Netgate Discussion Forum

network alias blocks more than defined

Firewalling
nopanic, Dec 27, 2024, 12:15 PM

    Hello all,

    I'm having a Chinese attack and want to stop them. I created a network alias and worked with the pfSense log, whois and ipcalc. Now I have about ~150 nets in my blacklist. But I'm no longer getting mails from the Debian mailing list, Ubuntu mailing list or Xing. Checking the log, it tells me that my blacklist is blocking.
    I searched multiple times but cannot find these nets in my blacklist.

    What's wrong? Is pfSense not working correctly here?
    Can I debug this?
    Can someone help?

    Tia
    Stefan

    johnpoz (Global Moderator) @nopanic, Dec 27, 2024, 3:12 PM

      @nopanic What IPs are being blocked exactly, and what nets are in your alias? If a rule that uses your alias is blocking, then clearly you have that network in your alias. You need to validate that you're using the correct masks for the networks you want to block.

      For example, you might have something like 192.168.0.0/23 vs a /24, and now a 192.168.1.x address would also be blocked, but you might not notice that in a visual scan of your alias networks.

      An intelligent man is sometimes forced to be drunk to spend time with his fools
      If you get confused: Listen to the Music Play
      Please don't Chat/PM me for help, unless mod related
      SG-4860 24.11 | Lab VMs 2.7.2, 24.11

      nopanic @johnpoz, Dec 27, 2024, 3:46 PM

        @johnpoz Thanks for your reply.

        Yes, you are correct. I'm sure that the masks are okay, because I checked with whois and ipcalc, which gives me the correct masks!
        I also had a look at higher masks; I had the same suspicion as you. But I cannot find such a net.

        Do I have to create a new alias and copy step by step from the old to the new one, checking whether it is running or not?
        Or are there other methods to debug this?

        thanks!
        Stefan

        SteveITS @nopanic, Dec 27, 2024, 3:47 PM

          @nopanic So you are hosting your own email server? I suggest:

          • use a third-party spam filtering service, and only allow the service's IPs to connect to your mail server

          or

          • use pfBlocker and enable block lists such as Spamhaus and other PRI feeds (the "top spammers" GeoIP list/page blocks entire countries; I suggest ignoring that part of the GUI)

          Pre-2.7.2/23.09: Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
          When upgrading, allow 10-15 minutes to restart, or more depending on packages and device speed.
          Upvote 👍 helpful posts!

          johnpoz (Global Moderator) @nopanic, Dec 27, 2024, 3:59 PM (edited 4:00 PM)

            @nopanic said in network alias blocks more than defined:

            > because I checked with whois and ipcalc which gives me the correct masks!

            That doesn't mean you're not blocking more than what you want to block.

            Whois can give a large block, but maybe the one you want to block is using just a portion of that.

            Please post up your alias and the block your seeing in the log for the IP.

            You can export your alias, and then attach the file.

            Attachment: rfc1918.txt

            See my export of my rfc1918 alias as an example.

            If pfSense is blocking per a rule you have with an alias of networks, then the IP is in there. So either you have a wrong mask or you're blocking a larger network than what you want to block.

            nopanic @johnpoz, Dec 27, 2024, 4:24 PM

              @johnpoz Okay, thanks. I attach the file.

              @SteveITS Yes, my own mail server, which is very secure. The IPs are blocked on the firewall....

              Thanks!
              Stefan

              Attachment: 1_badguys_most_china_assholes.txt

              nopanic @johnpoz, Dec 27, 2024, 4:29 PM

                @johnpoz In the attached file, China begins with "inetnum" in the description.

                Thanks Stefan

                johnpoz (Global Moderator) @nopanic, Dec 27, 2024, 4:35 PM

                  @nopanic And which specific IP is being blocked and logged that you feel is wrong?

                  nopanic @johnpoz, Dec 27, 2024, 4:37 PM

                    @johnpoz For example, the mailing list server of Debian:

                    ;; ANSWER SECTION:
                    bendel.debian.org. 600 IN A 82.195.75.100

                    thanks
                    Stefan

                    johnpoz (Global Moderator) @nopanic, Dec 27, 2024, 4:40 PM (edited 5:09 PM)

                      @nopanic That is in your log? That 82.195.75.100 IP? Just because that is what the A record and DNS shows doesn't mean that is the IP that is actually sending email. Please show the log where a specific IP was blocked.

                      There is no 82.x in that alias list you posted.

                      Example: here are some IPs that were blocked by different rules I have with aliases (screenshots attached).

                      Also notice that the "not allowed" rule is a ! rule, so the stuff it blocks would be IPs that are NOT listed in the alias/table.

                      edit2: dude - this entry would block that

                      64.0.0.0/2

                      Which would be this huge range that 82.x falls into
                      64.0.0.0 - 127.255.255.255

                      That for sure cannot be correct.

                      You also have a 128.0.0.0/2, which is also huge:
                      128.0.0.0 - 191.255.255.255

                      I think something went wrong. Why does the 64/2 show this for its text?

                      64.0.0.0/2 inetnum: 58.56.0.0 - 58.59.127.255 netname:

                      These don't seem correct for sure.

                      edit3: Just a quick scan, and you have lots of entries in there that are way too big for what the text says they should be blocking:

                      27.115.0.0/17 inetnum: 27.115.5.0 - 27.115.5.7 netname:

                      That /17 would block all IPs between 27.115.0.0 - 27.115.127.255, not just what the text says, 27.115.5.0 - 27.115.5.7.

                      edit4: Another one that is just huge compared to the text:

                      36.192.0.0/11 inetnum: 36.212.0.0 - 36.215.255.255 netname:

                      36.192/11 would block 36.192.0.0 - 36.223.255.255, not that 36.212-215 range. If you wanted to block 36.212 to 36.215, that would be a 36.212.0.0/14 mask, not a 36.192/11.

                        nopanic @johnpoz, Dec 27, 2024, 5:01 PM

                        @johnpoz Ahh, okay, thanks!!!

                        I attach the screenshot of the block.

                          nopanic @johnpoz, Dec 27, 2024, 5:13 PM

                          @johnpoz I get the inetnum from whois. ipcalc deaggregates some nets, so I have the same description on several entries....

                          tia
                          Stefan

                            SteveITS @nopanic, Dec 27, 2024, 5:19 PM

                            @nopanic 10.x.x.x is a private IP range...?

                              johnpoz (Global Moderator) @nopanic, Dec 27, 2024, 5:21 PM (edited 5:23 PM)

                              @nopanic You might want to start over; there is a lot of wrong stuff in there for sure.

                              8.0.0.0/8 net 8 Alibaba Cloud

                              Not sure how that is Alibaba Cloud; the 8/8 is owned by multiple different companies.

                              NetRange:       8.0.0.0 - 8.8.3.255
                              CIDR:           8.0.0.0/13, 8.8.0.0/22
                              Organization:   Level 3 Parent, LLC (LPL-141)
                              

                              I show

                              inetnum:        8.128.0.0 - 8.159.255.255
                              netname:        ALICLOUD
                              

                              So you cannot block 8/8 without blocking a whole bunch of stuff you probably don't want to block.

                              edit: If you want to block whole countries, etc., you might want to look into pfBlocker, as someone else mentioned. It allows you to create aliases based on countries, so you could block China and Korea, etc.

                                johnpoz (Global Moderator) @nopanic, Dec 27, 2024, 5:25 PM

                                @nopanic However you're creating these netblocks, you're blocking way more than just the netblock of the bad guy. I mean, that 64.0.0.0/2 is a HUGE amount of addresses. HUGE!!

                                  nopanic @johnpoz, Dec 27, 2024, 5:40 PM
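johnpoz's diagnosis in the posts above (the 64.0.0.0/2, 27.115.0.0/17 and 36.192.0.0/11 entries whose masks are far larger than the whois inetnum pasted next to them, and the 8.0.0.0/8 "Alibaba Cloud" line) comes down to one mechanical check: convert each inetnum range back to CIDR and compare it with the prefix that actually ended up in the alias, then ask which entry contains the address the firewall log shows. The Python script below is an added example, not code from this thread or from pfSense. The alias lines it parses are constructed to mirror the ones quoted in the thread; the 58.56.0.0/14 line is invented as a correct entry for contrast, and the "cidr inetnum: a - b netname:" description layout is assumed to be what the poster's export used.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample alias export (not the poster's real file). It reproduces
# the entries johnpoz quoted from it, the 8/8 line, and one invented entry
# whose mask matches its inetnum so the audit has a correct case to contrast.
ALIAS_EXPORT = """\
64.0.0.0/2 inetnum: 58.56.0.0 - 58.59.127.255 netname:
27.115.0.0/17 inetnum: 27.115.5.0 - 27.115.5.7 netname:
36.192.0.0/11 inetnum: 36.212.0.0 - 36.215.255.255 netname:
8.0.0.0/8 net 8 Alibaba Cloud
58.56.0.0/14 inetnum: 58.56.0.0 - 58.59.255.255 netname:
"""

# Assumed description layout: the whois inetnum line pasted verbatim.
INETNUM_RE = re.compile(r"inetnum:\s*(\S+)\s*-\s*(\S+)")


@dataclass
class Entry:
    network: ipaddress.IPv4Network
    description: str
    # (first, last) taken from the whois inetnum in the description, if any
    wanted: Optional[tuple]


def parse_alias(text: str) -> list:
    """Parse '<cidr> <description>' lines as exported from a pfSense network alias."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        cidr, _, desc = line.partition(" ")
        net = ipaddress.ip_network(cidr, strict=False)
        m = INETNUM_RE.search(desc)
        wanted = None
        if m:
            wanted = (ipaddress.ip_address(m.group(1)), ipaddress.ip_address(m.group(2)))
        entries.append(Entry(net, desc, wanted))
    return entries


def range_to_cidrs(first: str, last: str) -> list:
    """Smallest CIDR set covering exactly first..last (what ipcalc's deaggregate prints)."""
    return [str(n) for n in ipaddress.summarize_address_range(
        ipaddress.ip_address(first), ipaddress.ip_address(last))]


def audit(entries: list) -> list:
    """Compare each entry's prefix with the whois range carried in its own description."""
    findings = []
    for e in entries:
        f = {"cidr": str(e.network), "verdict": "no-range", "extra": 0, "correct": []}
        if e.wanted is not None:
            first, last = e.wanted
            f["correct"] = range_to_cidrs(str(first), str(last))
            net_first, net_last = e.network[0], e.network[-1]
            if net_first >= first and net_last <= last:
                f["verdict"] = "ok"           # the range itself, or one deaggregated piece of it
            elif first in e.network and last in e.network:
                f["verdict"] = "over-broad"   # prefix swallows the range plus a lot more
                f["extra"] = e.network.num_addresses - (int(last) - int(first) + 1)
            elif net_last < first or net_first > last:
                f["verdict"] = "disjoint"     # blocks nothing the description claims
            else:
                f["verdict"] = "partial"
        findings.append(f)
    return findings


def entries_blocking(entries: list, ip: str) -> list:
    """Which alias entries would make a block rule match this source address?"""
    addr = ipaddress.ip_address(ip)
    return [str(e.network) for e in entries if addr in e.network]


if __name__ == "__main__":
    entries = parse_alias(ALIAS_EXPORT)
    for f in audit(entries):
        print(f"{f['cidr']:<16} {f['verdict']:<11} extra={f['extra']:<9} should be {f['correct']}")
    # bendel.debian.org from the thread: which entry catches it?
    print("82.195.75.100 blocked by:", entries_blocking(entries, "82.195.75.100"))
```

Run against the sample, the 64.0.0.0/2 line is reported as disjoint from its own description (it blocks 82.195.75.100 while covering nothing of 58.56.0.0 - 58.59.127.255), 27.115.0.0/17 and 36.192.0.0/11 are over-broad with 27.115.5.0/29 and 36.212.0.0/14 as the prefixes that match their text, and the 8/8 line has no range to check against at all. The correct CIDR list for 58.56.0.0 - 58.59.127.255 comes back as three prefixes (/15, /16, /17), which is the "ipcalc deaggregates some nets so several entries share a description" situation the poster described: a whois range is not always a single CIDR, and picking the next larger power-of-two prefix instead of the deaggregated pieces is exactly how a /2 ends up in a block list. Since a pf table matches a source against every prefix it holds, one oversized entry silently blocks everything inside it regardless of how correct the other ~150 are.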

                                  @johnpoz Super!
                                  You helped me a lot. I will have a look at pfBlocker and I'll check the alias again.

                                  Thanks for help!
                                  Stefan

                                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.