PfBlockerNG


  • Banned

    And it was Tom Schaefer that did the first countryblock package ;)

    Marcello turned it into pfblocker and BBcan17 evolved it into what we see today and we love it!



  • I'm using them since the beginning and in several installs. Big thanks to all that helped especially Tom Schaefer, Marcello and BBcan17.



  • I have the package installed and configured but it doesn't seemto be working. I have PFblocker installed but the I checked the box to disable checking, any suggestions?




  • @samham:

    I have the package installed and configured but it doesn't seemto be working. I have PFblocker installed but the I checked the box to disable checking, any suggestions?

    Looks like you have no list enabled or no hint on rules???



  • @marcelloc:

    @samham:

    I have the package installed and configured but it doesn't seemto be working. I have PFblocker installed but the I checked the box to disable checking, any suggestions?

    Looks like you have no list enabled ???

    Or downloaded (?). I believe the new package doesn't download lists every time you click save on the edit/add list page.



  • Did you applied(force update) after selecting countries for example?



  • many thanks marcelloc that did it.



  • is this available to the public yet?


  • Moderator

    @fragged:

    I believe the new package doesn't download lists every time you click save on the edit/add list page.

    Yes this is  'by Design'.  The process is single threaded, to ensure that only one process at a time updates the files. Allowing the possibility of pressing "Save" at the same time as "Cron" is running or expected to run, can cause data corruption. So when you press "save" it will just save the settings.

    The "Update" tab has a "Force Update" icon which will disable the Cron event and execute the download process. If Cron is active, it will not let you bypass that event, until its completed. You are able to see the complete Download process in the Update Window.

    Any errors will be recorded there, so debugging is fairly straight forward.

    You are also able to view the  pfblockerng.log  and  error.log  in the Log Browser Tab.




  • Moderator

    For those of you that followed the bypass to install the Package, please follow these suggestions:

    1. Enable "Keep Settings" in the pfBlockerNG General Tab. On a Re-install, the first step is a De-Install of the package. So without enabling this setting, you will lose all configured settings on a "Re-Install".

    So please ensure that this is "Checked". You will need to hit "Save" to have it apply!!

    1. There is a v1.0 of pfBlockerNG Posted with a minor revision for an IBlock issue. I believe you will need to ensure that the bypass method used on the first Install, is activated before proceeding with the Update or the Re-Install will FAIL.

    Please ensure you Backup as always before proceeding with any Updates.



  • I don't see the package listed yet!!!


  • Moderator

    @samham:

    I don't see the package listed yet!!!

    Its not Official Yet.. I was referring to those Users who followed the Bypass methods in this thread to get it Installed.



  • marcelloc sent a pull request, I'm assuming it should be official shortly



  • I seen it in packages today.  Got the update from it.



  • @BBCan:

    Thanks for mailing me I was (almost) missing all the fun  ;)
    The package really needs to be released officially!

    Great marcelloc pointed out the old pfblocker is now obsolete and should be replaced with pfBlockerNG.



  • Not in my package list yet (just the old blocker package). Looking forward to it though!!

    @Topper727:

    I seen it in packages today.  Got the update from it.



  • See:
    https://forum.pfsense.org/index.php?topic=86212.msg481358#msg481358

    Make sure you read this entire thread.

    @JasonJoel:

    Not in my package list yet (just the old blocker package). Looking forward to it though!!

    @Topper727:

    I seen it in packages today.  Got the update from it.



  • @wcrowder:

    See:
    https://forum.pfsense.org/index.php?topic=86212.msg481358#msg481358

    Make sure you read this entire thread.

    I'm confused.  Doesn't this post indicate that the package is being officially released now, and that we won't have to do anything special to download it?



  • The pull request needs to be merged by pfsense team before you can use it without any hacks.



  • Ha, ha, ha… I was wondering the same thing too!



  • I used the patch method to install pfBlockerNG, and it was working well on two machines until a reboot.  After a reboot the country block lists in /var/db/aliastables/ are all empty but for a single entry of 1.1.1.1.

    Forcing an update does not fetch the correct files, and no blocking is taking place.


  • Moderator

    @bfeitell:

    I used the patch method to install pfBlockerNG, and it was working well on two machines until a reboot.

    Is this a Nano install where the /var folder is getting deleted on reboot?

    This is a question I have asked the Devs to find a solution for… As these files should be stored in the /var folder. The previous pfBlocker package used to store the files in the /usr/local folder. This issue is only limited to Nano and Ramdisk type installs.

    Run the following shell command to Re-Download the Maxmind Database, and restore the Country code files in the /var folder.

    php /usr/local/www/pfblockerng/pfblockerng.php dc

    Following that, execute a "Force Update"



  • @BBcan177:

    Is this a Nano install where the /var folder is getting deleted on reboot?

    I guess so.

    You may need a conf mount rw to backup data on package save.

    I found a long time ago a guide to run nanobsd on virtual machine. This way will be easier to debug cf installs.


  • Moderator

    @marcelloc:

    You may need a conf mount rw to backup data on package save.

    I found a long time ago a guide to run nanobsd on virtual machine. This way will be easier to debug cf installs.

    Yes, I have a similar doc on that running a Nano in a VM. In this instance, there is nothing to debug.. The /var/db folder which contains the Maxmind Country files get wiped on reboot. I can make a hack way around it in the code which probably is not the best.

    This is a question I have posed to the Devs, but I am waiting on feedback for the best approach. I do not want to save these files to the /usr/local folder.

    Maybe could put it in the PBI Share Folder?



  • Yes indeed, it is a nano install.  Thank you for the fix!


  • Banned

    @BBcan177:

    The /var/db folder which contains the Maxmind Country files get wiped on reboot. I can make a hack way around it in the code which probably is not the best.
    This is a question I have posed to the Devs, but I am waiting on feedback for the best approach. I do not want to save these files to the /usr/local folder.
    Maybe could put it in the PBI Share Folder?

    The /var/db thing is rather unfortunate, not just b/c it's volatile but also since the directory is pretty huge. Takes over 1/3 of the default /var ramdisk.



  • pfBlockerNG needs the Maxmind database country codes otherwise most of the functions will not work.


  • Banned

    @digdug3:

    pfBlockerNG needs the Maxmind database country codes otherwise most of the functions will not work.

    Hmmm, yeah… and the point being? It's already there.



  • The point being if we added a "disable country codes" mode then you would free up the memory.
    This can be a solution for low-memory devices, but then you would miss out all the benefits like reputation, country blocking etc.


  • Banned

    And what would be the point of doing that in a countryblock package?


  • Banned

    @digdug3:

    The point being if we added a "disable country codes" mode then you would free up the memory.

    Cannot see anyone suggesting something similar anywhere. All that's being discussed here is moving the files to a better place.



  • @doktornotor:

    The /var/db thing is rather unfortunate, not just b/c it's volatile but also since the directory is pretty huge. Takes over 1/3 of the default /var ramdisk.

    Thats why I suggested the option to disable country blocking as a whole, only as an option…

    @Supermule:

    And what would be the point of doing that in a countryblock package?

    pfBlockerNG is much more than just a countryblock package.
    I think most of the users use pfBlockerNG as an ip-blocklist and use the countrycodes only for reputation.


  • Banned

    Well. I can tell you differently…

    I use them for blocking as well since I dont want anything to do with the countries I block....and my customers dont have any business there as well.

    So I dont get the traffic on my servers and I can sleep fairly safe at night :D


  • Banned

    Meanwhile, you can use Shellcmd package and run this as shellcmd on nanobsd boxes:

    
    /usr/local/bin/php /usr/local/www/pfblockerng/pfblockerng.php dc
    
    

    to get the blocklists back on reboot.


  • Moderator

    I will be submitting a Pull Request for the following :

    1. MaxMind files will be saved to the PBI folder which will make them persist after reboot. (for Nano / Ramdisk installs)

    2. MaxMind archive files in /var/db will be purged after installation to free up some memory.

    3. Add MaxMind "Anonymous Proxy and Satellite Providers".

    I think Digdug is suggesting to have the option of not installing the MaxMind database to free up some more space. I have an option in the General tab to skip downloading future MaxMind updates, but it doesn't delete the existing installed Files. I could create a function to clear them out but I also need to re-install the files if the user Un-checks this option.

    Also note that "Reputation" and the Alerts tab require the use of the GeoIP.dat and GeoIPv6.dat to function.



  • @wcrowder:

    See:
    https://forum.pfsense.org/index.php?topic=86212.msg481358#msg481358

    Make sure you read this entire thread.

    In that thread it mentions 'look at the screenshot' a number of times, but I don't see a screenshot in the thread anywhere. I make the patch, it says it can be applied, but not reverted, so was going to double check settings to make sure I didn't do something stupid ion the patch definition…


  • Banned

    1/ The screenshot shows just fine, fix your browser.
    2/ You obviously cannot revert patches that have not been applied.



  • Thanks. You are right, the screenshot was there. For some reason it took a LONG time to load though (I was on that page for >3 minutes before the screenshot actually appeared…).

    And, yeah, I should have realized it couldn't revert.

    I have it all installed, configured, and working now. Thanks all for the guidance.

    Thanks!



  • @marcelloc:

    The pull request needs to be merged by pfsense team before you can use it without any hacks.

    Mostly out of curiosity, what does this mean for where this package is in the release process?  That is, does the pfsense team do some testing before they merge it?  Or do they just do some sort of minimal sanity check through the code?


Log in to reply