rules.debug:18: file "/var/db/aliastables/pfBlockerAfrica.txt" contains bad data no IP address found for grep: /tmp/rules.debug:20: file "/var/db/aliastables/pfBlockerAsia.txt" contains bad data no IP address found for grep: /tmp/rules.debug:22: file "/var/db/aliastables/pfBlockerEurope.txt" contains bad data no IP address found for grep: /tmp/rules.debug:24: file "/var/db/aliastables/pfBlockerSouthAmerica.txt" contains bad data no IP address found for grep: /tmp/rules.debug:26: file "/var/db/aliastables/pfBlockerTopSpammers.txt" contains bad data pfctl: Syntax error in config file: pf rules not loaded - The line in question reads [ /tmp/rules.debug]:
May 13 08:57:19	php: : New alert found: There were error(s) loading the rules: no IP address found for grep: /tmp/rules.debug:18: file "/var/db/aliastables/pfBlockerAfrica.txt" contains bad data no IP address found for grep: /tmp/rules.debug:20: file "/var/db/aliastables/pfBlockerAsia.txt" contains bad data no IP address found for grep: /tmp/rules.debug:22: file "/var/db/aliastables/pfBlockerEurope.txt" contains bad data no IP address found for grep: /tmp/rules.debug:24: file "/var/db/aliastables/pfBlockerSouthAmerica.txt" contains bad data no IP address found for grep: /tmp/rules.debug:26: file "/var/db/aliastables/pfBlockerTopSpammers.txt" contains bad data pfctl: Syntax error in config file: pf rules not loaded The line in question reads [ /tmp/rules.debug]:
May 13 08:56:28	php: : The command '/sbin/pfctl -o basic -f /tmp/rules.debug' returned exit code '1', the output was 'no IP address found for grep: /tmp/rules.debug:18: file "/var/db/aliastables/pfBlockerAfrica.txt" contains bad data no IP address found for grep: /tmp/rules.debug:20: file "/var/db/aliastables/pfBlockerAsia.txt" contains bad data no IP address found for grep: /tmp/rules.debug:22: file "/var/db/aliastables/pfBlockerEurope.txt" contains bad data no IP address found for grep: /tmp/rules.debug:24: file "/var/db/aliastables/pfBlockerSouthAmerica.txt" contains bad data no IP address found for grep: /tmp/rules.debug:26: file "/var/db/aliastables/pfBlockerTopSpammers.txt" contains bad data pfctl: Syntax error in config file: pf rules not loaded'
May 13 08:56:28	php: : The command '/sbin/pfctl -o basic -f /tmp/rules.debug' returned exit code '1', the output was 'no IP address found for grep: /tmp/rules.debug:18: file "/var/db/aliastables/pfBlockerAfrica.txt" contains bad data no IP address found for grep: /tmp/rules.debug:20: file "/var/db/aliastables/pfBlockerAsia.txt" contains bad data no IP address found for grep: /tmp/rules.debug:22: file "/var/db/aliastables/pfBlockerEurope.txt" contains bad data no IP address found for grep: /tmp/rules.debug:24: file "/var/db/aliastables/pfBlockerSouthAmerica.txt" contains bad data no IP address found for grep: /tmp/rules.debug:26: file "/var/db/aliastables/pfBlockerTopSpammers.txt" contains bad data pfctl: Syntax error in config file: pf rules not loaded'
May 13 08:55:36	php: : The command '/usr/bin/grep -v '^#' '/var/db/aliastables/pfBlockerTopSpammers.txt.tmp' > '/var/db/aliastables/pfBlockerTopSpammers.txt'' returned exit code '2', the output was ''
May 13 08:55:36	php: : The command '/usr/bin/fetch -T 5 -q -o '/var/db/aliastables/pfBlockerTopSpammers.txt.tmp' 'https://127.0.0.1:8443/pfblocker.php?pfb=pfBlockerTopSpammers'' returned exit code '1', the output was 'fetch: transfer timed out'
May 13 08:55:34	php: : No pfBlocker action during boot process.
May 13 08:55:33	php: : No pfBlocker action during boot process.
May 13 08:55:33	php: : No pfBlocker action during boot process.
May 13 08:55:33	php: : No pfBlocker action during boot process.
May 13 08:55:33	php: : Restarting/Starting all packages.
May 13 08:55:31	php: : The command '/usr/bin/grep -v '^#' '/var/db/aliastables/pfBlockerSouthAmerica.txt.tmp' > '/var/db/aliastables/pfBlockerSouthAmerica.txt'' returned exit code '2', the output was ''
May 13 08:55:31	php: : The command '/usr/bin/fetch -T 5 -q -o '/var/db/aliastables/pfBlockerSouthAmerica.txt.tmp' 'https://127.0.0.1:8443/pfblocker.php?pfb=pfBlockerSouthAmerica'' returned exit code '1', the output was 'fetch: transfer timed out'
May 13 08:55:27	check_reload_status: Starting packages
May 13 08:55:27	php: : pfSense package system has detected an ip change -> ... Restarting packages.
May 13 08:55:27	php: : OpenNTPD is starting up.
May 13 08:55:26	php: : The command '/usr/bin/grep -v '^#' '/var/db/aliastables/pfBlockerEurope.txt.tmp' > '/var/db/aliastables/pfBlockerEurope.txt'' returned exit code '2', the output was ''
May 13 08:55:26	php: : The command '/usr/bin/fetch -T 5 -q -o '/var/db/aliastables/pfBlockerEurope.txt.tmp' 'https://127.0.0.1:8443/pfblocker.php?pfb=pfBlockerEurope'' returned exit code '1', the output was 'fetch: transfer timed out'
May 13 08:55:21	php: : The command '/usr/bin/grep -v '^#' '/var/db/aliastables/pfBlockerAsia.txt.tmp' > '/var/db/aliastables/pfBlockerAsia.txt'' returned exit code '2', the output was ''
May 13 08:55:21	php: : The command '/usr/bin/fetch -T 5 -q -o '/var/db/aliastables/pfBlockerAsia.txt.tmp' 'https://127.0.0.1:8443/pfblocker.php?pfb=pfBlockerAsia'' returned exit code '1', the output was 'fetch: transfer timed out'
May 13 08:55:16	check_reload_status: Reloading filter
May 13 08:55:16	php: : rc.newwanip: on (IP address: 172.19.1.1) (interface: ) (real interface: ovpns1).
May 13 08:55:16	php: : rc.newwanip: Informational is starting ovpns1.
May 13 08:55:16	php: : The command '/usr/bin/grep -v '^#' '/var/db/aliastables/pfBlockerAfrica.txt.tmp' > '/var/db/aliastables/pfBlockerAfrica.txt'' returned exit code '2', the output was ''
May 13 08:55:16	php: : The command '/usr/bin/fetch -T 5 -q -o '/var/db/aliastables/pfBlockerAfrica.txt.tmp' 'https://127.0.0.1:8443/pfblocker.php?pfb=pfBlockerAfrica'' returned exit code '1', the output was 'fetch: transfer timed out'

Has anyone else experienced this?

SeventhSon

yes, the reboots take much longer with pfBlocker, as per the link described.

But it shouldn't disable pf all together, don't see that it actually does in this case?

ttblum

Yes, I've had this happen on two occasions.

Both times the router lost power the night before and the users had no internet access when they came in in the morning. Disabling pfblocker restored their internet access.

I have not been able to reproduce this so far on a test router.

SeventhSon

Maybe you should report this to marcelloc in http://forum.pfsense.org/index.php/topic,42543.0.html? It's probably related to the pfBlocker taking longer to boot up on embedded problem.

ttblum

Ok.

To convert a regular computer into a testing router, how do you install the embedded pfSense image, do you just dd the image onto the hard drive?

SeventhSon

I use VirtualBox myself:
http://forum.pfsense.org/index.php?topic=47306.0

ttblum

I was able to reproduce this on a test router, and I have posted this at:

http://forum.pfsense.org/index.php/topic,42543.msg340581.html#msg340581

PfBlocker disabled pf when router was booted with no internet

Products

Services

Support

News

Resources

Company

Our Mission

Subscribe to our Newsletter