
Author Topic: pfBlocker  (Read 183659 times)


LinuxTracker
  • Full Member
  • Posts: 118
  • Karma: +0/-0
Re: pfBlocker
« Reply #405 on: February 21, 2012, 11:33:01 pm »
I know Rules ReOrdering after a pfBlocker change has been covered in this thread.
I'd like to bring it back up because it's making me crazy.

Here's my situation.
I use the pfBlocker widget.  I also have my rules customized and ordered a certain way.

In the last pfBlocker ver., I'd set every Action to Deny Inbound.
Next I'd customize and reorder the auto-created rules. I'd be finished in 10 min or so.
I'm pretty sure pfBlocker automatically changed Action to Alias when I had adjusted the rules.
The end result was the rules wouldn't change after an update.  

In this latest pfBlocker ver., my last method doesn't work.  I have to set action to Alias myself.
If I don't, my rule changes are wiped out after every update.

So, I make any changes at all to pfBlocker, I'm re-writing my blocking rules totally from scratch.
It's the only way I can have Widget+CustomizedRules+CustomRulesOrder.

It's doubled my time to restore settings after each pfBlocker config change.
Selecting a single country becomes a 20+min process, per machine.

I'm too weary to come up with any helpful suggestions/workarounds right now.
I'll revisit the thread when my brain is working again.

Thanks.

edit: I had another look at the Backup feature and discovered the option for FirewallRules.
I've made my copy and will try to restore from it after my next pfBlocker change.

« Last Edit: February 21, 2012, 11:48:06 pm by LinuxTracker »

marcelloc
  • Hero Member
  • Posts: 9996
  • Karma: +4/-0
Re: pfBlocker
« Reply #406 on: February 22, 2012, 04:22:41 am »
Linuxtracker,

After an update, as far as I know, you just need to enable pfBlocker to get all your settings working again.

Maybe I misunderstood you, but I did not code an automatic action switch from deny to alias only.

The steps I do for rule reordering are:

Apply pfBlocker conf with the action I want on rules.
Change alias description on created firewall rules and then customize their order.
Back on pfBlocker and change action to alias only.
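An added example, not code from the thread or from the pfBlocker package: a small sh script that snapshots the ordered firewall rule list from a pfSense config.xml, so a copy taken after step 2 can be diffed against one taken after step 3 (or after a list update) to show whether rule order or customized descriptions were reset. It assumes the usual <filter><rule>...<type>, <interface> and <descr> layout with each description on a single line (CDATA-wrapped or plain) and a default path of /conf/config.xml; the sample config built inside the block is constructed for the demo and is not a real pfSense config.

```shell
#!/bin/sh
# Added example (not from the thread or the pfBlocker package).
# Assumption: pfSense config.xml keeps firewall rules as
#   <filter><rule>...<type>..</type><interface>..</interface><descr>..</descr></rule>...</filter>
# with each description on one line, CDATA-wrapped or plain.

# Print one line per firewall rule, in rule order: "<type> <interface> <descr>".
rule_summary() {
    awk '
        function strip(line, tag,    s) {
            s = line
            sub("^.*<" tag "[^>]*>", "", s)   # drop everything up to the opening tag
            sub("</" tag ">.*$", "", s)       # drop the closing tag and anything after
            sub(/^<!\[CDATA\[/, "", s)        # unwrap CDATA
            sub(/\]\]>$/, "", s)
            return s
        }
        /<filter>/   { infilter = 1 }
        /<\/filter>/ { infilter = 0 }
        infilter && /<rule>/      { type = iface = descr = "" }
        infilter && /<type>/      { type  = strip($0, "type") }
        infilter && /<interface>/ { iface = strip($0, "interface") }
        infilter && /<descr/      { descr = strip($0, "descr") }
        infilter && /<\/rule>/    { print type, iface, descr }
    ' "${1:-/conf/config.xml}"
}

# Save a snapshot of the rule list to $1, reading the config given as $2.
rule_snapshot() {
    rule_summary "${2:-/conf/config.xml}" > "$1"
}

# Compare two snapshots: exit 0 when the rule list is unchanged, 1 otherwise.
rule_diff() {
    diff -u "$1" "$2"
}

# Constructed sample config for the demo (not a real pfSense config).
make_sample_config() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
<?xml version="1.0"?>
<pfsense>
  <filter>
    <rule>
      <type>block</type>
      <interface>wan</interface>
      <descr><![CDATA[pfBlockerSouthAmerica auto rule]]></descr>
    </rule>
    <rule>
      <type>pass</type>
      <interface>lan</interface>
      <descr>Default allow LAN to any rule</descr>
    </rule>
  </filter>
</pfsense>
EOF
    echo "$f"
}

# Demo on the constructed config: take a snapshot, then compare it to itself.
demo_cfg=$(make_sample_config)
demo_snap=$(mktemp)
rule_snapshot "$demo_snap" "$demo_cfg"
cat "$demo_snap"
rule_diff "$demo_snap" "$demo_snap" >/dev/null && echo "rule list unchanged"
rm -f "$demo_cfg" "$demo_snap"
```

On the firewall itself, run `rule_snapshot /root/rules.before` once the rules are ordered the way you want, make the pfBlocker change, then `rule_summary > /root/rules.after` and `rule_diff /root/rules.before /root/rules.after`: an empty diff means the order and descriptions survived, and a non-empty one shows exactly which rules moved or were regenerated. The snapshot only records type, interface and description, so two rules that differ only in source or destination would compare equal.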


LinuxTracker
  • Full Member
  • Posts: 118
  • Karma: +0/-0
Re: pfBlocker
« Reply #407 on: February 23, 2012, 12:16:24 am »
1) Apply pfBlocker conf with action I want on rules.
2) Change alias description on created firewall rules and then customize their order.
3) Back on pfBlocker and change action to alias only.

I did #1 and #2 and had just started on #3.
The moment I set the first country-group to alias (S.America) it tosses that country group off the list.
The remaining rules - order and customizations - were all reset.

As near as I can tell, any change at all in pfBlocker now mandates that I rewrite my rules from scratch.

It may be that every list update does the same.  
I offer that because the rules table completely reset about 11:30pm today - I have to rewrite them again.
« Last Edit: February 23, 2012, 12:38:16 am by LinuxTracker »

marcelloc
  • Hero Member
  • Posts: 9996
  • Karma: +4/-0
Re: pfBlocker
« Reply #408 on: February 23, 2012, 07:59:09 am »
Linuxtracker,

How are you renaming the rule description before changing the action to alias only?
I did a clean install and then:
  • Installed pfBlocker
  • denied inbound access to Argentina and some countries in Oceania
  • Renamed the rule description from South America to block Argentina
  • saved firewall rules and applied changes
  • back to pfBlocker, set action to alias only on the South America tab
  • saved config

After this, both rules (South America and Oceania) are still there.

I'll do some tests with lists applied too.
« Last Edit: February 23, 2012, 08:01:43 am by marcelloc »

LinuxTracker
  • Full Member
  • Posts: 118
  • Karma: +0/-0
Re: pfBlocker
« Reply #409 on: February 23, 2012, 11:41:59 am »
Linuxtracker,

How are you renaming the rule description before changing the action to alias only?

I don't change the rule descriptions that are generated by pfBlocker.
I figured they were necessary for the widget to work.

When I write the rules from scratch, the descriptions are identical to the pfBlocker generated ones.
ie:
pfBlockerSouthAmerica auto rule
Thanks

LinuxTracker
  • Full Member
  • Posts: 118
  • Karma: +0/-0
Re: pfBlocker
« Reply #410 on: February 23, 2012, 11:46:01 am »
I did a clean install and then:
  • Installed pfblocker
  • denied inbound access to Argentina and some countries on Oceania
  • Renamed the rule description from South America to block Argentina
  • saved firewall rules and applied changes
  • back to pfblocker, set action to alias only on South America tab
  • saved config

After this, both rules (South America and Oceania) are still there.

I'll do some tests with lists applied too.

I need to clarify something.
  • Renamed the rule description from South America to block Argentina

You mean you changed the rule description from "South America", so that it read "block Argentina" - correct?

The last time I changed my rule descriptions, my pfBlocker widget quit working.
So, I've kept my rules descriptions identical to whatever pfBlocker created.

But:
It seems we can rename the pfBlocker-generated alias name
as long as the new alias name is at the beginning of the rules description.

That won't break the widget.  Do I understand correctly?

marcelloc
  • Hero Member
  • Posts: 9996
  • Karma: +4/-0
Re: pfBlocker
« Reply #411 on: February 23, 2012, 11:55:10 am »
Linuxtracker,

I've changed the rule description to "pfBlockerSouthAmerica deny inbound" so as not to break the widget, and also included a list with hourly updates, and the rules are still there.


LinuxTracker
  • Full Member
  • Posts: 118
  • Karma: +0/-0
Re: pfBlocker
« Reply #412 on: February 23, 2012, 12:58:46 pm »
Linuxtracker,

I've changed the rule description to "pfBlockerSouthAmerica deny inbound" so as not to break the widget, and also included a list with hourly updates, and the rules are still there.

OK Thanks for your time on this.

I'll uninstall the package tonight and see what a fresh start yields.

Question: How do I force a manual list update?

marcelloc
  • Hero Member
  • Posts: 9996
  • Karma: +4/-0
Re: pfBlocker
« Reply #413 on: February 23, 2012, 01:30:47 pm »
Question: How do I force a manual list update?

As I forgot to include this option, you can change update frequency to every hour and then run

/usr/local/bin/php -q /usr/local/www/pfblocker.php cron

on console.

LinuxTracker
  • Full Member
  • Posts: 118
  • Karma: +0/-0
Re: pfBlocker
« Reply #414 on: February 24, 2012, 02:49:06 am »
Linuxtracker,

I've changed the rule description to "pfBlockerSouthAmerica deny inbound" so as not to break the widget, and also included a list with hourly updates, and the rules are still there.

My custom lists weren't pulling new updates.  I don't think the countries were updating either.

So I uninstalled the package and deleted the pfblocker*.xml files in /usr/local/pkg.
After reinstalling pfBlocker, both lists and countries updated correctly.

After that, I followed your guide as before.
Once my rules were set up, I went back into pfBlocker and changed Oceania from Deny All to Alias
and all my rule changes and ordering were thrown out.

That made me sad.

Update:
So with a heavy heart I set out to rewrite my rules from scratch.
I set the rest of the pfBlocker options to Alias and applied the settings.

I next went to rules - and discovered that my rule settings and ordering - were restored back to where I wanted them.

I am no longer sad.  Now I am confused.
« Last Edit: February 24, 2012, 03:48:27 am by LinuxTracker »

marcelloc
  • Hero Member
  • Posts: 9996
  • Karma: +4/-0
Re: pfBlocker
« Reply #415 on: February 24, 2012, 07:57:18 am »
My custom lists weren't pulling new updates.  I don't think the countries were updating either.
Did you try to run it on the console the way I described to you?

I don't think the countries were updating either.

Country lists are updated on pfblocker releases, not via cron job.

So I uninstalled the package and deleted the pfblocker*.xml files in /usr/local/pkg.
After reinstalling pfBlocker, both lists and countries updated correctly.

After that, I followed your guide as before.
Once my rules were set up, I went back into pfBlocker and changed Oceania from Deny All to Alias
and all my rule changes and ordering were thrown out.

That made me sad.

Update:
So with a heavy heart I set out to rewrite my rules from scratch.
I set the rest of the pfBlocker options to Alias and applied the settings.

I next went to rules - and discovered that my rule settings and ordering - were restored back to where I wanted them.

I am no longer sad.  Now I am confused.


I'll keep trying to simulate this issue.
All tests I did, preserving the aliasname on firewall rule description were fine.

LinuxTracker
  • Full Member
  • Posts: 118
  • Karma: +0/-0
Re: pfBlocker
« Reply #416 on: February 24, 2012, 02:18:18 pm »
Did you try to run it on the console the way I described to you?
Yes.  That did work and helped me to find a misspelled list name.

It'll also come in handy in the future.

Country lists are updated on pfblocker releases, not via cron job.
After I uninstalled the package -> deleted the pfblocker*.xml files -> reinstalled it - the country lists updated normally.

I think the package handler was wonky and didn't update pfblocker properly the last time.

I'll keep trying to simulate this issue.
All tests I did, preserving the aliasname on firewall rule description were fine.

That my rules would suddenly show correctly - after they were reset - seems really strange.

I have other pfSense boxes out there.  I'll update one or two of them and see if any issues pop up.

I certainly appreciate your efforts. 
For now I'll keep looking into things on my end.

archy
  • Newbie
  • Posts: 6
  • Karma: +0/-0
Re: pfBlocker
« Reply #417 on: February 29, 2012, 12:06:31 pm »
My experience using pfBlocker:
if I set max table size = 100000,
there is still an error logged:

php: : New alert found: There were error(s) loading the rules: /tmp/rules.debug:23: cannot define table pfBlockerNorthAmerica: Cannot allocate memory pfctl: Syntax error in config file: pf rules not loaded The line in question reads [23]: table <pfBlockerNorthAmerica> persist file "/var/db/aliastables/pfBlockerNorthAmerica.txt"

If I set max table size = 1000000,

the problem is solved. Just wanted to share.
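The "Cannot allocate memory" in that log line is pf refusing to define a table that would push the total number of table entries over the kernel limit, which pfSense sets from the Firewall Maximum Table Entries value (the "max table size" above). An added example, not code from the thread or the pfBlocker package: a sh script that totals the addresses in the alias table files and checks them against the live limit, so the limit can be raised before pf rejects the ruleset. It assumes pfBlocker's tables are one-address-per-line files under /var/db/aliastables (the path in the error) and that `pfctl -sm` reports the limit as "table-entries hard limit N"; the sample tables built inside the block are constructed from RFC 1918 ranges and are not real GeoIP data.

```shell
#!/bin/sh
# Added example (not from the thread or the pfBlocker package).
# Assumptions: alias tables are one-address-per-line files in /var/db/aliastables
# and `pfctl -sm` prints the kernel limit as "table-entries hard limit N".

# Count the non-blank, non-comment lines across all alias table files in a dir.
count_table_entries() {
    dir="$1"
    total=0
    for f in "$dir"/*.txt; do
        [ -f "$f" ] || continue
        n=$(grep -cEv '^[[:space:]]*(#|$)' "$f" || true)
        total=$((total + n))
    done
    echo "$total"
}

# Succeed only if the entries stay under 90% of the limit (room for list growth).
fits_table_limit() {
    entries="$1"
    limit="$2"
    [ $((entries * 10)) -lt $((limit * 9)) ]
}

# Read the live table-entries limit from pf; fails when pfctl is unavailable.
live_table_limit() {
    command -v pfctl >/dev/null 2>&1 || return 1
    pfctl -sm | awk '/^table-entries/ { print $4; found = 1 } END { exit !found }'
}

# Constructed sample tables for the demo (RFC 1918 ranges, not real GeoIP data).
make_sample_tables() {
    d=$(mktemp -d)
    printf '# constructed sample\n10.0.0.0/8\n10.1.0.0/16\n10.2.0.0/16\n' > "$d/pfBlockerSouthAmerica.txt"
    printf '10.3.0.0/16\n\n10.4.0.0/16\n' > "$d/pfBlockerOceania.txt"
    echo "$d"
}

# Demo: constructed tables against the live limit, or against 100000 (the value
# that failed in the post above) when pfctl is not present on this machine.
demo_dir=$(make_sample_tables)
demo_entries=$(count_table_entries "$demo_dir")
demo_limit=$(live_table_limit 2>/dev/null || echo 100000)
if fits_table_limit "$demo_entries" "$demo_limit"; then
    echo "ok: $demo_entries entries against limit $demo_limit"
else
    echo "raise Firewall Maximum Table Entries: $demo_entries entries against limit $demo_limit"
fi
rm -rf "$demo_dir"
```

On the firewall, `count_table_entries /var/db/aliastables` gives the pfBlocker share; compare it with `live_table_limit` before enabling another continent. The pf limit is shared by every table (bogons, other URL Table aliases, pfBlocker lists), so the count from the pfBlocker files alone is a lower bound, which is why the check keeps 10% headroom rather than allowing the total to reach the limit exactly.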

dhatz
  • Hero Member
  • Posts: 1002
  • Karma: +0/-0
Re: pfBlocker
« Reply #418 on: February 29, 2012, 12:22:02 pm »
I wonder if the pfBlocker developers have considered using pf anchors ( http://openbsd.org/faq/pf/anchors.html ) ?

IMHO it'd be a nice design practice for pfsense packages to use anchors.

Check article http://forum.pfsense.org/index.php/topic,45277.0.html which among others notes the recent pf extensions by Apple to make sure Mac OS X applications that interact with the packet filter configuration do not clobber each others' rules.
« Last Edit: February 29, 2012, 12:24:12 pm by dhatz »

marcelloc
  • Hero Member
  • Posts: 9996
  • Karma: +4/-0
Re: pfBlocker
« Reply #419 on: February 29, 2012, 12:31:13 pm »
dhatz,

pfBlocker uses pfSense firewall rules and URL Table aliases.

No pf rule is created by this package, only XML info for pfSense aliases and rules.


Anyway, thanks for this suggestion  :)