PfBlocker
-
LinuxTracker,
Thanks for your contributions :)
-
I also use the following and they seem fine:
http://rules.emergingthreats.net/fwrules/emerging-Block-IPs.txt (this blocks known russian business network, shadowserver command and control servers, dhsield and spamhaus.
http://rules.emergingthreats.net/blockrules/compromised-ips.txt (compromised hosts doing nastiness)If you choose one try the top one. Static blacklists are useful but many setups moving towards a more scored reputation rating for domains, IPs etc.
http://www.damballa.com/downloads/r_pubs/WP_Blacklists_Dynamic_Reputation.pdf
http://www.damballa.com/solutions/damballa_firstalert.phpHere are the Malware Lists that I've found to be safe to use.
(This is after testing a ½doz other lists that would blacklist urls for stupid reasons.)I put the addresses in pfBlocker list section and let them update hourly. You may prefer less freq updates.
This one is from Malware Domain List. I began testing it in February against known 0day threats.
At this point I have a lot of confidence in it.
http://www.malwaredomainlist.com/hostslist/ip.txtI also have two botnet lists that I've been running for a month or so.
http://www.abuse.ch/zeustracker/blocklist.php?download=ipblocklist
https://spyeyetracker.abuse.ch/blocklist.php?download=ipblocklistThere are other lists I'm evaluating but am not comfortable releasing them as yet.
-
Oh and on these lists always set to log just like any countries you block. This makes it easier to identify blocked badness but also determine if something isn't working because of a blocklist (i.e I couldn't get to cuckoobox.org because site was in a country I had blocked at the time and I saw in logs blocked Syn packets trying to get to it).
-
I'm not sure why, but as a test I manually created a run to match one of the aliases and it worked.
Any ideas on what's happening and how to fix it?pfSense 2.0.1 i386 release, clean install with cron being the only other package installed.
Thanks,
Jon -
@nipstech:
I'm not sure why, but as a test I manually created a run to match one of the aliases and it worked.
Any ideas on what's happening and how to fix it?You mean you could reach an ip that is blocked?
If so, check rule action you selected for the list.
Deny inbound is to block access from blocked ip to you site
Deny outbound is to block access from your network to blocked ip.att,
Marcello Coutinho -
I needed a list of Yahoo's US Email Servers.
I'm getting a lot of spam off of Yahoo's networks and want to exclude Yahoo's US Email servers from my auto-gererated blacklists.I found lists of all Yahoo IPs here:
http://public.yahoo.com/~carloc/ymail.htmland lists of Yahoo Email Servers here:
http://public.yahoo.com/~vineet/ip.txt
http://public.yahoo.com/~vineet/subnet.txtI extracted the US addresses from the first list and a copy is here:
http://dl.dropbox.com/u/71477228/YahooIPsUS.txt -
No, pfblocker wasn't creating any rules. I had to manually enter them. Then, for no apparent reason, the automatically created rules appeared. ???
@nipstech:
I'm not sure why, but as a test I manually created a run to match one of the aliases and it worked.
Any ideas on what's happening and how to fix it?You mean you could reach an ip that is blocked?
If so, check rule action you selected for the list.
Deny inbound is to block access from blocked ip to you site
Deny outbound is to block access from your network to blocked ip.att,
Marcello Coutinho -
I also use the following and they seem fine:
http://rules.emergingthreats.net/fwrules/emerging-Block-IPs.txt (this blocks known russian business network, shadowserver command and control servers, dhsield and spamhaus.
http://rules.emergingthreats.net/blockrules/compromised-ips.txt (compromised hosts doing nastiness)If you choose one try the top one. Static blacklists are useful but many setups moving towards a more scored reputation rating for domains, IPs etc.
http://www.damballa.com/downloads/r_pubs/WP_Blacklists_Dynamic_Reputation.pdf
http://www.damballa.com/solutions/damballa_firstalert.phpThose look promising. I'll plug 'em in over the next week and see how they do.
-
I found a bug in the parsing of lists. If the list in the IP format instead of CIDR (xx.xx.xx.xx without / xx) the first line is lost from the list. If the list contains one row the entire list is ignored.
Tested on text format. -
Interesting. I'm having difficulty replicating. Can you post a sample of the list you're using.
-
The code looks for a space/or <enter>after the ip address, can you check if the list you want to apply has it?
foreach ($url_list as $line){ # CIDR format 192.168.0.0/16 if (preg_match("/(\d+\.\d+\.\d+\.\d+\/\d+)/",$line,$matches)){ ${$alias}.= $matches[1]."\n"; $new_file.= $matches[1]."\n"; } # Single ip addresses if (preg_match("/(\d+\.\d+\.\d+\.\d+)\s+/",$line,$matches)){ ${$alias}.= $matches[1]."/32\n"; $new_file.= $matches[1]."/32\n"; } # Network range 192.168.0.0-192.168.0.254 if (preg_match("/(\d+\.\d+\.\d+\.\d+)-(\d+\.\d+\.\d+\.\d+)/",$line,$matches)){ $cidr= pfblocker_Range2CIDR($matches[1],$matches[2]); if ($cidr != ""){ ${$alias}.= $cidr."\n"; $new_file.= $cidr."\n"; } } } ```</enter> -
Interesting. I'm having difficulty replicating. Can you post a sample of the list you're using.
I use my own list to ban some IP work within their own network. It generates by script from the SQL database and given over HTTP.
The code looks for a space/or <enter>after the ip address, can you check if the list you want to apply has it?
# Single ip addresses if (preg_match("/(\d+\.\d+\.\d+\.\d+)\s+/",$line,$matches)){ ..... ```</enter>That's the reason for such behavior. \s+ requires a complete IP-address by space character. My list was originally a form:
192.168.0.1\n
192.168.0.3\n
…
when using
192.168.0.1/32\n
192.168.0.3/32\n
everything works as expected.PS: I was wrong a little bit. Lost is not the first line but last line.
That is, /(\d+.\d+.\d+.\d+)\s+/ does not work on the "192.168.1.1\n<eof>"</eof> -
Michael Sh,
Try to remove the \s+ from that preg_match at /usr/local/pkg/pfblocker.inc file and see if works.
att,
Marcello Coutinho -
Hi Guys.
Loving your product so far and wanted to thank you for all of your hard work. I am especially liking custom lists for blocking malware, compromised and botnet sites.
Not sure if this had been requested before but I will ask anyway. :)
I will use IE9 as an example…
For the custom lists I am blocking both inbound and outbound. Naturally when I try to visit a site in one of the lists, I receive the generic "Internet Explorer cannot display the webpage " page. Is it possible have this redirected to a local webpage that provides more information? i.e. "The site you are trying to access has been blocked by your local administrator...blah blah blah."
Even better if we could make it customizable so my wife knows to come and find me! :)
This would help to determine root cause for not reaching a site...blocked or just down.
Thoughts?
Thanks!
John
-
That would be an awesome addition. I find myself in the same situation many times when the wife calls me and says _____ is not working. I have to VPN into the network and then check the logs of the firewall ect to see if it is indeed getting blocked or there are other network issues. I really hope that would be a possibility.
Thanks for the suggestion.
-
Is it possible have this redirected to a local webpage that provides more information? i.e. "The site you are trying to access has been blocked by your local administrator…blah blah blah."
You can get this using a proxy server like squidguard or dansguardian.
Pfblocker use firewall rules only.
You can try this by using created alias on a nat rule that forward to a web server.
On this web server, you can change 404 error page to your custom page.It's not impossible to do but not that easy too. :)
att,
Marcello Coutinho -
Michael Sh,
Try to remove the \s+ from that preg_match at /usr/local/pkg/pfblocker.inc file and see if works.
att,
Marcello CoutinhoIt works, but there will be problems with the ranges. They are already there. The second part of the range is seen as IP. I would have made more strict:
foreach ($url_list as $line){ # CIDR format 192.168.0.0/16 if (preg_match("/^\s*(\d+\.\d+\.\d+\.\d+\/\d+)\s*$/",$line,$matches)){ ${$alias}.= $matches[1]."\n"; $new_file.= $matches[1]."\n"; } # Single ip addresses if (preg_match("/^\s*(\d+\.\d+\.\d+\.\d+)\s*$/",$line,$matches)){ ${$alias}.= $matches[1]."/32\n"; $new_file.= $matches[1]."/32\n"; } # Network range 192.168.0.0-192.168.0.254 if (preg_match("/^\s*(\d+\.\d+\.\d+\.\d+)-(\d+\.\d+\.\d+\.\d+)\s*$/",$line,$matches)){ $cidr= pfblocker_Range2CIDR($matches[1],$matches[2]); if ($cidr != ""){ ${$alias}.= $cidr."\n"; $new_file.= $cidr."\n"; } } }While the testing found that the "/usr/local/bin/php -q /usr/local/www/pfblocker.php cron" does not work from 00:00 to 00:59.
I do not understand why it is done.pfblocker.php
$hour=date('H'); ..... if ($row['url'] != "" && $hour > 0){ ..... -
It works, but there will be problems with the ranges. They are already there. The second part of the range is seen as IP. I would have made more strict:
without the \s+, you need to move this if after network-range if
-
It works, but there will be problems with the ranges. They are already there. The second part of the range is seen as IP. I would have made more strict:
without the \s+, you need to move this if after network-range if
I think with the \s+, this if must be placed after network-range if too ;)
-
I think with the \s+, this if must be placed after network-range if too ;)
with \s+ it will be a different match from network range but it might be easier to read the code this way.
