PfBlockerNG
-
Made progress…
If I de-select the US IPv6 list in the NA country list then the tunnel seems to be fine. Also I am back to the default PfB block/Reject rule load. So looks like the culprit is an IPv6 address on the US list..but now the question is which one is it that's blocking the HE tunnel?
-
If your using pfBlockerNG to create floating rules and not using it to create your pass list for whitelisted IPs, then pfSense Pass | PfB Pass | PfB Block/Reject would be the way to go. This way your whitelisted alias is before the pfBlockerNG rules.
-
This is working for me with floating rules enabled.
Default Order: | pfB_Block/Reject | All other Rules | (original format)
but now the US IPv6 list is de-selected.
-
So I tried to create a IPv6 Whitelist to see if it helps by adding my gif tunnel remote address 2001:470:xxxx:xxx::1 but it gives me this error while reloading
[ WhitelistIPv6_custom_v6 ] Custom List Error ]
I tried adding /64 in the end to that IP as well. Doesn't work.
-
Create an alias outside of pfSenseNG for the IPv6 subnet you want to whitelist. Then add a manual permit rule to your floating rules (with quick checked). You will probably have to change the rule order to what I suggested before.
The IPv6 regex still needs some adjustments in pfBlockerNG. When we tested this a few months ago, I was able to get it work with some test IPv6 addresses I was using for testing. At the time, I couldn't locate any good list to thoroughly test like I did with IPv4
-
PfBlocker enabled
All countries - Deny InboundHmmm… There's default deny rule already. The above is an exercise in wasting memory and creating useless rules, or what exactly have I missed here?
So I tried to create a IPv6 Whitelist to see if it helps by adding my gif tunnel remote address 2001:470:xxxx:xxx::1 but it gives me this error while reloading
I tried adding /64 in the end to that IP as well. Doesn't work.Yeah, of course the /64 does not work. Should be 2001:470:xxxx:xxx::/1 without the bogus trailing 1. Other than that, seeing people shooting themselves in the foot by completely nonsensical blocking makes me wonder. WTF.
-
PfBlocker enabled
All countries - Deny InboundHmmm… There's default deny rule already. The above is an exercise in wasting memory and creating useless rules, or what exactly have I missed here?
So I tried to create a IPv6 Whitelist to see if it helps by adding my gif tunnel remote address 2001:470:xxxx:xxx::1 but it gives me this error while reloading
I tried adding /64 in the end to that IP as well. Doesn't work.Yeah, of course the /64 does not work. Should be 2001:470:xxxx:xxx::/1 without the bogus trailing 1. Other than that, seeing people shooting themselves in the foot by completely nonsensical blocking makes me wonder. WTF.
Educate me where you see the default deny inbound global (all countries) rule on a base pfSense install. PfBlocker has the settings unchecked and disabled at first install and is at users discretion to enable them how one wants for tighter control.
-
Create an alias outside of pfSenseNG for the IPv6 subnet you want to whitelist. Then add a manual permit rule to your floating rules (with quick checked). You will probably have to change the rule order to what I suggested before.
The IPv6 regex still needs some adjustments in pfBlockerNG. When we tested this a few months ago, I was able to get it work with some test IPv6 addresses I was using for testing. At the time, I couldn't locate any good list to thoroughly test like I did with IPv4
I will try it and if it doesn't work will hold off till there is a good update to the IPv6 address list.
-
Educate me where you see the default deny inbound global (all countries) rule on a base pfSense install.
Nowhere. It's not visible, it's implicit. Anything not allowed is denied by default. Unless you have some "allow from any" rule you wish to restrict via country blocking on your WAN, there's just no point in creating inbound country-based rules at all.
-
2001:470:xxxx:xxx::/1 or even just 2001:470:xxxx:xxx:: has not change. It still gives the same error…
[ WhitelistIPv6_custom_v6 ] Custom List Error ]
IPv6 area of PfBlocker definitely needs some work.
-
I have no idea what you are trying to to. First of all, if you wish to block the entire world except for one particular subnet, then nuke your "allow any" rule, allow only the respective subnet and forget about creating an incredibly huge "All countries" alias for blocking something that'd get implicitly blocked anyway if you designed your rules in a sane way.
-
Just installed the latest updates on 2 nategate pfsense firewalls and installed the latest pfblockerng on both. I selected all of the top 20 spammer countries IPV4 list set it to deny both and enabled. When I enable pfblockerng and hit save it is not creating any fire wall rules. I see where it created the alias URL but no rules under floating, Wan or Lan. I tried selecting the floatiing rules but that didn't do anything either. I tired running the force update, Force Cron and Force Reload and still no rules.
On my dashboard I enabled the pfblockerng widget and it shows pfblockerng is active but has a red down arrow that says No rules are defined for this alias.
The error log does not show any errors.
When I do a reload this shows in the logs
"No Changes to Firewall Rules, Skipping Filter Reload"Any suggestions on what I need to do to get the rules created?
-
Any suggestions on what I need to do to get the rules created?
Changes are Applied via CRON or 'Force Update'. In red, and in bold letters at the bottom.
-
I don't have a terribly compelling use for pfblockerng right now, but I was playing around with it just to see if I could get it to block ads with reasonable effectiveness. I added some lists from iblocklist (the ads list there, plus the YoYo list) and configured them to reject on outbound LAN. When I had logging on, I saw lots of hits (so many I turned off logging), but no noticeable decrease in ads. Is this to be expected?
I'm guessing that DNSBL+Adblock-easylist functionality in pfblockerng-v2 will improve things, I'm just curious how this lines up with other users' experiences.
-
Install adblock in firefox and "borrow" the list from there…it works.
-
-
Corrected :D
Install adblock in firefox and steal the list from there…it works.
borrow :)
-
Sorry for my ignorance, but that works? Maybe I'm missing something. Are you saying that I can use the easyList with pfblockerNG already?
I thought we needed to use IP lists. The easyList rules appear to be URL filters- and not even full URLs.
Is there some other list I'm not aware of?
-
Any suggestions on what I need to do to get the rules created?
Changes are Applied via CRON or 'Force Update'. In red, and in bold letters at the bottom.
I have already tried the force update. When I run it I get this
UPDATE PROCESS START [ 02/05/15 13:15:17 ]
[ pfB_Top_v4 ] exists, Reloading File [ 02/05/15 13:15:18 ]
===[ Aliastables / Rules ]================================
No Changes to Firewall Rules, Skipping Filter Reload
Updating: pfB_Top_v4
no changes.UPDATE PROCESS ENDED [ 02/05/15 13:15:22 ]
After running this I have no blocking rules
Any suggestions
-
Here is the logfile you asked for.
Hi Jonna, The log file shows that its failing to download the Maxmind files. Can you run the following command from the shell and try to see what is stopping it from completing?
Suggestions:
Try to goto the MaxMind Website and see if you can get there first? If you are having issues getting to that site, you need to fix that first.
The following command can be executed from the Shell to manually download the MaxMind Database and Update the pfBNG XML files.
php /usr/local/www/pfblockerng/pfblockerng.php dc