Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    PfBlocker

    Scheduled Pinned Locked Moved pfSense Packages
    896 Posts 143 Posters 1.3m Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • P
      pfnoober
      last edited by

      I want to thank marcelloc for a wonderful new package and all his hard work.

      I wanted to ask do you think it would be possible to add in an option on the Lists tab, when adding a new one, then under Update Frequency, would it be possible to add an option for maybe once a week?  For example one thing I use this feature for is to block ads and stuff from the mvps hosts.txt file they have available for download.  It isn't really a big deal to get the absolute latest spam blocks for me, so that's why I ask if once a week could be done.

      1 Reply Last reply Reply Quote 0
      • S
        sun-sense
        last edited by

        Hello.  I'm new to this package.  I would like to clear something up.

        If  just select Firewall - pfblocker - North America and only select United States, permit inbound and save.

        Will that just allow US IP's to connect and deny every other country ?

        That's the way I'm looking at it anyway.

        Oh, a follow-up question.  Linuxtracker has been talking about other Spammers IP's.  The lists section want a local file or URL in .txt or .gz format.  Is there a good URL for this that is safe ?

        Thanks…great work.

        m1n1wall - ALIX.2D3 System Board with 500 MHz AMD Geode LX800 CPU 3 10/100 Ethernet ports (VIA VT6105M 10/100)
        1 miniPCI slot for future expansion (VPN Acceleration, wireless, etc.) 2 USB ports 256 MB DDR DRAM

        1 Reply Last reply Reply Quote 0
        • marcellocM
          marcelloc
          last edited by

          The lists from linuxtracker are in gz format.

          To allow only us ips on your firewall but not allowing all access to it, change action to alias only and apply it as source alias for your Nat/rules

          Treinamentos de Elite: http://sys-squad.com

          Help a community developer! ;D

          1 Reply Last reply Reply Quote 0
          • L
            LinuxTracker
            last edited by

            @sun-sense:

            Linuxtracker has been talking about other Spammers IP's.  The lists section want a local file or URL in .txt or .gz format.  Is there a good URL for this that is safe ?

            Marcelloc keeps a copy of the lists here.
            http://e-sac.siteseguro.ws/pfBlocker/lists/

            Since I was skiddish about publishing my personal host, marcelloc stepped up and graciously offered his own.

            His links can be used for live updates and he uploads updated versions, when time permits.

            My own latest copies are dated 4/12.  If you want them, I can attach them here or pasetbin the contents.

            Sidenote:
            I've discovered that dropbox direct download links work well in pfBlocker.
            I've been using one for an auto-generated malware list I'm testing.

            I may use that to publish the spam lists.
            The dropbox app would push out updates, as soon as I make them available.

            I'll consider it tomorrow, after some sleep.
            .

            1 Reply Last reply Reply Quote 0
            • L
              LinuxTracker
              last edited by

              For anyone who wants live updates to the most recent spam lists, here are dropbox links to them.
              pfBlocker should pull right from these links.

              http://dl.dropbox.com/u/71477228/P2P_0-68.txt.gz
              http://dl.dropbox.com/u/71477228/P2P_0-68.txt.gz
              http://dl.dropbox.com/u/71477228/P2P_194-255.txt.gz
              http://dl.dropbox.com/u/71477228/Non-US_Spam_IPs.txt.gz
              http://dl.dropbox.com/u/71477228/Worst_Spammers.txt.gz
              http://dl.dropbox.com/u/71477228/CorporateSpam.txt.gz

              I tend to update my lists about 2x week.  The updated lists hit dropbox ~11:30pm EDT.

              I'll add some details/comments to the top of the files this week.

              I also have a malware list that seems to be behaving.
              It targets 0day threats and gets wiped every day at midnight.  After that, new IP ranges are added each hour.
              I need to review it again.  If I feel good about it, I'll post a live update link.
              .

              1 Reply Last reply Reply Quote 0
              • L
                LinuxTracker
                last edited by

                Here are the Malware Lists that I've found to be safe to use.
                (This is after testing a ½doz other lists that would blacklist urls for stupid reasons.)

                I put the addresses in pfBlocker list section and let them update hourly. You may prefer less freq updates.

                This one is from Malware Domain List. I began testing it in February against known 0day threats.
                At this point I have a lot of confidence in it.
                http://www.malwaredomainlist.com/hostslist/ip.txt

                I also have two botnet lists that I've been running for a month or so.
                http://www.abuse.ch/zeustracker/blocklist.php?download=ipblocklist
                https://spyeyetracker.abuse.ch/blocklist.php?download=ipblocklist

                There are other lists I'm evaluating but am not comfortable releasing them as yet.

                1 Reply Last reply Reply Quote 0
                • T
                  taryezveb
                  last edited by

                  LinuxTracker,

                  Thanks for your contributions :)

                  1 Reply Last reply Reply Quote 0
                  • K
                    kevross33
                    last edited by

                    I also use the following and they seem fine:

                    http://rules.emergingthreats.net/fwrules/emerging-Block-IPs.txt (this blocks known russian business network, shadowserver command and control servers, dhsield and spamhaus.
                    http://rules.emergingthreats.net/blockrules/compromised-ips.txt (compromised hosts doing nastiness)

                    If you choose one try the top one. Static blacklists are useful but many setups moving towards a more scored reputation rating for domains, IPs etc.

                    http://www.damballa.com/downloads/r_pubs/WP_Blacklists_Dynamic_Reputation.pdf
                    http://www.damballa.com/solutions/damballa_firstalert.php

                    @LinuxTracker:

                    Here are the Malware Lists that I've found to be safe to use.
                    (This is after testing a ½doz other lists that would blacklist urls for stupid reasons.)

                    I put the addresses in pfBlocker list section and let them update hourly. You may prefer less freq updates.

                    This one is from Malware Domain List. I began testing it in February against known 0day threats.
                    At this point I have a lot of confidence in it.
                    http://www.malwaredomainlist.com/hostslist/ip.txt

                    I also have two botnet lists that I've been running for a month or so.
                    http://www.abuse.ch/zeustracker/blocklist.php?download=ipblocklist
                    https://spyeyetracker.abuse.ch/blocklist.php?download=ipblocklist

                    There are other lists I'm evaluating but am not comfortable releasing them as yet.

                    1 Reply Last reply Reply Quote 0
                    • K
                      kevross33
                      last edited by

                      Oh and on these lists always set to log just like any countries you block. This makes it easier to identify blocked badness but also determine if something isn't working because of a blocklist (i.e I couldn't get to cuckoobox.org because site was in a country I had blocked at the time and I saw in logs blocked Syn packets trying to get to it).

                      1 Reply Last reply Reply Quote 0
                      • JSmoradaJ
                        JSmorada
                        last edited by

                        I'm not sure why, but as a test I manually created a run to match one of the aliases and it worked.
                        Any ideas on what's happening and how to fix it?

                        pfSense 2.0.1 i386 release, clean install with cron being the only other package installed.

                        Thanks,
                        Jon

                        1 Reply Last reply Reply Quote 0
                        • marcellocM
                          marcelloc
                          last edited by

                          @nipstech:

                          I'm not sure why, but as a test I manually created a run to match one of the aliases and it worked.
                          Any ideas on what's happening and how to fix it?

                          You mean you could reach an ip that is blocked?

                          If so, check rule action you selected for the list.
                          Deny inbound is to block access from blocked ip to you site
                          Deny outbound is to block access from your network to blocked ip.

                          att,
                          Marcello Coutinho

                          Treinamentos de Elite: http://sys-squad.com

                          Help a community developer! ;D

                          1 Reply Last reply Reply Quote 0
                          • L
                            LinuxTracker
                            last edited by

                            I needed a list of Yahoo's US Email Servers.
                            I'm getting a lot of spam off of Yahoo's networks and want to exclude Yahoo's US Email servers from my auto-gererated blacklists.

                            I found lists of all Yahoo IPs here:
                            http://public.yahoo.com/~carloc/ymail.html

                            and lists of Yahoo Email Servers here:
                            http://public.yahoo.com/~vineet/ip.txt
                            http://public.yahoo.com/~vineet/subnet.txt

                            I extracted the US addresses from the first list and a copy is here:
                            http://dl.dropbox.com/u/71477228/YahooIPsUS.txt

                            1 Reply Last reply Reply Quote 0
                            • JSmoradaJ
                              JSmorada
                              last edited by

                              No, pfblocker wasn't creating any rules. I had to manually enter them. Then, for no apparent reason, the automatically created rules appeared. ???

                              @marcelloc:

                              @nipstech:

                              I'm not sure why, but as a test I manually created a run to match one of the aliases and it worked.
                              Any ideas on what's happening and how to fix it?

                              You mean you could reach an ip that is blocked?

                              If so, check rule action you selected for the list.
                              Deny inbound is to block access from blocked ip to you site
                              Deny outbound is to block access from your network to blocked ip.

                              att,
                              Marcello Coutinho

                              1 Reply Last reply Reply Quote 0
                              • L
                                LinuxTracker
                                last edited by

                                @kevross33:

                                I also use the following and they seem fine:

                                http://rules.emergingthreats.net/fwrules/emerging-Block-IPs.txt (this blocks known russian business network, shadowserver command and control servers, dhsield and spamhaus.
                                http://rules.emergingthreats.net/blockrules/compromised-ips.txt (compromised hosts doing nastiness)

                                If you choose one try the top one. Static blacklists are useful but many setups moving towards a more scored reputation rating for domains, IPs etc.

                                http://www.damballa.com/downloads/r_pubs/WP_Blacklists_Dynamic_Reputation.pdf
                                http://www.damballa.com/solutions/damballa_firstalert.php

                                Those look promising.  I'll plug 'em in over the next week and see how they do.

                                1 Reply Last reply Reply Quote 0
                                • M
                                  Michael Sh.
                                  last edited by

                                  I found a bug in the parsing of lists. If the list in the IP format instead of CIDR (xx.xx.xx.xx without / xx) the first line is lost from the list. If the list contains one row the entire list is ignored.
                                  Tested on text format.

                                  1 Reply Last reply Reply Quote 0
                                  • T
                                    tommyboy180
                                    last edited by

                                    Interesting. I'm having difficulty replicating. Can you post a sample of the list you're using.

                                    -Tom Schaefer
                                    SuperMicro 1U 2X Intel pro/1000 Dual Core Intel 2.2 Ghz - 2 Gig RAM

                                    Please support pfBlocker | File Browser | Strikeback

                                    1 Reply Last reply Reply Quote 0
                                    • marcellocM
                                      marcelloc
                                      last edited by

                                      The code looks for a space/or <enter>after the ip address, can you check if the list you want to apply has it?

                                      	foreach ($url_list as $line){
                                      											# CIDR format 192.168.0.0/16
                                      											if (preg_match("/(\d+\.\d+\.\d+\.\d+\/\d+)/",$line,$matches)){
                                      												${$alias}.= $matches[1]."\n";
                                      												$new_file.= $matches[1]."\n";
                                      											}
                                      											# Single ip addresses 
                                      											if (preg_match("/(\d+\.\d+\.\d+\.\d+)\s+/",$line,$matches)){
                                      												${$alias}.= $matches[1]."/32\n";
                                      												$new_file.= $matches[1]."/32\n";
                                      											}
                                      											# Network range 192.168.0.0-192.168.0.254
                                      											if (preg_match("/(\d+\.\d+\.\d+\.\d+)-(\d+\.\d+\.\d+\.\d+)/",$line,$matches)){
                                      												$cidr= pfblocker_Range2CIDR($matches[1],$matches[2]);
                                      												if ($cidr != ""){
                                      													${$alias}.= $cidr."\n";
                                      													$new_file.= $cidr."\n";
                                      												}
                                      											}
                                      										}
                                      ```</enter>

                                      Treinamentos de Elite: http://sys-squad.com

                                      Help a community developer! ;D

                                      1 Reply Last reply Reply Quote 0
                                      • M
                                        Michael Sh.
                                        last edited by

                                        @tommyboy180:

                                        Interesting. I'm having difficulty replicating. Can you post a sample of the list you're using.

                                        I use my own list to ban some IP work within their own network. It generates by script from the SQL database and given over HTTP.

                                        @marcelloc:

                                        The code looks for a space/or <enter>after the ip address, can you check if the list you want to apply has it?

                                        
                                        # Single ip addresses 
                                        if (preg_match("/(\d+\.\d+\.\d+\.\d+)\s+/",$line,$matches)){
                                        .....
                                        
                                        ```</enter>
                                        

                                        That's the reason for such behavior. \s+ requires a complete IP-address by space character. My list was originally a form:
                                        192.168.0.1\n
                                        192.168.0.3\n
                                        …
                                        when using
                                        192.168.0.1/32\n
                                        192.168.0.3/32\n
                                        everything works as expected.

                                        PS: I was wrong a little bit. Lost is not the first line but last line.
                                        That is, /(\d+.\d+.\d+.\d+)\s+/ does not work on the "192.168.1.1\n<eof>"</eof>

                                        1 Reply Last reply Reply Quote 0
                                        • marcellocM
                                          marcelloc
                                          last edited by

                                          Michael Sh,

                                          Try to remove the \s+ from that preg_match at /usr/local/pkg/pfblocker.inc file and see if works.

                                          att,
                                          Marcello Coutinho

                                          Treinamentos de Elite: http://sys-squad.com

                                          Help a community developer! ;D

                                          1 Reply Last reply Reply Quote 0
                                          • J
                                            johnodon
                                            last edited by

                                            Hi Guys.

                                            Loving your product so far and wanted to thank you for all of your hard work.  I am especially liking custom lists for blocking malware, compromised and botnet sites.

                                            Not sure if this had been requested before but I will ask anyway.  :)

                                            I will use IE9 as an example…

                                            For the custom lists I am blocking both inbound and outbound.  Naturally when I try to visit a site in one of the lists, I receive the generic "Internet Explorer cannot display the webpage " page.  Is it possible have this redirected to a local webpage that provides more information?  i.e. "The site you are trying to access has been blocked by your local administrator...blah blah blah."

                                            Even better if we could make it customizable so my wife knows to come and find me!  :)

                                            This would help to determine root cause for not reaching a site...blocked or just down.

                                            Thoughts?

                                            Thanks!

                                            John

                                            1 Reply Last reply Reply Quote 0
                                            • First post
                                              Last post
                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.