PfBlocker

LinuxTracker

I combined the Bluetack Level 1 and the TBG Primary Threats lists.  I converted them into CIDR and (I hope) trimmed out the overlapping ranges.
Neither Pastebin nor Pastie would take 6MB pastes so I sent the gz files to an uploader service.

IPs .0-.68 http://efjf7g.dl4free.com/en/
IPs .69-.193 http://6pvjo6.dl4free.com/en/
IPs .194-255 http://zsh382.dl4free.com/en/

Here's the CIDR count

The original Peerguardian formatted files from IBlocklist seem to require a lot of resources to convert.

Also, BlueTackL1 and TGP-PT have a lot of overlap so I felt converting+filtering them would help minimize resources.

Sorry - I'm not clever enough to automate this process or offer a live update service.

Since these are blind d/l's for you, prudence dictates you examine the contents before use.

kilthro

@marcelloc:

Hi all,

The country lists that we use on pfblocker will move to a paid service, take a look:

Country IP Blocks is moving to a paid services model

att,
Marcello Coutinho

:-(

So does that mean we will have to subscribe and then add the lists into pfblocker ourselves?

LinuxTracker

US Spammers:
IPs 0-68 http://pastebin.com/iKTpuy9n
IPs 69-179 http://pastebin.com/8Z6iSCSp
IPs 180-255 http://pastebin.com/PJLjUWeA

Other Spammers:
Worst: http://pastebin.com/aKnBhMLX
Corp Spamvertisers: http://pastebin.com/3Yd97rZ4
Non-US: http://pastebin.com/t9ej10BZ

Worst Spammers are the nitwits who were filling up my logs so I moved them into their own group.
They may not be targeting you and could be wrapped into other lists.

Corp Spam is stuff like Constant Contact, Linked-In, FTD, PsychzNetworks, ExactTarget….
They may not be blacklisted by DNSBLs but they're a pain in my butt.

Attn: marcelloc and Tommyboy180
I can't tell if my PMs get through to you because my browser doesn't properly redirect after posting.

The URLs I sent you before you have new filenames.  They are:
US_SpamIPs_0-69.txt.gz
US_SpamIPs_70-179.txt.gz
US_SpamIPs_180-255.txt.gz
Non-US_Spam_IPs.txt.gz
CorporateSpam.txt.gz
Worst_Spammers.txt.gz

The rest of the URL is the same.

marcelloc, if you'd delete the old files you're hosting and post these instead I'd appreciate it.

marcelloc

Linuxtracker,
I did received Pm, I'll publish files this week.

Kilthro,
Updated lists will need a subscribe but the files we already have will still be there.

Until april I'll update lists again and of course try to implement countryip subscription on pfBlocker package.

kilthro

@marcelloc:

Linuxtracker,
I did received Pm, I'll publish files this week.

Kilthro,
Updated lists will need a subscribe but the files we already has will still be there.

Until april I'll update lists again and of course try to implement countryip subscription on pfBlocker package.

That's what I thought. Thanks for the clarification.

LinuxTracker

@marcelloc:

Linuxtracker,
I did received Pm, I'll publish files this week.

Kilthro,
Updated lists will need a subscribe but the files we already have will still be there.

Until april I'll update lists again and of course try to implement countryip subscription on pfBlocker package.

Not good enough marcelloc.  I want more things done and I want them done now.
. . . or not.

I guess busting your tail for little more than a thanks will have to be good enough for me.

freakalad

Hi guys,

This seems to be the most appropriate place to ask this question, since it closest matches my need.

There have been a few recent reports re issues associated with ads on mobiles, as well putting load on batteries (hardly seems surprising), and I don't want to root my Android to block ads (if I can block ads for all nodes, all the better):

• http://www.engadget.com/2012/03/19/android-study-privacy-security-risks-in-app-ads/
• http://www.csc.ncsu.edu/faculty/jiang/pubs/WISEC12_ADRISK.pdf
• http://www.pcworld.com/article/252204/free_android_apps_packed_with_ads_are_major_battery_drains.html

We have several such devices in-house, and I'd like to simply block the ads at the boundary.
I've seen posts (19756 & 12737) providing a hack by virtue of Squid (I'd like to avoid adding Squid for this limited function if possible, since it seems overkill), but I'd like to leverage something similar to the Android app AdFree, that simply does a hosts file amendment to void IP's/DNS's: http://www.mvps.org/winhelp2002/hosts.txt

I've tried manually adding this data to my firewall's hosts file, but it does not seem to take.

Any suggestions would be greatly appreciated.

LinuxTracker

Withdrawn for now.

LinuxTracker

@freakalad:

There have been a few recent reports re issues associated with ads on mobiles, as well putting load on batteries (hardly seems surprising), and I don't want to root my Android to block ads (if I can block ads for all nodes, all the better)

I've done this by creating an alias of the mobile ad servers and adding a rule that blocked outbound traffic to them.

However, first I had to find the addresses for the mobile ad servers.  I did that by packet capturing the IP of my mobile, while I opened the apps.

LinuxTracker

last edit:
This attempt to compile a list of malware IPs needs improvement.  It functions but is picking up some legit domains.
I need to better vet my sources

I'm leaving it for reference.

wget "http://urlquery.net/index.php" -O data.txt
grep -Eo '([0-9]{1,3}\.){3}[0-9]{1,3}' data.txt | tail -n +3 > ips.txt

wget "http://minotauranalysis.com/malwarelist.aspx" -O data.txt
grep -Eo '([0-9]{1,3}\.){3}[0-9]{1,3}' data.txt | tail -n +3 >> ips.txt

wget "http://siteinspector.comodo.com/public/recent_detections/index" -O data.txt
grep -Eo '([0-9]{1,3}\.){3}[0-9]{1,3}' data.txt | tail -n +3 >> ips.txt

wget "http://siteinspector.comodo.com/public/recent_detections?page=2" -O data.txt
grep -Eo '([0-9]{1,3}\.){3}[0-9]{1,3}' data.txt | tail -n +3 >> ips.txt

cp malwaredomains.txt domains.txt
cat ips.txt domains.txt | sort | uniq > malwaredomains.txt

UrlQuery is offering up - https://gist.github.com/2191871 207.97.227.243 - as a Malicious domain.
That's the sort of problem I was running into w/ Malc0de.

marcelloc

Linuxtracker,

I think It's time to move shell scripts to php.
This way you can use arrays funcions like sort,unique as well php ip funcions and preg_match and preg_replace. ;)

marcelloc

Freakalad,

You can configure these host nanes on an pfsense alias or use dns forwarder to overide these ads hostname's ips.

Try alias first and put rejecting(better then deny for outgoing users) ads rule on top of lan rules.

If you could compile a txt via script with ads ips, then pfBlocker can help you on updating it Every x hours.

freakalad

@marcelloc:

You can configure these host nanes on an pfsense alias or use dns forwarder to overide these ads hostname's ips.
Try alias first and put rejecting(better then deny for outgoing users) ads rule on top of lan rules.
If you could compile a txt via script with ads ips, then pfBlocker can help you on updating it Every x hours.

I'l have to look into previous posts re details, rather than trying to enter it manually through the GUI, one entry at a time.
I'll look into it end I get more time to attend to it.

LinuxTracker

@marcelloc:

Linuxtracker,

I think It's time to move shell scripts to php.
This way you can use arrays funcions like sort,unique as well php ip funcions and preg_match and preg_replace. ;)

I trust you're right.  Unfortunately I haven't a clue about PHP.

This bit I've hacked together came out of a semester of Unix, from 20 years ago.

I'll take it under advisement though.  Maybe I can start puzzling something out.

simby

On pfsense x64 i recive this error:

php: : There were error(s) loading the rules: /tmp/rules.debug:18: cannot define table pfBlockerLevel1: Cannot allocate memory /tmp/rules.debug:20: cannot define table pfBlockerLevel2: Cannot allocate memory pfctl: Syntax error in config file: pf rules not loaded - The line in question reads [18]: table <pfblockerlevel1>persist file "/var/db/aliastables/pfBlockerLevel1.txt"

php: : New alert found: There were error(s) loading the rules: /tmp/rules.debug:18: cannot define table pfBlockerLevel1: Cannot allocate memory /tmp/rules.debug:20: cannot define table pfBlockerLevel2: Cannot allocate memory pfctl: Syntax error in config file: pf rules not loaded The line in question reads [18]: table <pfblockerlevel1>persist file "/var/db/aliastables/pfBlockerLevel1.txt"

How can i fix this.

this is new fresh instal. Please, help.</pfblockerlevel1></pfblockerlevel1>

marcelloc

Increase Firewall Maximum Table Entries on system -> advanced -> firewall/NAT

phil.davis

I noticed that some of my systems (2.0.1 and 2.1-DEV) had the duplicated pfBlocker rules on the WAN as described by Andrew at http://forum.pfsense.org/index.php/topic,42543.msg225835.html#msg225835 This happens when there are floating rules. In the config file, the floating rules can have interface="". The floating rules are not in a separate section of the config file. In my case, they were mixed in with the WAN rules. The pfBlocker code found a section of WAN rules, so added its rules to WAN, found a section of floating rules, which it retains, then found another section of WAN rules and added its rules again to WAN.
I have fixed this in pfblocker.inc and submitted a pull request in Github.
Note: The duplicated rules didn't actually cause a problem - the 2nd copy would just never be matched.

marcelloc

Thanks phill.davis!  :)

I was trying to track this bug with no success.

phil.davis

I only seem to get the duplicate rules issue when I have floating, WAN, LAN and OPT1 rules. Systems without OPT1 don't seem to get the symptoms.

LinuxTracker

re: http://www.countryipblocks.net/

April 2nd, 2012

MAJOR ANNOUNCEMENT

Country IP Blocks is excited to announce we are about to release our new paid services model. We are anticipating the completion of our new control panels, for premium members, sometime this week. The only additional programming necessary will be the embedded shopping cart. We are still looking for an appropriate shopping cart and would be grateful to hear your ideas.

Answers to frequently asked questions:

Premium memberships will run $179 a year per license.
Premium members will have access to our daily updated database.
Premium members will be able to generate their access control lists through their control panel and, if they choose to do so, they can store their selections in the Country IP Blocks database and we will auto-generate their specific data each time we update the database. This data will be available each day through a user-specific URL. In other words, you make your country and format choices, set it and forget it, and we create your data for you.

We will be offering a 10% discount to the first 100 businesses or individuals who contact us.

For those planning on using our soon to be released API, our expected pricing is $299 a year per license or $39 per month.

We will continue to offer free services. These will include access to network information 30 to 60 days old (upgrade to a premium membership and get access to the most current data).

Free services will no longer include access to format specific text files. But premium members will have the ability to auto-generate their own downloadable files.

Free services will also include access to our searchable IP database.

What will it mean for pfBlocker?