Creating My Own IP4 Deny List Within PFB
-
Yes, 'big' here would be a list of >10,000 subnets for example.
If you are dealing with, say, <1000 subnets then just use an alias in pfSense directly.
Side note; whilst not as powerful as Nano the Easy Editor
ee
is included in pfSense by default and is more than enough to edit a few txt files. Also it has almost zero learning curve!Steve
-
@stephenw10 @johnpoz @SteveITS
All good info, I know that I may be going about this the hard way but thats how I learn that is until my brain overloads and I need to take a twizzler and pepsi break or maybe something stronger like a skittles and red bull. Let me digest this and take some notes and summarize and see if I cant settle on a solution you think would work best. Thank you. -
@lpd7 said in Creating My Own IP4 Deny List Within PFB:
Hello all my apologies for the delay but I can only devote time in chunks, my family wont give me space to play unless its something they want to play. I have to remind myself where I left off but I did enter a bunch of TikTok ip addresses via the bulk import option but yet I can still access the web site, I am going to do a bit more digging to see if I cant locate more addresses to see if there are others that were missed. Since the kids are back to school my oldest is once again "playing silly buggers" so I have to find a way to clamp down or at the very least log with specific detail (url, duration, frequency, etc) what they are up to so we can decide on how best to address or ban the devices all together (now wouldnt that make me popular). I will regroup and see where I had left off (need to take notes) and go from there. Thanks for all of your help.
-
Something like Tiktok exists over many, many IP addresses. If I was attempting that I would first try using their AS number in an alias via pfBlocker. That usually blocks enough things to make it unusable even if not blocked entirely. Works quite well for Facebook and Netflix. I've never tried it for Tikok.
Steve
-
@stephenw10
Hey Stephen thanks for the recommend, I may give this a whirl. Now the question, how do I find the AS numbers? I did a search for TikTok AS routing and nothing came up, gonna have to do a bit more research. Would they be listed in an internet registry somewhere? Thanks. -
its right there built into pfblocker
But there prob way more than that - because I believe lots of it is hosted on other CDNs
-
Yup. Many, many IPs!
But that's usually enough to break it sufficiently. -
@johnpoz
Thanks for that John. Just by way of education, how would I find all the numbers associated with a domain? I found https://ipinfo.io which had the AS# you mentioned and seems if I input an IP it will provide the AS# is there a way (hoping) where I can input the domain name and get a complete list? -
@stephenw10
So if I filter one or two AS's it should be enough to break it to the point where it becomes unusable? -
Yup, that has been my experience with other sites like Netflix and Facebook.
-
@lpd7 said in Creating My Own IP4 Deny List Within PFB:
find all the numbers associated with a domain?
Can entail some detective work to be sure. For example you have www.domain.com, while easy enough to look up that IP.. And from that IP get the ASN that IP is part of, so any other IPs in that ASN.
But what if this company using domain.com also hosts their backend stuff for their services of CDNnetwork, or OtherCompany, etc. etc..
So while you might be able to block some of their front end stuff they host on ASN1, but they could providing their whole software or system using ASN2, and ASNX, etc.
The more global and complex a system might be, the harder it can be to block or find all the possible IPblocks being used to host that system on a global scale. Don't forget IPv6 as well - that would be completely different ASNs
And don't forget if you start blocking CDNnetworkX ASN, you could end up blocking other stuff hosted there that you didn't want to block.
If it was me, I would just block on dns - don't allow clients to use external dns. Blocking doh can come with its own headaches, but easier than trying to block a huge list of IPs service might use, and some of these ip ranges these days quite often shared with other services you might not want to block.. Most everything these days is hosted of very large CDNs (content delivery network)..
Blocking those can be very problematic when comes to stuff you want to work, now not working.
Prob easier to just find the fqdn client is trying to access to get it to said service, and block those via dns.