PfBlocker

Michael Sh.

I found a bug in the parsing of lists. If the list in the IP format instead of CIDR (xx.xx.xx.xx without / xx) the first line is lost from the list. If the list contains one row the entire list is ignored.
Tested on text format.

tommyboy180

Interesting. I'm having difficulty replicating. Can you post a sample of the list you're using.

marcelloc

The code looks for a space/or <enter>after the ip address, can you check if the list you want to apply has it?

	foreach ($url_list as $line){
											# CIDR format 192.168.0.0/16
											if (preg_match("/(\d+\.\d+\.\d+\.\d+\/\d+)/",$line,$matches)){
												${$alias}.= $matches[1]."\n";
												$new_file.= $matches[1]."\n";
											}
											# Single ip addresses 
											if (preg_match("/(\d+\.\d+\.\d+\.\d+)\s+/",$line,$matches)){
												${$alias}.= $matches[1]."/32\n";
												$new_file.= $matches[1]."/32\n";
											}
											# Network range 192.168.0.0-192.168.0.254
											if (preg_match("/(\d+\.\d+\.\d+\.\d+)-(\d+\.\d+\.\d+\.\d+)/",$line,$matches)){
												$cidr= pfblocker_Range2CIDR($matches[1],$matches[2]);
												if ($cidr != ""){
													${$alias}.= $cidr."\n";
													$new_file.= $cidr."\n";
												}
											}
										}
```</enter>

Michael Sh.

@tommyboy180:

Interesting. I'm having difficulty replicating. Can you post a sample of the list you're using.

I use my own list to ban some IP work within their own network. It generates by script from the SQL database and given over HTTP.

@marcelloc:

The code looks for a space/or <enter>after the ip address, can you check if the list you want to apply has it?
# Single ip addresses 
if (preg_match("/(\d+\.\d+\.\d+\.\d+)\s+/",$line,$matches)){
.....

```</enter>

That's the reason for such behavior. \s+ requires a complete IP-address by space character. My list was originally a form:
192.168.0.1\n
192.168.0.3\n
…
when using
192.168.0.1/32\n
192.168.0.3/32\n
everything works as expected.

PS: I was wrong a little bit. Lost is not the first line but last line.
That is, /(\d+.\d+.\d+.\d+)\s+/ does not work on the "192.168.1.1\n<eof>"</eof>

marcelloc

Michael Sh,

Try to remove the \s+ from that preg_match at /usr/local/pkg/pfblocker.inc file and see if works.

att,
Marcello Coutinho

johnodon

Hi Guys.

Loving your product so far and wanted to thank you for all of your hard work. I am especially liking custom lists for blocking malware, compromised and botnet sites.

Not sure if this had been requested before but I will ask anyway. :)

I will use IE9 as an example…

For the custom lists I am blocking both inbound and outbound. Naturally when I try to visit a site in one of the lists, I receive the generic "Internet Explorer cannot display the webpage " page. Is it possible have this redirected to a local webpage that provides more information? i.e. "The site you are trying to access has been blocked by your local administrator...blah blah blah."

Even better if we could make it customizable so my wife knows to come and find me! :)

This would help to determine root cause for not reaching a site...blocked or just down.

Thoughts?

Thanks!

John

kilthro

That would be an awesome addition. I find myself in the same situation many times when the wife calls me and says _____ is not working. I have to VPN into the network and then check the logs of the firewall ect to see if it is indeed getting blocked or there are other network issues. I really hope that would be a possibility.

Thanks for the suggestion.

marcelloc

@johnodon:

Is it possible have this redirected to a local webpage that provides more information? i.e. "The site you are trying to access has been blocked by your local administrator…blah blah blah."

You can get this using a proxy server like squidguard or dansguardian.

Pfblocker use firewall rules only.

You can try this by using created alias on a nat rule that forward to a web server.
On this web server, you can change 404 error page to your custom page.

It's not impossible to do but not that easy too. :)

att,
Marcello Coutinho

Michael Sh.

@marcelloc:

Michael Sh,

Try to remove the \s+ from that preg_match at /usr/local/pkg/pfblocker.inc file and see if works.

att,
Marcello Coutinho

It works, but there will be problems with the ranges. They are already there. The second part of the range is seen as IP. I would have made more strict:


                                                      foreach ($url_list as $line){
                                                              # CIDR format 192.168.0.0/16
                                                              if (preg_match("/^\s*(\d+\.\d+\.\d+\.\d+\/\d+)\s*$/",$line,$matches)){
                                                                      ${$alias}.= $matches[1]."\n";
                                                                      $new_file.= $matches[1]."\n";
                                                              }
                                                              # Single ip addresses
                                                              if (preg_match("/^\s*(\d+\.\d+\.\d+\.\d+)\s*$/",$line,$matches)){
                                                                      ${$alias}.= $matches[1]."/32\n";
                                                                      $new_file.= $matches[1]."/32\n";
                                                              }
                                                              # Network range 192.168.0.0-192.168.0.254
                                                              if (preg_match("/^\s*(\d+\.\d+\.\d+\.\d+)-(\d+\.\d+\.\d+\.\d+)\s*$/",$line,$matches)){
                                                                      $cidr= pfblocker_Range2CIDR($matches[1],$matches[2]);
                                                                      if ($cidr != ""){
                                                                              ${$alias}.= $cidr."\n";
                                                                              $new_file.= $cidr."\n";
                                                                      }
                                                              }
                                                      }

While the testing found that the "/usr/local/bin/php -q /usr/local/www/pfblocker.php cron" does not work from 00:00 to 00:59.
I do not understand why it is done.

pfblocker.php


        $hour=date('H');
.....
                                if ($row['url'] != "" && $hour > 0){
.....

marcelloc

@Michael:

It works, but there will be problems with the ranges. They are already there. The second part of the range is seen as IP. I would have made more strict:

without the \s+, you need to move this if after network-range if

Michael Sh.

@marcelloc:

@Michael:

It works, but there will be problems with the ranges. They are already there. The second part of the range is seen as IP. I would have made more strict:

without the \s+, you need to move this if after network-range if

I think with the \s+, this if must be placed after network-range if too ;)

marcelloc

@Michael:

I think with the \s+, this if must be placed after network-range if too ;)

with \s+ it will be a different match from network range but it might be easier to read the code this way.

Michael Sh.

@marcelloc:

@Michael:

I think with the \s+, this if must be placed after network-range if too ;)

with \s+ it will be a different match from network range but it might be easier to read the code this way.

So I say, if we use a "foreach" without interruption, we must use a more stringent re.
Without this, the 192.168.0.0-192.168.0.15 work twice in any case. One time as IP, the second time as a range.

johnodon

I'm having an issue (or rather my wife is)…

I have the following config/rules applied:

Enable Logging: Yes
Inbound Interface: WAN, Block
Outbound Interface: LAN, Reject

All custom lists - Disabled
Top Spammers - All Selected - Deny Inbound
Africa - All Selected - Deny Inbound
Asia - All Selected - Deny Inbound
Europe - Russian Federation - Deny Inbound
North America - Mexico, Dominican Republic - Deny Inbound

My wife works from home 5 days a week and connects to her corporate network via VPN. She is able to establish a VPN connection without issue, however, she is unable to connect to their Exchnage server via Outlook. I checked the firewall logs and do not see any traffic being blocked other than the few IPs from China that are constantly scanning me. If I disable pfBlocker, she is able to connect to Exchange without issue.

Where should I begin to look? I was hoping that the FW logs would at least provide the IP that is being rejected but there isn't anything.

TIA!

John

marcelloc

The easiest way to workaround this is to create a custom list with action allow outbound(or both) and put companies ips there.

This way, these ips will be allowed before any coutry rule.

johnodon

@marcelloc:

The easiest way to workaround this is to create a custom list with action allow outbound(or both) and put companies ips there.

This way, these ips will be allowed before any coutry rule.

How do I know what range/ip is being blocked if nothing is being written to the FW logs?

John

marcelloc

You can use nslookup and/or tcpdump.

nslookup owa.company.com

tcpdump -ni your_pfsense_lan_interface host your_internal_pc_ip

johnodon

@marcelloc:

The easiest way to workaround this is to create a custom list with action allow outbound(or both) and put companies ips there.

This way, these ips will be allowed before any coutry rule.

Unless I am missing it, there is not an option to "Permit Both". Should I create two lists: "Permit Inbound" and "Permit Outbound"?

Thx,

John

kilthro

You could make a list with alias only and then just add the firewall rule on both wan and lan to permit it. That way you only have one list but reference it in both locations for both ways.

johnodon

@kilthro:

You could make a list with alias only and then just add the firewall rule on both wan and lan to permit it. That way you only have one list but reference it in both locations for both ways.

Good idea! :)

Thanks!