Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    PfBlocker

    Scheduled Pinned Locked Moved pfSense Packages
    896 Posts 143 Posters 1.4m Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • L
      LinuxTracker
      last edited by

      @AudiAddict:

      Some feature requests, which I hope you can add to make it even better:

      1) Traffic being blocked by pfblocker logged in a different tab (instead of the firewall log?) Easy to debug if something is being blocked by my own rules or the pfblocker app.
      I do know that you can see that if something is blocked by pfblocker you can see that by looking at the details, but when you have allot of blocked records it's hard to filter

      2) Users are complaining specific sites are being blocked. Is there a whitelisting feature available to ignore certain websites? Or do I have to enter them in a alias in my firewall manually?

      5) Ignore tab –> where I can enter my own ip for outbound and my servers for inbound? Just to make 100 % sure these do not get blocked?

      #1 - I'd sort of like that.  Prob is I have 10+ block lists in addition to pfBlocker's country lists.  I'd want them all logged individually and that doesn't seem practical.
      Maybe a filtered syslog server could be a solution.

      For now, looking at ports/IPs in the firewall log can clue me in on what list is blocking.

      If I suspect a site is blocked and I need to figure out which list is responsible; I'll run something like```
      grep -r -o -Dskip 111.222.3.4 /

      
      #2 I have a Whitelist alias that I keep at the top of the rules list.  I figure adding an IP to the alias is as simple as any option pfBlocker could provide.
      **Edit: You could also create a new Custom List in pfBlocker and set it to the top of your rules list.**
      
      #5 - See #2 (providing I understand correctly).
      1 Reply Last reply Reply Quote 0
      • L
        LinuxTracker
        last edited by

        @caustic386:

        I have some rules that are being autocreated twice.  Any timeline available?

        I have that happen occasionally. 
        I'll delete the dupes and finish my usual setup and it doesn't bother me again after that.

        Just for the record, my usual setup:

        • Under Rules: Edit - I make sure the "Auto Rule" text is chopped off the end of the Description - of the rules I want to keep.

        • I delete the duplicate rules (and reorder the remaining ones if necessary).  Apply rule changes.

        • Under pfBlocker -> Lists - I make sure Action is set to Alias_only for every list and repeat for Continent tabs.

          Unless Action is set to Alias_only, pfBlocker will:

          • Create a new rule if the old one is modified

          • Restore the original order of it's rules

        1 Reply Last reply Reply Quote 0
        • L
          LinuxTracker
          last edited by

          For anyone who's read the I-Blocklist doesn't protect Bittorrent users from being monitored article;
          http://torrentfreak.com/anti-pirates-caught-spying-on-thousands-of-torrents-120829/
          I put together a block list that comprises all 6 monitoring subnets, mentioned in the original study.

          http://dl.dropbox.com/u/71477228/P2PCIDRList.txt

          Original P2P monitoring Study:
          http://www.cs.bham.ac.uk/~tpc/Papers/P2PSecComm2012.pdf
          If you P2P, I strongly recommend you read it.

          A more accurate summary of the study is that I-Blocklist missed about a third of the monitoring IPs and also had a lot of false positives.
          They study authors mentioned 6 subnets that harbored P2P monitors and that's what's in this list.

          Disclaimer: My list is serious overkill.  99.9% of the IP addresses in it don't monitor anything.
          The list is what it is because the study authors didn't mention specific IPs, just AS#'s (page #14). 
          So the list is all the IPs that fall under those AS#'s.

          1 Reply Last reply Reply Quote 0
          • L
            LinuxTracker
            last edited by

            @LinuxTracker:

            @caustic386:

            I have some rules that are being autocreated twice.  Any timeline available?

            I have that happen occasionally. 
            I'll delete the dupes and finish my usual setup and it doesn't bother me again after that.

            On 2nd thought, maybe I shouldn't dismiss caustic386's point so quickly.

            I added a list yesterday and had 5 duplicate rules (6 total) show up in WAN.

            My theory is that it's tied to the length of time it takes my firewall rules to reload.
            Could there be a loop that repeats until the firewall rules finish loading?

            (I have a lot of lists in my pfSense rig.  I suspect if I add more lists, I'll have a greater # of dupes created.)

            All my pfBlocker lists are configured as Alias - so not a big deal for me.
            But this could be a real issue for someone who set their pfBlocker list config as Deny or Allow.  Dupe rules could be created at every list reload.

            1 Reply Last reply Reply Quote 0
            • L
              LinuxTracker
              last edited by

              Here are Spamhaus criminal network block lists.
              Drop: http://www.spamhaus.org/drop/drop.txt
              EDrop: http://www.spamhaus.org/drop/edrop.txt

              DROP (Don't Route Or Peer) and EDROP are advisory "drop all traffic" lists, consisting of stolen 'hijacked' netblocks and netblocks controlled entirely by criminals and professional spammers.

              The DROP list will not include any IP address space under the control of any legitimate network - even if being used by "the spammers from hell".
              DROP will only include netblocks allocated directly by an established Regional Internet Registry (RIR) or National Internet Registry (NIR) such as ARIN, RIPE, AFRINIC, APNIC, LACNIC or KRNIC
              or direct RIR allocations illicitly taken from the original allocatee, that is, the troubling run of "hijacked" IP address blocks that have been snatched away from their original owners (which in most cases are long dead corporations) and are now controlled by netblock thieves or sold to criminal spammers.

              EDROP is an extension of the DROP list that includes suballocated netblocks controlled by cyber criminals.
              EDROP is meant to be used in addition to the direct allocations on the DROP list.

              From http://www.spamhaus.org/drop/

              1 Reply Last reply Reply Quote 0
              • marcellocM
                marcelloc
                last edited by

                @LinuxTracker:

                Here are Spamhaus criminal network block lists.

                Thank's LinuxTracker. These lists are really usefull.  :)

                Treinamentos de Elite: http://sys-squad.com

                Help a community developer! ;D

                1 Reply Last reply Reply Quote 0
                • R
                  Rezin
                  last edited by

                  @LinuxTracker:

                  I have that happen occasionally.

                  Legend. Thank you. Fixed the dupe issue for me, and allowed a rule (that I'd setup to bypass the pfBlocker rule) to stay before the pfBlocker rule.

                  1 Reply Last reply Reply Quote 0
                  • L
                    LinuxTracker
                    last edited by

                    I made a list so I can block spam from Tor Exit nodes. 
                    http://dl.dropbox.com/u/71477228/torexitnodes.txt

                    It pulls the IPs from here -> http://exitlist.torproject.org/ and updates every hour.

                    There are a lot of Tor Node lists, even a number of Tor Exit Node lists.
                    EmergingThreats, TorProject and dan.me.uk all maintain them

                    For whatever reason,  I couldn't find a list of just Exit Nodes in the right format for pfBlocker.
                    I found about everything else though.

                    As example, torexit.dan.me.uk is a DNSBL w/ a return value of 127.0.0.100
                    re: https://www.dan.me.uk/dnsbl

                    And this guy offers a Bash Script that will pull from dan.me.uk and upload right to IPTables.
                    https://github.com/jseidl/torblock/blob/master/torblock.sh

                    But I couldn't find exactly what I wanted so I made it and there you are.

                    1 Reply Last reply Reply Quote 0
                    • P
                      phil.davis
                      last edited by

                      @caustic386:

                      I have some rules that are being autocreated twice.  Any timeline available?

                      I found out how to make this happen - On the GUI take a rule in the middle of your WAN rules, move it to the very end of the list. When you apply, the rule ends up by itself at the very end of the list of rules in the filter section of config.xml - there are WAN rules, then LAN rules then this 1 WAN rule. If you have lots of interfaces and move your rules order around from time to time, the rules for each interface end up in interspersed chunks in config.xml. Everything is fine for correct rule processing for pf, the rules for each interface are in the correct order in the filter section, it is just that rules for WAN, LAN, OPT1 OpenVPN etc get interspersed.
                      The pfBlocker code would apply pfBlocker rules every time it came to a "chunk" of rules for another interface. If there were 2 "chunks" of WAN rules in the filter section, then pfBlocker rules would be added before both "chunks".
                      I have fixed the logic so pfBlocker only adds the rules the very first time it comes across an interface.
                      @marcelloc - have a look at pull request https://github.com/bsdperimeter/pfsense-packages/pull/323 - it should fix this issue for good.

                      As the Greek philosopher Isosceles used to say, "There are 3 sides to every triangle."
                      If I helped you, then help someone else - buy someone a gift from the INF catalog http://secure.inf.org/gifts/usd/

                      1 Reply Last reply Reply Quote 0
                      • marcellocM
                        marcelloc
                        last edited by

                        @phil.davis:

                        @marcelloc - have a look at pull request https://github.com/bsdperimeter/pfsense-packages/pull/323 - it should fix this issue for good.

                        Thank's phil.davis, pull request merged.  :)

                        Treinamentos de Elite: http://sys-squad.com

                        Help a community developer! ;D

                        1 Reply Last reply Reply Quote 0
                        • C
                          Cino
                          last edited by

                          @marcelloc:

                          @phil.davis:

                          @marcelloc - have a look at pull request https://github.com/bsdperimeter/pfsense-packages/pull/323 - it should fix this issue for good.

                          Thank's phil.davis, pull request merged.  :)

                          I just finish an update to  2.1-BETA0 (i386) built on Mon Oct 1 14:51:39 EDT 2012. After all my packages were re-installed; I noticed there were no rules created by pfBlocker.. Uninstalled, rebooted then installed the package again.. It still wouldn't create the rules..

                          I reverted the change to https://github.com/bsdperimeter/pfsense-packages/blob/77d63137cfaafe5786ca958833558dcf0837a145/config/pf-blocker/pfblocker.inc and the rules were auto created in the interfaces.. Could this be an issue just with 2.1 and pfBlocker?

                          1 Reply Last reply Reply Quote 0
                          • P
                            phil.davis
                            last edited by

                            @Cino - you quoted some text from marcelloc and phil.davis (me), but your link to a commit of pfblocker.inc is a commit from a few months ago. I stared at the latest commit again at https://github.com/bsdperimeter/pfsense-packages/commit/90acaa6951653a8c40a4a14f9f0629e74ba47b81 but can't see what would go wrong.
                            Exactly which change did you revert to make it go?

                            As the Greek philosopher Isosceles used to say, "There are 3 sides to every triangle."
                            If I helped you, then help someone else - buy someone a gift from the INF catalog http://secure.inf.org/gifts/usd/

                            1 Reply Last reply Reply Quote 0
                            • P
                              phil.davis
                              last edited by

                              Sorry, I looked harder, there was an "=" where there should have been "==" in a test in /usr/local/www/pfblocker.inc:

                              -          if ($processed_interface = $rule['interface']){
                              +          if ($processed_interface == $rule['interface']){
                              

                              Add the extra "=" and it works! Pull request https://github.com/bsdperimeter/pfsense-packages/pull/325/files

                              As the Greek philosopher Isosceles used to say, "There are 3 sides to every triangle."
                              If I helped you, then help someone else - buy someone a gift from the INF catalog http://secure.inf.org/gifts/usd/

                              1 Reply Last reply Reply Quote 0
                              • marcellocM
                                marcelloc
                                last edited by

                                Fix merged.  :)

                                Treinamentos de Elite: http://sys-squad.com

                                Help a community developer! ;D

                                1 Reply Last reply Reply Quote 0
                                • C
                                  Cino
                                  last edited by

                                  that did the trick! Thanks for the quick fix Phil!!

                                  1 Reply Last reply Reply Quote 0
                                  • T
                                    tommyboy180
                                    last edited by

                                    Big difference between == and =

                                    Nice catch.

                                    -Tom Schaefer
                                    SuperMicro 1U 2X Intel pro/1000 Dual Core Intel 2.2 Ghz - 2 Gig RAM

                                    Please support pfBlocker | File Browser | Strikeback

                                    1 Reply Last reply Reply Quote 0
                                    • F
                                      fuzzyozzy408
                                      last edited by

                                      Hi,

                                      My background is cisco networking. i am trying to find a way to script the enabling / disabling of pfBlocker. This is for shutdown / startup purposes. i have a cron job to shut the server down in the morning and start it up again at night (i work during the day and summer days are very hot where i live).

                                      Unfortunately it does not seem obvious to me, how to enable/disable pfBlocker by script. I have got as far as reading the /usr/local/pkg/pfblocker.xml + .inc files - but i am not knowledge with php. Could someone please advise how i can got about scripting the enabling/disabling of pfBlocker?

                                      Thanks in advance
                                      dirk

                                      PS: This is my first post and i hope i am posting in the right area. Please redirect me if i have posted in the wrong place.

                                      1 Reply Last reply Reply Quote 0
                                      • marcellocM
                                        marcelloc
                                        last edited by

                                        follow these steps:
                                        rename current pfblocker applied rules description
                                        change pfblocker action to alias only
                                        create a schedule
                                        apply it to pfblocker rules you renamed descriptions

                                        Treinamentos de Elite: http://sys-squad.com

                                        Help a community developer! ;D

                                        1 Reply Last reply Reply Quote 0
                                        • F
                                          fuzzyozzy408
                                          last edited by

                                          Thanks Marcelloc,

                                          I should have given more detail. For whatever reasons, snort does not start up, if i reboot the server with pfblocker enabled. Its an error i have tried to resolve and failed. (i am guessing i have been overenthusiastic subscribing to blacklists and blocking many countries as well.).

                                          In the cron'ed script i would like to disable pfblocker and then halt the server. If the server is booted, i would like to enable pfblocker via one of the RC scripts. Obviously i need a largish sleep count, to make sure snort has started up first.

                                          1 Reply Last reply Reply Quote 0
                                          • W
                                            wm408
                                            last edited by

                                            Maybe you could make a shell script with a test loop to see if Snort is running.  You can invoke it with cron on startup,  Try just keeping it simple with grep, like:

                                            –---------------

                                            #!/bin/bash

                                            while :           ## while true
                                            do                 ## do the following

                                            ps auxwww |grep snort |grep -v grep   ## grep for snort, and also take that output and remove any grep specific output with the '-v' option, (inverse the match).
                                              if ! [ $? = 0 ]; then                           ## if the exit status of the ps command is not successful ('0'), then…
                                                continue   ## continue checking as long as the exit status ($?) of the 'ps' command is not successful, ('0').
                                              else
                                                break       ## as soon as the exit status ($?) is equal to '0', break out of the if test.
                                              fi

                                            done             ## when we break out of the if test, we are done with the while do loop.


                                            You can insert whatever command you need to run just before the break.  You will have '&&' in between your command and the break command, like this:

                                            /usr/sbin/enablepfBlockerscript && break

                                            For the sleep you could insert it before the continue, ie:

                                            sleep 5; continue

                                            I didn't test this on pfSense, just a Linux box, but I think it can provide you with a skeleton to play with.

                                            Good luck.   :)

                                            @fuzzyozzy408:

                                            Thanks Marcelloc,

                                            I should have given more detail. For whatever reasons, snort does not start up, if i reboot the server with pfblocker enabled. Its an error i have tried to resolve and failed. (i am guessing i have been overenthusiastic subscribing to blacklists and blocking many countries as well.).

                                            In the cron'ed script i would like to disable pfblocker and then halt the server. If the server is booted, i would like to enable pfblocker via one of the RC scripts. Obviously i need a largish sleep count, to make sure snort has started up first.

                                            1 Reply Last reply Reply Quote 0
                                            • First post
                                              Last post
                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.