• Need blocklist for amazonaws.com and stretchoid.com

    6
    0 Votes
    6 Posts
    5k Views
    RedDelPaPaR

    @szepeviktor said in Need blocklist for amazonaws.com and stretchoid.com:

    https://ip-ranges.amazonaws.com/ip-ranges.json

    Well done! Thank you!

  • Multicast address log spam

    7
    0 Votes
    7 Posts
    891 Views
    provelsP

    @johnpoz said in Multicast address log spam:

    But floating rules are evaluated before interface rules, as long as you mark them "quick" so my guess is when you created the floating you didn't mark "quick" on it..

    Yes, you're right. Thanks for the tip.

  • Missing DNSBL Feeds categories [SOLVED, broken config]

    8
    0 Votes
    8 Posts
    1k Views
    iorxI

    Yeah, I added a couple of feeds and nothing showed up as they do on the new install.

    Maybe I'll have a look at the config files to see if there is something obvious which looks broken. But a faster solution is probably just to wipe it, reinstall and go through the wizard again, and then modify from there.

    I had some minor configuration/customization which reduced the chatter from outside hits so only open ports were reported on. Easy to recreate.

    I may have been a little unclear in my post, it was on a whim to see if someone encountered something similar.

    Brgs,

  • Emerging Threats Feed

    4
    0 Votes
    4 Posts
    646 Views
    E

    I contacted ET and they told me that there was a problem with that file so they took it down for a bit to fix it. They also said that even though they were acquired by Proofpoint a while back they have no plans to change the way they do things.

  • DNSBL List Format

    5
    0 Votes
    5 Posts
    1k Views
    T

    DNSBL working great so far... have deployed many boxes for customers... looking forward to what's to come... would be very nice to have features like schedules for rules in pfBlocker/DNSBL and specially regex filtering like we had in squid... I'm willing to contrib in any ways possible with these... totally worth a patron membership now.

  • pfBlockerNG-devel feedback

    102
    5 Votes
    102 Posts
    101k Views
    J

    What's important is the effect of the block list causing the firewall to block "itself" inadvertently (ie: inbound/outbound connections on a port for a required service, such as remote administrative access being blocked at the branch site, by "itself"), while trying to maximize efficiency - shunning undesirable traffic, first. Yes, one might argue to place the administrative service -prior- to the block lists, but why expose any service to sources that are considered "bad" for one reason or another? Would think that most folks would like the advantage of knowing that blocked addresses are simply rejected in total to reduce superfluous traffic. However that obviously backfires if an address ends up on a list. If pfBlocker logically allows the firewall to "block itself", the protection becomes equal to the risk of not blocking those addresses. External interface with logical rule ordering:

    Block RFC-1918
    Block Bogon
    Block from <lists>
    Block to <lists>
    All other rules

    As a temporary 'hack' added the following shell script to remove anything that matches for the specific IP Address, but does little if for some reason the network were to end up in a list. This was added to the cron jobs by tacking on " && /bin/sh <script-name>" so that at conclusion of each update, any interface IP addresses would be removed. Not the "best" solution, but a "gross" temporary means. It still unfortunately means that until the processing by pfBlocker is completed - some services could be interrupted (vs performing exclusion prior to pushing the new table data in which would protect legitimate connections). With pfBlocker set to a cron interval of 1 hour - this means that any connection exceeding 1 hour would be 'clipped'. Script:

    #!/bin/sh
    # Remove any of this firewall's own interface IPv4 addresses from every
    # pfBlockerNG pf table. The command substitutions were lost when the post
    # was rendered; they are restored here with $(...).

    SCRIPTNAME=$(basename "$0")

    # Every IPv4 address bound to a local interface, excluding loopback
    for IP in $(ifconfig -a | grep 'inet ' | sed -e 's/^.*inet //' -e 's/ .*//' | grep -v '^127\.0\.0\.1$' | sort -u)
    do
        # Every pf table created by pfBlockerNG (table names start with "pfB")
        for TABLE in $(pfctl -s Tables | grep '^pfB' | sort -u)
        do
            # Whole-line, fixed-string match after trimming pfctl's leading
            # whitespace: a bare "grep 10.1.1.1" would also match 10.1.1.10
            CHECK=$(pfctl -t "${TABLE}" -T show | sed 's/^[[:space:]]*//' | grep -Fx "${IP}")
            if [ -n "${CHECK}" ]; then
                pfctl -t "${TABLE}" -T delete "${IP}" >/dev/null 2>&1
                logger -t "${SCRIPTNAME}" " : ${TABLE} : ${IP}"
            fi
        done
    done

    The point still remains that if by way of DHCP IP address changes or unexpected entry to a list - production services could be blocked inadvertently. The complexity (programmatically) could be a bit daunting based on what's available for efficient and fast processing of v4 and v6 addressing. Using something in 10.0.0.0/8 as a crude example:

    Interface IP Address: 10.57.93.84
    Network in block list: 10.56.0.0/15
    Would need to translate to: 10.56.0.0/16, 10.57.0.0/18, 10.57.64.0/20, ... 10.57.93.0, ... 10.57.93.83, 10.57.93.85, ... 10.57.93.255, 10.57.94.0/23, 10.57.96.0/22, ...

    Noting that 10.57.93.84 is being removed from the list as it occurs on an interface. This would increase table sizes where it's network centric. It also adds overhead to the process as each leading octet would need to be vetted (ability to ignore processing where lead octet doesn't match any of the leading octets for interfaces present).

    Notionally, maintaining all of the other "blocks" while excluding (at a minimum) interface address and potentially interface network(s). Otherwise, you'd end up either losing a significant protection or having to use overrides that nullify the advantages.

    Assertion being that if an IP Address ends up in a list - you don't want communication with that IP Address. Unfortunately, when the IP address on one of the firewall's interfaces ends up in a list.... After realizing what happens, it becomes a palm-to-forehead moment that could result in a less than enjoyable discussion.

    Granted, one might hope to think that any given address static or dynamic that they use wouldn't end up on a list, but it's possible. Interestingly enough, the dynamic IP Address was evidently already on a list for a type of service that is specifically denied outbound in the firewall (making it all the more agitating).

  • Blocking everything except...

    7
    0 Votes
    7 Posts
    1k Views
    OceanwatcherO

    @jdeloach Sounds exactly what is needed! Thank you!

  • There were error(s) loading the rules - contains bad data

    4
    0 Votes
    4 Posts
    468 Views
    Z

    That did not solve the issue. Then I tried your 2nd suggestion and it seems to have worked. No issues so far. Thanks a lot for the quick help.

  • dnsbl Crashing

    6
    0 Votes
    6 Posts
    647 Views
    JeGrJ

    @Stewart said in dnsbl Crashing:

    Congratulations. I've seen plenty of instances where c-icap, Squid, SquidGuard, Snort, etc. have crashed. Many times it's because of lack of space, usually because a log file (often Snort or Suricata) gets out of control and fills the entire SSD.

    And how does using the watchdog to restart them make any sense in those cases? If the disk is full the service dies. That's normal. It's just like @Gertjan says: simply restarting with a "dumb" service checker doesn't do any good. I've tested the package myself and simply found no use case at all. All points where one could use it have underlying problems as cause that you have to fix yourself (or by correcting settings etc. etc.) so simply hitting restart after restart doesn't do any good to them.

    But besides that, with Suricata and probably other memory eaters, 4GB seems a bit on the very low side when running DNSBL mode with pfBNG. Do you have other memory intensive settings activated in pfBNG?

  • pfBlokerNG 2.2.5_26 on pfsense 2.5.0-DEVELOPMENT - How to unblock a site?

    9
    0 Votes
    9 Posts
    946 Views
    P

    @Elliott32224 so it turns out it didn't fix my issue actually. Lol AliExpress apparently uses a plethora of sources for images on their site/app... I may have to figure something else out in order to get it to work lol

  • pfBlockerNG prevents photos from loading on Instagram on android phone

    Locked Moved
    10
    0 Votes
    10 Posts
    3k Views
    E

    @Gertjan Cool! Thanks!

  • Non-empty list considered an empty list in devel 2.2.5_26

    5
    0 Votes
    5 Posts
    628 Views
    S

    I think I know what is going on. One of my other block lists already included this list's IP addresses (via an ASN list), so they must be interfering due to the deduplication list. After disabling dedupe and forcing a reload I can see the list as it should be.

  • Dnsbl service not starting

    6
    0 Votes
    6 Posts
    2k Views
    J

    Sorry for bringing up such an old post, but the recommendations @BBcan177 mentioned worked for me. In my case, I had to make sure the two ports used for HTTP and HTTPS traffic didn't overlap with any other rules I had already defined.

  • pfBlockerNG Certificate Errors

    8
    0 Votes
    8 Posts
    1k Views
    NollipfSenseN

    It appears that the site you were visiting has been blocked by the DNSBL. You'll need to create another DNSBL list and add the sites you were visiting that you know to be safe...be sure to set group order to primary and disable logging as shown below. Then add the sites to the DNSBL Custom_List. Then, force reload pfBlockerNG.

    Screen Shot 2019-11-21 at 11.30.20 PM.png

    Screen Shot 2019-11-21 at 11.30.52 PM.png

  • www. not blocked?

    2
    0 Votes
    2 Posts
    383 Views
    M

    I can tell there are many of you dying to know what happened with this. </sarcasm> I rebooted the whole firewall. Botta bing botta boom. Both are blocked now. That didn't cross my mind to do that because you wouldn't think that'd be necessary for such a problem, but...isn't that actually always the answer?

  • Can I block IPs of my DNS-based lists?

    4
    0 Votes
    4 Posts
    542 Views
    NollipfSenseN

    @mh13 said in Can I block IPs of my DNS-based lists?:

    Automatically?

    That's the feature we're waiting on you to develop.

  • pfBlokerNG 2.2.5_26 on pfsense 2.5.0-DEVELOPMENT

    3
    0 Votes
    3 Posts
    289 Views
    W

    @BBcan177

    Thanks for your help. The error was resolved.

  • Youtube redesign - and the ads are back

    3
    0 Votes
    3 Posts
    567 Views
    R

    I'm using Safari.
    At least, to view Youtube.

    I'll try to block outbound DNS not using the resolver on pfSense and disable DoH on Firefox.

  • Issues using DNSBL and IP to block domains

    26
    0 Votes
    26 Posts
    3k Views
    R

    @BBcan177
    I see. I was hoping there would be a way that I was just ignorant of. Thank you for taking the time to review this.

    If anyone else has a suggestion beyond manually resolving these domains externally and manually updating the lists, please let us know!

  • DNSBL modify default bloked webpage

    45
    1 Votes
    45 Posts
    22k Views
    BBcan177B

    @ryanca said in DNSBL modify default bloked webpage:

    Thanks, but I would rather go back to the old way with the (GIF Image, 1 × 1 pixels). Could I just upload that gif image to the /usr/local/www/pfblockerng/www/ folder and delete the default html files in there? Or do I need to do something else?

    Copy the default page and create a new one with your modifications. Then select the new page in the DNSBL Tab.

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.