PfBlocker
-
Here are Spamhaus criminal network block lists.
Thank's LinuxTracker. These lists are really usefull. :)
-
I have that happen occasionally.
Legend. Thank you. Fixed the dupe issue for me, and allowed a rule (that I'd setup to bypass the pfBlocker rule) to stay before the pfBlocker rule.
-
I made a list so I can block spam from Tor Exit nodes.
http://dl.dropbox.com/u/71477228/torexitnodes.txtIt pulls the IPs from here -> http://exitlist.torproject.org/ and updates every hour.
There are a lot of Tor Node lists, even a number of Tor Exit Node lists.
EmergingThreats, TorProject and dan.me.uk all maintain themFor whatever reason, I couldn't find a list of just Exit Nodes in the right format for pfBlocker.
I found about everything else though.As example, torexit.dan.me.uk is a DNSBL w/ a return value of 127.0.0.100
re: https://www.dan.me.uk/dnsblAnd this guy offers a Bash Script that will pull from dan.me.uk and upload right to IPTables.
https://github.com/jseidl/torblock/blob/master/torblock.shBut I couldn't find exactly what I wanted so I made it and there you are.
-
I have some rules that are being autocreated twice. Any timeline available?
I found out how to make this happen - On the GUI take a rule in the middle of your WAN rules, move it to the very end of the list. When you apply, the rule ends up by itself at the very end of the list of rules in the filter section of config.xml - there are WAN rules, then LAN rules then this 1 WAN rule. If you have lots of interfaces and move your rules order around from time to time, the rules for each interface end up in interspersed chunks in config.xml. Everything is fine for correct rule processing for pf, the rules for each interface are in the correct order in the filter section, it is just that rules for WAN, LAN, OPT1 OpenVPN etc get interspersed.
The pfBlocker code would apply pfBlocker rules every time it came to a "chunk" of rules for another interface. If there were 2 "chunks" of WAN rules in the filter section, then pfBlocker rules would be added before both "chunks".
I have fixed the logic so pfBlocker only adds the rules the very first time it comes across an interface.
@marcelloc - have a look at pull request https://github.com/bsdperimeter/pfsense-packages/pull/323 - it should fix this issue for good. -
@marcelloc - have a look at pull request https://github.com/bsdperimeter/pfsense-packages/pull/323 - it should fix this issue for good.
Thank's phil.davis, pull request merged. :)
-
@marcelloc - have a look at pull request https://github.com/bsdperimeter/pfsense-packages/pull/323 - it should fix this issue for good.
Thank's phil.davis, pull request merged. :)
I just finish an update to 2.1-BETA0 (i386) built on Mon Oct 1 14:51:39 EDT 2012. After all my packages were re-installed; I noticed there were no rules created by pfBlocker.. Uninstalled, rebooted then installed the package again.. It still wouldn't create the rules..
I reverted the change to https://github.com/bsdperimeter/pfsense-packages/blob/77d63137cfaafe5786ca958833558dcf0837a145/config/pf-blocker/pfblocker.inc and the rules were auto created in the interfaces.. Could this be an issue just with 2.1 and pfBlocker?
-
@Cino - you quoted some text from marcelloc and phil.davis (me), but your link to a commit of pfblocker.inc is a commit from a few months ago. I stared at the latest commit again at https://github.com/bsdperimeter/pfsense-packages/commit/90acaa6951653a8c40a4a14f9f0629e74ba47b81 but can't see what would go wrong.
Exactly which change did you revert to make it go? -
Sorry, I looked harder, there was an "=" where there should have been "==" in a test in /usr/local/www/pfblocker.inc:
- if ($processed_interface = $rule['interface']){ + if ($processed_interface == $rule['interface']){
Add the extra "=" and it works! Pull request https://github.com/bsdperimeter/pfsense-packages/pull/325/files
-
Fix merged. :)
-
that did the trick! Thanks for the quick fix Phil!!
-
Big difference between == and =
Nice catch.
-
Hi,
My background is cisco networking. i am trying to find a way to script the enabling / disabling of pfBlocker. This is for shutdown / startup purposes. i have a cron job to shut the server down in the morning and start it up again at night (i work during the day and summer days are very hot where i live).
Unfortunately it does not seem obvious to me, how to enable/disable pfBlocker by script. I have got as far as reading the /usr/local/pkg/pfblocker.xml + .inc files - but i am not knowledge with php. Could someone please advise how i can got about scripting the enabling/disabling of pfBlocker?
Thanks in advance
dirkPS: This is my first post and i hope i am posting in the right area. Please redirect me if i have posted in the wrong place.
-
follow these steps:
rename current pfblocker applied rules description
change pfblocker action to alias only
create a schedule
apply it to pfblocker rules you renamed descriptions -
Thanks Marcelloc,
I should have given more detail. For whatever reasons, snort does not start up, if i reboot the server with pfblocker enabled. Its an error i have tried to resolve and failed. (i am guessing i have been overenthusiastic subscribing to blacklists and blocking many countries as well.).
In the cron'ed script i would like to disable pfblocker and then halt the server. If the server is booted, i would like to enable pfblocker via one of the RC scripts. Obviously i need a largish sleep count, to make sure snort has started up first.
-
Maybe you could make a shell script with a test loop to see if Snort is running. You can invoke it with cron on startup, Try just keeping it simple with grep, like:
–---------------
#!/bin/bash
while : ## while true
do ## do the followingps auxwww |grep snort |grep -v grep ## grep for snort, and also take that output and remove any grep specific output with the '-v' option, (inverse the match).
if ! [ $? = 0 ]; then ## if the exit status of the ps command is not successful ('0'), then…
continue ## continue checking as long as the exit status ($?) of the 'ps' command is not successful, ('0').
else
break ## as soon as the exit status ($?) is equal to '0', break out of the if test.
fidone ## when we break out of the if test, we are done with the while do loop.
You can insert whatever command you need to run just before the break. You will have '&&' in between your command and the break command, like this:
/usr/sbin/enablepfBlockerscript && break
For the sleep you could insert it before the continue, ie:
sleep 5; continue
I didn't test this on pfSense, just a Linux box, but I think it can provide you with a skeleton to play with.
Good luck. :)
Thanks Marcelloc,
I should have given more detail. For whatever reasons, snort does not start up, if i reboot the server with pfblocker enabled. Its an error i have tried to resolve and failed. (i am guessing i have been overenthusiastic subscribing to blacklists and blocking many countries as well.).
In the cron'ed script i would like to disable pfblocker and then halt the server. If the server is booted, i would like to enable pfblocker via one of the RC scripts. Obviously i need a largish sleep count, to make sure snort has started up first.
-
Note: I am trialing this list. I'll report back after I run it for a while (not all lists work out).
I may tweak it in the future to exclude IPs that have a low submission rate.
end-Note.This one is a list of malicious IPs from urlquery.net.
It re-compiles from scratch every hour.It's lightweight - ~550 IPs today.
The below link will work in pfBlocker or Aliases
http://dl.dropbox.com/u/71477228/urlquery.txtI primarily deploy it using a blocking/rejecting LAN rule.
Anecdotally, I'd rate it 30%-70% effective against the 0day malware I'm targeting (see below) - but it'll block other bad stuff too.Original Source:
http://urlquery.net/stats.php#tab-IPBackground:
This is in response to malicious spams that contain links back to blackhole servers.
The spams typically pose as legit mail from American Express, BBB, DHL, UPS, USPS and others.As spams are discovered, NetSec admins run the suspicious urls through URL Query - who keep logs of dodgy IPs.
More:
I started out looking for a way to block incoming SMTP traffic from 0Access peer servers/zombots.
I had a decent sized sample group of infected IPs but over ½ of them were never flagged by anyone for anything - very not good.I eventually figured out that UrlQuery's database should help me prevent initial infections. That's something.
-
re: UrlQuery based blocklist.
Well the urlquery list seems to have gone off the rails, but I haven't abandoned it yet.
Here's what's up.
-
The source site dumped it's data sometime today and is reporting 0 malicious IPs. I'm hopeful this is a temporary glitch.
As a workaround, I'm auto-pulling IPs from the prior day's Google's cache so the list won't go to zero. -
I also found that some valid IPs had climbed onto this list (ie: url shorteners) and wrote a filter to exempt them.
Other list related info:
I have some nebulous plans to post any/all lists to a central blog that I'd keep updated.Also - I'm investigating some free alternatives to dropbox - it's been good but not bulletproof. Suggestions are welcome.
Update: As of this evening, urlquery is back up.
-
-
Thanks for the double rules fix! :)
-
re: UrlQuery based blocklist.
Well the urlquery list seems to have gone off the rails, but I haven't abandoned it yet.
The UrlQuery stats page is no longer updating it's data reliably. I am pulling the list.
and
I've come to the conclusion that these list-posts of mine are cluttering up the thread.
I'd prefer to go back and update the original post but the allotted time-window to do that isn't long enough.I'll have a better way of announcing block lists in the near future.
-
First I wanted to say thanks for a great utility. This has been quite helpful in many ways.
I was hoping that if someone could shed a little bit of light of if there is a possibility of importing / utilizing a list from the given site. Or if there is a way of cleaning it up to be utilized in PFBlocker?http://hosts-file.net/?s=Download
Thanks again…