• pfblocker and AD DNS

    0 Votes
    7 Posts
    1k Views
    JeGr

    @riften said in pfblocker and AD DNS:

    I've got two Server 2016 VMs running a domain, both with DNS and DHCP. No DHCP on PFSense, only DNS Resolver configured. The IPs listed in PFSense in SYSTEM/GENERAL are all my chosen Internet resolvers (not my internal DNS; they are DNS over TLS Internet resolvers). All my clients have as their DNS my two DNS servers only, and they get this from the DCs' DHCP server and scope options. The DCs list each other as their DNS, and have the PFSense box as their forwarder (not conditional, just a regular forwarder). If they can't resolve the request, they use the forwarder, so port 53 TCP and UDP are allowed via a LAN rule applied to an alias for both my DCs, to the LAN interface on PFSense. All clients' port 53 is blocked in PFSense by a rule below that allow rule, just to make sure they don't get directly out for any reason (say if they get infected with something and their DNS is hack-configured to something malicious). Once PFSense gets the request from my DCs, it then uses the configured DNS servers on the General tab, with the DNS over TLS settings set in the DNS Resolver section.

    And what does that have to do with the original question/problem? That's your workflow, OK. But that has potential problems / oversights as well. But besides, I don't get what you wanted to say/add to the topic with telling your setup.

    As an additional thought: only blocking udp/tcp 53 isn't enough anymore. There are DoT resolvers for client OSes as well that could be used, and with Windows (or applications) adding DoH support, that "Pandora's Box" will soon bring fun to all admins debugging DNS failings as well ;)

  • pfblockerng error: Unknown Not listed!

    0 Votes
    24 Posts
    4k Views

    @Gertjan ok, guys. will do

  • Firewall rules gets mixed up after a few minutes

    Moved
    0 Votes
    10 Posts
    920 Views

    This is noted and will experiment with this in the next few days when most people in the office are in their Christmas break. Thank you!!!

  • How to allow ip from my lan, using pfblocker?

    0 Votes
    1 Post
    94 Views
    No one has replied
  • DNSBL only working on DMZ NIC?

    0 Votes
    13 Posts
    1k Views
    TAC57


  • Help - Memory allocation errors

    0 Votes
    8 Posts
    3k Views
    awebster

    @kiokoman Aha, that makes much more sense! Thanks!

  • pfBlockerNG 2.2.5_27 cron update and traffic loss

    0 Votes
    5 Posts
    583 Views

    @Gertjan said in pfBlockerNG 2.2.5_27 cron update and traffic loss:

    @asdjklfjkdslfdsaklj said in pfBlockerNG 2.2.5_27 cron update and traffic loss:

    As an aside, no, no issues with name resolution.

    Well, I'm still curious to know what the time is between "unbound stop" and "unbound started".

    None, given "Resolver Live Sync" is enabled.

  • pfBlockerNG Surprise

    0 Votes
    3 Posts
    516 Views
    NollipfSense

    @viktor_g Yes, I know...I was just surprised to see a new display instead of a blank page. BBcan177 is so awesome...I remembered seeing a request for such display in a post recently, and he got it done...so cool!

  • Firewall rules sorting

    Moved
    0 Votes
    5 Posts
    712 Views

    @Derelict thank you!

  • Pfblocker DNSBL not working

    0 Votes
    8 Posts
    1k Views
    NollipfSense

    @zaber01 I run both Squid for the antivirus only as well as pfBlockerNG; however, I do not use Squid's proxy server. I believe that's where you had the conflict. Your wanting to block sites is the purpose of installing pfBlockerNG, specifically to prevent clients from accessing potentially harmful sites.
    I would suggest spending some time in this section of the forum learning more...we all had to do this.

  • Need blocklist for amazonaws.com and stretchoid.com

    0 Votes
    6 Posts
    5k Views
    RedDelPaPa

    @szepeviktor said in Need blocklist for amazonaws.com and stretchoid.com:

    https://ip-ranges.amazonaws.com/ip-ranges.json

    Well done! Thank you!

  • Multicast address log spam

    0 Votes
    7 Posts
    896 Views
    provels

    @johnpoz said in Multicast address log spam:

    But floating rules are evaluated before interface rules, as long as you mark them "quick" so my guess is when you created the floating you didn't mark "quick" on it..

    Yes, you're right. Thanks for the tip.

  • Missing DNSBL Feeds categories [SOLVED, broken config]

    0 Votes
    8 Posts
    1k Views
    iorx

    Yeah, I added a couple of feeds and nothing showed up as they do on the new install.

    Maybe I'll have a look at the config files to see if there is something obvious which looks broken. But a faster solution is probably just to wipe it, reinstall and go through the wizard again, and then modify from there.

    I had some minor configuration/customization which reduced the chatter from outside hits so only open ports where reported on. Easy to recreate.

    I may have been a little unclear in my post; it was on a whim to see if someone had encountered something similar.

    Brgs,

  • Emerging Threats Feed

    0 Votes
    4 Posts
    649 Views

    I contacted ET and they told me that there was a problem with that file, so they took it down for a bit to fix it. They also said that even though they were acquired by Proofpoint a while back, they have no plans to change the way they do things.

  • DNSBL List Format

    0 Votes
    5 Posts
    1k Views

    DNSBL working great so far... have deployed many boxes for customers... looking forward to what's to come... would be very nice to have features like schedules for rules in pfBlocker/DNSBL and especially regex filtering like we had in Squid... I'm willing to contribute in any way possible with these... totally worth a patron membership now.

  • pfBlockerNG-devel feedback

    5 Votes
    102 Posts
    101k Views

    What's important is the effect of the block list causing the firewall to block "itself" inadvertently (i.e. inbound/outbound connections on a port for a required service, such as remote administrative access being blocked at the branch site, by "itself"), while trying to maximize efficiency - shunning undesirable traffic first. Yes, one might argue to place the administrative service -prior- to the block lists, but why expose any service to sources that are considered "bad" for one reason or another? Would think that most folks would like the advantage of knowing that blocked addresses are simply rejected in total to reduce superfluous traffic. However that obviously backfires if an address ends up on a list. If pfBlocker logically allows the firewall to "block itself", the protection becomes equal to the risk of not blocking those addresses. External interface with logical rule ordering:

    Block RFC-1918
    Block Bogon
    Block from <lists>
    Block to <lists>
    All other rules

    As a temporary 'hack' added the following shell script to remove anything that matches for the specific IP Address, but does little if for some reason the network were to end up in a list. This was added to the cron jobs by tacking on " && /bin/sh <script-name>" so that at conclusion of each update, any interface IP addresses would be removed. Not the "best" solution, but a "gross" temporary means. It still unfortunately means that until the processing by pfBlocker is completed - some services could be interrupted (vs performing exclusion prior to pushing the new table data in which would protect legitimate connections). With pfBlocker set to a cron interval of 1 hour - this means that any connection exceeding 1 hour would be 'clipped'. Script:

    #!/bin/sh
    # Remove this firewall's own interface addresses from every pfBlockerNG
    # table after a cron update. IPv4 only: 'inet ' does not match 'inet6' lines.

    SCRIPTNAME=$(basename "$0")
    for IP in $(ifconfig -a | grep 'inet ' | sed -e 's/^.*inet //' -e 's/ .*//' | grep -v '^127\.0\.0\.1$' | sort -u)
    do
        for TABLE in $(pfctl -s Tables | grep '^pfB' | sort -u)
        do
            # -F -w: literal, whole-word match, so 10.1.1.1 does not also match
            # 10.1.1.10 and the dots are not treated as regex wildcards.
            if pfctl -t "${TABLE}" -T show | grep -F -w -q "${IP}"; then
                pfctl -t "${TABLE}" -T delete "${IP}" >/dev/null 2>&1
                logger -t "${SCRIPTNAME}" " : ${TABLE} : ${IP}"
            fi
        done
    done

    The point still remains that if by way of DHCP IP address changes or unexpected entry to a list - production services could be blocked inadvertently. The complexity (programmatically) could be a bit daunting based on what's available for efficient and fast processing of v4 and v6 addressing. Using something in 10.0.0.0/8 as crude example:

    Interface IP Address: 10.57.93.84
    Network in block list: 10.56.0.0/15
    Would need to translate to: 10.56.0.0/16,10.57.0.0/18, 10.57.64.0/20,... 10.57.93.0, ... 10.57.93.83, 10.57.93.85, ... 10.57.93.255, 10.57.94.0/23, 10.57.96.0/22, ...

    Noting that 10.57.93.84 is removed from the list as it occurs on an interface. This would increase table sizes where it's network-centric. It also adds overhead to the process as each leading octet would need to be vetted (ability to ignore processing where the lead octet doesn't match any of the leading octets for interfaces present).

    Notionally, maintaining all of the other "blocks" while excluding (at a minimum) interface address and potentially interface network(s). Otherwise, you'd end up either losing a significant protection or having to use overrides that nullify the advantages.

    Assertion being that if an IP Address ends up in a list - you don't want communication with that IP Address. Unfortunately, when the IP address on one of the firewall's interfaces ends up in a list.... After realizing what happens, it becomes a palm-to-forehead moment that could result in a less than enjoyable discussion.

    Granted, one might hope to think that any given address, static or dynamic, that they use wouldn't end up on a list, but it's possible. Interestingly enough, the dynamic IP address was evidently already on a list for a type of service that is specifically denied outbound in the firewall (making it all the more agitating).

  • Blocking everything except...

    0 Votes
    7 Posts
    1k Views
    Oceanwatcher

    @jdeloach Sounds exactly what is needed! Thank you!

  • There were error(s) loading the rules - contains bad data

    0 Votes
    4 Posts
    470 Views

    That did not solve the issue. Then I tried your 2nd suggestion and it seems to have worked. No issues so far. Thanks a lot for the quick help.

  • dnsbl Crashing

    0 Votes
    6 Posts
    647 Views
    JeGr

    @Stewart said in dnsbl Crashing:

    Congratulations. I've seen plenty of instances where c-icap, Squid, SquidGuard, Snort, etc. have crashed. Many times it's because of lack of space, usually because a log file (often Snort or Suricata) gets out of control and fills the entire SSD.

    And how does using the watchdog to restart them make any sense in those cases? If the disk is full, the service dies. That's normal. It's just like @Gertjan says: simply restarting with a "dumb" service checker doesn't do any good. I've tested the package myself and simply found no use case at all. All points where one could use it have underlying problems as the cause that you have to fix yourself (or by correcting settings etc.), so simply hitting restart after restart doesn't do any good for them.

    But besides that, with Suricata and probably other memory eaters, 4GB seems a bit on the very low side when running DNSBL mode with pfBNG. Do you have other memory-intensive settings activated in pfBNG?

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.