PfBlocker
-
@ghm:
Try to Increase Firewall Maximum Table Entries in system -> advanced
increased to 1000000 and it happens still, in particular Reboot.
Oh, and blinkled stops working as a service and cannot be restarted when pfBlocker is activeRaise the limit to 1500000 or 2000000.
You may also have to raise the number of Firewall Maximum States -
@ghm:
How many lists/countries do you have applied?
only pfBlockerTopSpammers, rest is disabled. May be a startup issue though as it gets calmer later (about 3 mins after router's webIF is accessible).
Another thing I have noted is that blinkled can be started again (much) later, probably after the power LED gets released from its error blinking task.Can you get boot log from serial console?
-
Can you get boot log from serial console?
Not easily as last time I got scrambled readings even though I used a null modem cable and 9600 8n1. I suspect the gender changer I had to fiddle in or the cable. Need to buy other cable I guess.
Weird thing is that I never had this issue running Countryblock. Same system.
-
Raise the limit to 1500000 or 2000000.
You may also have to raise the number of Firewall Maximum States…but I have only a small block list enabled anyway and my states are south of 200/23000 when this happens.
-
@ghm:
Weird thing is that I never had this issue running Countryblock. Same system.
Disable all lists and try a reboot.
On nanobsd version somebody posted a error during boot on url tables.PfBlocker uses only native pfsense 2.0 functions to fill up aliases and create rules.
unfortunately i have no alix box to debug it. -
Anyone else having problems with lists?
For some reason when PFBlocker is bringing in a list from a text file, it's making up it's own entries. Using the list for qwest ISP
Here is a copy paste of my current text file:
Qwest:67.40.0.0-67.42.255.255 Qwest:155.70.0.0-155.70.255.255 Qwest:205.168.0.0-205.171.255.255 Qwest:204.147.80.0-204.147.95.255 Qwest:71.208.0.0-71.223.255.255 Qwest:208.44.0.0-208.47.255.255 Qwest:66.77.0.0-66.77.255.255 Qwest:216.206.0.0-216.207.255.255 Qwest:71.32.0.0-71.39.255.255 Qwest:206.81.192.0-206.81.223.255 Qwest:206.196.128.0-206.196.159.255 Qwest:63.224.0.0-63.231.255.255 Qwest:65.112.0.0-65.127.255.255 Qwest:63.144.0.0-63.151.255.255 Qwest:63.152.0.0-63.159.255.255 Qwest:63.232.0.0-63.239.255.255 Qwest:209.3.0.0-209.3.255.255 Qwest:209.45.128.0-209.45.255.255 Qwest:209.180.0.0-209.181.255.255 Qwest:209.201.0.0-209.201.127.255 Qwest:209.211.0.0-209.211.255.255 Qwest:216.111.0.0-216.111.255.255 Qwest:216.160.0.0-216.161.255.255 Qwest:207.108.0.0-207.109.255.255 Qwest:207.159.64.0-207.159.127.255 Qwest:207.224.0.0-207.225.255.255 Qwest:206.80.192.0-206.80.223.255 Qwest:205.215.192.0-205.215.223.255 Qwest:204.245.64.0-204.245.127.255 Qwest:204.131.0.0-204.134.255.255 Qwest:204.98.0.0-204.98.255.255 Qwest:204.26.64.0-204.26.127.255 Qwest:199.117.0.0-199.117.255.255 Qwest:198.36.128.0-198.36.255.255 Qwest:198.186.195.0-198.186.198.255 Qwest:198.233.0.0-198.233.255.255 Qwest:198.243.0.0-198.243.255.255 Qwest:192.104.175.0-192.104.180.255 Qwest:192.41.239.0-192.41.243.255 Qwest:168.103.0.0-168.103.255.255 Qwest:151.116.0.0-151.119.255.255 Qwest:150.159.0.0-150.159.255.255 Qwest:148.155.0.0-148.158.255.255 Qwest:144.163.0.0-144.163.255.255 Qwest:137.106.0.0-137.107.255.255 Qwest:130.13.0.0-130.13.255.255 Qwest:75.160.0.0-75.175.255.255 Qwest:72.164.0.0-72.166.255.255 Qwest:70.56.0.0-70.59.255.255 Qwest:68.176.0.0-68.177.255.255 Qwest:69.8.192.0-69.8.255.255 Qwest:67.0.0.0-67.7.255.255 Qwest:67.12.0.0-67.14.159.255 Qwest:67.128.0.0-67.135.255.255 Qwest:67.144.0.0-67.148.255.255 Qwest:66.86.0.0-66.86.255.255 Qwest:65.128.0.0-65.159.255.255 Qwest:65.100.0.0-65.103.255.255 Qwest:97.112.0.0-97.127.255.255 Qwest:174.16.0.0-174.31.255.255
Here is what PFBlocker sets for the table:
130.13.0.0/16 130.200.0.0/14 130.224.0.0/12 131.0.0.0/11 132.154.0.0/16 132.172.0.0/16 134.0.0.0/13 134.24.0.0/14 134.80.0.0/14 135.0.0.0/13 135.32.0.0/13 137.96.0.0/15 137.106.0.0/15 138.17.128.0/18 140.112.0.0/14 142.64.0.0/13 143.160.0.0/12 144.163.0.0/16 145.72.0.0/14 148.152.0.0/14 150.159.0.0/16 151.64.0.0/12 151.116.0.0/14 155.70.0.0/16 162.11.72.96/28 168.103.0.0/16 174.16.0.0/12 192.41.232.0/21 192.104.168.0/21 194.224.0.0/12 198.36.128.0/17 198.186.192.0/22 198.233.0.0/16 198.243.0.0/16 199.117.0.0/16 204.26.64.0/18 204.98.0.0/16 204.128.0.0/14 204.147.80.0/20 204.245.64.0/18 205.168.0.0/14 205.215.192.0/19 206.80.192.0/19 206.81.192.0/19 206.196.128.0/19 207.108.0.0/15 207.159.64.0/18 207.224.0.0/15 208.44.0.0/14 209.3.0.0/16 209.45.128.0/17 209.180.0.0/15 209.201.0.0/17 209.211.0.0/16 216.111.0.0/16 216.160.0.0/15 216.206.0.0/15 254.64.0.0/13 254.96.0.0/13 255.128.0.0/13 255.160.0.0/13
I've looked over the list a few times and can't find any typos. One of the ranges includes dell.com
143.160.0.0/12
No where is that defined in the list, but somehow it ends up in the table.
I took a small chunk of the file and it looks like PFBlocker isn't correctly pulling in any of the addresses with only 2 digits in them.
I'm not running 2.0 release yet… but I'm not sure if that would have anything to do with this.
-
I am getting this in the System Log. Any ideas?
php: : The command '/usr/local/pkg/pf/IP-Blocklist.sh start' returned exit code '2', the output was 'not running root: IP-Blocklist was found not running 0 table deleted. 0 table deleted. rm: /tmp/rules.debug.tmp: No such file or directory /usr/local/pkg/pf/IP-Blocklist.sh: cannot create /usr/local/www/packages/ipblocklist /errorOUT.txt: No such file or directory rm: /tmp/rules.debug.tmp: No such file or directory 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 cat: /usr/local/www/packages/ipblocklist/interfaces.txt: No such file or directory 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 rm: /usr/local/www/pac
-
Bman2121,
When you pass a range, pfBlocker will find a CIDR that matches it.
I saw in your list a realy large range( > /16).
Change this list to a CIDR format and see what happens. -
hankjrfan00,
It's related to ip-blocklist package.
If you had removed it, maybe you need to delete this remaining script.'/usr/local/pkg/pf/IP-Blocklist.sh start'
Also look for ipblocklist scripts in /usr/local/etc/rc.d
-
hankjrfan00,
It's related to ip-blocklist package.
If you had removed it, maybe you need to delete this remaining script.'/usr/local/pkg/pf/IP-Blocklist.sh start'
Also look for ipblocklist scripts in /usr/local/etc/rc.d
Thanks! Removing '/usr/local/pkg/pf/IP-Blocklist.sh' seems to have fixed the problem!
-
Ran into problems today, rules were not applied correctly … anyhow.
I removed pfblocker for my test, but the tables were still there.
The widget was also complaining
I removed /var/db/aliastables/pfBblocker* but I can still see them in Diagnositic: Table !How to remove them?
So I reinstalled pfBlocker, create a table with the same name, with no list, nothing happenned.
I added a list, the table was recreated ... fine ;o)
I I renamed it to the second table, table is renamed ok.
Now I delete the table ... nothing happens, table still present
I disabled pfBlocker, all the tables were gone :D
I enabled pfBlocker, the old tables were finaly gone.So I created another table, I deleted it but the table remain available until your click Save in Firewall: pfBlocker: General
Do we need a Save or Apply changes button under Firewall: pfBlocker: Lists? -
How/where could I apply a pfBlocker list to filter inbound traffic on a NAT-PMP port created by miniupnpd?
-
How/where could I apply a pfBlocker list to filter inbound traffic on a NAT-PMP port created by miniupnpd?
Try first on floating rules and go testing access with tcpdump on console.
-
Found a few good pfBlocker compatible blocklists:
I am specifically worried about Malware.
formats: txt
Known AD server IPs:
http://pgl.yoyo.org/adservers/iplist.php?ipformat=peerblock&showintro=0&mimetype=plaintext
Main page: http://pgl.yoyo.org/adservers/Malcode (anti-malware):
http://malc0de.com/bl/IP_Blacklist.txtAMaDa C&C IP Blocklist:
http://amada.abuse.ch/blocklist.php?download=ipblocklistabuse.ch ZeuS IP blocklist:
http://www.abuse.ch/zeustracker/blocklist.php?download=ipblocklistSucuri Security Malware Scanning IPs:
http://tools.sucuri.net/blacklist/MS-iplist.txt
CI Army Malicious IP List:
http://www.ciarmy.com/list/ci-badguys.txtRussian Business Network:
http://doc.emergingthreats.net/pub/Main/RussianBusinessNetwork/RussianBusinessNetworkIPs.txt -
Thanks for your contribution.
Do you know how often its Updated?
-
I don't know how often the advertising blacklist is updated, it doesn't seem to be very effective. I'm the "cup half full" type of person so I block those IP's anyways.
As to the known malware IP's, I believe from looking at the commented-out time stamp within the files they look to be updated daily.
-
Can somebody please tell me why PFblocker widget isn't showing all my block lists as being blocked?
Specifically the Russian Business Network Malverisers IP list is working however their CI Army list is not…. but the IP lists are of the same structure.
Working: http://rules.emergingthreats.net/blockrules/rbn-malvertisers-ips.txt
Not working or showing on Pfblocker widget: http://www.ciarmy.com/list/ci-badguys.txt
Please help!
-
Check first in diagnostics tables if this list was filled up.
Then check rule description for this alias rule.
-
Check first in diagnostics tables if this list was filled up.
Then check rule description for this alias rule.
Can you please explain this in further detail? I don't see alias rules for these lists, shouldn't they have been automatically made?
-
The pfBlocker is great! It's easy to use and very effective! Thank you!
I have 2 dumb questions.
- I have Russia blocked but need to allow for the access to my network from the IP 213.238.8.10. I looked up the CiDR for it. How do I enter the IP to allow it past the Russia block list?
CIDR results for 213.238.8.10
213.238.8.10/32 = 213.238.8.10 through 213.238.8.10 [1 IP - Single IP]
213.238.8.10/31 = 213.238.8.10 through 213.238.8.11 [2 IPs]
213.238.8.8/30 = 213.238.8.8 through 213.238.8.11 [4 IPs]
213.238.8.8/29 = 213.238.8.8 through 213.238.8.15 [8 IPs]
213.238.8.0/28 = 213.238.8.0 through 213.238.8.15 [16 IPs]
213.238.8.0/27 = 213.238.8.0 through 213.238.8.31 [32 IPs]
213.238.8.0/26 = 213.238.8.0 through 213.238.8.63 [64 IPs]
213.238.8.0/25 = 213.238.8.0 through 213.238.8.127 [128 IPs]
213.238.8.0/24 = 213.238.8.0 through 213.238.8.255 [256 IPs - Class C]
213.238.8.0/23 = 213.238.8.0 through 213.238.9.255 [512 IPs]
213.238.8.0/22 = 213.238.8.0 through 213.238.11.255 [1024 IPs]
213.238.8.0/21 = 213.238.8.0 through 213.238.15.255 [2048 IPs]
213.238.0.0/20 = 213.238.0.0 through 213.238.15.255 [4096 IPs]
213.238.0.0/19 = 213.238.0.0 through 213.238.31.255 [8192 IPs]
213.238.0.0/18 = 213.238.0.0 through 213.238.63.255 [16384 IPs]
213.238.0.0/17 = 213.238.0.0 through 213.238.127.255 [32768 IPs]
213.238.0.0/16 = 213.238.0.0 through 213.238.255.255 [65536 IPs - Class B]
213.238.0.0/15 = 213.238.0.0 through 213.239.255.255 [131072 IPs]
213.236.0.0/14 = 213.236.0.0 through 213.239.255.255 [262144 IPs]
213.232.0.0/13 = 213.232.0.0 through 213.239.255.255 [524288 IPs]
213.224.0.0/12 = 213.224.0.0 through 213.239.255.255 [1048576 IPs]
213.224.0.0/11 = 213.224.0.0 through 213.255.255.255 [2097152 IPs]
213.192.0.0/10 = 213.192.0.0 through 213.255.255.255 [4194304 IPs]
213.128.0.0/9 = 213.128.0.0 through 213.255.255.255 [8388608 IPs]
213.0.0.0/8 = 213.0.0.0 through 213.255.255.255 [16777216 IPs - Class A]
212.0.0.0/7 = 212.0.0.0 through 213.255.255.255 [33554432 IPs]
212.0.0.0/6 = 212.0.0.0 through 215.255.255.255 [67108864 IPs]
208.0.0.0/5 = 208.0.0.0 through 215.255.255.255 [134217728 IPs]
208.0.0.0/4 = 208.0.0.0 through 223.255.255.255 [268435456 IPs]
192.0.0.0/3 = 192.0.0.0 through 223.255.255.255 [536870912 IPs]
192.0.0.0/2 = 192.0.0.0 through 255.255.255.255 [1073741824 IPs]
128.0.0.0/1 = 128.0.0.0 through 255.255.255.255 [2147483648 IPs]- I would like to go view the stats of what is blocked by pfBlocker. I saw your screen capture at the beginning of the pfBlocker forum. Where or how do I access this?
Again, great work!