Netgate Discussion Forum

    PfBlockerNG - Causing reboot failure?

    pfSense Packages
    • switchman

      Not sure my issue is caused by pfBlockerNG, but it happens every time I try and install it.  I can install pfBlockerNG, configure it such that all countries except the United States are blocked, both IPv4 and 6.  Start it and everything appears to work normally.  When I shut the router down and try to reboot it, it hangs every time at the "configuring firewall" stage.  This happens every time I install pfBlockerNG.

      While I would have expected this to have been caught, you never know, so I am requesting someone else with pfBlockerNG try and reboot their router, preferably a test machine just in case.  I have tried a fresh install, built the configuration and everything works.  I can reboot with no issues.  Install pfBlockerNG and it hangs.

      My only solution is to completely blow away my current install with a fresh install of pfSense and reload of a backup prior to the pfBlockerNG install.  I am sure there is a way to recover without this extreme measure, but I do not know how.

      • marcelloc

        It could be related to list timeout during boot.

        Try to disable the service before rebooting to confirm it's an apply list problem during boot.

        Elite Training: http://sys-squad.com

        Help a community developer! ;D

        • switchman

          That worked.  I installed pfBlockerNG, configured it, verified the rules were in place, then shut down the service by unchecking the "Enable pfBlockerNG" service box and saving in the pfBlockerNG: General Settings screen.  I then rebooted successfully.

          This is good for a test, but obviously not a real fix.  While in a controlled shutdown/reboot  you could disable the service, if you remember, an uncontrolled shutdown/reboot/restart would be an issue.

          Is there a config parameter I could modify that would lengthen the timeout period?

          • BBcan177 (Moderator)

            @switchman:

            When I shut the router down and try to reboot it, it hangs every time at the "configuring firewall" stage.

            Hi switchman,

            This issue is not a bug in the pfBlockerNG code. I assume that you are on a Nano or are using a Ramdisk. In these types of installs, the /var/db/aliastables folder is getting wiped at each reboot. I would also recommend that you look at the pfBlockerNG thread and reverse your approach for blocking all countries (except for a few) and change that to a "Permit" certain countries instead.

            On 'bootup' you will see "configuring firewall…" and it will wait a minute for each aliastable that is configured in pfSense for pfBlockerNG. This happens early on in the reboot process, and I am not able to run any code without manipulating the base pfSense code. I am working on a solution, but in the short term, you can use the solution below to improve the reboot issue…

            Edit /etc/inc/pfsense-utils.inc (Line 1648)

            and change  $connect_timeout = 60    to    $connect_timeout = 5  ( This will change the timeout to 5 seconds )

            Original :

            1648 function download_file($url, $destination, $verify_ssl = false, $connect_timeout = 60, $timeout = 0) {
            

            Modified:

            1648 function download_file($url, $destination, $verify_ssl = false, $connect_timeout = 5, $timeout = 0) {
            

            However, please note that /var/db/aliastables is still empty, so to get pfBlockerNG working again, you will need to execute a "Force Update" or wait for the next pfBNG Cron event.

            I will keep you updated with my progress on a better solution… (and again, this is only related to NANO / RAMDisk installations)

            "Experience is something you don't get until just after you need it."

            Website: http://pfBlockerNG.com
            Twitter: @BBcan177  #pfBlockerNG
            Reddit: https://www.reddit.com/r/pfBlockerNG/new/
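
Added example (not part of the original thread, and not pfSense or pfBlockerNG code): a small diagnostic for the condition described in the post above. It lists pf table files that are missing or empty and estimates the worst-case boot wait for a given connect timeout. The `table <name> persist file "..."` line format, the table names and all sample data are assumptions constructed for illustration.

```sh
#!/bin/sh
# Added diagnostic sketch; table names, paths and sample data are constructed.

# Print the backing file of every 'table <name> persist file "path"' line
# in a pf ruleset (assumed line format).
table_files() {
    sed -n 's/^table <[^>]*>.* persist file "\([^"]*\)".*/\1/p' "$1"
}

# Print the backing files that are missing or zero-length, i.e. tables
# that would load empty until the next list update.
missing_tables() {
    table_files "$1" | while IFS= read -r f; do
        [ -s "$f" ] || printf '%s\n' "$f"
    done
}

# Worst-case boot delay in seconds, assuming each missing table waits the
# full connect timeout ($2) once, as the post describes.
boot_wait_seconds() {
    n=$(missing_tables "$1" | wc -l | tr -d ' ')
    echo $(( n * $2 ))
}

# Build a constructed sample: one populated table file, one empty, one missing.
make_sample() {
    d=$(mktemp -d) || return 1
    printf '203.0.113.0/24\n' > "$d/pfB_Europe_v4.txt"
    : > "$d/pfB_Africa_v4.txt"
    cat > "$d/rules.debug" <<EOF
table <sshguard> persist
table <pfB_Europe_v4> persist file "$d/pfB_Europe_v4.txt"
table <pfB_Africa_v4> persist file "$d/pfB_Africa_v4.txt"
table <pfB_Asia_v4> persist file "$d/pfB_Asia_v4.txt"
EOF
    printf '%s\n' "$d/rules.debug"
}

rules=$(make_sample)
echo "Missing or empty table files:"
missing_tables "$rules"
echo "Worst-case wait at 60s: $(boot_wait_seconds "$rules" 60)s"
echo "Worst-case wait at 5s:  $(boot_wait_seconds "$rules" 5)s"
```

On a real system, call the functions with the path of the generated ruleset instead of the sample (assumed here to be /tmp/rules.debug). Any file it reports stays empty, and the matching block list is not enforced, until a "Force Update" or the next cron run repopulates it.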

            • Tropheus

              I am having the same problem but I am running off a hard drive.  The boot up just hangs and all I can do is a complete reinstall.

              Is there any way to recover a system when this happens or is the only way to reinstall?

              • BBcan177 (Moderator)

                @Tropheus:

                I am having the same problem but I am running off a hard drive.  The boot up just hangs and all I can do is a complete reinstall.

                Is there any way to recover a system when this happens or is the only way to reinstall?

                The system is not hung… It's in a timeout. For each alias it is waiting a minute. Please follow the recommendation in my post above for a quick fix. I will be posting an update to overcome this issue. I am waiting on some testers to confirm that it's working as expected…

                • switchman

                  @BBcan177,

                  Thanks for the info, I will go back and read the full thread to see how to enable your recommendation to ". I would also recommend that you look at the pfBlockerNG thread and reverse your approach for blocking all countries (except for a few) and change that to a "Permit" certain countries instead. "

                  I am new to pfSense and it takes a while to get a handle on it and all of the packages that can be utilized and how they work.

                  • wcrowder

                    All countries are permitted by default. On the top 20, you still have to select the countries on the list. It could be me, but how would that make sense?

                    @switchman:

                    @BBcan177,

                    Thanks for the info, I will go back and read the full thread to see how to enable your recommendation to ". I would also recommend that you look at the pfBlockerNG thread and reverse your approach for blocking all countries (except for a few) and change that to a "Permit" certain countries instead. "

                    I am new to pfSense and it takes a while to get a handle on it and all of the packages that can be utilized and how they work.
