PfBlockerNG
-
Not in front of a pfsense box now, but you can find various options on where to put the automatically created rules in the pfblockerng package. One of them should allow you to have your defined rules first, and the automatically created ones (pfblockerng's) last. If you chose that option, and the rule is still created in the end, tick the rule and move it to the top manually.
-
Great program works well for us. However would like to suggest 2 items:
-
in the alert tab add a filter so we can easily find an offending rule affecting an IP (something like the filter in Snort).
-
If somebody could provide the suggested block list to use. We have added several from IblockList but I presume there are some that are better than others. Some direction and expertise on which to use would be very helpful
Again a great program and congratulation to the team that put it together.
cjb
-
-
I have set it to the second option as well..
pfSense Pass | PfB Pass | PfB Block/Reject
Now exactly which IP do I need to add to the top of the floating rules for HE Tunnel to work. I have tried the typical 66.220.2.74 and the gif remote address as well. Also where is the whitelist option?
-
What would be the point of that?
Everything is passed through to the servers no matter what country it origins from.
:D
pfB pass/reject -> all others comes second.
-
I have set it to the second option as well..
pfSense Pass | PfB Pass | PfB Block/Reject
Now exactly which IP do I need to add to the top of the floating rules for HE Tunnel to work. I have tried the typical 66.220.2.74 and the gif remote address as well. Also where is the whitelist option?
The gif address (remote) should make it work. Are you sure the floating rule you created is a quick pass rule?
-
This is exactly what I have done… let me know what I may have missed..
PfBlocker enabled
All countries - Deny InboundIPv4 tab - Alias named Whitelist. Added IPv4 Custom Address - 66.220.2.74 and the gif remote address - List action is set to Permit both (open communications between pfSense and the 2 HE IP addresses)
Checked the Rules and its on the top by default through PfBlocker configuration.
Reloaded and even rebooted pfSense. Yet the tunnel is blocked. The moment I deselect the entire NA country list the tunnel is back on.
-
This is exactly what I have done… let me know what I may have missed..
PfBlocker enabled
All countries - Deny InboundIPv4 tab - Alias named Whitelist. Added IPv4 Custom Address - 66.220.2.74 and the gif remote address - List action is set to Permit both (open communications between pfSense and the 2 HE IP addresses)
Checked the Rules and its on the top by default through PfBlocker configuration.
Reloaded and even rebooted pfSense. Yet the tunnel is blocked. The moment I deselect the entire NA country list the tunnel is back on.
Looks like its configured ok. Dunno why it's not working. I'll let someone else with access to a pf box to help along.
-
Made progress…
If I de-select the US IPv6 list in the NA country list then the tunnel seems to be fine. Also I am back to the default PfB block/Reject rule load. So looks like the culprit is an IPv6 address on the US list..but now the question is which one is it that's blocking the HE tunnel?
-
If your using pfBlockerNG to create floating rules and not using it to create your pass list for whitelisted IPs, then pfSense Pass | PfB Pass | PfB Block/Reject would be the way to go. This way your whitelisted alias is before the pfBlockerNG rules.
-
This is working for me with floating rules enabled.
Default Order: | pfB_Block/Reject | All other Rules | (original format)
but now the US IPv6 list is de-selected.
-
So I tried to create a IPv6 Whitelist to see if it helps by adding my gif tunnel remote address 2001:470:xxxx:xxx::1 but it gives me this error while reloading
[ WhitelistIPv6_custom_v6 ] Custom List Error ]
I tried adding /64 in the end to that IP as well. Doesn't work.
-
Create an alias outside of pfSenseNG for the IPv6 subnet you want to whitelist. Then add a manual permit rule to your floating rules (with quick checked). You will probably have to change the rule order to what I suggested before.
The IPv6 regex still needs some adjustments in pfBlockerNG. When we tested this a few months ago, I was able to get it work with some test IPv6 addresses I was using for testing. At the time, I couldn't locate any good list to thoroughly test like I did with IPv4
-
PfBlocker enabled
All countries - Deny InboundHmmm… There's default deny rule already. The above is an exercise in wasting memory and creating useless rules, or what exactly have I missed here?
So I tried to create a IPv6 Whitelist to see if it helps by adding my gif tunnel remote address 2001:470:xxxx:xxx::1 but it gives me this error while reloading
I tried adding /64 in the end to that IP as well. Doesn't work.Yeah, of course the /64 does not work. Should be 2001:470:xxxx:xxx::/1 without the bogus trailing 1. Other than that, seeing people shooting themselves in the foot by completely nonsensical blocking makes me wonder. WTF.
-
PfBlocker enabled
All countries - Deny InboundHmmm… There's default deny rule already. The above is an exercise in wasting memory and creating useless rules, or what exactly have I missed here?
So I tried to create a IPv6 Whitelist to see if it helps by adding my gif tunnel remote address 2001:470:xxxx:xxx::1 but it gives me this error while reloading
I tried adding /64 in the end to that IP as well. Doesn't work.Yeah, of course the /64 does not work. Should be 2001:470:xxxx:xxx::/1 without the bogus trailing 1. Other than that, seeing people shooting themselves in the foot by completely nonsensical blocking makes me wonder. WTF.
Educate me where you see the default deny inbound global (all countries) rule on a base pfSense install. PfBlocker has the settings unchecked and disabled at first install and is at users discretion to enable them how one wants for tighter control.
-
Create an alias outside of pfSenseNG for the IPv6 subnet you want to whitelist. Then add a manual permit rule to your floating rules (with quick checked). You will probably have to change the rule order to what I suggested before.
The IPv6 regex still needs some adjustments in pfBlockerNG. When we tested this a few months ago, I was able to get it work with some test IPv6 addresses I was using for testing. At the time, I couldn't locate any good list to thoroughly test like I did with IPv4
I will try it and if it doesn't work will hold off till there is a good update to the IPv6 address list.
-
Educate me where you see the default deny inbound global (all countries) rule on a base pfSense install.
Nowhere. It's not visible, it's implicit. Anything not allowed is denied by default. Unless you have some "allow from any" rule you wish to restrict via country blocking on your WAN, there's just no point in creating inbound country-based rules at all.
-
2001:470:xxxx:xxx::/1 or even just 2001:470:xxxx:xxx:: has not change. It still gives the same error…
[ WhitelistIPv6_custom_v6 ] Custom List Error ]
IPv6 area of PfBlocker definitely needs some work.
-
I have no idea what you are trying to to. First of all, if you wish to block the entire world except for one particular subnet, then nuke your "allow any" rule, allow only the respective subnet and forget about creating an incredibly huge "All countries" alias for blocking something that'd get implicitly blocked anyway if you designed your rules in a sane way.
-
Just installed the latest updates on 2 nategate pfsense firewalls and installed the latest pfblockerng on both. I selected all of the top 20 spammer countries IPV4 list set it to deny both and enabled. When I enable pfblockerng and hit save it is not creating any fire wall rules. I see where it created the alias URL but no rules under floating, Wan or Lan. I tried selecting the floatiing rules but that didn't do anything either. I tired running the force update, Force Cron and Force Reload and still no rules.
On my dashboard I enabled the pfblockerng widget and it shows pfblockerng is active but has a red down arrow that says No rules are defined for this alias.
The error log does not show any errors.
When I do a reload this shows in the logs
"No Changes to Firewall Rules, Skipping Filter Reload"Any suggestions on what I need to do to get the rules created?
-
Any suggestions on what I need to do to get the rules created?
Changes are Applied via CRON or 'Force Update'. In red, and in bold letters at the bottom.