PfBlocker doesn't start after upgrade



  • After an upgrade from 2.1.4 to 2.2.0 (alix2d13, 4GB CF card) I can no longer start pfBlocklist. If I enable it on Firewall>pfBlocker>General: enable pfBlocker and hit "Save", the browser keeps spinning/reloading for about 90s before it gives me a "500 - Internal Server Error". The pfBlocker widget remains empty.

    Roman


  • Netgate Administrator

    pfBlocker can really eat RAM if you're using large lists. Check the logs for 'out of memory/swap' errors.

    Steve



  • These are the log entries during the time of the attempt to start pfBlocker that resulted in the 500 server error.

    2015-01-24T14:16:11+01:00 adsl [daemon.err] php-fpm[23705]: /pkg_edit.php: Starting pfBlocker sync process.
    2015-01-24T14:16:11+01:00 adsl [daemon.err] php-fpm[23705]: /pkg_edit.php: Starting pfBlocker sync process.
    2015-01-24T14:17:48+01:00 adsl [daemon.err] lighttpd[22209]: (mod_fastcgi.c.2562) unexpected end-of-file (perhaps the fastcgi process died): pid: 0 socket: unix:/var/run/php-fpm.socket 
    2015-01-24T14:17:48+01:00 adsl [daemon.err] lighttpd[22209]: (mod_fastcgi.c.2562) unexpected end-of-file (perhaps the fastcgi process died): pid: 0 socket: unix:/var/run/php-fpm.socket 
    2015-01-24T14:17:48+01:00 adsl [kern.info] kernel: pid 23705 (php-fpm), uid 0: exited on signal 11 (core dumped)
    2015-01-24T14:17:48+01:00 adsl [daemon.err] lighttpd[22209]: (mod_fastcgi.c.3346) response not received, request sent: 1365 on socket: unix:/var/run/php-fpm.socket for /pkg_edit.php?, closing connection 
    2015-01-24T14:17:48+01:00 adsl [daemon.err] lighttpd[22209]: (mod_fastcgi.c.3346) response not received, request sent: 1365 on socket: unix:/var/run/php-fpm.socket for /pkg_edit.php?, closing connection 
    
    

  • Moderator

    What lists are you using in pfblocker? Maybe one of them is crashing it.



  • Check that your list files are not corrupt. During my upgrade I had a few corrupt files: ssh keys, unbound root.key file.

    Could be that this is the same problem.



  • What lists are you using in pfblocker? Maybe one of them is crashing it.

    I haven't made any changes during the upgrade. I use a couple of entries from the "Top Spammers" category, plus two additional lists:

    http://list.iblocklist.com/?list=sh_drop&fileformat=p2p&archiveformat=gz
    http://list.iblocklist.com/?list=bt_dshield&fileformat=p2p&archiveformat=gz
    

    Roman


  • Moderator

    Try to disable pfblocker, ensure that it removes the rules and alias urls, then re-enable…

    If it's still an issue remove the Iblock lists and see if the Top spammers works on its own.

    After that we can try a few other steps.



  • Try to disable pfblocker, ensure that it removes the rules and alias urls, then re-enable…

    That doesn't help. Server error every time I try to save the pfBlocker configuration with any lists enabled.

    If it's still an issue remove the Iblock lists and see if the Top spammers works on its own.

    Deleting the alias with the two lists I mentioned earlier from the "Lists" helped. The top spammers alone do indeed work.
    I then tried to define a new alias, with just one of the lists. Hitting "Save" got me back immediately to the "500 - Server error".


  • Moderator

    If you add a new list with a single entry like this one:

    http://www.spamhaus.org/drop/drop.txt

    Does this download ok?

    IBlock is not the original source of those Lists that you are using. You should use the following:

    http://www.spamhaus.org/drop/drop.txt
    http://www.spamhaus.org/drop/edrop.txt
    https://rules.emergingthreats.net/blockrules/compromised-ips.txt
    https://rules.emergingthreats.net/fwrules/emerging-Block-IPs.txt



  • If you add a new list with a single entry like this one:

    Does this download ok?

    Yes, this works.

    IBlock is not the original source of those Lists that you are using. You should use the following:

    All four of these do work fine. Thank you.

    Roman


  • Moderator

    I think there might be an issue with the Range to Cidr function in pfsense.. and as such it crashes when it's trying to convert the Iblock lists…
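For reference, a range-to-CIDR conversion of the kind discussed in the post above, written as an added example and not taken from pfSense, pfBlocker or pfBlockerNG. It assumes the `fileformat=p2p` lists carry one `label:start-end` IPv4 range per line; the sample input is constructed, and malformed lines are reported instead of aborting the run.

```python
import ipaddress

def range_to_cidrs(start, end):
    """Cover the inclusive IPv4 range start..end with CIDR blocks, iteratively."""
    lo, hi = int(ipaddress.IPv4Address(start)), int(ipaddress.IPv4Address(end))
    if lo > hi:
        raise ValueError("range start is above range end")
    cidrs = []
    while lo <= hi:
        # Largest block aligned on lo is its lowest set bit (2**32 when lo is 0)
        size = lo & -lo if lo else 1 << 32
        while size > hi - lo + 1:  # halve until it fits in what is left
            size >>= 1
        cidrs.append(f"{ipaddress.IPv4Address(lo)}/{33 - size.bit_length()}")
        lo += size
    return cidrs

def parse_p2p(text):
    """Return (cidrs, rejected) for P2P-format text, one 'label:start-end' per line."""
    cidrs, rejected = [], []
    for n, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        # Labels may contain ':' so the range is whatever follows the last one
        span = line.rpartition(":")[2]
        start, sep, end = span.partition("-")
        try:
            if not sep:
                raise ValueError("no start-end range")
            cidrs.extend(range_to_cidrs(start.strip(), end.strip()))
        except ValueError as exc:  # covers ipaddress.AddressValueError too
            rejected.append((n, str(exc)))
    return cidrs, rejected

# Constructed sample input (documentation address ranges, not real list data)
SAMPLE = """\
# comment line
Example net A:192.0.2.0-192.0.2.255
Example: net B:198.51.100.4-198.51.100.11
Truncated entry:203.0.113.0-203.0.113
Reversed entry:203.0.113.9-203.0.113.1
"""

if __name__ == "__main__":
    good, bad = parse_p2p(SAMPLE)
    print("\n".join(good))
    for n, why in bad:
        print(f"line {n} rejected: {why}")
```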





  • @BBcan177:

    I think there might be an issue with the Range to Cidr function in pfsense.. and as such it crashes when it's trying to convert the Iblock lists…

    I agree with BBcan177.. I've heard of a lot of complaints that pfBlocker isn't working correctly in 2.2 due to that function change. pfBlockerNG includes a new function for this and works great! I believe there is a pull request to have the function added to pfSense but hasn't been committed yet.



  • What if you just send the request as a pfblocker v2 update?
    Should be easier to get only this version on 2.2 as pfblockerng base was the pfblocker package.


  • Netgate Administrator

    I imagine you may have to wait for a while for anything. Right about now I should think the devs have their hands full with the issues that are inevitably discovered when suddenly many thousands of new installs across many and varied hardware types take place.  ;)

    Steve



  • @stephenw10:

    I imagine you may have to wait for a while for anything. Right about now I should think the devs have their hands full with the issues that are inevitably discovered when suddenly many thousands of new installs across many and varied hardware types take place.  ;)

    Steve

    Most of the issues I'm seeing on the forum are because of packages not working.



  • @Cino:

    Most of the issues I'm seeing on the forum are because of packages not working.

    +1

    I've been trying since December to get all working but 2.2 pbi is messing everything up.

    Can't wait for pbi replacement by pkg ng.



  • @marcelloc:

    I've been trying since December to get all working but 2.2 pbi is messing everything up.

    Can't wait for pbi replacement by pkg ng.

    +100

    amen to that!



  • On 2.2 use pfBlockerNG instead of pfBlocker.



  • @marcelloc:

    On 2.2 use pfBlockerNG instead of pfBlocker.

    pfBlockerNG isn't in the package list / isn't an approved package for 2.2 yet?



  • @JasonJoel:

    @marcelloc:

    On 2.2 use pfBlockerNG instead of pfBlocker.

    pfBlockerNG isn't in the package list / isn't an approved package for 2.2 yet?

    Depends on how you look at it.. I can't speak for ESF but I've been testing it for months and it's working great!



  • I realize that it does work, but many people don't know (nor should they have to in my opinion) how to install packages that aren't in the package repository - that is kind of what it is for… So end users know it has been tested, works, and is authentic.

    I'm not personally against unofficial packages though, and agree that is better than using pfBlocker (non-NG) in 2.2.