Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Creating My Own IP4 Deny List Within PFB

    Scheduled Pinned Locked Moved General pfSense Questions
    24 Posts 4 Posters 2.3k Views 4 Watching
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • johnpozJ Offline
      johnpoz LAYER 8 Global Moderator @LPD7
      last edited by johnpoz

      @lpd7yeah if your using some non root account. Like I created a testuser and put them in the admin group, and this does not work. Permission denied, but that is because the permissions are locked to only root being able to access that.

      [22.05-RELEASE][testuser@sg4860.local.lan]/var/db/pfblockerng: ls -la
      total 124
      drwxr-xr-x  11 root  wheel      15 Aug 25 20:14 .
      drwxr-xr-x  21 root  wheel      45 Aug 25 18:53 ..
      drwxr-xr-x   2 root  wheel       2 Jul 25 08:03 ET
      drwxr-xr-x   2 root  wheel       3 Aug 25 15:16 deny
      drwxr-xr-x   2 root  wheel       2 Feb 14  2022 dnsbl
      drwxr-xr-x   2 root  wheel       2 Feb 14  2022 dnsblalias
      drwxr-xr-x   2 root  wheel       2 Feb 14  2022 dnsblorig
      -rw-r--r--   1 root  wheel   10001 Aug  4 22:00 geoip.txt
      -rw-r--r--   1 root  wheel  143360 Aug 25 20:14 ip_cache.sqlite
      -rw-r--r--   1 root  wheel       0 Jul 25 08:03 mastercat
      -rw-r--r--   1 root  wheel       0 Jul 25 08:03 masterfile
      drwxr-xr-x   2 root  wheel       2 Feb 14  2022 match
      drwxr-xr-x   2 root  wheel      10 Aug 25 15:00 native
      drwxr-xr-x   2 root  wheel      10 Aug 25 15:00 original
      drwxr-xr-x   2 root  wheel       2 Feb 14  2022 permit
      [22.05-RELEASE][testuser@sg4860.local.lan]/var/db/pfblockerng: 
      

      If you had installed the sudo package you should be able to allow your other user to su up to root.. And then you could do it.

      [22.05-RELEASE][testuser@sg4860.local.lan]/var/db/pfblockerng: sudo su
      
      We trust you have received the usual lecture from the local System
      Administrator. It usually boils down to these three things:
      
          #1) Respect the privacy of others.
          #2) Think before you type.
          #3) With great power comes great responsibility.
      
      Password:
      # ls -la
      total 247
      drwxr-xr-x  11 root  wheel      15 Aug 25 20:14 .
      drwxr-xr-x  21 root  wheel      45 Aug 25 18:53 ..
      drwxr-xr-x   2 root  wheel       2 Jul 25 08:03 ET
      drwxr-xr-x   2 root  wheel       3 Aug 25 15:16 deny
      drwxr-xr-x   2 root  wheel       2 Feb 14  2022 dnsbl
      drwxr-xr-x   2 root  wheel       2 Feb 14  2022 dnsblalias
      drwxr-xr-x   2 root  wheel       2 Feb 14  2022 dnsblorig
      -rw-r--r--   1 root  wheel   10001 Aug  4 22:00 geoip.txt
      -rw-r--r--   1 root  wheel  143360 Aug 25 20:14 ip_cache.sqlite
      -rw-r--r--   1 root  wheel       0 Jul 25 08:03 mastercat
      -rw-r--r--   1 root  wheel       0 Jul 25 08:03 masterfile
      drwxr-xr-x   2 root  wheel       2 Feb 14  2022 match
      drwxr-xr-x   2 root  wheel      10 Aug 25 15:00 native
      drwxr-xr-x   2 root  wheel      10 Aug 25 15:00 original
      drwxr-xr-x   2 root  wheel       2 Feb 14  2022 permit
      # cd deny
      # whoami
      root
      # touch newfile.txt
      # ls -la
      total 20
      drwxr-xr-x   2 root  wheel   4 Aug 25 21:12 .
      drwxr-xr-x  11 root  wheel  15 Aug 25 20:14 ..
      -rw-r--r--   1 root  wheel   0 Aug 25 15:16 myipblocklist.txt
      -rw-r--r--   1 root  wheel   0 Aug 25 21:12 newfile.txt
      # 
      

      .I will need to deny individual ip's as well as whole networks, does that throw a wrench into my plans?

      It would for the way to block domains with unbound options, either directly or loaded by file in the custom options box in unbound. This would only work for actual domains to be prevented from being looked up.

      An intelligent man is sometimes forced to be drunk to spend time with his fools
      If you get confused: Listen to the Music Play
      Please don't Chat/PM me for help, unless mod related
      SG-4860 25.07 | Lab VMs 2.8, 25.07

      LPD7L 1 Reply Last reply Reply Quote 0
      • LPD7L Offline
        LPD7 @johnpoz
        last edited by

        @johnpoz
        You just id'd my next issue...Sudo is not available and I cant do apt-get or any update. I was trying to use nano to edit the txt file which is how I stumble upon this. Not sure why. I know I did this on my Ubuntu VM instances from the terminal but dont recall installing any packages on the FW outside of what PFS installed when I built it.

        How do i crack this nut?

        Thinking cap is on tonight.

        Intelligence is not a substitute for common sense.
        Intel i5-3427 * 1.80GHz * 8GB Memory * 100GB HDD
        Putting legacy equipment into service and out of landfills.

        S johnpozJ 2 Replies Last reply Reply Quote 0
        • S Offline
          SteveITS Rebel Alliance @LPD7
          last edited by

          @lpd7 you’re making it hard. :)

          Diagnostics/Edit file.

          System/Packages , install sudo package.

          pfSense is not Linux, and it isn’t designed to have lots of things installed on it.

          Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
          When upgrading, allow 10-15 minutes to reboot, or more depending on packages, and device or disk speed.
          Upvote 👍 helpful posts!

          1 Reply Last reply Reply Quote 0
          • johnpozJ Offline
            johnpoz LAYER 8 Global Moderator @LPD7
            last edited by

            @lpd7 @SteveITS is right I think your making this harder than it needs to be, and just install the sudo package via the gui

            pkg.jpg

            Also to the linux comment by Steve - while sure there is cmd line, and stuff you can do from that - generally speaking pfsense is meant to be fully managed by the gui. You should really never have to do anything directly from the cmd line.

            While you might be used to editing files directly on linux, conf files, and etc - with pfsense your meant to do it via the gui.

            Also nano can just be installed with pkg install nano

            I have it installed on mine, it is in the pfsense repo

            [22.05-RELEASE][admin@sg4860.local.lan]/root: pkg info nano
            nano-6.0
            Name           : nano
            Version        : 6.0
            Installed on   : Sat Jul  2 09:25:52 2022 CDT
            Origin         : editors/nano
            Architecture   : FreeBSD:12:amd64
            Prefix         : /usr/local
            Categories     : editors
            Licenses       : GPLv3
            Maintainer     : danilo@FreeBSD.org
            WWW            : http://www.nano-editor.org/
            Comment        : Nano's ANOther editor, an enhanced free Pico clone
            Options        :
                    DOCS           : off
                    EXAMPLES       : off
                    NLS            : on
            Shared Libs required:
                    libintl.so.8
            Annotations    :
                    FreeBSD_version: 1203506
                    build_timestamp: 2022-06-01T19:10:49+0000
                    built_by       : poudriere-git-3.3.99.20211130
                    port_checkout_unclean: no
                    port_git_hash  : 44b5542e32b4
                    ports_top_checkout_unclean: yes
                    ports_top_git_hash: eac3af4a7698
                    repo_type      : binary
                    repository     : pfSense
            Flat size      : 2.38MiB
            Description    :
            nano is a small, free and friendly editor which aims to replace
            Pico, the default editor included in the non-free Pine package.
            Rather than just copying Pico's look and feel, nano also implements
            some missing (or disabled by default) features in Pico, such as
            "search and replace" and "goto line number".
            
            WWW: http://www.nano-editor.org/
            [22.05-RELEASE][admin@sg4860.local.lan]/root: 
            

            If what your looking to do is block IPs and CIDRs - that is just much easier to do with the built in aliases to be honest via gui, you can load in a bunch if you have them already in some other file.

            import.jpg

            You can then just edit that added to it remove from it via the gui.

            An intelligent man is sometimes forced to be drunk to spend time with his fools
            If you get confused: Listen to the Music Play
            Please don't Chat/PM me for help, unless mod related
            SG-4860 25.07 | Lab VMs 2.8, 25.07

            1 Reply Last reply Reply Quote 0
            • stephenw10S Online
              stephenw10 Netgate Administrator
              last edited by

              Yes, 'big' here would be a list of >10,000 subnets for example.

              If you are dealing with, say, <1000 subnets then just use an alias in pfSense directly.

              Side note; whilst not as powerful as Nano the Easy Editor ee is included in pfSense by default and is more than enough to edit a few txt files. Also it has almost zero learning curve!

              Steve

              LPD7L 1 Reply Last reply Reply Quote 1
              • LPD7L Offline
                LPD7 @stephenw10
                last edited by LPD7

                @stephenw10 @johnpoz @SteveITS
                All good info, I know that I may be going about this the hard way but thats how I learn that is until my brain overloads and I need to take a twizzler and pepsi break or maybe something stronger like a skittles and red bull. Let me digest this and take some notes and summarize and see if I cant settle on a solution you think would work best. Thank you.

                Intelligence is not a substitute for common sense.
                Intel i5-3427 * 1.80GHz * 8GB Memory * 100GB HDD
                Putting legacy equipment into service and out of landfills.

                1 Reply Last reply Reply Quote 0
                • LPD7L Offline
                  LPD7
                  last edited by

                  @lpd7 said in Creating My Own IP4 Deny List Within PFB:

                  @stephenw10 @johnpoz @SteveITS

                  Hello all my apologies for the delay but I can only devote time in chunks, my family wont give me space to play unless its something they want to play. I have to remind myself where I left off but I did enter a bunch of TikTok ip addresses via the bulk import option but yet I can still access the web site, I am going to do a bit more digging to see if I cant locate more addresses to see if there are others that were missed. Since the kids are back to school my oldest is once again "playing silly buggers" so I have to find a way to clamp down or at the very least log with specific detail (url, duration, frequency, etc) what they are up to so we can decide on how best to address or ban the devices all together (now wouldnt that make me popular). I will regroup and see where I had left off (need to take notes) and go from there. Thanks for all of your help.

                  Intelligence is not a substitute for common sense.
                  Intel i5-3427 * 1.80GHz * 8GB Memory * 100GB HDD
                  Putting legacy equipment into service and out of landfills.

                  1 Reply Last reply Reply Quote 0
                  • stephenw10S Online
                    stephenw10 Netgate Administrator
                    last edited by

                    Something like Tiktok exists over many, many IP addresses. If I was attempting that I would first try using their AS number in an alias via pfBlocker. That usually blocks enough things to make it unusable even if not blocked entirely. Works quite well for Facebook and Netflix. I've never tried it for Tikok.

                    Steve

                    LPD7L 1 Reply Last reply Reply Quote 0
                    • LPD7L Offline
                      LPD7 @stephenw10
                      last edited by LPD7

                      @stephenw10
                      Hey Stephen thanks for the recommend, I may give this a whirl. Now the question, how do I find the AS numbers? I did a search for TikTok AS routing and nothing came up, gonna have to do a bit more research. Would they be listed in an internet registry somewhere? Thanks.

                      Intelligence is not a substitute for common sense.
                      Intel i5-3427 * 1.80GHz * 8GB Memory * 100GB HDD
                      Putting legacy equipment into service and out of landfills.

                      johnpozJ 1 Reply Last reply Reply Quote 0
                      • johnpozJ Offline
                        johnpoz LAYER 8 Global Moderator @LPD7
                        last edited by johnpoz

                        @lpd7

                        tiktok.jpg

                        its right there built into pfblocker

                        But there prob way more than that - because I believe lots of it is hosted on other CDNs

                        An intelligent man is sometimes forced to be drunk to spend time with his fools
                        If you get confused: Listen to the Music Play
                        Please don't Chat/PM me for help, unless mod related
                        SG-4860 25.07 | Lab VMs 2.8, 25.07

                        LPD7L 1 Reply Last reply Reply Quote 0
                        • stephenw10S Online
                          stephenw10 Netgate Administrator
                          last edited by

                          Yup. Many, many IPs!
                          But that's usually enough to break it sufficiently. 😉

                          LPD7L 1 Reply Last reply Reply Quote 0
                          • LPD7L Offline
                            LPD7 @johnpoz
                            last edited by

                            @johnpoz
                            Thanks for that John. Just by way of education, how would I find all the numbers associated with a domain? I found https://ipinfo.io which had the AS# you mentioned and seems if I input an IP it will provide the AS# is there a way (hoping) where I can input the domain name and get a complete list?

                            Intelligence is not a substitute for common sense.
                            Intel i5-3427 * 1.80GHz * 8GB Memory * 100GB HDD
                            Putting legacy equipment into service and out of landfills.

                            johnpozJ 1 Reply Last reply Reply Quote 0
                            • LPD7L Offline
                              LPD7 @stephenw10
                              last edited by

                              @stephenw10
                              So if I filter one or two AS's it should be enough to break it to the point where it becomes unusable?

                              Intelligence is not a substitute for common sense.
                              Intel i5-3427 * 1.80GHz * 8GB Memory * 100GB HDD
                              Putting legacy equipment into service and out of landfills.

                              1 Reply Last reply Reply Quote 0
                              • stephenw10S Online
                                stephenw10 Netgate Administrator
                                last edited by

                                Yup, that has been my experience with other sites like Netflix and Facebook.

                                1 Reply Last reply Reply Quote 0
                                • johnpozJ Offline
                                  johnpoz LAYER 8 Global Moderator @LPD7
                                  last edited by johnpoz

                                  @lpd7 said in Creating My Own IP4 Deny List Within PFB:

                                  find all the numbers associated with a domain?

                                  Can entail some detective work to be sure. For example you have www.domain.com, while easy enough to look up that IP.. And from that IP get the ASN that IP is part of, so any other IPs in that ASN.

                                  But what if this company using domain.com also hosts their backend stuff for their services of CDNnetwork, or OtherCompany, etc. etc..

                                  So while you might be able to block some of their front end stuff they host on ASN1, but they could providing their whole software or system using ASN2, and ASNX, etc.

                                  The more global and complex a system might be, the harder it can be to block or find all the possible IPblocks being used to host that system on a global scale. Don't forget IPv6 as well - that would be completely different ASNs

                                  And don't forget if you start blocking CDNnetworkX ASN, you could end up blocking other stuff hosted there that you didn't want to block.

                                  If it was me, I would just block on dns - don't allow clients to use external dns. Blocking doh can come with its own headaches, but easier than trying to block a huge list of IPs service might use, and some of these ip ranges these days quite often shared with other services you might not want to block.. Most everything these days is hosted of very large CDNs (content delivery network)..

                                  Blocking those can be very problematic when comes to stuff you want to work, now not working.

                                  Prob easier to just find the fqdn client is trying to access to get it to said service, and block those via dns.

                                  An intelligent man is sometimes forced to be drunk to spend time with his fools
                                  If you get confused: Listen to the Music Play
                                  Please don't Chat/PM me for help, unless mod related
                                  SG-4860 25.07 | Lab VMs 2.8, 25.07

                                  1 Reply Last reply Reply Quote 0
                                  • First post
                                    Last post
                                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.