PfblockerNG problems



  • I set up pfBlockerNG with my own custom list in txt format.
    Every fail2ban entry on my server gets added to my deny.txt file. For the initial IPv4 list setup it downloads the file just fine and lists all the IPs as normal.
    The problem comes when I try to force update or when the cron runs: the pfBlockerNG db does not update. I am not sure why?!?

    ===[  Aliastables / Rules  ]================================

    No Changes to Firewall Rules, Skipping Filter Reload
    No Changes to Aliases, Skipping pfctl Update

    UPDATE PROCESS ENDED

    There are more IPs in the file… How come it is not adding them?


  • Moderator

    Hi serialdie,

    I posted a patch in the pfBNG thread… I will be submitting a PR to get this fixed soon..

    Please patch the file  /usr/local/www/pfblockerng/pfblockerng.php  as indicated in the following thread below:
    https://forum.pfsense.org/index.php?topic=86212.msg526272#msg526272

    Following that, go to the Log browser, "Deny" and find the List in question (fail2ban) and delete that file by clicking the "x" on the right side… Follow that with a "Force Update"

    Thanks!



  • BBcan177,

    Thank you so much!



  • @BBcan177,

    Do you take donations?



  • I see the following unexpected behaviour. pfBlockerNG [Alerts(Permit) last 5 entries]:

    the reporting is in "overwrite-mode" i.s.o. appending a record per detection on same port (22).
    Not just for the same IP, even for another IP.
    But [Status: System logs: Firewall] has several entries reported.

    What settings are needed for "append-mode" reporting ?


  • Banned

    @hda:

    the reporting is in "overwrite-mode" i.s.o. appending a record per detection on same port (22).
    Not just for the same IP, even for another IP.

    Eh? Perhaps you could post some screenshots of the issue…



  • @doktornotor:

    @hda:

    the reporting is in "overwrite-mode" i.s.o. appending a record per detection on same port (22).
    Not just for the same IP, even for another IP.

    Eh? Perhaps you could post some screenshots of the issue…

    It's fixed. I hit a few bugs that I worked out with the developer. Thanks! :)


  • Banned

    Oh, OK… I'm using the -dev stuff, so usually things are updated before I notice anything.



  • @doktornotor:

    Eh? Perhaps you could post some screenshots of the issue…

    Fixed what ? or I wait for pfBng > 1.09 ?






  • @hda:

    @doktornotor:

    Eh? Perhaps you could post some screenshots of the issue…

    Fixed what ? or I wait for pfBng > 1.09 ?

    Look here https://forum.pfsense.org/index.php?topic=86212.855


  • Moderator

    @hda:

    I see the following unexpected behaviour. pfBlockerNG [Alerts(Permit) last 5 entries]:

    the reporting is in "overwrite-mode" i.s.o. appending a record per detection on same port (22).
    Not just for the same IP, even for another IP.
    But [Status: System logs: Firewall] has several entries reported.

    What settings are needed for "append-mode" reporting ?

    Hi hda,

    If I understand your question, you are asking to see duplicate alerts in the Alerts Tab? Is that correct? You can put a

    //  in front of  continue;

    in the code below to have it display duplicate entries…

    Edit file :  /usr/local/www/pfblockerng/pfblockerng_alerts.php  Line: 455

    
    ```
    // Skip Repeated Alerts
    if (($pfbalert[3] . $pfbalert[8] . $pfbalert[10]) == $previous_dstip || ($pfbalert[3] . $pfbalert[7] . $pfbalert[9]) == $previous_srcip) {
            //continue;
    }
    ```
    

    It's best to open a new thread as the other issues in this thread are related to something else…


  • Moderator

    OK I took a look at the screen shot and see what you mean… Could you change the following line and let me know if that fixes your issue please?

    Edit file :   /usr/local/www/pfblockerng/pfblockerng_alerts.php   Line: 454

    ```
    // Skip repeated alerts
    if (($pfbalert[7] . $pfbalert[3] . $pfbalert[8] . $pfbalert[10]) == $previous_ip) {
            continue;
    }
    ```

    and also change line:  492

    ```
    $previous_ip = $pfbalert[7] . $pfbalert[3] . $pfbalert[8] . $pfbalert[10];
    ```

    Let me know if you need any help with that?
    
    Thanks!
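
The two duplicate checks quoted in this thread, compared side by side as an added example (not part of the original posts and not pfBlockerNG's own code). It assumes a field layout the thread does not state (3 = interface, 7 = source IP, 8 = destination IP, 9 = source port, 10 = destination port), that the "previous" values are set from the last displayed row, and it uses constructed sample rows.

```php
<?php
// Added illustration. Field indexes are ASSUMED (see lead-in); rows are constructed.
function alert_row($if, $src, $dst, $sport, $dport) {
    return array(3 => $if, 7 => $src, 8 => $dst, 9 => $sport, 10 => $dport);
}

// First check from the thread: skip when EITHER the destination key OR the
// source key equals the value remembered from the last displayed row.
function filter_two_keys(array $rows) {
    $shown = array();
    $previous_dstip = $previous_srcip = '';
    foreach ($rows as $pfbalert) {
        $dst_key = $pfbalert[3] . $pfbalert[8] . $pfbalert[10];
        $src_key = $pfbalert[3] . $pfbalert[7] . $pfbalert[9];
        if ($dst_key === $previous_dstip || $src_key === $previous_srcip) {
            continue; // hidden from the Alerts view
        }
        $shown[] = $pfbalert;
        $previous_dstip = $dst_key;
        $previous_srcip = $src_key;
    }
    return $shown;
}

// Proposed check: one key that also contains the source IP, so a row is
// skipped only when source, interface, destination and port all repeat.
function filter_composite_key(array $rows) {
    $shown = array();
    $previous_ip = '';
    foreach ($rows as $pfbalert) {
        $key = $pfbalert[7] . $pfbalert[3] . $pfbalert[8] . $pfbalert[10];
        if ($key === $previous_ip) {
            continue;
        }
        $shown[] = $pfbalert;
        $previous_ip = $key;
    }
    return $shown;
}

// Constructed sample: two sources probing the same host on port 22.
$rows = array(
    alert_row('WAN', '198.51.100.7', '192.0.2.10', '40001', '22'),
    alert_row('WAN', '198.51.100.7', '192.0.2.10', '40002', '22'),
    alert_row('WAN', '203.0.113.5',  '192.0.2.10', '51000', '22'),
);
printf("two-key check shows %d row(s)\n", count(filter_two_keys($rows)));
printf("composite key shows %d row(s)\n", count(filter_composite_key($rows)));
```

With these rows the two-key check displays one entry, because every later row shares the destination key, while the composite key displays two, one per distinct source.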


  • @BBcan177:

    … Could you change the following line and let me know if that fixes your issue please?
    ...

    Thank you for pointing me at the code spot(s). I have made the changes as per your last writing here above, BUT with commented out "continue".

    I found out that one has to Update Reload pfBlockerNG AND also reload (by picking any one rule and doing Save & apply changes) the pfSense Firewall, in order to activate the renewed php-file. What is the proper protocol for restarting all ?

    Yes this works as I see now every attempt time-registered, except when the first attempt after reload is on a valid-port (listen "xyz22") i.s.o. the dummy-port (22).
    So, restated, if the first attempt is on the dummy-port (nothing listening on 22), then the entry (in Firewall-log & Alerts) is made, otherwise on a listening port no entry is made at the first attempt after reload/restart.

    Results in attach.

    Thank You !

    Edit: I see entry-2 should be from rule 112 i.s.o.107.