PfBlockerNG

SkyHawk

@BBcan177:

Hi SkyHawk,

Try to Disable "Keep Setting" and Disable "pfBlockerNG", then hit "Save"… This will do a full clear of all the files.  Re-apply "Keep" and Re-Enable pfBNG, followed by a "Force Update" and see if that clears the discrepancy...

Thank you BBcan177 this needs to be on a sticky or something.  I did as you suggested; then after Re-apply "Keep" and Re-Enable pfBNG I hit "Save" followed by a "Force Update" and poof - the error was resolved.

Kytran

Thank you, BBCan177!
I try install pfBlockerNG in my firewall and config block some range IP.
I force update but it's not update anything and cannot download some range list.
It just show result:
"  No Updates required.
CRON  PROCESS  ENDED
UPDATE PROCESS ENDED"
and
"===[  Aliastables / Rules  ]================================

No Changes to Firewall Rules, Skipping Filter Reload

No Changes to Aliases, Skipping pfctl Update "
So, Could you tell some way to pfBlockerNG can update, please!
Thanks.

BBcan177

Hi Kytran,

In the Alias settings, did you configure the "Update Frequency"? Which Lists are you trying to use? Did the lists download initially?

Cron will execute each hour, the package will check each alias to see if the "Update Frequency" setting is within the current hour, and if so it will perform an update. The message "No Updates required" means none of the defined Aliases require to be updated at this particular Hour interval.

Kytran

Hi BBcan177,
I chose some country to block, but not config list action yet, I change config and it's can update list alias.
Thanks!

Mr. Jingles

BB  :-* :-* :-* :-* :-*

I will respond later with some useless text, but this one is not useless ( ;D ): I am amazed by your package, to me, while playing with it, it seems you've thought of some many things, and it is so fast. Your package to me is like the attached pic (and you know how I feel about these women.. ;D ;D ;D ).

Ciao BB,

GoldServe

Is there a known issue generating a custom list with an ip block of /8?

I tried 17.0.0.0/8 for all of Apple's servers but when I look at the table, I only see 17.0.0.0

When I tried 17.0.0.0/10, I see exactly 17.0.0.0/10 in the table.

BBcan177

Hi GoldServe, there is a small bug that I have fixed. I am putting together some other changes/features for version 1.07 and this will be included.

I will send you a PM shortly with a fix until v1.07 is released.

GoldServe

Thanks! I tried the patch and all is working…

Mr. Jingles

Hi BB  :D

I get this error constantly every day:

[ pfB_PRI3 Juniper ] Download FAIL [ 04/14/15 18:00:27 ]

The list does exist, 'though:

https://www.juniper.net/security/auto/spam

It is set to html (by default).

Would your Royalty have any idea?

Thank you  ;D

BBcan177

Hi Mr. Jingles,

Take a look at the pfblockerng.log  and/or the error.log … Both of these log files are accessible in the Log Browser Tab. It should give you clues as to why its failed.

Hakim

Hi,

Since I upgrade from 2.2 to 2.2.2, I cannot change my NAT rules (well I can change them, but they do not apply).

In fact, I also change pfBlocker to pfBlockerNG.

And if I stop pfBlockerNG then my NAT changes are applied, I can make further NAT changes and they apply correctly.
As soon as I start pfBlockerNG, existing NAT settings are correctly applied, but I cannot change them (until I stop pfBlockerNG).

My global settings include :

<inbound_interface>opt1,wan</inbound_interface>
<inbound_deny_action>block</inbound_deny_action>
<outbound_interface>lan,opt2</outbound_interface>
<outbound_deny_action>reject</outbound_deny_action>

And I have 1 IPv4 Alias :

 <pfblockernglistsv4><config><action>Deny_Both</action>
		<cron>04hours</cron>
		<dow>1</dow>
		<aliaslog>enabled</aliaslog>
		 <custom><custom_update>disabled</custom_update></custom></config></pfblockernglistsv4> 

Any idea about what could be wrong ?

Thanks,
Hakim

doktornotor

@Hakim:

Since I upgrade from 2.2 to 2.2.2, I cannot change my NAT rules (well I can change them, but they do not apply).

As noted right above your comments, logs exist for a reason… ;)

Mr. Jingles

@BBcan177:

Hi Mr. Jingles,

Take a look at the pfblockerng.log  and/or the error.log … Both of these log files are accessible in the Log Browser Tab. It should give you clues as to why its failed.

Thanks BB  ;D

I got that previous quote from error.log, wasn't awake enough to realize there was also info contained in another log:

[ Juniper ]          Downloading New File
looking up www.juniper.net
connecting to www.juniper.net:443
SSL options: 81004bff
Peer verification enabled
Using CA cert file: /usr/local/etc/ssl/cert.pem
Certificate verification failed for /C=IE/O=Baltimore/OU=CyberTrust/CN=Baltimore CyberTrust Root
34381026664:error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed:/usr/pfSensesrc/src/secure/lib/libssl/../../../crypto/openssl/ssl/s3_clnt.c:1162:
fetch: https://www.juniper.net/security/auto/spam: Authentication error

[ pfB_PRI3 Juniper ] Download FAIL [ 04/18/15 7:00:29 ]

Hakim

As noted right above your comments, logs exist for a reason…

No doubt about it, but in this case, no clue in the logs (in fact nothing is logged - on pfBlockerNG side when I made a change in the firewall / NAT UI settings).

On the System/General log I only have :
check_reload_status: Reloading filter
check_reload_status: Syncing firewall

doktornotor

pfBNG has nothing to do with NAT. You simply most likely have some broken alias coming from the pfBNG lists you did set up that breaks the firewall rules altogether. Again, there are logs for a reason.

Hakim

pfBNG has nothing to do with NAT

Maybe but :

• with pfBlockerNG ON : pfSense NAT update does not work
• with pfBlockerNG OFF : pfSense NAT update does work

So, I do not completly agree with your assertion. Just facts.

You simply most likely have some broken alias coming from the pfBNG lists you did set up that breaks the firewall rules altogether.

Is it an expected behavior of pfBlockerNG ?
When there is a problem with an alias, pfSense NAT does cannot be updated properly anymore ?

Because the problem is only about updating. I did not say that NAT is not working. If I stop pfBlockerNG and restart it, my NAT changes are applied.

As I already explain : I did check the logs and did not find anything.
Which log would you propose to check ?

doktornotor

Yes. Because when the updated firewall rules are broken, they fail to load. Flush your pfBNG configuration by unchecking the Keep configuration box, reinstall the package and start from scratch, enabling only ONE list at a time, until you figure this out.

Hakim

@doktornotor:

Yes. Because when the updated firewall rules are broken, they fail to load. Flush your pfBNG configuration by unchecking the Keep configuration box, reinstall the package and start from scratch, enabling only ONE list at a time, until you figure this out.

Thanks for your help,

By enabling one by one the list in my alias, I figured out the list that was ginving problem.

I switch back to my previous config. pfSense 2.2 + pfBlocker with the same lists and everything was fine.

Any idea why that same list which was working fine with (pfSense 2.2 + pfBlocker) does not work anymore with (pfSense 2.2**.2** + pfBlockerNG) ?

That list is from i-blocklist with about 167 000 items.

When that list is loaded I can see the following in the "Live Log Viewer " :

Updating: pfB_AliasBlockList 
(...)

no IP address found for /32pfctl: cannot load /var/db/aliastables/pfB_AliasBlockList.txt: No error: 0

(...)

====================[ Empty Lists w/1.1.1.1 ]==================

malicious
/32
malicious
/32
malicious
/32
malicious
/32
malicious
/32
malicious
/32
malicious
/32
malicious
/32
malicious
/32
malicious
/32
malicious
/32

(...)

BBcan177

Hi Hakim, my first guess is that IBlock has a variant of "0.0.0.0" in this list. I really do not understand why IBlock inserts this IP, every so often.

Are you using the latest version of pfBlockerNG? (v1.06)

Can you post the url of this list?

BBcan177

@Mr.:

@BBcan177:

Hi Mr. Jingles,

Take a look at the pfblockerng.log  and/or the error.log … Both of these log files are accessible in the Log Browser Tab. It should give you clues as to why its failed.

Thanks BB  ;D

I got that previous quote from error.log, wasn't awake enough to realize there was also info contained in another log:

[ Juniper ]          Downloading New File
looking up www.juniper.net
connecting to www.juniper.net:443
SSL options: 81004bff
Peer verification enabled
Using CA cert file: /usr/local/etc/ssl/cert.pem
Certificate verification failed for /C=IE/O=Baltimore/OU=CyberTrust/CN=Baltimore CyberTrust Root
34381026664:error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed:/usr/pfSensesrc/src/secure/lib/libssl/../../../crypto/openssl/ssl/s3_clnt.c:1162:
fetch: https://www.juniper.net/security/auto/spam: Authentication error

[ pfB_PRI3 Juniper ] Download FAIL [ 04/18/15 7:00:29 ]

Looks like they have an issue with their certificate. Try to change the URL from 'https' to 'http'.

If you load that https URL in the browser do you get the same Cert error?