[Solved] Corrupt config? Failed packages upgrade etc.



  • Hi there,

    I have bin running pfSense since 2011 now and always use & backup my config file in case something goes wrong.
    Lately more and more packages seem to fail the upgrade process when there is an update available for a specific package.

    Upgrading to 2.1.2 did also not go smoothly. I reset my system to factory defaults and then restore my config. That worked (then) and all packages where updated.

    Now there is a new version of openvpn client export, that failed to install, nmap failed..
    There is also a new version of snort but I don't want to brake to..!

    Upgrading my packages was a no-brainer but not anymore so it seems.
    Any tips or tricks on cleaning/checking a config or system health?

    Checking files via CLI is also an option. I'm open for all suggestions. Thanks a lot!

    Status: System logs: General

    php: /pkg_mgr_install.php: Beginning package installation for nmap .
    php: /pkg_mgr_installed.php: XML_RPC_Client: Connection to RPC server packages.pfsense.org:443 failed. No route to host 103
    php: /pkg_mgr_installed.php: XMLRPC communication error: No route to host
    
    

  • Moderator

    See if this Link helps you fix the issue.

    https://forum.pfsense.org/index.php?topic=65246.0



  • It seems that connecting to the source is not a problem. Although installing the package is.

    
    Beginning package installation for nmap .
    Downloading package configuration file... done.
    Saving updated package information... done.
    Downloading nmap and its dependencies... 
    Checking for package installation... 
     Downloading https://files.pfsense.org/packages/amd64/8/All/nmap-6.40_2-amd64.pbi ...  (extracting)
    Loading package configuration... done.
    Configuring package components...
    Additional files... nmap.inc failed.
    Removing package...
    Starting package deletion for nmap-6.40_2-amd64...done.
    Removing nmap components...
    Menu items... done.
    Loading package instructions...
    Include file nmap.inc could not be found for inclusion.
    Removing package instructions...done.
    Auxiliary files... done.
    Package XML... done.
    Configuration... done.
    done.
    Failed to install package.
    
    Installation halted.
    


  • I just installed nmap on a 32-bit 2.2 snapshot:

    Beginning package installation for nmap .
    Downloading package configuration file... done.
    Saving updated package information... done.
    Downloading nmap and its dependencies... 
    Checking for package installation... 
     Downloading https://files.pfsense.org/packages/10/All/nmap-6.40_2-i386.pbi ...  (extracting)
    Loading package configuration... done.
    Configuring package components...
    Additional files... done.
    Loading package instructions...
    Custom commands...
    Menu items... done.
    Writing configuration... done.
    
    Installation completed.   Please check to make sure that the package is configured from the respective menu then start the package.
    

    This message in your output is not good:

    Include file nmap.inc could not be found for inclusion.
    

    That file came fine for me:

    ----rwxrwx  1 root  wheel  3678 May  1 14:45 /usr/local/pkg/nmap.inc
    


  • Just tried the new nmap 6.46 but it still shows that i'm missing the included nmap.inc file.
    I also checked the /usr/local/pkg folder. And indeed there was no file called nmap.inc

    Same story goes for other packages when I try to update them.

    Beginning package installation for nmap .
    Downloading package configuration file... done.
    Saving updated package information... done.
    Downloading nmap and its dependencies... 
    Checking for package installation... 
     Downloading https://files.pfsense.org/packages/amd64/8/All/nmap-6.46-amd64.pbi ...  (extracting)
    Loading package configuration... done.
    Configuring package components...
    Additional files... nmap.inc failed.
    Removing package...
    Starting package deletion for nmap-6.46-amd64...done.
    Removing nmap components...
    Menu items... done.
    Loading package instructions...
    Include file nmap.inc could not be found for inclusion.
    Removing package instructions...done.
    Auxiliary files... done.
    Package XML... done.
    Configuration... done.
    done.
    Failed to install package.
    
    Installation halted.
    

    After this, when I click on packages, the package menu looks strange. Not how it suppose to look. (see picture)
    It seems to fix it self after some time. Strange behavior if you ask me..
    If I can provide more information, please let me know.




  • Interesting behavior pinging packages.pfsense.org via the CLI.

    I added a rule of the local-IP of the pfsense box to pfsense config itself to allow communication to al destinations. Did not work either.




  • [Solved]

    Turning OFF Snort did the trick for me. Somehow snort did not like the traffic going to packages.pfsense.org and blocked all IP's to that destination.
    Explains why the menu fixed it self after some time.

    So disabling the Snort service worked for me!

    Nmap is now successfully installed. Hope this still might help some others. Thanks for the support!



  • @SkyNET:

    [Solved]

    Turning OFF Snort did the trick for me. Somehow snort did not like the traffic going to packages.pfsense.org and blocked all IP's to that destination.
    Explains why the menu fixed it self after some time.

    So disabling the Snort service worked for me!

    Nmap is now successfully installed. Hope this still might help some others. Thanks for the support!

    You need to look on the ALERTS and/or BLOCKED tabs in Snort and either add Suppress List entries for the rules that triggered on packages.pfsense.org or disable those rules entirely.  You can, by clicking the plus (+) icon next to the IP address for packages.pfsense.org, add a suppress list entry to track for that IP only.  That will prevent future alerts and blocks on that IP.

    If I recall, there are some HTTP_INSPECT false positives that are frequently triggered by the pfSense site and many others as well.  There is long thread here in the Packages Forum with suggestions for a comprehensive Suppress List configuration.

    Bill


  • Moderator

    Bill, would it be beneficial to add the pfsense package repo to the whitelist page as a checkbox option? I personally haven't had this issue but if you look at the link I sent originally, Jimp had made the recommendation to check for a Snort block so I assume that it has happened to a few users.



  • @BBcan17:

    Bill, would it be beneficial to add the pfsense package repo to the whitelist page as a checkbox option? I personally haven't had this issue but if you look at the link I sent originally, Jimp had made the recommendation to check for a Snort block so I assume that it has happened to a few users.

    While not a bad idea, if the IP address changed, then it would become a false "fix" and folks would assume it was working when it in fact might not be.

    Bill


  • Moderator

    @bmeeks:

    While not a bad idea, if the IP address changed, then it would become a false "fix" and folks would assume it was working when it in fact might not be.

    If pfSense could fix the code to allow domain names it would be really beneficial.

    Couldn't an alias be setup as packages.pfsense.org and at each interface restart, it would perform a

    dig packages.pfsense.org +short as the ip address?

    I assume that the repo is coded in the update page and could be extracted.

    Just a thought.