PfBlocker
-
Michael Sh,
Try to remove the \s+ from that preg_match at /usr/local/pkg/pfblocker.inc file and see if works.
att,
Marcello CoutinhoIt works, but there will be problems with the ranges. They are already there. The second part of the range is seen as IP. I would have made more strict:
foreach ($url_list as $line){ # CIDR format 192.168.0.0/16 if (preg_match("/^\s*(\d+\.\d+\.\d+\.\d+\/\d+)\s*$/",$line,$matches)){ ${$alias}.= $matches[1]."\n"; $new_file.= $matches[1]."\n"; } # Single ip addresses if (preg_match("/^\s*(\d+\.\d+\.\d+\.\d+)\s*$/",$line,$matches)){ ${$alias}.= $matches[1]."/32\n"; $new_file.= $matches[1]."/32\n"; } # Network range 192.168.0.0-192.168.0.254 if (preg_match("/^\s*(\d+\.\d+\.\d+\.\d+)-(\d+\.\d+\.\d+\.\d+)\s*$/",$line,$matches)){ $cidr= pfblocker_Range2CIDR($matches[1],$matches[2]); if ($cidr != ""){ ${$alias}.= $cidr."\n"; $new_file.= $cidr."\n"; } } }While the testing found that the "/usr/local/bin/php -q /usr/local/www/pfblocker.php cron" does not work from 00:00 to 00:59.
I do not understand why it is done.pfblocker.php
$hour=date('H'); ..... if ($row['url'] != "" && $hour > 0){ ..... -
It works, but there will be problems with the ranges. They are already there. The second part of the range is seen as IP. I would have made more strict:
without the \s+, you need to move this if after network-range if
-
It works, but there will be problems with the ranges. They are already there. The second part of the range is seen as IP. I would have made more strict:
without the \s+, you need to move this if after network-range if
I think with the \s+, this if must be placed after network-range if too ;)
-
I think with the \s+, this if must be placed after network-range if too ;)
with \s+ it will be a different match from network range but it might be easier to read the code this way.
-
I think with the \s+, this if must be placed after network-range if too ;)
with \s+ it will be a different match from network range but it might be easier to read the code this way.
So I say, if we use a "foreach" without interruption, we must use a more stringent re.
Without this, the 192.168.0.0-192.168.0.15 work twice in any case. One time as IP, the second time as a range. -
I'm having an issue (or rather my wife is)…
I have the following config/rules applied:
Enable Logging: Yes
Inbound Interface: WAN, Block
Outbound Interface: LAN, RejectAll custom lists - Disabled
Top Spammers - All Selected - Deny Inbound
Africa - All Selected - Deny Inbound
Asia - All Selected - Deny Inbound
Europe - Russian Federation - Deny Inbound
North America - Mexico, Dominican Republic - Deny InboundMy wife works from home 5 days a week and connects to her corporate network via VPN. She is able to establish a VPN connection without issue, however, she is unable to connect to their Exchnage server via Outlook. I checked the firewall logs and do not see any traffic being blocked other than the few IPs from China that are constantly scanning me. If I disable pfBlocker, she is able to connect to Exchange without issue.
Where should I begin to look? I was hoping that the FW logs would at least provide the IP that is being rejected but there isn't anything.
TIA!
John
-
The easiest way to workaround this is to create a custom list with action allow outbound(or both) and put companies ips there.
This way, these ips will be allowed before any coutry rule.
-
The easiest way to workaround this is to create a custom list with action allow outbound(or both) and put companies ips there.
This way, these ips will be allowed before any coutry rule.
How do I know what range/ip is being blocked if nothing is being written to the FW logs?
John
-
You can use nslookup and/or tcpdump.
nslookup owa.company.com
tcpdump -ni your_pfsense_lan_interface host your_internal_pc_ip
-
The easiest way to workaround this is to create a custom list with action allow outbound(or both) and put companies ips there.
This way, these ips will be allowed before any coutry rule.
Unless I am missing it, there is not an option to "Permit Both". Should I create two lists: "Permit Inbound" and "Permit Outbound"?
Thx,
John
-
You could make a list with alias only and then just add the firewall rule on both wan and lan to permit it. That way you only have one list but reference it in both locations for both ways.
-
You could make a list with alias only and then just add the firewall rule on both wan and lan to permit it. That way you only have one list but reference it in both locations for both ways.
Good idea! :)
Thanks!
-
To use this way, you may need to change pfblocker action to alias only and then create your rules.
By default, pfblocker stays on top of rules.
-
This only happens if I reboot/shutdown my pfSense, when I perform boot it's there (this is why is important to perform at last a reboot to check if everything comes up fine again).
[filter_load] There were errors(s) loading the rules: /tmp/rules.debug:20
cannot define table pfBlockerAsia
cannot allocate memory/tmp/rules.debug:24
cannot define table pfBlockerNorthAmerica
cannot allocate memory/tmp/rules.debug.28
cannot define table pfBlockerTopSpammers
cat /tmp/rules.debug
#System aliases loopback = "{ lo0 }" WAN1 = "{ pppoe0 }" LAN1 = "{ em0 }" LAN2 = "{ em2 }" VDSL2 = "{ em1 }" #SSH Lockout Table table <sshlockout> persist table <webconfiguratorlockout> persist #Snort tables table <snort2c> table <virusprot> # User Aliases table <pfblockerafrica> persist file "/var/db/aliastables/pfBlockerAfrica.txt" pfBlockerAfrica = "<pfblockerafrica>" table <pfblockerasia> persist file "/var/db/aliastables/pfBlockerAsia.txt" <<< line 20 pfBlockerAsia = "<pfblockerasia>" table <pfblockereurope> persist file "/var/db/aliastables/pfBlockerEurope.txt" pfBlockerEurope = "<pfblockereurope>" table <pfblockernorthamerica> persist file "/var/db/aliastables/pfBlockerNorthAmerica.txt" <<< line 24 pfBlockerNorthAmerica = "<pfblockernorthamerica>" table <pfblockersouthamerica> persist file "/var/db/aliastables/pfBlockerSouthAmerica.txt" pfBlockerSouthAmerica = "<pfblockersouthamerica>" table <pfblockertopspammers> persist file "/var/db/aliastables/pfBlockerTopSpammers.txt" <<< line 28 pfBlockerTopSpammers = "<pfblockertopspammers>"</pfblockertopspammers></pfblockertopspammers></pfblockersouthamerica></pfblockersouthamerica></pfblockernorthamerica></pfblockernorthamerica></pfblockereurope></pfblockereurope></pfblockerasia></pfblockerasia></pfblockerafrica></pfblockerafrica></virusprot></snort2c></webconfiguratorlockout></sshlockout>Cannot allocate memorypfctl
syntax error in config file: pf rules not loaded The line in question reads [20]: table <pfblockerasia>persist file /var/db/aliastables/pfBlockerAsia.txt
I didn't changed any of those files, I'm only blocking that area from the files it came with pfBlocker.
Any solution?
/var/db/aliastables(15): ls -la
total 1384
drwxr-xr-x 2 root wheel 512 May 6 01:42 .
drwxr-xr-x 12 root wheel 1024 May 13 12:38 ..
-rw-r–r-- 1 root wheel 41499 May 13 14:12 pfBlockerAfrica.txt
-rw-r--r-- 1 root wheel 196104 May 13 14:12 pfBlockerAsia.txt
-rw-r--r-- 1 root wheel 71153 May 13 14:12 pfBlockerEurope.txt
-rw-r--r-- 1 root wheel 772252 May 13 14:12 pfBlockerNorthAmerica.txt
-rw-r--r-- 1 root wheel 36792 May 13 14:12 pfBlockerSouthAmerica.txt
-rw-r--r-- 1 root wheel 242707 May 13 14:12 pfBlockerTopSpammers.txt</pfblockerasia> -
Did you go to system > Advanced > Firewall/Nat tab and increase the Firewall Maximum Table Entries?
I have had to increase mine quite a bit to run all my tables. I currently have mine set to 999999999 and no longer get any memory allocation errors.
-
Did you go to system > Advanced > Firewall/Nat tab and increase the Firewall Maximum Table Entries?
I have had to increase mine quite a bit to run all my tables. I currently have mine set to 999999999 and no longer get any memory allocation errors.
Nope.
Will do. Hope is only this.
Thanks!
-
I've been really busy (figuring out Postfix).
I don't have time to update my previously posted spam lists.(Note: http://forum.pfsense.org/index.php/topic,42543.msg258273.html#msg258273)
For now I have a routine that extracts all new Spam IPs into one list - updated 2x/hour.
http://dl.dropbox.com/u/71477228/freshspam1.txtI'm also now harvesting spam IPs from a 2nd email server I manage.
http://dl.dropbox.com/u/71477228/freshspam2.txtAs I update these routines, the next rewrites will:
- filter out any IPs of major WebMail providers (GMail, AOL, Yahoo, Hotmail, etc)
For now, I whitelist US Yahoo email servers and Hotmail/Live/Microsoft Hosting.
http://dl.dropbox.com/u/71477228/YahooIPsUS.txt
http://dl.dropbox.com/u/71477228/hotmail.comIPs.txt- Sort spam IPs into my existing US and non-US spam lists
- Include relevant comment for each IP
- Drop off addresses that haven't had a spam hit in x#of days.
Edit: Here's a list of AOL outbound Email Servers
http://dl.dropbox.com/u/71477228/AOL_MailIPs.txtIt's compiled from the information on this page.
http://postmaster.info.aol.com/info/servers.html -
These spam lists have been effective w/o giving me false positives.
This is a list of fresh US Spam IPs from a major source, updated hourly.
http://dl.dropbox.com/u/71477228/usspamips.txtThis list contains fresh Spam IPs from US and other countries, updated hourly.
I'll eventually get it sorted into US/non-US.
http://dl.dropbox.com/u/71477228/worldspamips.txtPM me if you want more detail about them.
-
Just an FYI.
I looked around a lot for a versatile, online IP converter.
The only one I ever found is by Bluetack and it never showed up in any of my Google search queries.http://www.bluetack.co.uk/converter/
-
Hi there,
Sorry if I'm being a bit thick here and/or this question has already been asked, but can i use this package download blocklists, create Aliases against them, and then use standard pfsense firewall rules to block those ranges talking to/from just ONE port on a particular IP address (ie, allow it for all other ports)?
Thanks!