PfBlockerNG



  • Well then I guess the blue fairies that control Nginx have an issue with the newest version of BSD 11.1. Because it locks up the kernel, PHP, and all when it crashes. Nginx is just a symptom, and the only common thing between all of them is pfBlockerNG. 502 is just a symptom of the lockup, not the cause or even the correct reason for the lockup. If you get a fever from a cold, you could think it's the flu, or anything, but you don't know because it's only a symptom, not the cause.

    Also when it freezes, if you log in locally, you cannot run any commands, nothing. It will execute the command but never return anything. Find command, even the directory change doesn't even show the directory anymore. Seems to me more than an Nginx issue.


  • Moderator

    @BreeOge:

    Well then I guess the blue fairies that control Nginx have an issue with the newest version of BSD 11.1. Because it locks up the kernel, PHP, and all when it crashes. Nginx is just a symptom, and the only common thing between all of them is pfBlockerNG. 502 is just a symptom of the lockup, not the cause or even the correct reason for the lockup. If you get a fever from a cold, you could think it's the flu, or anything, but you don't know because it's only a symptom, not the cause.

    Also when it freezes, if you log in locally, you cannot run any commands, nothing. It will execute the command but never return anything. Find command, even the directory change doesn't even show the directory anymore. Seems to me more than an Nginx issue.

    Haven't tested 2.4.1 (FBSD 11.1) yet… I had one of my testers confirm this issue but at a glance have not found what's causing it...

    I'll send you a PM to help troubleshoot this issue better...

    Thanks!



  • I've got the same problem. Anything I can do to help? Other than reboot every 3 hours of course  ::)

    Doug


  • Moderator

    Can you remove the pfBlockerNG widget from the dashboard and see if that helps? Also, before a reboot or running option 11/16 from the console, please review the /tmp/PHP_Error file for any details.



  • Okay I will do this and report back. I might add that doing "Firewall > pfBlockerNG" Disable didn't help.

    Doug



  • I updated to yesterday's build.

    The issue persists. 3+ hours after booting, the GUI and serial console become unresponsive. Interesting to note that from a network point of view everything still works. WAN and LAN connectivity is normal.

    VPN in does not work.

    I monitored "/tmp/PHP_error.txt" until it became unresponsive but there were no entries.

    Doug



  • To me it seems like some counter / process in the kernel with pfBlockerNG is not releasing like it should. I have multiple boxes, with different loads, all same config. All of them will eventually lock up, but the time it takes is related to how much load is on the system.

    If you try to SSH in when it locks you will notice you cannot restart, start or do anything with any service; it will freeze. Also, if you change directory, the directory you're in is never shown. FYI if you do SSH in, you will need to CTRL-Z to drop out of the menu execution as it will lock up as well.



  • Well I got home from work and all appears to be working. GUI responsive, Serial console okay. VPN answered several times during the day. Still I think I'll follow others and reinstall and restore a recent config. Good time to switch to ZFS.

    Thanks for listening.

    Doug



  • @john_galt:

    Well I got home from work and all appears to be working. GUI responsive, Serial console okay. VPN answered several times during the day. Still I think I'll follow others and reinstall and restore a recent config. Good time to switch to ZFS.

    Thanks for listening.

    Doug

    Please keep us updated, I was wondering that myself if a fresh install to the newest release would fix issues. I know they had a major issue the other day and had to revert due to upgrade problems.



  • Jinxed myself. 502 Bad Gateway nginx

    Going to nurse it along until the weekend when I can get an 18 pack
    and re-install.

    Doug





  • BBcan177

    Just letting you know of another thread on this, trying to narrow the issue down.  Wanted to make you aware of the other thread.

    https://forum.pfsense.org/index.php?topic=137103.msg754247#new

    Thank you sir.
    BreeOge



  • I made the edits in this post:

    https://forum.pfsense.org/index.php?topic=137103.msg754338#msg754338

    Now my pfSense isn't locking up as I had reported before.

    Doug



  • I have reinstalled 2.4.0-R with ZFS and restored my previous config file. I reset pfBlockerNG.
    I will report any of the previous symptoms if they occur.

    Doug


  • Moderator

    @BreeOge:

    BBcan177

    Just letting you know of another thread on this, trying to narrow the issue down.  Wanted to make you aware of the other thread.

    https://forum.pfsense.org/index.php?topic=137103.msg754247#new

    Thank you sir.
    BreeOge

    Thanks for helping work thru the issue… I will work on converting that to use an SQLite3 database as recommended by jimp... I have just shied away in the past on using any SQL dbs...

    For those that remove that section of code in the index.php, that will stop the widget DNSBL counters from populating, however all else will still function as-is...



  • Hey, don't know what thread to post this on, but I am using a nanobsd install of pfsense and want to upgrade. I just want to know if pfblockerng is running okay with the new release before switching and if I do a backup of my config, and import, will that be ok without issues?



  • If you use the ZFS file system (if you do a full reload), it will work just fine. If you just upgrade or re-install with the UFS file system, then pfBlockerNG will lock up the system with a 502 bad gateway error.

    https://forum.pfsense.org/index.php?topic=137103.0

    In that thread there is a current workaround, but like BBcan stated, if you do the workaround your widget will not update properly.

    BreeOge



  • I wanted to chime in here as I just updated from a month old RC to 2.4.0-RELEASE last night and ran into this problem today.

    I haven't read through all of the many pages of the many threads that seem related to this issue (shows how popular pfBNG is!), so maybe this has already been covered.

    But I've seen several people state that this doesn't happen on ZFS - I have a raidz2 ZFS install, and this happened to me, just throwing that out there.



  • @belt9:

    I wanted to chime in here as I just updated from a month old RC to 2.4.0-RELEASE last night and ran into this problem today.

    I haven't read through all of the many pages of the many threads that seem related to this issue (shows how popular pfBNG is!), so maybe this has already been covered.

    But I've seen several people state that this doesn't happen on ZFS - I have a raidz2 ZFS install, and this happened to me, just throwing that out there.

    That is good to know. Thank you for the report. BBcan177 is currently updating it to use SQLite and this should fix any issues in the future. In the other thread there is a temp fix posted.

    https://forum.pfsense.org/index.php?topic=137103.75

    Thank you
    BreeOge



  • Looks like there is an update available in the package manager. Where can one find release notes for the new version? I'm wondering if this has the fix in it.



  • @Jailer:

    Looks like there is an update available in the package manager. Where can one find release notes for the new version? I'm wondering if this has the fix in it.

    https://github.com/pfsense/FreeBSD-ports/commit/fe101279ac400e2794fa27780f020c0bbe1c8caa
    https://github.com/pfsense/FreeBSD-ports/pull/424



  • @Cino:

    @Jailer:

    Looks like there is an update available in the package manager. Where can one find release notes for the new version? I'm wondering if this has the fix in it.

    https://github.com/pfsense/FreeBSD-ports/commit/fe101279ac400e2794fa27780f020c0bbe1c8caa
    https://github.com/pfsense/FreeBSD-ports/pull/424

    Has it fixed the issue?



  • @pfcode:

    @Cino:

    @Jailer:

    Looks like there is an update available in the package manager. Where can one find release notes for the new version? I'm wondering if this has the fix in it.

    https://github.com/pfsense/FreeBSD-ports/commit/fe101279ac400e2794fa27780f020c0bbe1c8caa
    https://github.com/pfsense/FreeBSD-ports/pull/424

    Has it fixed the issue?

    No. That update was initiated 18 days ago and is unrelated to the current issue.



  • We are currently testing a fix; if all goes well you should see an update soon.


  • Moderator

    I am going to make a PR shortly to hopefully fix this issue….

    You could download these two files from my Github gist to get the updated code:

    fetch -o /usr/local/www/pfblockerng/www/index.php "https://gist.githubusercontent.com/BBcan177/9f9c8e62b166cee07ad16cd4ff59103c/raw"
    
    fetch -o /usr/local/pkg/pfblockerng/pfblockerng.inc "https://gist.githubusercontent.com/BBcan177/7ff15715be0f02afdbe0a00c676aedce/raw"
    

    You will need to restart the DNSBL Service for this to take effect.

    A reboot is not required, but would be recommended.



  • @BreeOge:

    We are currently testing a fix; if all goes well you should see an update soon.

    https://forum.pfsense.org/index.php?topic=137103.msg756625#msg756625



  • I get a 502 Bad Gateway and use pfSense 2.4.0 with pfBlockerNG 2.1.2.
    How do I fix it?



  • Hi, one thing I am noticing with pfBlockerNG is that it may be missing an end double quote on its shell commands?

    root    81266   0.0  0.0  13084   2780  -  D    19:50        0:00.00 sh -c /usr/bin/grep -l ' "dmd\\.metaservices\\.microsoft\\.com 60 IN A' /var/db/pfblockerng/dnsblalias/*
    root    81779   0.0  0.0  13084   2780  -  D    19:51        0:00.00 sh -c /usr/bin/grep -l ' "rules\\.quantcount\\.com 60 IN A' /var/db/pfblockerng/dnsblalias/*
    root    82010   0.0  0.0  13084   2780  -  D    19:51        0:00.00 sh -c /usr/bin/grep -l ' "rules\\.quantcount\\.com 60 IN A' /var/db/pfblockerng/dnsblalias/*
    

    pfSense GUI was also seized up once more.

    pkill, killall, and other assorted commands all fail to kill the commands running above.

    Shell is accessible (otherwise, how would I be able to post the above code block!)  :D

    Additional running services are also inaccessible; ntopng, OpenVPN. Fairly certain the box has all the latest packages/updates installed.
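
The process listing in the post above shows every stuck grep in state D, which ps uses for disk (or other short-term, uninterruptible) wait; a process in that state does not act on signals until the wait ends. As an added example (not part of the original post or of pfBlockerNG), this shell function groups D-state processes from `ps aux` output by command line; the function names and the sshd sample line are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example: summarise processes stuck in uninterruptible wait (STAT "D")
# from `ps aux`-style output read on stdin.
# Output columns (tab-separated): count, comma-joined PIDs, command line.

d_state_summary() {
    awk '
        $8 ~ /^D/ {                          # field 8 is STAT in ps aux output
            cmd = $11                        # command starts at field 11
            for (i = 12; i <= NF; i++) cmd = cmd " " $i
            count[cmd]++
            pids[cmd] = pids[cmd] (pids[cmd] == "" ? "" : ",") $2
        }
        END {
            for (c in count) printf "%d\t%s\t%s\n", count[c], pids[c], c
        }
    ' | sort -rn                             # most-repeated command first
}

# Sample input: the three grep lines are the ones quoted in the post above;
# the header and the sshd line are constructed for this example.
sample_ps() {
    cat <<'EOF'
USER      PID %CPU %MEM   VSZ   RSS TT  STAT STARTED     TIME COMMAND
root    81266   0.0  0.0  13084   2780  -  D    19:50        0:00.00 sh -c /usr/bin/grep -l ' "dmd\\.metaservices\\.microsoft\\.com 60 IN A' /var/db/pfblockerng/dnsblalias/*
root    81779   0.0  0.0  13084   2780  -  D    19:51        0:00.00 sh -c /usr/bin/grep -l ' "rules\\.quantcount\\.com 60 IN A' /var/db/pfblockerng/dnsblalias/*
root    82010   0.0  0.0  13084   2780  -  D    19:51        0:00.00 sh -c /usr/bin/grep -l ' "rules\\.quantcount\\.com 60 IN A' /var/db/pfblockerng/dnsblalias/*
root      340   0.0  0.1  12904   7968  -  Is   19:02        0:00.01 /usr/sbin/sshd
EOF
}

# On a live system: ps aux | d_state_summary
sample_ps | d_state_summary
```

A count that keeps growing for the same command between runs points at the component that is piling up behind the blocked resource.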


  • Moderator

    @BrettC:

    Hi, one thing I am noticing with pfBlockerNG is that it may be missing an end double quote on its shell commands?

    No, the quote is used in the grep command to find an exact match starting with the first quotation mark in the line… The 502 error is being worked on... The upcoming release doesn't seem to be affected by this and will hopefully be released shortly... Stay tuned!



  • Ok, thank you so much



  • ERRO MEMORIA.JPG

    Good afternoon friends, this message arrives all the time,

    and when I restart pfSense the internet does not work. I need to disable pfBlocker and save, then the internet works again, and I activate pfBlocker again. Every time I restart pfSense I need to do this.
    Any solution?



  • Another thing: I am not using DNSBL.



  • @EdIlS0N-LiMa
    Did you run a Force Update All, increase?

    @BBcan177 said in pfBlockerNG errors when GoeIP enabled:

    In pfSense > System > Advanced > Firewall & NAT > "Firewall Maximum Table Entries"

    The package should default that to "2000000" entries.

    Follow that with a Filter Reload



  • @RonpfS Thank you friend it worked.

