pfBlockerNG

• B

  Pfblockerng suddenly starts associating lists to rules incorrectly
  • bbrendon

  17
  0
  Votes
  17
  Posts
  3227
  Views

  B

  In this case I wasn't concerned about the sigma list because I thought you meant by being unreliable it generated false positives, not corruption. We proved it wasn't the IPs in the list that were the problem, so I dismissed sigmalist as the problem. I didn't expect corruption to join the party. I guess it's good you discovered it because this could potentially happen with any other list, not just sigma. That was very good sleuthing! When I extracted the file on windows the smallest network in the list was a /10. Can I add a bug/feature report somewhere to add corruption checking on compressed lists? The country file is in the alias native so I can customize the order. see image i sent you. I''m assuming this is okay. EDIT: What about the sigma block showing up as a goodCountries alias in the log? Is this resolved because of the corruption or is this caused because of the way I'm using aliases? (or is there a 3rd option?) EDIT2: I couldn't stand that /3 got by me so I re-added them to pfSense and you're right. (should I be surprised I got a different result on windows?) . Wish I sorted by network size to begin with! EDIT3: Dug in some more to see whats up with the Alerts tab. I'm not sure how this works but based on how slow the page loads, I'm guessing that the block list information isn't stored in a logfile but instead the blocked IP is matched to a list dynamically so depending on how that works, I'm guessing a corrupt list could cause the log to malfunction. It seems to be working fine as of now. I looked through a few pages and looks like I would expect. https://s3.amazonaws.com/uploads.hipchat.com/9809/24877/2tOJuorc3rqUbcv/upload.png
• P

  PfBlockerNG DNSBL Virtual IP breaks the firewall rules (! Lan net)
  • pfcode

  9
  0
  Votes
  9
  Posts
  2664
  Views

  P

  I'm sorry to make you not happy. I'm here just want a fix, not a workaround: Is 192.168.1.100 a part of LAN net?  YES Is my firewall rule defined wrong:  Allowing OPT access all interfaces except LAN?  NO Should 192.168.1.100 be blocked by the rule:  YES, BUT its not blocking anymore. Again, I'm sorry made you feel so angry.  but thats the issue I'm having.  The rule was working perfectly until I installed your package, so of course, I need to ask you about this first,  if you think its not your package issue, then I will ask pfSense teams.
• B

  Pfblockerng
  • bertobass

  6
  0
  Votes
  6
  Posts
  1360
  Views

  

  Nothing strange there. Would you mind posting a screenshot of the pfBlockerNG dashboard widget. Edit: I forgot that you posted the widget before. I don't see any issues with what your posting. Have you tried a reboot or a filter reload?  You are also on pfSense  v2.04, maybe update to 2.2.6?
• A

  PFblockerNG whitelist LAN IP
  • Abhishek

  2
  0
  Votes
  2
  Posts
  1274
  Views

  F

  Go to pfBlockerNG \ DNSBL then scroll down to the very bottom and add www.googleadservices.com then save, switch to the Update tab and force a reload.
• A

  PFBlockerNG , DNSBL, XMLRPC & VIP
  • aniodon

  1
  0
  Votes
  1
  Posts
  657
  Views

  No one has replied

• D

  PfBlockerNG manual updates
  • danielchevalier

  2
  0
  Votes
  2
  Posts
  1438
  Views

  

  When you install the package, it downloads the latest MaxMind GeoIP files. Those are updated the first Tuesday of each month. You will need to download those files as required. In the General tab, click the checkbox to disable the cron download of the MaxMind files. MaxMind files are saved in:  /usr/pbi/pfblockerng-amd64/share/GeoIP    (amd64 or i386) (You will need to extract these files into that folder) http://geolite.maxmind.com/download/geoip/database/GeoLiteCountry/GeoIP.dat.gz http://geolite.maxmind.com/download/geoip/database/GeoIPv6.dat.gz http://geolite.maxmind.com/download/geoip/database/GeoIPv6.csv.gz http://geolite.maxmind.com/download/geoip/database/GeoIPCountryCSV.zip Followed by executing these two commands to convert the MaxMind files for pfBNG: php /usr/local/www/pfblockerng/pfblockerng.php gc php /usr/local/www/pfblockerng/pfblockerng.php uc In the IPv4/v6/DNSBL Feeds tabs, you can enter a local address in the "Source Fields". Hope that gets you started!
• K

  PfBlockerNG blocking Whatspp? (SOLVED)
  • killmasta93

  7
  0
  Votes
  7
  Posts
  4149
  Views

  K

  Hi pf3000, Thanks for the reply. So this is what i tried nothing makes sense anymore  :-\ Tried OpenDNS and it was working blocking the typical facebook then i went to navigate whatsapp.com also gets blocked but I connect my iphone immediately it connects to whatsapp. So failed miserably Then tried DNSBL when I did the Enable Domain/AS check it and added the list from the site you sent me and nothing :( but whats odd it shows that it gets blocked on the logs of the firewall I have no clue what is whatsapp servers doing. EDIT: BAM just blocked it it was using some IPs from amazon finally…. the whatsapp.txt has been updated I will keep it updated. I wonder how long until they update it :( http://www.mediafire.com/view/xnnzh0d00kbffpu/whatsapp.txt
• P

  [solved] pfblockerNG: what does the "permit both"-country-roule allow?
  • peter808

  6
  0
  Votes
  6
  Posts
  1489
  Views

  P

  ok. thanks for the confirmation, although I think that default behaviour (e.g. auto-creating of "wide-open"-NAT-roules) should be changed.
• R

  PfBlockerNG
  • repa

  7
  0
  Votes
  7
  Posts
  2158
  Views

  

  @repa: I think, we can't get this working with pfBlockerNG, right ? Yes
• K

  Help with setting pfSenseNG v2 DNSBL
  • kiekar

  4
  0
  Votes
  4
  Posts
  1570
  Views

  

  What browser are you using? Are you on a multi-subnet network? Ensure that you can ping and browse to the DNSBL VIP address.
• H

  PfBlockerNG v2 on an Alix
  • hda

  15
  0
  Votes
  15
  Posts
  3007
  Views

  H

  pfBNG 2.0.4 on 2.2.6. See extra.log Hmmm, when on .ro. (read-only) access to the filesystem seems a failure and when on .rw. it looks OK, but then dnsbl.log is reporting writing problems ? Besides in both cases I see double entries about download reports. So what is in general the supposed state (ro or rw) for using pfBNG ? extras.txt
• B

  [SOLVED] pfBlockerng sync and (occasional) LAN subnet blocks
  • bikefright

  5
  0
  Votes
  5
  Posts
  1865
  Views

  B

  Including some pfBlockerNG config screenshots              
• R

  IP Whitelisting in pfBlockerNG
  • rebytr

  4
  0
  Votes
  4
  Posts
  4704
  Views

  

  Yes, you can ignore those warning during a re-installation. During a re-install, all of the pfBlockerNG Aliases are removed and re-added at the end of the pkg installation. Since you manually added pfBlockerNG (alias) Firewall rules, there is a small window of time, where the pfBlockerNG alias does not exist, and you will get those warnings.  I don't have a workaround for that unfortunately.
• 

  PfBlockerNG iblocklist and Transmission
  • Soloam

  4
  0
  Votes
  4
  Posts
  1344
  Views

  H

  I was using premium for some time and in my experience it does not worth because free list from same provider blocks more than enough. Premium lists had maybe 4% blocked packages compering free ones. If you thing 4% is worth, well :) Cheers.
• 

  PfBlockerNG: Allowed memory size exhausted
  • Ruddimaster

  2
  0
  Votes
  2
  Posts
  1545
  Views

  

  Those are other issues are not related to your issue… How large is your pfSense Firewall log? Looks like that entry value is too large? Status: System Logs: Settings: GUI Log Entries to Display?
• H

  PfBlockerNG 2.0 DNSBL Log Browser
  • hda

  16
  0
  Votes
  16
  Posts
  5101
  Views

  H

  @doktornotor: There's a setting to limit the number of lines in the log file on the General tab… Ah thanks, I overlooked the variable. That 20000 will be about 5MB and 10% /var increase and then no problem for me. I'll check if/how it pans out.
• O

  PfBlockerNG US_v4 custom list shows 2.0.0.0/9
  • ovitemp

  6
  0
  Votes
  6
  Posts
  1389
  Views

  T

  lol Confirmed, and thanks for the Heads up on the path change :)
• F

  Pfblocker … is this normal after 3 hours of uptime
  • fantasypoo

  14
  0
  Votes
  14
  Posts
  7544
  Views

  T

  Thanks. Worked good… With all the PFSense boxes and WAN interfaces and firewall rules we use, I did it the lazy way :P I defined the alias as in this thread, then created a rule for each interface above the other rules that was a block if NOT the allowed Countries. Also kept it simple for troubleshooting.
• J

  Plea for pfBlockerNG Tutorial
  • joeplaysguitar

  3
  0
  Votes
  3
  Posts
  5522
  Views

  J

  @BBcan177: @The: What to do ? Create some floating rules (as i read in the Wiki) create some alias as you replied ? In v1.10 I added some additional text to the TOP20 tab to help with this issue. (See Note:) Instead of blocking the world, you can change all of the "Deny" rule(s) to be a single "Permit Inbound" Rule… For example: It seems like you want to allow South America only to hit your Zimbra mail server, follow the instructions below:    (  BTW: Big fan of Zimbra!!  ) Remove all of your existing Country Blocking Rules. Remove all of your existing "Pass" Firewall rules for Zimbra. You could also just disable these pass rules and keep them there as a backup, if pfBNG is disabled for any reason. Goto "South America" Country Tab. Select the IPv4/6 Countries that you want to allow access. List Action: "Permit Inbound" In "Advanced Inbound Firewall Rule Settings": * Enable the Custom Port checkbox Click the link "Click here to add/edit Aliases" and add a new pfSense Alias called "Mail_Ports" (Change the alias name to what ever you wish), and enter all of the Mail ports in the alias. * Enable Custom Destination checkbox Click the link "Click here to add/edit Aliases" and add a new pfSense Alias called "Mail_IPs" (Change the alias name to what ever you wish), and enter all of the Mail Destination IPs (ie: the 192.x.x.x address from your screenshot above) * Custom Protocol: Select "TCP/UDP" (Or as required) Hope that helps! This seems to be the pertinent post concerning setting up protection on my two open ports, but I am still not clear.  I was able to get the script to work, and it created 7 alias entries (IBlock, PRI1, PRI2, PRI3, SEC1, TOR, and MAIL).  In contrast to the above scenario where the firewall is already blocking unsolicited traffic to all ports, since my single port is open (via NAT under port forwarding) by default, would I set up the Advanced Inbound Firewall Rule to block everything except the US to that one port?  It seems that if I do the Permit Inbound as above, then I am already allowing traffic to the port in question, so I would need to deny all traffic except the US instead. Also, however I set it up, do I need to go in and do the same thing for each of the 7 alias/list entries created by the script? I'm going to assume that the port used by OpenVPN is inherently secure, since it is not treated as a regular open port. I apologize for my ignorance.  This is all very new to me, but I moved to pfsense after a fairly devastating hack into my server, and I want everything to be as secure as possible.
• R

  PfBlockerNG intermittent high CPU load
  • ret_t

  3
  0
  Votes
  3
  Posts
  1002
  Views

  

  pfBNG should only have load when it's cron process is executed, the Alerts Tab is viewed, or from the MaxMind GeoIP monthly update. Try running the "top" command and the "ps -aux or -wax" command to see some further details.
• S

  PfBlockerNG - disable from command line ?
  • sstretchh

  6
  0
  Votes
  6
  Posts
  2420
  Views

  D

  Nah, nothing that I'd know of…. pfctl -d disabled, pfctl -e re-enables. This would be done automagically anyway after a while. https://doc.pfsense.org/index.php/Locked_out_of_the_WebGUI#Remotely_Circumvent_Firewall_Lockout_by_Temporarily_Changing_the_Firewall_Rules
• B

  [pfBlockerNG] How to sync IPv4 FilterLists between CARP-Boxes
  • badger

  6
  0
  Votes
  6
  Posts
  1771
  Views

  J

  Well, I'm not sure what happened, I added a 3rd host to see if I could get that one to work and immediately after doing that, all 3 hosts sync'd successfully.
• V

  PFBlockerNG Log Parsing for syslog
  • vito

  5
  0
  Votes
  5
  Posts
  2181
  Views

  K

  hey vito for ELK server logs disable first all log capture by default and let pfblockerNG do all the log reporting. Then on Kibana (ELK) you will see the rule it will be filtering for ex: rule 85 is blocking all top IPv4 list while rule 92 is blocking youtube. see pictures hope this helps im working now on filtering the syslog (system logs for pfsense) but seems hopeless  :-[