network alias blocks more than defined
-
@nopanic said in network alias blocks more than defined:
cause I checked with whois and ipcalc which gives me the correct masks!
that doesn't mean you're not blocking more than what you want to block..
Whois can give a large block, but maybe the who you want to block is using just a portion of that.
Please post up your alias and the block you're seeing in the log for the IP.
You can export your alias, and then attach the file.
See my export of my rfc1918 alias as example.
If pfsense is blocking per a rule you have with alias of networks - then the IP is in there.. So either you have a wrong mask or you're blocking a larger network than what you want to block.
-
@johnpoz
okay
thanks, I attach the file.
@SteveITS yes, my own mailserver which is very secure. The IPs are blocked on firewall....
thanks!
Stefan
1_badguys_most_china_assholes.txt
-
@johnpoz in the attached file: china is beginning with inetnum in description
Thanks
Stefan
-
@nopanic and which specific IP is being blocked and logged that you feel is wrong?
-
@johnpoz ex. the mailinglist server of debian:
;; ANSWER SECTION:
bendel.debian.org. 600 IN A 82.195.75.100
thanks
Stefan
-
@nopanic that is in your log? that 82.195.75.100 IP - just because that is what the A record and dns shows - doesn't mean that is the IP that is actually sending email - please show the log where a specific IP was blocked.
there is no 82.x in that alias list you posted.
example: here are some IPs that were blocked by different rules I have with aliases
Also notice that not allowed rule is a ! rule, so the stuff it blocks would be IPs that are NOT listed in the alias/table
edit2: dude - this entry would block that
64.0.0.0/2
Which would be this huge range that 82.x falls into
64.0.0.0 - 127.255.255.255
That for sure can not be correct..
You also have a 128.0.0.0/2 which is also huge
128.0.0.0 - 191.255.255.255
I think something went wrong, why does the 64/2 show this for text?
64.0.0.0/2 inetnum: 58.56.0.0 - 58.59.127.255 netname:
These don't seem correct for sure
edit3: just a quick scan, and you have lots of them in there that are way too big for what the text says it should be blocking
27.115.0.0/17 inetnum: 27.115.5.0 - 27.115.5.7 netname:
that /17 would block all ips between 27.115.0.0 - 27.115.127.255, not just what the text says 27.115.5.0 - 27.115.5.7
edit4: another one that is just huge compared to the text
36.192.0.0/11 inetnum: 36.212.0.0 - 36.215.255.255 netname:
36.192/11 would block 36.192.0.0 - 36.223.255.255, not that 36.212-215 range. If you wanted to block 36.212 to 36.215 that would be a 36.212.0.0/14 mask, not a 36.192/11
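An added example, not part of any post in this thread: a small Python check that compares each alias CIDR with the whois inetnum range kept in its description and lists the CIDRs that would match that range exactly. The sample input is constructed from the three entries quoted above; the line format and the function names are assumptions.

```python
import ipaddress
import re

# Constructed sample input: the three alias entries quoted in the thread,
# in the assumed format "<CIDR> inetnum: <first> - <last> netname:".
ALIAS_TEXT = """\
64.0.0.0/2 inetnum: 58.56.0.0 - 58.59.127.255 netname:
27.115.0.0/17 inetnum: 27.115.5.0 - 27.115.5.7 netname:
36.192.0.0/11 inetnum: 36.212.0.0 - 36.215.255.255 netname:
"""

ENTRY_RE = re.compile(r"^(\S+)\s+inetnum:\s*(\S+)\s*-\s*(\S+)")


def audit_entry(line):
    """Compare one alias CIDR with the inetnum range in its description."""
    m = ENTRY_RE.match(line.strip())
    if m is None:
        return None  # no inetnum in the description, nothing to compare
    net = ipaddress.ip_network(m.group(1), strict=False)
    first = ipaddress.ip_address(m.group(2))
    last = ipaddress.ip_address(m.group(3))
    lo = max(int(first), int(net.network_address))
    hi = min(int(last), int(net.broadcast_address))
    overlap = max(0, hi - lo + 1)
    return {
        "cidr": str(net),
        "blocked": f"{net.network_address} - {net.broadcast_address}",
        "covers_inetnum": first in net and last in net,
        # addresses the rule blocks that are outside the whois range
        "extra_addresses": net.num_addresses - overlap,
        # smallest CIDR list that matches the whois range exactly
        "exact": [str(n) for n in ipaddress.summarize_address_range(first, last)],
    }


def audit(text):
    """Audit every line that carries an inetnum description."""
    return [r for r in map(audit_entry, text.splitlines()) if r is not None]


if __name__ == "__main__":
    for r in audit(ALIAS_TEXT):
        print(f"{r['cidr']:>16} blocks {r['blocked']}; "
              f"covers inetnum: {r['covers_inetnum']}; "
              f"extra: {r['extra_addresses']}; exact: {', '.join(r['exact'])}")
```

For the 64.0.0.0/2 entry the check also shows that the CIDR does not contain its own inetnum range at all.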
-
@johnpoz ahh okay thanks!!!
I attach the screenshot of the block:
-
I get the inetnum from whois. ipcalc deaggregates some nets so I have the same description ....
tia
Stefan
-
@nopanic 10.x.x.x is a private IP range...?
-
@nopanic you might want to start over - there is a lot of wrong stuff in there for sure
8.0.0.0/8 net 8 Alibaba Cloud
Not sure how that is Alibaba Cloud, the 8/8 is owned by multiple different companies.
NetRange: 8.0.0.0 - 8.8.3.255
CIDR: 8.0.0.0/13, 8.8.0.0/22
Organization: Level 3 Parent, LLC (LPL-141)
I show
inetnum: 8.128.0.0 - 8.159.255.255
netname: ALICLOUD
So you can not block 8/8 without blocking a whole bunch of stuff you prob don't want to block.
edit: If you are wanting to block whole countries, etc. you might want to look into pfblocker as someone else mentioned.. It allows you to create aliases based on countries - so you could block china and korea, etc. etc..
-
@nopanic however you're creating these netblocks - you're blocking way more than just the netblock of the bad guy.. I mean that 64.0.0.0/2 is a HUGE amount of addresses - HUGE!!
-
@johnpoz super!
you helped me a lot.
I will have a look at pfblocker and I check the alias again.
Thanks for help!
Stefan