Netgate Discussion Forum

    PfblockerNG problems

    pfSense Packages
    • S
      serialdie
      last edited by

      I set up pfblockerng with my own custom list in txt format.
      Every fail2ban entry on my server gets added to my deny.txt file. For the initial ipv4 setup list it downloads the file just fine and lists all the IPs as normal.
      The problem comes when I try to force update or when the cron runs: the pfblockerng db does not update. I am not sure why?!?

      ===[  Aliastables / Rules  ]================================

      No Changes to Firewall Rules, Skipping Filter Reload
      No Changes to Aliases, Skipping pfctl Update

      UPDATE PROCESS ENDED

      There are more IPs in the file… How come it is not adding them?

      • BBcan177B
        BBcan177 Moderator
        last edited by

        Hi serialdie,

        I posted a patch in the pfBNG thread… I will be submitting a PR to get this fixed soon..

        Please patch the file  /usr/local/www/pfblockerng/pfblockerng.php  as indicated in the following thread below:
        https://forum.pfsense.org/index.php?topic=86212.msg526272#msg526272

        Following that, go to the Log browser, "Deny" and find the List in question (fail2ban) and delete that file by clicking the "x" on the right side… Follow that with a "Force Update"

        Thanks!

        "Experience is something you don't get until just after you need it."

        Website: http://pfBlockerNG.com
        Twitter: @BBcan177  #pfBlockerNG
        Reddit: https://www.reddit.com/r/pfBlockerNG/new/

        • S
          serialdie
          last edited by

          BBcan177,

          Thank you so much!

          • S
            serialdie
            last edited by

            @BBcan177,

            Do you take donations?

            • H
              hda
              last edited by

              I see the following unexpected behaviour. pfBlockerNG [Alerts(Permit) last 5 entries]:

              the reporting is in "overwrite-mode" i.s.o. appending a record per detection on same port (22).
              Not just for the same IP, even for another IP.
              But [Status: System logs: Firewall] has several entries reported.

              What settings are needed for "append-mode" reporting ?

              • D
                doktornotor Banned
                last edited by

                @hda:

                the reporting is in "overwrite-mode" i.s.o. appending a record per detection on same port (22).
                Not just for the same IP, even for another IP.

                Eh? Perhaps you could post some screenshots of the issue…

                • S
                  serialdie
                  last edited by

                  @doktornotor:

                  @hda:

                  the reporting is in "overwrite-mode" i.s.o. appending a record per detection on same port (22).
                  Not just for the same IP, even for another IP.

                  Eh? Perhaps you could post some screenshots of the issue…

                  It's fixed. I hit a few bugs that I worked out with the developer. Thanks! :)

                  • D
                    doktornotor Banned
                    last edited by

                    Oh, OK… I'm using the -dev stuff, so usually things are updated before I notice anything.

                    • H
                      hda
                      last edited by

                      @doktornotor:

                      Eh? Perhaps you could post some screenshots of the issue…

                      Fixed what ? or I wait for pfBng > 1.09 ?

                      FWlog1.png
                      pfBalerts1.png

                      • S
                        serialdie
                        last edited by

                        @hda:

                        @doktornotor:

                        Eh? Perhaps you could post some screenshots of the issue…

                        Fixed what ? or I wait for pfBng > 1.09 ?

                        Look here https://forum.pfsense.org/index.php?topic=86212.855

                        • BBcan177B
                          BBcan177 Moderator
                          last edited by

                          @hda:

                          I see the following unexpected behaviour. pfBlockerNG [Alerts(Permit) last 5 entries]:

                          the reporting is in "overwrite-mode" i.s.o. appending a record per detection on same port (22).
                          Not just for the same IP, even for another IP.
                          But [Status: System logs: Firewall] has several entries reported.

                          What settings are needed for "append-mode" reporting ?

                          Hi hda,

                          If I understand your question, you are asking to see duplicate alerts in the Alerts Tab? Is that correct? You can put a  //  in front of  continue;  in the code below to have it display duplicate entries…

                          Edit file :  /usr/local/www/pfblockerng/pfblockerng_alerts.php  Line: 455

                          
                          ```
                          // Skip Repeated Alerts
                          if (($pfbalert[3] . $pfbalert[8] . $pfbalert[10]) == $previous_dstip || ($pfbalert[3] . $pfbalert[7] . $pfbalert[9]) == $previous_srcip) {
                                  //continue;
                          }
                          ```
                          

                          It's best to open a new thread as the other issues in this thread are related to something else…

                          "Experience is something you don't get until just after you need it."

                          Website: http://pfBlockerNG.com
                          Twitter: @BBcan177  #pfBlockerNG
                          Reddit: https://www.reddit.com/r/pfBlockerNG/new/

                          • BBcan177B
                            BBcan177 Moderator
                            last edited by

                            OK I took a look at the screen shot and see what you mean… Could you change the following line and let me know if that fixes your issue please?

                            Edit file :   /usr/local/www/pfblockerng/pfblockerng_alerts.php   Line: 454

                            ```
                            // Skip repeated alerts
                            if (($pfbalert[7] . $pfbalert[3] . $pfbalert[8] . $pfbalert[10]) == $previous_ip) {
                                    continue;
                            }
                            ```

                            and also change line:  492

                            ```
                            $previous_ip = $pfbalert[7] . $pfbalert[3] . $pfbalert[8] . $pfbalert[10];
                            ```

                            Let me know if you need any help with that?
                            
                            Thanks!

                            "Experience is something you don't get until just after you need it."

                            Website: http://pfBlockerNG.com
                            Twitter: @BBcan177  #pfBlockerNG
                            Reddit: https://www.reddit.com/r/pfBlockerNG/new/

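An added example (not from the thread and not pfBlockerNG's own code) that runs the two "skip repeated alerts" checks posted above over constructed rows, to show why alerts from a second source IP to the same port vanish under the two-key check. The field meanings, the helper names and the point at which the "previous" values are updated are assumptions.

```php
<?php
// Added illustration; not pfBlockerNG source code.
// ASSUMPTIONS (inferred only from the variable names in the snippets above):
// [3] = interface, [7] = source IP, [8] = destination IP, [9] = source port,
// [10] = destination port; "previous" values refresh only for displayed rows.

// Build a constructed alert row holding just the fields the checks read.
function row(string $if, string $src, string $dst, string $sport, string $dport): array {
    return [3 => $if, 7 => $src, 8 => $dst, 9 => $sport, 10 => $dport];
}

// First snippet's check with "continue" active: two keys, either match skips.
function filter_two_keys(array $alerts): array {
    $shown = [];
    $previous_dstip = $previous_srcip = '';
    foreach ($alerts as $a) {
        if (($a[3] . $a[8] . $a[10]) == $previous_dstip || ($a[3] . $a[7] . $a[9]) == $previous_srcip) {
            continue;
        }
        $shown[] = $a;
        $previous_dstip = $a[3] . $a[8] . $a[10];
        $previous_srcip = $a[3] . $a[7] . $a[9];
    }
    return $shown;
}

// Second snippet's check: one key that also carries the source IP.
function filter_single_key(array $alerts): array {
    $shown = [];
    $previous_ip = '';
    foreach ($alerts as $a) {
        $key = $a[7] . $a[3] . $a[8] . $a[10];
        if ($key == $previous_ip) {
            continue;
        }
        $shown[] = $a;
        $previous_ip = $key;
    }
    return $shown;
}

// Constructed sample: two different sources hitting the same host on port 22.
$alerts = [
    row('WAN', '198.51.100.7', '192.0.2.10', '40112', '22'),
    row('WAN', '203.0.113.9', '192.0.2.10', '51544', '22'),
    row('WAN', '203.0.113.9', '192.0.2.10', '51545', '22'),
];
printf("two keys: %d shown, single key: %d shown\n",
    count(filter_two_keys($alerts)), count(filter_single_key($alerts)));
```

On these rows the two-key check displays only the first source, while the single-key check also displays the second source once; the repeat from that same source is still collapsed because the source port is not part of the key.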
                            • H
                              hda
                              last edited by

                              @BBcan177:

                              … Could you change the following line and let me know if that fixes your issue please?
                              ...

                              Thank you for pointing me at the code spot(s). I have made the changes as per your last writing here above, BUT with commented out "continue".

                              I found out that one has to Update Reload pfBlockerNG AND also to reload (by picking any one rule and do Save & apply changes) the pfSense Firewall, in order to activate the renewed php-file. What is the proper protocol for restarting all ?

                              Yes this works as I see now every attempt time-registered, except when the first attempt after reload is on a valid-port (listen "xyz22") i.s.o. the dummy-port (22).
                              So, restated, if the first attempt is on the dummy-port (nothing listening on 22), then the entry (in Firewall-log & Alerts) is made, otherwise on a listening port no entry made at first attempt after reload/restart.

                              Results in attach.

                              Thank You !

                              Edit: I see entry-2 should be from rule 112 i.s.o.107.

                              pfBalerts2.png

                              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.