Netgate Discussion Forum
    PfBlocker

    pfSense Packages
    896 Posts 143 Posters 1.4m Views
    LinuxTracker

      @tommyboy180:

      Great SPAM list!

      Thank you.  I really owe you guys. I'm not in a position to pay back properly, but I'm glad to contribute something.

      I put a lot of time into keeping the list up to date. It's rewarding to know a wider audience can make use of it.

      I have this one email account I keep alive as a honeypot.
      The former employee must have left their address everywhere; it seems like every spammer in the US hits it.

      This is 12p-9p today on the same server.

      After 5p the numbers ramped way up.
      (I think 70%-80% were SMTP attempts, so I adjusted the rules tonight. My future numbers will all be SMTP.)

      And again - Thanks.
      Especially to you TB180, because I was well served by CountryBlock and IPBlocklist for 18 months.
      But also to marcelloc, JimP and other devs who've spent scads of their own time developing an open, enterprise-class security suite that I couldn't possibly afford.

      LinuxTracker

        First up:
        I noticed a couple of interesting things happen at the top of the hour.

        1. During the pfBlocker list update, my filters drop offline for a few seconds.

        2. There's often a brief spike in spam activity at the top of the hour, just from certain hard-core spammers (i.e. whoever is at 91.205.234.240-91.205.234.245).
          That spike lasts from about a minute before the hour till a minute after.

        The result is I'll have 2-8 spams get through.

        Any changes to the lists in pfBlocker also drops my filters for 3sec-5sec.
        It happens at the change, not when I navigate to General Tab and press save.

        Notes:
        The box is a P4 w/ HT, 1GB and a SATA drive. It runs pfBlocker, squid/squidGuard and Unbound.
        It runs really well. RAM use averages 40% and CPU is mostly under 5%.

        I did put in NTOP last night.  It seemed to weigh heavy on the system, so I uninstalled it tonight.
        I'll see if that makes the difference.

        Secondly - about the Level1 Blocklist:
        After pfBlocker converts it and loads it into the table, it seems overly huge to me.
        I've thought about streamlining the post-conversion CIDR ranges.
        But doing that manually would be tedious. I also wouldn't know how to update it afterward.
        I'm not sure anything can be done, but I thought I'd toss that out there.

        And yes. I know my P4 is old and slow.
        However:
        To me, all code Must Be Efficient. It's never the hardware's fault; till it is.

        squirreldip

          @marcelloc:

          @squirreldip:

          I found an IP in the list that returned a ping.  When using Level 3 list the blocker worked (would not return ping) but doing the same with the Level 1 list did not work (the ping returned).

          What action did you choose for the Level1 list, and what IP did you test?

          Thanks for your help!

          I've backed up my VM and re-installed a fresh copy - modified according to your posts.  The large lists now block.

          Interestingly, trying to list the pfBlocker table still returns a blank page.

          marcelloc

            @squirreldip:

            Interestingly, trying to list the pfBlocker table still returns a blank page.

            The Diagnostics -> Tables page does not apply the 256 MB PHP memory limit. You may need to apply the DO AT YOUR OWN RISK patch there too.

            Elite Training: http://sys-squad.com

            Help a community developer! ;D

            marcelloc

              @LinuxTracker:

              1. During the pfBlocker list update; my filters drop offline for a few seconds.

              2. There's often a brief spike in spam activity at the top of the hour. Just from certain hard core spammers (ie: whoever is at 91.205.234.240-91.205.234.245)
                That spike lasts from about a minute before the hour till a minute after.

              The result is I'll have 2-8 spams get through.

              Any changes to the lists in pfBlocker also drops my filters for 3sec-5sec.
              It happens at the change, not when I navigate to General Tab and press save.

              Both are related to same thing.

              To prevent max table memory limit errors, pfBlocker cleans its tables before reapplying; that's why you have some seconds without "protection".

              If you choose to update list every hour, then every hour you will have some seconds off.

              biogoon

                I think I've found an issue with the password field in the XMLRPC Sync pane. The field seems to truncate some passwords as it does not escape at least a subset of symbols. As a result, configs don't get synced properly across systems.

                Thanks again for such a great package!

                LinuxTracker

                  @marcelloc:

                  To prevent max table memory limit errors, pfBlocker cleans its tables before reapplying; that's why you have some seconds without "protection".

                  If you choose to update list every hour, then every hour you will have some seconds off.

                  OK. That's helpful to know.  I'll normally have the lists set for daily updates.  It looks like that happens at 23:00.
                  I'll write a script to cycle the mail server service during that time.

                  Thanks.

                  marcelloc

                    @biogoon:

                    I think I've found an issue with the password field in the XMLRPC Sync pane. The field seems to truncate some passwords as it does not escape at least a subset of symbols. As a result, configs don't get synced properly across systems.

                    Thanks again for such a great package!

                    Was the sync problem you had related to the old package version or to password symbols?

                    biogoon

                      Password symbols in the newest version (1.0.1)

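As an added illustration of the bug class biogoon reports above (a field whose contents reach an XML-RPC payload without the XML-special symbols being escaped), here is a Python example. It is not taken from pfBlocker's or pfSense's sync code and does not reproduce that bug; the two passwords are constructed. It shows that an unescaped `<` or `&` makes the request unparseable on the receiving side, that unescaped markup can change the structure of the request, and that a real XML-RPC encoder preserves the value intact.

```python
# Added example (not pfSense/pfBlocker code): what goes wrong when a credential
# containing XML-special characters is pasted into an XML-RPC request body
# without escaping, and how a proper encoder avoids it.
import xmlrpc.client
import xml.parsers.expat

# Constructed passwords. The first contains characters that are special in XML;
# the second contains markup that closes the <string> element early.
PASSWORD_SPECIAL = 'S3cret<&>"pass'
PASSWORD_MARKUP = 'x</string></value></param><param><value><string>y'


def naive_payload(password):
    """Build the <params> body by string concatenation with no escaping.
    This is the failure mode being illustrated, not a recommended pattern."""
    return ('<params><param><value><string>' + password +
            '</string></value></param></params>')


def safe_payload(password):
    """xmlrpc.client.dumps() escapes &, < and > inside string values."""
    return xmlrpc.client.dumps((password,))


def peer_view(payload):
    """Parse the body the way the receiving side would.
    Returns the tuple of decoded params, or None if the XML is not well-formed."""
    try:
        params, _method = xmlrpc.client.loads(payload)
    except xml.parsers.expat.ExpatError:
        return None
    return params


if __name__ == "__main__":
    for pw in (PASSWORD_SPECIAL, PASSWORD_MARKUP):
        print("naive:", peer_view(naive_payload(pw)))
        print("safe: ", peer_view(safe_payload(pw)))
```

The second password is the more instructive one: concatenated in, it parses cleanly but as two parameters, so the peer never sees the value that was typed; encoded properly, it survives as a single string.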
                      marcelloc

                        @LinuxTracker:

                        OK. That's helpful to know.  I'll normally have the lists set for daily updates.  It looks like that happens at 23:00.
                        I'll write a script to cycle the mail server service during that time.

                        Also take a look at other great packages to get even better antispam protection.  ;D

                        Postfix forwarder and mailscanner.

                        LinuxTracker

                          @marcelloc:

                          Also take a look at other great packages to get even better antispam protection.

                          Postfix forwarder and mailscanner.

                          Sigh. I suppose I have to grow up and play with the big-boy toys sometime.

                          I have a question:
                          Is there a way to force pfBlocker to manually pull a list update? For the life of me, I can't figure out how to do it.
                          I keep having to wait for the scheduled updates to occur.

                          ccb056

                            This package seems not to work with multiple WAN interfaces.  When more than 1 inbound interface is selected the firewall rules are only added to the 1 WAN interface.

                            ccb056

                              Hi marcello, I got the multiple WAN interfaces working by adding a dummy rule and then starting pfBlocker.

                              One thing I notice is when lists are added they consume RAM but when the list is removed the RAM is not returned.

                              Thank you!

                              marcelloc

                                If you have no rules on inbound interfaces, you are already blocking everything.

                                The memory usage is controlled by FreeBSD; there is no code that keeps lists in memory after the config apply is finished.

                                tommyboy180

                                  Memory consumed by the system will go inactive when not in use, like when you stop pfblocker or delete tables. That physical memory is still allocated by the OS for a period of time before it's released back into a shared pool.

                                  That memory will return to the OS after a little while.

                                  -Tom Schaefer
                                  SuperMicro 1U 2X Intel pro/1000 Dual Core Intel 2.2 Ghz - 2 Gig RAM

                                  Please support pfBlocker | File Browser | Strikeback

                                  LinuxTracker

                                    A screencap of 21 hours of spam blocking.

                                    CustomSpamList and CorpSpam are the lists I maintain in response to the spams we get.
                                    Considering this is for fewer than 10 email accounts, I find these numbers appalling.

                                    We still have about 10 spams get through each day, mostly sent from compromised Hotmail/Yahoo accounts.

                                    I'm hoping postfix will help me achieve total-spam-free-ness.

                                    ccb056

                                      I have noticed that when using some I-Blocklist lists in deny inbound and deny outbound with the p2p file format, DNS stops working for the machines on my LAN side, but when I switch to the CIDR file format DNS works.

                                      marcelloc

                                        P2P lists are converted to CIDR format after download. If a P2P range produces a network mask bigger than /16, pfBlocker will try to find a network CIDR for it, which could result in a /12 or /8 network. In this situation, you may have some non-blacklisted IPs blocked.

                                        Cidr is the recommended format for lists.

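Added example (Python; not pfBlocker's own code, and not a reproduction of how pfBlocker performs the conversion) of the range-to-CIDR problem marcelloc describes above. A P2P-format line of the form `name:first-last` can be converted either into the exact minimal set of CIDR blocks, or collapsed into the single smallest network that encloses both ends. The second approach is where non-listed addresses get blocked: an unaligned range is rounded up, and a range spanning more than a /16 ends up as the /12 mentioned in the thread. The sample lines are constructed; the `name:first-last` layout is the PeerGuardian-style p2p text format that I-Blocklist serves.

```python
# Added example (not pfBlocker's own code): convert P2P "name:first-last" ranges
# to CIDR two ways, exact (minimal covering set) and as one enclosing supernet,
# and count how many extra addresses the supernet blocks.
import ipaddress

# Constructed sample in PeerGuardian/I-Blocklist p2p text format.
SAMPLE_P2P = """\
# comment lines and blanks are ignored
Example-Aligned:198.51.100.0-198.51.100.255
Example-Unaligned:203.0.113.5-203.0.113.9
Example-Wide:10.0.1.0-10.10.0.0
"""


def parse_p2p(text):
    """Yield (name, first_ip, last_ip) for each well-formed p2p line."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        # rpartition: list names may themselves contain ':'
        name, _, rng = line.rpartition(':')
        first, _, last = rng.partition('-')
        try:
            lo = ipaddress.IPv4Address(first.strip())
            hi = ipaddress.IPv4Address(last.strip())
        except ipaddress.AddressValueError:
            continue  # skip a malformed line rather than abort the whole list
        if hi < lo:
            lo, hi = hi, lo
        yield name, lo, hi


def exact_cidrs(lo, hi):
    """Minimal list of CIDR networks covering exactly the addresses lo..hi."""
    return list(ipaddress.summarize_address_range(lo, hi))


def enclosing_cidr(lo, hi):
    """Single smallest CIDR containing both lo and hi; may include extra addresses."""
    net = ipaddress.IPv4Network(f"{lo}/32")
    while hi not in net:
        net = net.supernet()
    return net


def overblock(lo, hi):
    """Number of addresses the enclosing CIDR blocks beyond the listed range."""
    return enclosing_cidr(lo, hi).num_addresses - (int(hi) - int(lo) + 1)


def convert(text):
    """Return {name: (exact_cidr_strings, enclosing_cidr_string, extra_blocked)}."""
    out = {}
    for name, lo, hi in parse_p2p(text):
        out[name] = ([str(n) for n in exact_cidrs(lo, hi)],
                     str(enclosing_cidr(lo, hi)),
                     overblock(lo, hi))
    return out


if __name__ == "__main__":
    for name, (exact, enclosing, extra) in convert(SAMPLE_P2P).items():
        print(f"{name}: exact={exact} enclosing={enclosing} extra_blocked={extra}")
```

The exact conversion is what a CIDR-format list gives you directly, at the cost of more table entries (the size complaint about the Level1 list earlier in the thread: the 10.0.1.0-10.10.0.0 range needs 13 of them). Collapsing to one supernet trades those entries for over-blocking: the same range becomes 10.0.0.0/12 and blocks 393,471 addresses that were never listed, which is the behaviour behind the DNS breakage ccb056 saw with the p2p format.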
                                        gpapaiko

                                          Hi,

                                          Like the package -  great work.

                                          I was just wondering if you plan on creating a report or some kind of log that breaks down the attacks by country.
                                          The dashboard widget is great as it gives you this by region; if you could add the option to break it down by country and source (interface), that would be even better.
                                          This would give us the ability to see where the attacks are coming from.

                                          Regards.

                                          George

                                          marcelloc

                                            No plans for that. :(
                                            The continent based alias is there to reduce rules and for easy configuration.

                                            All deny rules will be logged if you select this feature, but you will need to look up the source IP's country the same way.

                                            Imagine an alias for each country. You can build these custom lists by downloading from the countryblock website, but I think you will need a subscription for that.

                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.