Project

General

Profile

Actions

Bug #3109

closed

pfBlocker disables firewall on nanobsd when no there is no internet access at boot time

Added by Todd Blum about 9 years ago. Updated about 7 years ago.

Status:
Resolved
Priority:
Normal
Assignee:
-
Category:
-
Target version:
-
Start date:
07/25/2013
Due date:
% Done:

0%

Estimated time:
Plus Target Version:
Affected Version:
2.0.x
Affected Plus Version:
Affected Architecture:
i386

Description

Hello,

I have had two routers running pfBlocker that, when booted after a power outage, all inside hosts have lost internet access after the router came back up.
I can reproduce this on test routers with the following conditions:

pfSense nanobsd version 2.0.3
pfBlocker version 1.0.2
WAN: Static IP
Gateway monitoring: enabling or disabling gateway monitoring has no effect

If the internet connection to the router is severed before bootup (without losing link light), then no traffic from the inside is allowed to go through the router (even if internet connectivity is restored to the router after bootup).  An attempted connection to yahoo.com looks like:

tcp 98.139.183.24:80 <- 192.168.1.100:51349 CLOSED:SYN_SENT
tcp 192.168.1.100:51349 -> 98.139.183.24:80 SYN_SENT:CLOSED

No traffic from the inside is shown as being blocked in the firewall logs.

If pfBlocker is not installed (or installed but not enabled), then traffic is allowed to pass normally in these conditions.

The following is logged on bootup:

Jul 1 07:39:53 syslogd: kernel boot file is /boot/kernel/kernel
...
Jul 1 07:39:58 php: : The command '/usr/bin/fetch -T 5 -q -o '/var/db/aliastables/pfBlockerAfrica.txt.tmp' 'https://127.0.0.1:8443/pfblocker.php?pfb=pfBlockerAfrica'' returned exit code '1', the output was 'fetch: transfer timed out'
...
Jul 1 07:40:09 check_reload_status: Starting packages
Jul 1 07:40:09 php: : pfSense package system has detected an ip change -> ... Restarting packages.
Jul 1 07:40:14 php: : The command '/usr/bin/grep -v '^#' '/var/db/aliastables/pfBlockerSouthAmerica.txt.tmp' > '/var/db/aliastables/pfBlockerSouthAmerica.txt'' returned exit code '2', the output was ''
Jul 1 07:40:14 php: : The command '/usr/bin/fetch -T 5 -q -o '/var/db/aliastables/pfBlockerSouthAmerica.txt.tmp' 'https://127.0.0.1:8443/pfblocker.php?pfb=pfBlockerSouthAmerica'' returned exit code '1', the output was 'fetch: transfer timed out'
Jul 1 07:40:14 php: : The command '/usr/bin/grep -v '^#' '/var/db/aliastables/pfBlockerSouthAmerica.txt.tmp' > '/var/db/aliastables/pfBlockerSouthAmerica.txt'' returned exit code '2', the output was ''
Jul 1 07:40:14 php: : The command '/usr/bin/fetch -T 5 -q -o '/var/db/aliastables/pfBlockerSouthAmerica.txt.tmp' 'https://127.0.0.1:8443/pfblocker.php?pfb=pfBlockerSouthAmerica'' returned exit code '1', the output was 'fetch: transfer timed out'
Jul 1 07:40:16 php: : No pfBlocker action during boot process.
Jul 1 07:40:16 php: : No pfBlocker action during boot process.
Jul 1 07:40:16 php: : No pfBlocker action during boot process.
Jul 1 07:40:16 php: : No pfBlocker action during boot process.
Jul 1 07:40:16 php: : Restarting/Starting all packages.
...
Jul 1 07:42:16 php: : OpenNTPD is starting up.
Jul 1 07:42:16 php: : The command '/usr/bin/killall 'ntpd'' returned exit code '1', the output was 'killall: warning: kill -TERM 26134: No such process'
Jul 1 07:42:16 php: : There were error(s) loading the rules: no IP address found for grep: /tmp/rules.debug:18: file "/var/db/aliastables/pfBlockerAfrica.txt" contains bad data no IP address found for grep: /tmp/rules.debug:20: file "/var/db/aliastables/pfBlockerAsia.txt" contains bad data no IP address found for grep: /tmp/rules.debug:22: file "/var/db/aliastables/pfBlockerEurope.txt" contains bad data no IP address found for grep: /tmp/rules.debug:24: file "/var/db/aliastables/pfBlockerSouthAmerica.txt" contains bad data no IP address found for grep: /tmp/rules.debug:26: file "/var/db/aliastables/pfBlockerTopSpammers.txt" contains bad data pfctl: Syntax error in config file: pf rules not loaded - The line in question reads [ /tmp/rules.debug]:
Jul 1 07:42:17 check_reload_status: Restarting ipsec tunnels
Jul 1 07:42:27 php: : Creating rrd update script
Jul 1 07:42:30 php: : No pfBlocker action during boot process.
Jul 1 07:42:30 php: : No pfBlocker action during boot process.
Jul 1 07:42:30 php: : No pfBlocker action during boot process.
Jul 1 07:42:30 php: : No pfBlocker action during boot process.
Jul 1 07:42:30 php: : Restarting/Starting all packages.
Jul 1 07:42:33 php: : IPSEC: One or more IPsec tunnel endpoints has changed its IP. Refreshing.
Jul 1 07:42:33 check_reload_status: Reloading filter
Jul 1 07:42:34 login: login on console as root
Jul 1 07:42:41 php: : The command '/sbin/pfctl -o basic -f /tmp/rules.debug' returned exit code '1', the output was 'no IP address found for grep: /tmp/rules.debug:18: file "/var/db/aliastables/pfBlockerAfrica.txt" contains bad data no IP address found for grep: /tmp/rules.debug:20: file "/var/db/aliastables/pfBlockerAsia.txt" contains bad data no IP address found for grep: /tmp/rules.debug:22: file "/var/db/aliastables/pfBlockerEurope.txt" contains bad data no IP address found for grep: /tmp/rules.debug:24: file "/var/db/aliastables/pfBlockerSouthAmerica.txt" contains bad data no IP address found for grep: /tmp/rules.debug:26: file "/var/db/aliastables/pfBlockerTopSpammers.txt" contains bad data pfctl: Syntax error in config file: pf rules not loaded'
...

Actions

Also available in: Atom PDF