PfBlockerNG - Causing reboot failure?



  • Not sure my issue is caused by pfBlockerNG, but it happens every time I try and install it. I can install pfBlockerNG, configure it such that all countries except the United States are blocked, both IPv4 and 6. Start it and everything appears to work normally. When I shut the router down and try to reboot it, it hangs every time at the "configuring firewall" stage. This happens every time I install pfBlockerNG.

    While I would have expected this to have been caught, you never know, so I am requesting someone else with pfBlockerNG try and reboot their router, preferably a test machine just in case. I have tried a fresh install, built the configuration and everything works. I can reboot with no issues. Install pfBlockerNG and it hangs.

    My only solution is to completely blow away my current install with a fresh install of pfSense and reload of a backup prior to the pfBlockerNG install.  I am sure there is a way to recover without this extreme measure, but I do not know how.



  • It could be related to list timeout during boot.

    Try to disable the service before rebooting to confirm it's an apply list problem during boot.



  • That worked. I installed pfBlockerNG, configured it, verified the rules were in place, then shut down the service by unchecking the "Enable pfBlockerNG" service box and saving in the pfBlockerNG: General Settings screen. I then rebooted successfully.

    This is good for a test, but obviously not a real fix. While in a controlled shutdown/reboot you could disable the service, if you remember, an uncontrolled shutdown/reboot/restart would be an issue.

    Is there a config parameter I could modify that would lengthen the timeout period?


  • Moderator

    @switchman:

    When I shut the router down and try to reboot it, it hangs every time at the "configuring firewall" stage.

    Hi switchman,

    This issue is not a bug in the pfBlockerNG code. I assume that you are on a Nano or are using a Ramdisk. In these types of installs, the /var/db/aliastables folder is getting wiped at each reboot. I would also recommend that you look at the pfBlockerNG thread and reverse your approach for blocking all countries (except for a few) and change that to a "Permit" certain countries instead.

    On 'bootup' you will see "configuring firewall…" and it will wait a minute for each aliastable that is configured in pfSense for pfBlockerNG. This happens early on in the reboot process, and I am not able to run any code without manipulating the base pfSense code. I am working on a solution, but in the short term you can use the solution below to improve the reboot issue…

    Edit /etc/inc/pfsense-utils.inc (Line 1648)

    and change  $connect_timeout = 60    to    $connect_timeout = 5  ( This will change the timeout to 5 seconds )

    Original :

    1648 function download_file($url, $destination, $verify_ssl = false, $connect_timeout = 60, $timeout = 0) {
    

    Modified:

    1648 function download_file($url, $destination, $verify_ssl = false, $connect_timeout = 5, $timeout = 0) {
    

    However, please note that /var/db/aliastables is still empty, so to get pfBlockerNG working again, you will need to execute a "Force Update" or wait for the next pfBNG Cron event.

    I will keep you updated with my progress on a better solution… (and again, this is only related to NANO / RAMDisk installations)



  • I am having the same problem but I am running off a hard drive. The boot up just hangs and all I can do is a complete reinstall.

    Is there any way to recover a system when this happens or is the only way to reinstall?


  • Moderator

    @Tropheus:

    I am having the same problem but I am running off a hard drive. The boot up just hangs and all I can do is a complete reinstall.

    Is there any way to recover a system when this happens or is the only way to reinstall?

    The system is not hung… It's in a timeout. For each alias it is waiting a minute. Please follow the recommendation in my post above for a quick fix. I will be posting an update to overcome this issue. I am waiting on some testers to confirm that it's working as expected…



  • @BBcan177,

    Thanks for the info, I will go back and read the full thread to see how to enable your recommendation: "I would also recommend that you look at the pfBlockerNG thread and reverse your approach for blocking all countries (except for a few) and change that to a "Permit" certain countries instead."

    I am new to pfSense and it takes a while to get a handle on it and all of the packages that can be utilized and how they work.



  • All countries are permitted by default. On the top 20, you still have to select the countries on the list. It could be me, but how would that make sense?

    @switchman:

    @BBcan177,

    Thanks for the info, I will go back and read the full thread to see how to enable your recommendation: "I would also recommend that you look at the pfBlockerNG thread and reverse your approach for blocking all countries (except for a few) and change that to a "Permit" certain countries instead."

    I am new to pfSense and it takes a while to get a handle on it and all of the packages that can be utilized and how they work.