Netgate Discussion Forum

    No IP block list using pfblockerng

    pfBlockerNG
    7 Posts 2 Posters 970 Views
    • A
      asadz
      last edited by asadz

      I'm on pfSense version 22.05-RELEASE (amd64), and pfBlockerNG, according to System -> Package Manager -> Available Packages, is 3.1.0_8.

      I'm getting logs under the report as "unified" or "alerts" or "dnsbl" but there are no ip_block entries.

      Also, note I had to create the ip_block file since none was present.

      Under Firewall->rules-

      I tested by manually entering the IP addresses seen on hover on the event. See screenshot: ip-pf.png

      I see the message as I open to "unable to upload", then when I go to Firewall -> pfBlockerNG -> Reports -> Alerts I see no alerts against the browsed IP. I also checked the patch using these steps:

      1. ssh into your pfSense
      2. Run vi /usr/local/pkg/pfblockerng/pfblockerng.inc
      3. Search for $r = explode(')', $result, 2); and replace it with $r = explode(' ', $result, 2);
      4. Open Status → Services
      5. Hit restart on the pfb_filter service

      The explode code is not present in the .inc file, so I don't think the patch is valid for me.

      The output of pfblockerng shows as
      [ pfB_PRI1_v4 - Talos_BL_v4 ] Download FAIL

      Firewall and/or IDS (Legacy mode only) are not blocking download.

      ===[ Deny List IP Count=============
      16799 total
      13802 /var/db/pfblockerng/deny/CINS_army_v4.txt
      1481 /var/db/pfblockerng/deny/ET_Block_v4.txt
      649 /var/db/pfblockerng/deny/Talos_BL_v4.txt
      580 /var/db/pfblockerng/deny/ET_Comp_v4.txt
      153 /var/db/pfblockerng/deny/Abuse_Feodo_C2_v4.txt
      59 /var/db/pfblockerng/deny/Spamhaus_eDrop_v4.txt
      40 /var/db/pfblockerng/deny/Abuse_SSLBL_v4.txt
      19 /var/db/pfblockerng/deny/ISC_Block_v4.txt
      14 /var/db/pfblockerng/deny/FireHOLLevel1_v4.txt
      1 /var/db/pfblockerng/deny/Spamhaus_Drop_v4.txt
      1 /var/db/pfblockerng/deny/FireHOLLevel2_v4.txt

      Further, under Firewall -> pfBlockerNG -> Alerts, under Block, I get

      "Found 0 Alert Entries - Insufficient Alerts found."

      • NollipfSenseN
        NollipfSense @asadz
        last edited by

        @asadz You will need to go to: Status > System Logs > Firewall to see the blocked IP...that's where pfBlockerNg tells the firewall to log it.

        pfSense+ 23.09 Lenovo Thinkcentre M93P SFF Quadcore i7 dual Raid-ZFS 128GB-SSD 32GB-RAM PCI-Intel i350-t4 NIC, -Intel QAT 8950.
        pfSense+ 23.09 VM-Proxmox, Dell Precision Xeon-W2155 Nvme 500GB-ZFS 128GB-RAM PCIe-Intel i350-t4, Intel QAT-8950, P-cloud.

        • A
          asadz @NollipfSense
          last edited by

          @nollipfsense Thanks, but no, I don't see any block events under the firewall logs. I always thought that ip_block is your file for pfBlockerNG block events. I can see block events under "unified logs", in red, which is strange.

          • A
            asadz @NollipfSense
            last edited by

            @nollipfsense
            I'm looking at
            Log/File Path: /var/log/pfblockerng/ip_block.log

            • A
              asadz @asadz
              last edited by

              @asadz IP BLOCKS.png

              As you can see, I can see the DNS blocks under "unified logs", but in the highlighted IP Block set there is no IP?

              • A
                asadz @asadz
                last edited by

                @asadz Also, I can see the IP present under
                /var/db/pfblockerng/deny/*, but why is it not shown in the IP block set?

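To confirm whether a browsed IP is actually covered by one of the feeds under /var/db/pfblockerng/deny/ (the question in the post above), this added example, which is not part of the thread and not pfBlockerNG's own code, reports every deny file whose entries contain the address, including CIDR ranges that a plain grep would miss. It assumes each file holds one IPv4 address or CIDR per line; the feed names and addresses in demo() are constructed.

```python
import glob
import ipaddress
import os
import tempfile

DENY_GLOB = "/var/db/pfblockerng/deny/*.txt"  # path pattern taken from the thread


def parse_entries(path):
    """Yield networks from one deny file (assumed: one address or CIDR per line)."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        for raw in fh:
            token = raw.split("#", 1)[0].strip()  # drop comments and whitespace
            if not token:
                continue
            try:
                yield ipaddress.ip_network(token, strict=False)
            except ValueError:
                continue  # skip anything that is not an address or CIDR


def feeds_covering(ip, pattern=DENY_GLOB):
    """Return {feed file name: [matching entries]} for every feed that lists ip."""
    addr = ipaddress.ip_address(ip)
    hits = {}
    for path in sorted(glob.glob(pattern)):
        matches = [str(net) for net in parse_entries(path)
                   if net.version == addr.version and addr in net]
        if matches:
            hits[os.path.basename(path)] = matches
    return hits


def demo():
    """Run the lookup against constructed sample feeds (documentation addresses)."""
    samples = {
        "Feed_A_v4.txt": "# constructed sample\n198.51.100.0/24\n203.0.113.7\n",
        "Feed_B_v4.txt": "192.0.2.0/25\nnot-an-ip\n",
    }
    with tempfile.TemporaryDirectory() as d:
        for name, body in samples.items():
            with open(os.path.join(d, name), "w", encoding="utf-8") as fh:
                fh.write(body)
        return {ip: feeds_covering(ip, os.path.join(d, "*.txt"))
                for ip in ("198.51.100.23", "203.0.113.7", "192.0.2.200")}


if __name__ == "__main__":
    for ip, hits in demo().items():
        print(ip, "->", hits or "not in any feed")
```

On the firewall itself, call feeds_covering("<address>") with the default pattern to see which feed, if any, should be producing the block.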
                • NollipfSenseN
                  NollipfSense @asadz
                  last edited by

                  @asadz If you click on the Info button, see arrow, it should show the IP you were trying to go to. You don't need to mask your LAN address as no one can get to it.

                  Screenshot 2022-12-14 at 1.19.40 PM.png

                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.