pfBlockerNG

• 

  pfBlockerNG-devel v2.2.5_18
  • BBcan177

  20
  5
  Votes
  20
  Posts
  1711
  Views

  S

  @bbcan177 If I have multiple Vlans configured and I want different rules for different Vlans, How do I do it? How do I create aliases using DNS blacklist atleast via pfblockerNG?
• N

  Bypassing DNSBL for specific IPs
  • Ns8h

  5
  0
  Votes
  5
  Posts
  2383
  Views

  H

  Revisiting this thread as I needed to exclude my Roku devices on my network as they need to reach ad sites for the news feeds to work. (sucks) Getting it to work has raised some questions that maybe others can chime in on and maybe my configuration / findings may help others. I am using Cloudflares DNS over TLS hence the forward-zone configuration. In addition I run a Plex server at home and need to define the private-domain to allow internal resolution to a private IP address. I have three Roku devices that use the "bypass" view Everything else on my three network segments uses DNSBL to block ads. I have native IPv6 and hence need to add access control as some hosts use IPv6 for DNS transport. There are a number of host overrides configured to resolve private IP addresses and hidden hosts from the internal Intranet and not use the public IP addresses resolved by my external NS. Example of my custom options: - server: private-domain: "plex.direct" access-control-view: 192.168.1.51/32 bypass access-control-view: 192.168.1.61/32 bypass access-control-view: 192.168.1.83/32 bypass access-control-view: 2601:abcd:abcd:abc0::/64 dnsbl access-control-view: 2601:abcd:abcd:abc1::/64 dnsbl access-control-view: 2601:abcd:abcd:abc2::/64 dnsbl access-control-view: 192.168.1.0/24 dnsbl access-control-view: 192.168.2.0/24 dnsbl access-control-view: 192.168.3.0/24 dnsbl rrset-roundrobin: yes forward-zone: name: "." forward-ssl-upstream: yes # Cloudflare DNS forward-addr: 1.1.1.1@853 forward-addr: 1.0.0.1@853 forward-addr: 2606:4700:4700::1111@853 forward-addr: 2606:4700:4700::1001@853 view: name: "bypass" view-first: yes #include: /var/unbound/host_entries.conf view: name: "dnsbl" view-first: yes include: /var/unbound/host_entries.conf include: /var/unbound/pfb_dnsbl.*conf What I have found is if I use a 192.168.0.0/22 mask (CIDR) for the IPv4 subnets it does not work, I instead had to define each subnet with /24. Maybe a /16 would have worked? Same problem with IPv6. (note, the examples mask my real IPv6 prefix), I had to define multiple /64's as a single /62 did not work. The dnsbl view needed to have include: /var/unbound/host_entries.conf otherwise the host overrides did not resolve. For some reason however that was not required for the bypass view, which seems to operate quite happily without the include: hence it is commented out. Not what I expected. I also, had a number of issues, that I did not continue confirming exactly the behavior, when trying to format for readability the custom options by indenting some lines using spaces. This caused it to fail. so no leading spaces on any line. :-) unbound "view" is not very well documented, but does provide some potential for client specific workarounds that I've needed every now and then. Debug seems limited in the log files regarding matching of access-control-view and which view is being used. Maybe I had too much verbosity enabled and message were deep and I missed them? With multiple hosts for testing and having dig/nslookup forced to use IPv4 or IPv6 I was able to finally reproduce what I believe is a working config. Albeit with some configuration options that I don't fully understand why they work how they do. Will see how it goes . . . . If anyone can comment on the subnet masks and the include:
• 

  Support pfBlockerNG development!
  • ivor

  3
  2
  Votes
  3
  Posts
  2892
  Views

  A

  I can not wait to see how he is going to do the mass import for IP4 and DNSBL, I hope its just a simple text doc you can just upload just like you would a backup file on Ublock extension. Looking forward to it. I may have to get some more Ram lol only got 8 gig and I bet doing mass list imports will hit the Ram hard. Great work hope it's coming along well ;) Great job.
• K

  Thanks BBCAN177 !
  • Koent

  5
  0
  Votes
  5
  Posts
  2286
  Views

  S

  As pointed out to me in another post. https://forum.pfsense.org/index.php?topic=139634.0
• 

  PfBlockerNG v2.1 w/TLD
  • BBcan177

  122
  0
  Votes
  122
  Posts
  49812
  Views

  H

  I'm having problems with iOS 11.3 BETA. It seems that safari can't go to 0.0.0.0 and pages can't load. Solution was to reinstall package and use the VIP address, as I was using the certificate hack and 0.0.0.0.
• 

  PfBlockerNG v2.0 w/DNSBL
  • BBcan177

  1066
  0
  Votes
  1066
  Posts
  420416
  Views

  I

  @bbcan177 said in PfBlockerNG v2.0 w/DNSBL: @ibbetsion said in PfBlockerNG v2.0 w/DNSBL: I'm looking to get started with PfBlockerNG but am confused as to which version I should get started with, the "dev" version or the stable one? Any pointers on differences between the two will be immensely helpful. https://forum.netgate.com/topic/135708/is-pfblockerng-devel-stable Thank you.
• W

  PfBlockerNG
  • wbennett77

  1189
  0
  Votes
  1189
  Posts
  402557
  Views

  

  @BrettC: Hi, one thing i am noticing with pfBlockerNG is that it may be missing an end-double quote on its shell commands? No the quote is used in the grep command to find an exact match starting with the first quotation mark in the line…  The 502 error is being worked on...  The upcoming release doesn't seem to be affected by this and will hopefully be released shortly... Stay tuned!
• 

  What is the proper way to allow Geo access to specific country?
  • chudak

  14
  0
  Votes
  14
  Posts
  223
  Views

  

  It's not just a pfsense thing, but security 101 practice of least privilege. Sure if you could lock down to specific source IP sure.. But you have no idea where your going to be right... Why are you making it more difficult for yourself.. If you know your going to be traveling.. If your really paranoid you could lock down your vpn access to only the countries your going to be in.. But what happens when whatever network your connected to while traveling has their geoip stuff messed up in the databases.. And now you can not vpn in? Openvpn when correctly configured is more than secure enough to just leave it open to the world.. I don't even travel and have mine wide open. Just not worth the hassle to lock it down to source IP for my use.. You never know where there is going to be mixup in the geoip stuff... Shoot one our IP blocks out of parent /16 was being listed as being in Vietnam for gosh sakes... I tried for months to get it fixed - and to be honest still think its wrong... But since we shutdown that connection anyway not worth messing with any more.. I submitted the correct to maxmind multiple times - and they only update it like the 2nd tuesday of the month.. So by time you didn't notice it didn't update, now you have to wait another month after submitting to see if corrected..
• Q

  Download Fail
  • Qinn

  1
  0
  Votes
  1
  Posts
  19
  Views

  No one has replied

• J

  Suppress IP still being blocked
  • jeffhammett

  4
  0
  Votes
  4
  Posts
  931
  Views

  B

  Yeah, due to my blocked Server (as Portforwarding inbound within the 10.0.0.0 /8) Range I just switched to Alias Deny to getting able to Suppress this /32 and it worked. On first Testings the Server responds and a page is being delivered. If you read this in the future: Native Alias works good. As I have seen Deny Alias works better. I just didn't had to set my Suppress up (List is empty, just checked it!) I only can suggest that with the Deny Alias maybe pfBlockerNG recognizes / admits the Portforwarding as a higher Priority and lets the Traffic to that IP pass. I will just have to figure out if this happens only eg from my own Adresses or whether even Contacts from IPs within the defined Block Lists will also get passed / "ignored"... If anybody is aware of that case or knows an Answer I'd highly appreciate your effort here, as it saves many time seizing the Logs for denied Inbounds by each List. Edit: As I just saw that I did not mention that clearly... I was before using the Native Alias and just shortly switched to use the lists as a Deny Alias. The portforwarding did not work before as the lists were set to Native Alias.
• B

  [SOLVED] SEC-WAY | Rules for equal "Native Aliases"
  • BSA66

  1
  0
  Votes
  1
  Posts
  55
  Views

  No one has replied

• M

  Unable to re run wizard
  • mikeelawson

  5
  0
  Votes
  5
  Posts
  40
  Views

  M

  @grimson Sorted, thanks, have a nice Christmas, I am off to specsavers!
• 

  Group alert entries
  • TMiland

  1
  0
  Votes
  1
  Posts
  43
  Views

  No one has replied

• Y

  DNSBL Whitelist vs TLD Exclusion list?
  • yyz

  1
  0
  Votes
  1
  Posts
  49
  Views

  No one has replied

• D

  Alexa
  • dasanco

  1
  0
  Votes
  1
  Posts
  43
  Views

  No one has replied

• Z

  Why is so difficult to block this specific website when using mobilephone's Chrome App?
  • Zist

  4
  0
  Votes
  4
  Posts
  86
  Views

  

  Didn't say you should or could, just telling you how chrome is prob getting around your blocks. Block the proxy network if you don't want your devices to use the google proxy to circumvent your blocks.
• B

  DNSBL is out of sync. Perform a Force Reload to correct.
  • bonedrums

  3
  0
  Votes
  3
  Posts
  81
  Views

  B

  @ronpfs Thanks for the reply. I JUST finished updating all of the packages I have and updating PFsense to the newest version. After restoring a fully working config from a few months ago and it seems to be working okay now.
• A

  Iblocklist How to add my IP Lists
  • anttechs

  14
  0
  Votes
  14
  Posts
  2307
  Views

  B

  That's an awesome List, thank you for sharing it @anttechs I was just surfing all the way up and down to find sth similar, here it is. Just amazing! Edit I really do not know if it should have had been mentioned here but on http://iplists.firehol.org/ there is a comparison of several free accessible Lists. As it surely needs a little "work-in" imo it got the option to provide a good overview over several lists and even how individual lists overlaps one with an other. I just found it shortly. As I see it might provide one with a nice and unique overview though it might even need some time to get even this. Anyway, I guess it might be a good addition for any searches.
• 

  User definable refresh time for IP lists
  • JeGr

  5
  0
  Votes
  5
  Posts
  122
  Views

  

  I don't have any dealings with unbound in my use case. I was just pointing out to @BBcan177 that work on DNSBL parts of pfBNG don't have happen on the same timetable/cronjob as IP-only based processing. I'd like to see pfSense-core have the ability to import IP lists via URL on a 2-5min interval but until that may or may not be happening, pfBNG is the next best thing to do that. Even our loadbalancer has the ability to include custom black and whitelists and refresh them every minute (configurable per list) and block those IPs from accessing the balanced-IP. But as I'd like to have IP processing on a central point - firewall that is - I'd love to see the ability come to pfSense or pfBNG so you have the ability for a quick-reaction list to take action without waiting an hour or more to refresh. BTW: Devel version already includes techniques for just "refreshing" instead of reloading unbound without cache-loss. But besides that I don't see a use for BIND anywhere in this thread ;) Greets, Jens
• 

  IPv6 Feeds won't show up in list
  • JeGr

  1
  0
  Votes
  1
  Posts
  40
  Views

  No one has replied

• 

  Abuse.ch Feed Notice
  • BBcan177

  2
  2
  Votes
  2
  Posts
  150
  Views

  

  If I checked correctly, the Feodo Feed has also changed: the two URLs (BadIPs / Block) no longer work as both point to a newly designed site. Also I can't find a BadIPs list anymore but the IP-Block should now be this URL https://feodotracker.abuse.ch/downloads/ipblocklist.txt Greets Jens
• V

  white list to domains amazonaws.com
  • varazir

  1
  0
  Votes
  1
  Posts
  38
  Views

  No one has replied

• Y

  Replace 1x1 with whitelist options?
  • yyz

  1
  0
  Votes
  1
  Posts
  38
  Views

  No one has replied

• Y

  CIDR Aggregation?
  • yyz

  1
  0
  Votes
  1
  Posts
  38
  Views

  No one has replied

• L

  Is there a quick way to query or determine which list contains a blocked IP or DNS entry?
  • lohphat

  3
  0
  Votes
  3
  Posts
  154
  Views

  

  Try this : grep "maxmind.com" /var/db/pfblockerng/dnsbl/*.txt /var/db/pfblockerng/dnsblorig/*.orig /var/unbound/pfb_dnsbl.conf /usr/local/pkg/pfblockerng/dnsbl_tld it provides some more info about pfblockerNG db.
• 

  PfBlockerNG and Plex port problems
  • chudak

  5
  0
  Votes
  5
  Posts
  953
  Views

  

  @tac57 I don't use Plex anymore, so no comments, sorry
• Y

  Custom blacklist for a hostname?
  • yyz

  3
  0
  Votes
  3
  Posts
  73
  Views

  Y

  @bbcan177 Sure enough indeed it is. Not sure if I would’ve spotted that. I Thank you very much and so does every iOS user in my household! iad.apple.com should be in everyone’s blacklist Indeed using -dev. Will the final version be called pfblocker(NG)^2 ?
• S

  Another feed "down" - www.malwaredomainlist.com
  • silentnomad

  2
  0
  Votes
  2
  Posts
  135
  Views

  

  Change the State to Flex
• R

  How allow (disable pfblocker) to my tivo vlan?
  • roveer

  3
  0
  Votes
  3
  Posts
  70
  Views

  R

  That must have felt good. Happy holidays.
• J

  Log Browser
  • JonH

  16
  0
  Votes
  16
  Posts
  445
  Views

  J

  @yyz said in Log Browser: Running safari 12.x on Mac 10.14.x (mojave). Cannot get any logs to appear, even when doing the "select again" trick. FWIW, latest OSX update did not fix it. And latest iOS update still allows multiple selection to work. But then you have a logfile that is frustratingly long to browse through on a little screen. I find it easier to load a VM and use either Windows or Linux to view these logs. Or to used Diagnostics menu->command prompt or Edit to browse the log. I've read comments at various sites that this Safari issue may be related to Ajax. I don't know if that is applicable to pfBlockerNG or not.
• 

  devel v2.2.5_19 - Feeds not added to 'DNSBL Feeds'
  • RyanM

  11
  1
  Votes
  11
  Posts
  226
  Views

  L

  @bbcan177 OK fresh reinstall of 2.2.5_19. The feeds are not listed. I have not applied the fix of creating a dummy list then removing it to make the real feeds appear. Both the IP and DNSBL UIs show no lists defined even though they're checked off in the Feeds section. If I do add the dummy list and remove it in each section, the lists appear correctly. Question 1 response: [2.4.4-RELEASE][admin@pfSense.localdomain]/root: grep "<config></config>" /conf/config.xml <config></config> <config></config> Question 2 response: [2.4.4-RELEASE][admin@pfSense.localdomain]/root: grep -A400 "<pfblockernglistsv4" /conf/config.xml <pfblockernglistsv4> <config></config> <config> <aliasname>PRI1</aliasname> <description><![CDATA[PRI1 - Collection of Feeds from the most reputable blocklist providers. (Primary tier)]]></description> <action>Deny_Both</action> <cron>01hour</cron> <dow>1</dow> <sort>sort</sort> <aliaslog>enabled</aliaslog> <stateremoval><![CDATA[enabled]]></stateremoval> <autoaddrnot_in></autoaddrnot_in> <autoports_in></autoports_in> <aliasports_in></aliasports_in> <autoaddr_in></autoaddr_in> <autonot_in></autonot_in> <aliasaddr_in></aliasaddr_in> <autoproto_in></autoproto_in> <agateway_in>default</agateway_in> <autoaddrnot_out></autoaddrnot_out> <autoports_out></autoports_out> <aliasports_out></aliasports_out> <autoaddr_out></autoaddr_out> <autonot_out></autonot_out> <aliasaddr_out></aliasaddr_out> <autoproto_out></autoproto_out> <agateway_out>default</agateway_out> <suppression_cidr>Disabled</suppression_cidr> <whois_convert></whois_convert> <custom></custom> <row> <format>auto</format> <state><![CDATA[Enabled]]></state> <url>https://sslbl.abuse.ch/blacklist/dyre_sslipblacklist.csv</url> <header>Abuse_DYRE</header> </row> <row> <format>auto</format> <state><![CDATA[Enabled]]></state> <url>https://ransomwaretracker.abuse.ch/downloads/RW_IPBL.txt</url> <header>Abuse_IPBL</header> </row> <row> <format>auto</format> <state><![CDATA[Enabled]]></state> <url>https://sslbl.abuse.ch/blacklist/sslipblacklist.csv</url> <header>Abuse_SSLBL</header> </row> <row> <format>auto</format> <state><![CDATA[Enabled]]></state> <url>https://zeustracker.abuse.ch/blocklist.php?download=badips</url> <header>Abuse_Zeus</header> </row> <row> <format>auto</format> <state><![CDATA[Enabled]]></state> <url>https://osint.bambenekconsulting.com/feeds/c2-ipmasterlist-high.txt</url> <header>BBC_C2</header> </row> <row> <format>auto</format> <state><![CDATA[Enabled]]></state> <url>https://cinsarmy.com/list/ci-badguys.txt</url> <header>CINS_army</header> </row> <row> <format>auto</format> <state><![CDATA[Enabled]]></state> <url>https://rules.emergingthreats.net/fwrules/emerging-Block-IPs.txt</url> <header>ET_Block</header> </row> <row> <format>auto</format> <state><![CDATA[Enabled]]></state> <url>https://rules.emergingthreats.net/blockrules/compromised-ips.txt</url> <header>ET_Comp</header> </row> <row> <format>auto</format> <state><![CDATA[Enabled]]></state> <url>https://feodotracker.abuse.ch/blocklist/?download=badips</url> <header>Feodo_BadIPs</header> </row> <row> <format>auto</format> <state><![CDATA[Enabled]]></state> <url>https://feodotracker.abuse.ch/blocklist/?download=ipblocklist</url> <header>Feodo_Block</header> </row> <row> <format>auto</format> <state><![CDATA[Enabled]]></state> <url>https://isc.sans.edu/api/sources/attacks/1000/30?text</url> <header>ISC_1000_30</header> </row> <row> <format>auto</format> <state><![CDATA[Enabled]]></state> <url>https://isc.sans.edu/feeds/block.txt</url> <header>ISC_Block</header> </row> <row> <format>auto</format> <state><![CDATA[Enabled]]></state> <url>https://pulsedive.com/premium?key=[key removed]&amp;types=ip</url> <header>Pulsedive</header> </row> <row> <format>auto</format> <state><![CDATA[Enabled]]></state> <url>https://www.spamhaus.org/drop/drop.txt</url> <header>Spamhaus_Drop</header> </row> <row> <format>auto</format> <state><![CDATA[Enabled]]></state> <url>https://www.spamhaus.org/drop/edrop.txt</url> <header>Spamhaus_eDrop</header> </row> <row> <format>auto</format> <state><![CDATA[Enabled]]></state> <url>https://www.talosintelligence.com/feeds/ip-filter.blf</url> <header>Talos_BL</header> </row> </config> </pfblockernglistsv4> Question 3 response: File attached.0_1544128781420_pkg_log_pfSense-pkg-pfBlockerNG-devel.txt
• 

  Unbound restarting more frequently?
  • RyanM

  8
  0
  Votes
  8
  Posts
  130
  Views

  

  Exact. Static ones are ok, they are known - and when the lease is renewed, DNS doesn't restart. Classic DHCP, if checked, will restart DNS. This is a known subject (I won't call it an issue, but if unbound has a lot of work to do at startup, like rowing through all these pfBlockerNG 's feeds files; and you have a 'light' system (processor, disk, whatever) then yes, it starts to take time).
• L

  Activated Feed group name missing
  • lohphat

  1
  0
  Votes
  1
  Posts
  45
  Views

  No one has replied

• J

  pfblocker defend rdp/rds brute force attacks
  • jogovogo

  5
  0
  Votes
  5
  Posts
  131
  Views

  

  Security through obscurity.. (if you believe that..) Use a different port number. That will keep some of it down.
• L

  Ram used
  • lcbbcl

  4
  0
  Votes
  4
  Posts
  133
  Views

  L

  @bbcan177 I am already using pfBlockerNG-devel, and i read yesterday about this bug with unbound reported after @RonpfS told me. Pfblocker is doing his job from what i saw,i was just curios about the ram behavior. Thanks both for the help .
• A

  Does it really matter????
  • anttechs

  3
  0
  Votes
  3
  Posts
  163
  Views

  A

  @ronpfs said in Does it really matter????: A SSD could improve processing, but a decent HD should be ok. Many thanks that's all I needed to know really. bless you, my friend, and have a happy xmass and new year ;)
• S

  PfBlockerNG 2.0 & BIND 9.4
  • simby

  6
  0
  Votes
  6
  Posts
  832
  Views

  G

  Won't this option work from my previous post: DNSBL is hardcoded to only use Unbound. However, you can still use Bind but would have to set Binds Outbound Forwarder to point to the pfSense Resolver so that DNSBL could be utilized. Sure, I've succesfully tried to use unbound as bind's forwarder to allow DNSBL. The downside of this solution is the poor dns performance and the overall complexity of the setup. The advantages of a setup using pfBlockerNG and bind are: an autoritative dns server to host local zones DNSBL features in place per view (which can be similiar as defining DNSBL per Interface) the functionalities from bind itsself few dependencies I found a very nice way to put all the zones from pfBlockerNG into bind using RPZ feature. (http://www.zytrax.com/books/dns/ch9/rpz.html) This way I've added ~300.000 blocklist zones into several views with very low memory footprint :) I'll update the script into my github repo.
• 

  pfBlockerNG-devel spamming php error keep current gateway
  • dragoangel

  4
  0
  Votes
  4
  Posts
  126
  Views

  

  @dragoangel I still don't see this related to the package. It sounds like something is incorrectly configured for the gateways... Check the pfblockerng.log, resolver.log, system.log for more clues to see if you can narrow it down. Best to post this question to the applicable Forum for more traction.
• E

  DNSBL alias
  • expert_az

  4
  0
  Votes
  4
  Posts
  123
  Views

  

  @expert_az https://forum.netgate.com/topic/129365/bypassing-dnsbl-for-specific-ips
• T

  Blocking Youtube Ads
  • thezfunk

  24
  0
  Votes
  24
  Posts
  3745
  Views

  T

  It looks like some people over on reddit might be onto something: https://www.reddit.com/r/pihole/comments/9w5swx/i_think_ive_managed_to_block_youtube_ads_with/