Netgate Discussion Forum

Can I block all of China and Russia?

General pfSense Questions
ESola

Can I block all of China and Russia? Any way to keep a running tab on naughty IPs with IPv4 and CIDR, or is it possible with IPv6? It just seems as if most attacks come from outside America, so why even keep them? Thanks

oppland

Install the pfBlocker package. Then you can choose countries and/or use various lists.

        SG-2440

BBcan177 (Moderator)

          @oppland:

Install the pfBlocker package. Then you can choose countries and/or use various lists.

          The Country Blocking in pfBlocker has been out of date for 2 years. It won't be accurate to use.

          "Experience is something you don't get until just after you need it."

          Website: http://pfBlockerNG.com
          Twitter: @BBcan177  #pfBlockerNG
          Reddit: https://www.reddit.com/r/pfBlockerNG/new/

Cmellons

            @BBcan177:

            @oppland:

Install the pfBlocker package. Then you can choose countries and/or use various lists.

            The Country Blocking in pfBlocker has been out of date for 2 years. It won't be accurate to use.

            Not only that but I recently did an experiment on it for China websites and it turns out that they are using US relays on some sites so it doesn't matter in some cases whether they are blocked or not. For instance the Gigabyte motherboards website was not relayed before so it would block if I chose to block China. It's really tricky to block things now but it's still possible. You could make your own list from Iblocklist as well. But even if you do they don't update very often now. I would just set up Snort with a good suppression list and it will catch almost everything.

Also with pfBlocker, I would set it up normally by selecting WAN for incoming and LAN for outgoing just to have that activated, but for actual blocks I prefer using an alias so that it can be put in the floating rules section. This way my regular LAN and WAN rules stay untouched and clean. So for my blocks I only use the floating rules. It's up to you though. It just makes it more readable and organized for me. Also, if you're interested in blacklists you could check out Squid blacklists, but I do believe that it's not free, and to me it's kind of a waste of money because unless you're running a public-facing server I just wouldn't worry about it. Or, if I was running an internet cafe, then I could really see a use for it to prevent people from going to certain countries. This may seem a bit stringent, but when a government actually supports hacking other countries it would just be wise to keep them out of your network.

breakaway

Cmellons, can you perhaps provide some instruction on how to set up Snort with a good blocklist? I had a play with the package, but there are so many options it's somewhat daunting, and I'm worried I'll block legitimate traffic by being overzealous.

priller

I block China and Russia with pfBlocker and the free block lists from https://www.countryipblocks.net/country_selection.php

                It's a manual process, but it works.

Cmellons

For things pertaining to Snort, check out some of Bmeeks' posts. He is really helpful at setting up Snort. Just go to the packages section of this forum and look it up.

                  I'll give you the basic idea of what I do.

It's not the greatest practice either, but I suppress what I need to. For instance, I let Snort run and then I go to a popular site such as Amazon. If it's blocking things from there, I just suppress the actual rule because more than likely the same rule will trigger at other sites. For block lists I would rather use an alias, either with pfBlocker's custom lists or pfSense's built-in alias feature. I like pfBlocker because you can create a list and just copy/paste an entire list, or just add to it as you need to with no hassle.

BBcan177 (Moderator)

There are numerous posts from Bill Meeks (Snort/Suricata package maintainer) and others which will help set up Snort.

                    https://forum.pfsense.org/index.php?topic=61018.0

                    https://forum.pfsense.org/index.php?topic=64674.0

                    (and this one for Suricata)
                    https://forum.pfsense.org/index.php?topic=78062.0

                    You can start Snort in "non-blocking" mode and weed out the False Positives. Then turn Blocking Mode on after that process.

Snort/Suricata is not something you turn on and walk away from. Also, before you suppress, you need to determine what the alert means. If the rule is something that you never want to see, it's best to "Disable" the rule. If you want to still have the rule active but suppress it for a certain website, for example, that is when you should use a "Suppression". This makes the performance better, as rules are disabled instead of having the alert and suppressing the output.

MaxMind has a free GeoIP database for countries that is updated each month and is 98% accurate. It needs to be formatted so it can be incorporated into pfBlocker, though.

                    "Experience is something you don't get until just after you need it."

                    Website: http://pfBlockerNG.com
                    Twitter: @BBcan177  #pfBlockerNG
                    Reddit: https://www.reddit.com/r/pfBlockerNG/new/
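BBcan177 points out above that the MaxMind country database has to be reformatted before pfBlocker (or a plain pfSense alias) can consume it. The script below is an added example written for this thread; it is not code from pfBlockerNG, MaxMind or any poster. It assumes the old GeoIP country CSV column layout (start IP, end IP, start integer, end integer, ISO code, country name) and uses constructed sample rows, not real MaxMind data. It selects the rows for the chosen country codes, turns each start/end range into aligned CIDR blocks, merges adjacent blocks so the alias stays small, and offers a helper to check whether a given address would fall inside the generated list, which is useful for verifying a block list before enabling it on WAN.

```python
"""Convert a legacy-style GeoIP country CSV into CIDR lines for a pfBlocker
custom list or a pfSense alias.

Example code added for this thread, not part of pfBlockerNG or MaxMind.
Assumed CSV layout (old GeoIPCountryWhois.csv style):
    "start_ip","end_ip","start_int","end_int","ISO","Country name"
"""
import csv
import io
import ipaddress

# Constructed sample rows for demonstration only; not real MaxMind data.
SAMPLE_CSV = '''"1.0.1.0","1.0.3.255","16777472","16778239","CN","China"
"1.0.4.0","1.0.7.255","16778240","16779263","AU","Australia"
"1.0.8.0","1.0.15.255","16779264","16781311","CN","China"
"5.8.0.0","5.8.63.255","84410368","84426751","RU","Russia"
"5.8.64.0","5.8.79.255","84426752","84430847","GB","United Kingdom"
'''


def ranges_for_countries(csv_text, iso_codes):
    """Yield (start, end) address pairs for rows whose ISO code was requested."""
    wanted = {code.upper() for code in iso_codes}
    for row in csv.reader(io.StringIO(csv_text)):
        if len(row) < 5:
            continue  # skip blank or malformed lines instead of aborting the import
        start, end, code = row[0], row[1], row[4].upper()
        if code in wanted:
            yield ipaddress.ip_address(start), ipaddress.ip_address(end)


def ranges_to_cidrs(ranges):
    """Collapse start/end pairs into a sorted, minimal list of CIDR networks."""
    nets = []
    for start, end in ranges:
        # An arbitrary start..end range rarely lines up with one CIDR block;
        # summarize_address_range splits it into the aligned blocks that cover it.
        nets.extend(ipaddress.summarize_address_range(start, end))
    # Merge adjacent or overlapping blocks so the alias holds as few entries as possible.
    return sorted(ipaddress.collapse_addresses(nets))


def build_alias_text(csv_text, iso_codes):
    """Return one CIDR per line, the plain-text form a pfBlocker custom list accepts."""
    cidrs = ranges_to_cidrs(ranges_for_countries(csv_text, iso_codes))
    return "\n".join(str(net) for net in cidrs)


def is_covered(ip, cidrs):
    """Report whether a single address falls inside any block of the generated list."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(cidr) for cidr in cidrs)


if __name__ == "__main__":
    # Blocks for the two countries asked about in the thread, from the sample rows.
    print(build_alias_text(SAMPLE_CSV, ["CN", "RU"]))
```

The output can be pasted straight into a pfBlocker custom list or an alias of type Network(s). Checking a few known-good addresses with `is_covered` before turning the rule on is the same "verify, then block" discipline BBcan177 recommends for Snort.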

                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.