Bug #3109

pfBlocker disables firewall on nanobsd when there is no internet access at boot time

Added by Todd Blum almost 9 years ago. Updated almost 7 years ago.

Status: Resolved
Priority: Normal
Assignee: -
Category: -
Target version: -
Start date: 07/25/2013
% Done: 0%
Affected Version: 2.0.x
Affected Architecture: i386

Description

Hello,

I have had two routers running pfBlocker where, when booted after a power outage, all inside hosts lost internet access after the router came back up.
I can reproduce this on test routers with the following conditions:

pfSense nanobsd version 2.0.3
pfBlocker version 1.0.2
WAN: Static IP
Gateway monitoring: enabling or disabling gateway monitoring has no effect

If the internet connection to the router is severed before bootup (without losing link light), then no traffic from the inside is allowed to go through the router (even if internet connectivity is restored to the router after bootup).  An attempted connection to yahoo.com looks like:

tcp 98.139.183.24:80 <- 192.168.1.100:51349 CLOSED:SYN_SENT
tcp 192.168.1.100:51349 -> 98.139.183.24:80 SYN_SENT:CLOSED

No traffic from the inside is shown as being blocked in the firewall logs.

If pfBlocker is not installed (or installed but not enabled), then traffic is allowed to pass normally in these conditions.

The following is logged on bootup:

Jul 1 07:39:53 syslogd: kernel boot file is /boot/kernel/kernel
...
Jul 1 07:39:58 php: : The command '/usr/bin/fetch -T 5 -q -o '/var/db/aliastables/pfBlockerAfrica.txt.tmp' 'https://127.0.0.1:8443/pfblocker.php?pfb=pfBlockerAfrica'' returned exit code '1', the output was 'fetch: transfer timed out'
...
Jul 1 07:40:09 check_reload_status: Starting packages
Jul 1 07:40:09 php: : pfSense package system has detected an ip change -> ... Restarting packages.
Jul 1 07:40:14 php: : The command '/usr/bin/grep -v '^#' '/var/db/aliastables/pfBlockerSouthAmerica.txt.tmp' > '/var/db/aliastables/pfBlockerSouthAmerica.txt'' returned exit code '2', the output was ''
Jul 1 07:40:14 php: : The command '/usr/bin/fetch -T 5 -q -o '/var/db/aliastables/pfBlockerSouthAmerica.txt.tmp' 'https://127.0.0.1:8443/pfblocker.php?pfb=pfBlockerSouthAmerica'' returned exit code '1', the output was 'fetch: transfer timed out'
Jul 1 07:40:14 php: : The command '/usr/bin/grep -v '^#' '/var/db/aliastables/pfBlockerSouthAmerica.txt.tmp' > '/var/db/aliastables/pfBlockerSouthAmerica.txt'' returned exit code '2', the output was ''
Jul 1 07:40:14 php: : The command '/usr/bin/fetch -T 5 -q -o '/var/db/aliastables/pfBlockerSouthAmerica.txt.tmp' 'https://127.0.0.1:8443/pfblocker.php?pfb=pfBlockerSouthAmerica'' returned exit code '1', the output was 'fetch: transfer timed out'
Jul 1 07:40:16 php: : No pfBlocker action during boot process.
Jul 1 07:40:16 php: : No pfBlocker action during boot process.
Jul 1 07:40:16 php: : No pfBlocker action during boot process.
Jul 1 07:40:16 php: : No pfBlocker action during boot process.
Jul 1 07:40:16 php: : Restarting/Starting all packages.
...
Jul 1 07:42:16 php: : OpenNTPD is starting up.
Jul 1 07:42:16 php: : The command '/usr/bin/killall 'ntpd'' returned exit code '1', the output was 'killall: warning: kill -TERM 26134: No such process'
Jul 1 07:42:16 php: : There were error(s) loading the rules: no IP address found for grep: /tmp/rules.debug:18: file "/var/db/aliastables/pfBlockerAfrica.txt" contains bad data no IP address found for grep: /tmp/rules.debug:20: file "/var/db/aliastables/pfBlockerAsia.txt" contains bad data no IP address found for grep: /tmp/rules.debug:22: file "/var/db/aliastables/pfBlockerEurope.txt" contains bad data no IP address found for grep: /tmp/rules.debug:24: file "/var/db/aliastables/pfBlockerSouthAmerica.txt" contains bad data no IP address found for grep: /tmp/rules.debug:26: file "/var/db/aliastables/pfBlockerTopSpammers.txt" contains bad data pfctl: Syntax error in config file: pf rules not loaded - The line in question reads [ /tmp/rules.debug]:
Jul 1 07:42:17 check_reload_status: Restarting ipsec tunnels
Jul 1 07:42:27 php: : Creating rrd update script
Jul 1 07:42:30 php: : No pfBlocker action during boot process.
Jul 1 07:42:30 php: : No pfBlocker action during boot process.
Jul 1 07:42:30 php: : No pfBlocker action during boot process.
Jul 1 07:42:30 php: : No pfBlocker action during boot process.
Jul 1 07:42:30 php: : Restarting/Starting all packages.
Jul 1 07:42:33 php: : IPSEC: One or more IPsec tunnel endpoints has changed its IP. Refreshing.
Jul 1 07:42:33 check_reload_status: Reloading filter
Jul 1 07:42:34 login: login on console as root
Jul 1 07:42:41 php: : The command '/sbin/pfctl -o basic -f /tmp/rules.debug' returned exit code '1', the output was 'no IP address found for grep: /tmp/rules.debug:18: file "/var/db/aliastables/pfBlockerAfrica.txt" contains bad data no IP address found for grep: /tmp/rules.debug:20: file "/var/db/aliastables/pfBlockerAsia.txt" contains bad data no IP address found for grep: /tmp/rules.debug:22: file "/var/db/aliastables/pfBlockerEurope.txt" contains bad data no IP address found for grep: /tmp/rules.debug:24: file "/var/db/aliastables/pfBlockerSouthAmerica.txt" contains bad data no IP address found for grep: /tmp/rules.debug:26: file "/var/db/aliastables/pfBlockerTopSpammers.txt" contains bad data pfctl: Syntax error in config file: pf rules not loaded'
...
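Reading the boot log above: each `fetch ... 'https://127.0.0.1:8443/pfblocker.php?pfb=...'` timed out, so the `.tmp` download never existed, the `grep -v '^#' ... .tmp > ....txt` step exited 2, and `pfctl` then rejected the entire ruleset because every pfBlocker table file "contains bad data". `no IP address found for grep` is what pfctl prints when it cannot resolve a token in a table file as a host name, so the word `grep` itself had ended up in the `.txt` file, which is consistent with grep's own error message being captured into the table when its input was missing. The security-relevant consequence is that one failed blocklist refresh at boot left the firewall with no loaded ruleset at all. The script below is an added example, not pfBlocker or pfSense code, of the fail-safe a practitioner would want in that refresh step: validate the downloaded table before installing it, and on failure keep the previous table (or install an empty one) so that the rest of the ruleset still loads. The function names `pfb_table_ok`, `pfb_refresh_table` and `pfb_table_count` are hypothetical, the table format (one IPv4 address or CIDR per line, `#` comments allowed) is an assumption, and the sample downloads are constructed.

```sh
#!/bin/sh
# Added example (not pfBlocker/pfSense code): a boot-safe alias-table refresh.
# Assumptions: a table file holds one IPv4 address or CIDR per line, '#' starts
# a comment, and the download step has already written (or failed to write)
# the ".tmp" file that is handed to pfb_refresh_table.

# strip comments and blank lines from a table file on stdout
pfb_table_body() {
    sed -e 's/#.*$//' -e '/^[[:space:]]*$/d' "$1"
}

# pfb_table_ok FILE: 0 if FILE exists and every non-comment line is an IPv4
# address or CIDR; 1 if it is missing, empty, or contains anything else
# (for example a captured "grep: ...: No such file or directory" message,
# which pfctl would otherwise try to resolve as a host name).
pfb_table_ok() {
    f=$1
    [ -f "$f" ] || return 1
    body=$(pfb_table_body "$f")
    [ -n "$body" ] || return 1
    # any line that is not an address/CIDR makes the whole file unusable
    printf '%s\n' "$body" \
        | grep -Eqv '^[[:space:]]*([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?[[:space:]]*$' \
        && return 1
    return 0
}

# pfb_refresh_table TMP TARGET: install the cleaned TMP as TARGET only if it
# validates. Otherwise keep the previous TARGET, or create an empty table if
# there is none, so the pf ruleset that references it still loads; return 1.
pfb_refresh_table() {
    tmp=$1; target=$2
    if pfb_table_ok "$tmp"; then
        # write the cleaned table atomically beside the target
        pfb_table_body "$tmp" > "$target.new" && mv "$target.new" "$target"
        rm -f "$tmp"
        return 0
    fi
    if [ ! -f "$target" ]; then
        # empty table (comment only): fails open for this one list instead of
        # taking every rule down with a pfctl syntax error
        printf '# %s: no valid data at refresh time, table left empty\n' "$target" > "$target"
    fi
    rm -f "$tmp"
    return 1
}

# pfb_table_count TARGET: number of address entries in an installed table
pfb_table_count() {
    pfb_table_body "$1" | wc -l | tr -d ' '
}

# demo on constructed downloads: one good list, one missing download with a
# previous table in place, one download containing text instead of addresses
pfb_demo() {
    d=$(mktemp -d)
    printf '# pfBlocker Africa (constructed sample)\n41.0.0.0/8\n102.128.0.0/12\n\n' \
        > "$d/pfBlockerAfrica.txt.tmp"
    printf '1.0.0.0/8\n' > "$d/pfBlockerAsia.txt"            # previous good table, no new .tmp
    printf 'grep: %s: No such file or directory\n' "$d/pfBlockerEurope.txt.tmp" \
        > "$d/pfBlockerEurope.txt.tmp"                         # error text, not addresses
    for t in Africa Asia Europe; do
        if pfb_refresh_table "$d/pfBlocker$t.txt.tmp" "$d/pfBlocker$t.txt"; then
            echo "pfBlocker$t: refreshed, $(pfb_table_count "$d/pfBlocker$t.txt") entries"
        else
            echo "pfBlocker$t: download rejected, kept $(pfb_table_count "$d/pfBlocker$t.txt") entries"
        fi
    done
    rm -rf "$d"
}
pfb_demo
```

The trade-off is deliberate: an empty table fails open for that single blocklist while the rest of the ruleset, including the default deny on WAN, still loads, which is the lesser harm compared with pf refusing every rule. A rejected refresh should be logged loudly and retried once the WAN gateway is up. The validator accepts IPv4 only; a list with IPv6 entries needs the pattern extended.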

Actions #1

Updated by Todd Blum almost 9 years ago

I tried the regular non-embedded version of pfSense and it does not have this behavior, I could only reproduce this with the embedded version.

Actions #2

Updated by Doktor Notor almost 9 years ago

This works just fine on nanobsd 2.1RC. Never seen any such issue there.

Actions #3

Updated by Todd Blum almost 9 years ago

I couldn't reproduce this on nanobsd 2.1-RELEASE either.

Actions #4

Updated by Kill Bill almost 7 years ago

Abandoned package, no such issue with pfBlockerNG.

Actions #5

Updated by Chris Buechler almost 7 years ago

  • Status changed from New to Resolved