Is pfBlocker safe to use with 2.2?

KOM

From what I have read, it's old and outdated.  pfBlockerNG is currently being developed and should be available "soon".

marcelloc

I've hang country list update process when bbcan started testing pfblockerng.

The first issue the package had with lists was source list used getting paid but it only affect country lists.

Any lists you find (not ip range lists of course) will work fine.

If you what to try pfblockerng, follow these steps.
https://forum.pfsense.org/index.php?topic=86212.msg481358#msg481358

jsvg

We only used the "Top Spammers" list, anyone know if that is affected by the convert ip range function bug?

BBcan177

The Top Spammers is not affected. But please note that the Country Database in pfBlocker is over 2 Years old and it severely out-of-date.

The only issue is with IBlock Files in Range format. (Some are ok, some aren't)

phil.davis

As far as I can see, the ip_range_to_subnet_array will be fixed by https://github.com/pfsense/pfsense/commit/7094c303b7d46c9f7b24c3f1bd4432187832e85c which fixes gen_subnetv4_max

So all this about pfBlocker problems is really just about 1 line of code in util.inc?

If that is so, why don't we all get the fix into the system and then pfBlocker will run like it used too and it will save all this banter on the forum, and the misunderstanding about what is really broken by the pfBlocker+pfSense-2.2 combination.

BBcan177

@phil.davis:

As far as I can see, the ip_range_to_subnet_array will be fixed by https://github.com/pfsense/pfsense/commit/7094c303b7d46c9f7b24c3f1bd4432187832e85c which fixes gen_subnetv4_max

I'm also hoping that they merge the IP Range to Subnet Function by Stilez…
https://github.com/pfsense/pfsense/pull/974

This will also make IPv6 conversions possible.

wcrowder

Or just finish certification of pfBlockerNG, with https://github.com/pfsense/pfsense-packages/pull/796. Which corrects the problem with the older package and the CIDR function, includes up-to-date country codes and many improvements.

wcrowder

If that is so, why don't we all get the fix into the system and then pfBlocker will run like it used too and it will save all this banter on the forum, and the misunderstanding about what is really broken by the pfBlocker+pfSense-2.2 combination.

pfBlocker has been broken for awhile, even with 2.1.*, NG works.

phil.davis

pfBlocker has been broken for awhile, even with 2.1.*, NG works.

Do you mean

1. broken in the "code fails"/"bugs" sense?
   Or
2. broken in the "various data it (like country block lists) is out of date…" sense and so the package is not so useful any more.

If (1), then it would be good to fix that so that existing users on 2.1.5 do not have trouble. And then presumably it will also "work" on 2.2.1 with the fixing of underlying code (like gen_subnet_max). Then users can still get the old functionality as it has been for some time. That would reduce the forum noise about "what to do".

jsvg

Got it. So, basically wait for NG…. :(

marcelloc

@j@svg:

Got it. So, basically wait for NG…. :(

There is a manual install steps on pfblockerng thread but I'll send pull request to remove pfblocker and enable pfblockerng on 2.2