• Categories
  • Recent
  • Tags
  • Popular
  • Users
  • Search
  • Register
  • Login
Netgate Discussion Forum
  • Categories
  • Recent
  • Tags
  • Popular
  • Users
  • Search
  • Register
  • Login

PfBlockerNG

pfBlockerNG
210
1.2k
1.8m
Loading More Posts
  • Oldest to Newest
  • Newest to Oldest
  • Most Votes
Reply
  • Reply as topic
Log in to reply
This topic has been deleted. Only users with topic management privileges can see it.
  • T
    Topper727
    last edited by Feb 10, 2015, 7:53 PM Feb 10, 2015, 7:09 PM

    When you say 'block both' - do you mean block inbound and outbound?

    Yes, inbound and outbound.  Helps keep your browser from going to those IP's to begin with there for never waking the monsters in the cave.

    Dell 2950 g3 server
    Intel(R) Xeon(R) CPU E5430 @ 2.66GHz
    Current: 2000 MHz, Max: 2667 MHz
    8 CPUs: 2 package(s) x 4 core(s)
    8152 MiB and 600meg 10k drive
    Pfsense 2.4 .. Hoping to get the phpvirtualbox going again.

    1 Reply Last reply Reply Quote 0
    • B
      BBcan177 Moderator
      last edited by Feb 10, 2015, 9:13 PM

      @doktornotor:

      Whoever puts 0.0.0.0 in a blocklist should not maintain one in the first place… WTF!  :o >:(

      Yes exactly.. It should never be used. Some list also post 127.0.0.1… You have to remember that IBlock is used predominantly for their PeerBlock Software. This is why these lists are in range format. To use IBlock lists in pfSense, the ranges need to be converted to CIDR.

      For IBlock the only Format setting that will convert those lists is "GZ" not "GZ_2"

      I also see people using Lists from Sources (Like SigmaProjects and IBlock) that are a Copy of another List Provider. I recommend that people use the Original Provider so that they get accurate and the most up to date data.

      So for example - Spamhaus is the Original provider :
          http://www.spamhaus.org/drop/drop.txt

      Lists that are using a copy of the Spamhaus Data :
          https://blocklist.sigmaprojects.org/api.cfc?method=getList&lists=drop
          http://list.iblocklist.com/?list=zbdlwrqkabxbcppvrnos&fileformat=p2p&archiveformat=gz

      Same can be said for IBlock - DShield, Zeus, Palevo, CI Army, Bogon, Cruzit, Malcode.

      sigmaprojects also have Country Lists which are probably not as accurate as MaxMind and should also not be required.

      The IBlock Anti-Infringement list should also be used with care. This is not a typical blocklist. It should be used with the "Alias Native" Format. And only used to block certain ports (P2P - and not that I am recommending it either  :) )  "Alias Native" will avoid these lists from being De-Duplicated and also avoid these lists from being processed by the "Reputation Settings" if used.

      Block Lists need to be evaluated before arbitrarily enabling them.

      The pfBNG Log Browser has tabs where you can see the original list and the Final list that is being used by pfBNG.

      "Experience is something you don't get until just after you need it."

      Website: http://pfBlockerNG.com
      Twitter: @BBcan177  #pfBlockerNG
      Reddit: https://www.reddit.com/r/pfBlockerNG/new/

      1 Reply Last reply Reply Quote 0
      • B
        BBcan177 Moderator
        last edited by Feb 10, 2015, 9:15 PM

        @Topper727:

        Suggestion if not already done.  Put the block to block both for each list.

        And I get a lot of blocks from it. Go surf around some bad sites and watch the numbers grow.

        Hi Topper. You don't need to make an Alias with a Single list. You can stack lists in a Alias that are similar in function.

        "Experience is something you don't get until just after you need it."

        Website: http://pfBlockerNG.com
        Twitter: @BBcan177  #pfBlockerNG
        Reddit: https://www.reddit.com/r/pfBlockerNG/new/

        1 Reply Last reply Reply Quote 0
        • B
          BBcan177 Moderator
          last edited by Feb 10, 2015, 9:18 PM

          @SixXxShooTeR:

          @Topper727:

          try
          .

          [ https://blocklist.sigmaprojects.org/api.cfc?method=getList&lists=spyware ]
          .

          Just added this list, it's only showing a Count of 1 tho.

          Count of 1, probably means that the List is empty or is all duplicates. Look at the pfblockerng.log and it will show more details about each download. I put a placeholder address of "1.1.1.1" in all empty lists.

          Also see my previous post about sigmaproject lists…

          "Experience is something you don't get until just after you need it."

          Website: http://pfBlockerNG.com
          Twitter: @BBcan177  #pfBlockerNG
          Reddit: https://www.reddit.com/r/pfBlockerNG/new/

          1 Reply Last reply Reply Quote 0
          • B
            BBcan177 Moderator
            last edited by Feb 10, 2015, 9:24 PM

            @irj972:

            @SixXxShooTeR:

            @Topper727:

            I made mistake when first setting that up. That is a paid subscription so it does nothing for me.  I do not pay for it.

            Click the thanks at top right of my message if I helped you

            I've been trying to find out how much a subscription cost for the IQRisk Lists but their website doesn't offer a price. How many people have this subscription?

            The iBlock list subscription is only 9.99 a year and that is what I'm using.

            If you have to ask…. ;) ...when I enquired last year it around $500 per year I recall. There isn't a 'consumer' level subscription like Snorts either as it was abused.

            The IDS list from Emerging Threats (for Snort/Suricata) is $425.00/yr.

            The ET IQRisk IP Rep subscription is $1400/yr.. Expensive, but if you are protecting a lot of devices, I would recommend as they post IPs that are not in any other 'free' lists. ET IQRisk is one of the best Lists available… They also have a Domain Blocklist which will be great for pfBNG v2.0 DNSBL.

            I think if ET dropped these prices, that they will see subscriptions increase...

            "Experience is something you don't get until just after you need it."

            Website: http://pfBlockerNG.com
            Twitter: @BBcan177  #pfBlockerNG
            Reddit: https://www.reddit.com/r/pfBlockerNG/new/

            1 Reply Last reply Reply Quote 0
            • B
              BBcan177 Moderator
              last edited by Feb 10, 2015, 9:34 PM Feb 10, 2015, 9:28 PM

              @Topper727:

              When you say 'block both' - do you mean block inbound and outbound?

              Yes, inbound and outbound.  Helps keep your browser from going to those IP's to begin with there for never waking the monsters in the cave.

              Just to be clear, Selecting "Inbound" will not offer any protection and unless you have Open ports. These "Inbound" events are already being blocked by Default by pfSense. The only benefit is if you want to monitor what is being blocked and use this in a Analysis and Correlation software to find malicious behavior that could be attacking your Network.

              It will also fill your log with noise that might be better spent on the events that are important.. Like why is a device on your Network hitting a China or Russian Web Server when you don't visit any of those sites…

              Please protect your "Outbound" traffic first, as by Default pfSense is already blocking the "Inbound". Then if you have "Open ports", you can add additional rules to protect those "Open ports".

              "Experience is something you don't get until just after you need it."

              Website: http://pfBlockerNG.com
              Twitter: @BBcan177  #pfBlockerNG
              Reddit: https://www.reddit.com/r/pfBlockerNG/new/

              1 Reply Last reply Reply Quote 0
              • D
                doktornotor Banned
                last edited by Feb 10, 2015, 9:36 PM

                @BBcan177:

                Just to be clear, Selecting "Inbound" will not offer any protection and unless you have Open ports. These "Inbound" events are already being blocked by Default by pfSense.

                Can you put some huge bold red notice somewhere in the GUI? (Really hard to believe how many people keep missing basics…)

                1 Reply Last reply Reply Quote 0
                • C
                  Cino
                  last edited by Feb 10, 2015, 11:27 PM

                  @doktornotor:

                  @BBcan177:

                  Just to be clear, Selecting "Inbound" will not offer any protection and unless you have Open ports. These "Inbound" events are already being blocked by Default by pfSense.

                  Can you put some huge bold red notice somewhere in the GUI? (Really hard to believe how many people keep missing basics…)

                  But it may not be seen in IE

                  1 Reply Last reply Reply Quote 0
                  • C
                    ch1ll1man
                    last edited by Feb 11, 2015, 12:09 AM

                    @marcelloc:

                    @wavetune:

                    What's the best advice on this for achieving that?  If I edit the rule PFBlockerNG just destroys it on the Update.

                    Did you tried alias only and then create a manual rule?

                    Thanks for the reply.  I did try this but the  problem we have is that PFBlocker then puts it's rules first.  If I change the order in PFBlocker we then end up with all of our permit rules first.

                    Here is the problem in a bit more detail with some examples, these are not the real rules but make it easier to see what is happening.

                    PFBlocker Block all Romania
                    Allow port 80 to host x.x.x.x
                    Allow port 443 to host x.x.x.x

                    So this would block Romania but allow the rest of the world into port 80 & 443

                    Now we find that we have some IP's in Romania that need to be allowed in so we do this;

                    PFBlocker Allow this RomaniaAllowedAliasList (PFBlocker allows all ports from those IP's)
                    PFBlocker Block all Romania
                    Allow port 80 to host x.x.x.x from anywhere
                    Allow port 443 to host x.x.x.x from anywhere

                    Looking at creating just an Alias list only with PFBlocker and a manual rule would give us this

                    PFBlocker Block all Romania
                    Allow port 80 to host x.x.x.x from RomaniaAllowedAliasList
                    Allow port 80 to host x.x.x.x from anywhere
                    Allow port 443 to host x.x.x.x from anywhere

                    OR

                    Allow port 80 to host x.x.x.x from RomaniaAllowedAliasList
                    Allow port 80 to host x.x.x.x from anywhere
                    Allow port 443 to host x.x.x.x from anywhere
                    PFBlocker Block all Romania

                    Cannot get the config to do this though;

                    Allow port 80 to host x.x.x.x from RomaniaAllowedAliasList
                    PFBlocker Block all Romania
                    Allow port 80 to host x.x.x.x from anywhere
                    Allow port 443 to host x.x.x.x from anywhere

                    Unless I'm missing something?

                    Thanks for you help

                    1 Reply Last reply Reply Quote 0
                    • B
                      BBcan177 Moderator
                      last edited by Feb 11, 2015, 3:30 AM Feb 11, 2015, 3:20 AM

                      @wavetune:

                      @marcelloc:

                      @wavetune:

                      What's the best advice on this for achieving that?  If I edit the rule PFBlockerNG just destroys it on the Update.

                      Did you tried alias only and then create a manual rule?

                      Here is the problem in a bit more detail with some examples, these are not the real rules but make it easier to see what is happening.

                      Hi wavetune,

                      I think you should be able to do that with rule option "4" but you won't be able to set the Ports on the First rule with "Autorules".

                      | pfB_Pass/Match | pfB_Block/Reject | pfSense Pass/Match |

                      Allow port 80 to host x.x.x.x from RomaniaAllowedAliasList
                        PFBlocker Block all Romania
                        Allow port 80 to host x.x.x.x from anywhere
                        Allow port 443 to host x.x.x.x from anywhere

                      I think your only option is to create the 2nd rule "PFBlocker Block all Romania" as an "Alias Deny" rule. This way all the rules are aliases, and you can configure/customize them as you choose.

                      "Experience is something you don't get until just after you need it."

                      Website: http://pfBlockerNG.com
                      Twitter: @BBcan177  #pfBlockerNG
                      Reddit: https://www.reddit.com/r/pfBlockerNG/new/

                      1 Reply Last reply Reply Quote 0
                      • B
                        BBcan177 Moderator
                        last edited by Feb 11, 2015, 3:27 AM

                        I have posted Pull Request #818 to fix the following issues:

                        1.  Improved IPv6 Regex
                          2.  Suppress '0.0.0.0/32' from being added to any Alias/Lists.
                          3.  General Tab - Moved the "Keep" Checkbox to be just below the
                                "Enable pfBNG" checkbox.

                        This will bump pfBNG to version 1.04

                        "Experience is something you don't get until just after you need it."

                        Website: http://pfBlockerNG.com
                        Twitter: @BBcan177  #pfBlockerNG
                        Reddit: https://www.reddit.com/r/pfBlockerNG/new/

                        1 Reply Last reply Reply Quote 0
                        • S
                          SixXxShooTeR
                          last edited by Feb 11, 2015, 9:18 AM Feb 11, 2015, 9:02 AM

                          Disabled a couple I-Block lists after reading what you wrote BB. I was getting too many outbound blocks with a couple of them that I didn't want. Any I-Block lists worth using?

                          It is a shame that ET's prices are so high.

                          I also started using some of the lists that you referenced on page 16 on this forum. Thanks for the fast responses btw! Your help is appreciated.

                          1 Reply Last reply Reply Quote 0
                          • T
                            Tropheus
                            last edited by Feb 11, 2015, 12:31 PM

                            Has anyone done a "How to setup example"  like there are with the old PFB

                            1 Reply Last reply Reply Quote 0
                            • T
                              turker
                              last edited by Feb 11, 2015, 2:42 PM

                              Code red theme footer error. (Only in alerts tab)

                              1 Reply Last reply Reply Quote 0
                              • H
                                hedberg
                                last edited by Feb 11, 2015, 6:23 PM

                                @BBcan177:

                                @mzarrugh:

                                Is it possible to use easy list

                                Not currently. That is a Domain Blocklist. pfBlockerNG is an IP Based Blocking solution. pfBNG v2.0 will have this functionality.

                                Sounds interesting with a domain blocklist. Could the functionality also be reversed, så it would be possible to create a domain whitelist in pfBNG 2.0?

                                Br,
                                Thomas

                                1 Reply Last reply Reply Quote 0
                                • B
                                  BBcan177 Moderator
                                  last edited by Feb 11, 2015, 11:25 PM

                                  @turker:

                                  Code red theme footer error. (Only in alerts tab)

                                  Thanks turker… I will take a look at that when I get a chance...

                                  "Experience is something you don't get until just after you need it."

                                  Website: http://pfBlockerNG.com
                                  Twitter: @BBcan177  #pfBlockerNG
                                  Reddit: https://www.reddit.com/r/pfBlockerNG/new/

                                  1 Reply Last reply Reply Quote 0
                                  • B
                                    BBcan177 Moderator
                                    last edited by Feb 11, 2015, 11:27 PM

                                    @hedberg:

                                    Sounds interesting with a domain blocklist. Could the functionality also be reversed, så it would be possible to create a domain whitelist in pfBNG 2.0?

                                    You could whitelist Domains that you didn't want to block (Suppression).. But a reverse, not sure how that would work with Unbound.

                                    "Experience is something you don't get until just after you need it."

                                    Website: http://pfBlockerNG.com
                                    Twitter: @BBcan177  #pfBlockerNG
                                    Reddit: https://www.reddit.com/r/pfBlockerNG/new/

                                    1 Reply Last reply Reply Quote 0
                                    • B
                                      BBcan177 Moderator
                                      last edited by Feb 11, 2015, 11:31 PM

                                      @Tropheus:

                                      Has anyone done a "How to setup example"  like there are with the old PFB

                                      I will try to write one up… What kind of things would you guys want to see in a Tutorial? The basics? or just for the new features?

                                      "Experience is something you don't get until just after you need it."

                                      Website: http://pfBlockerNG.com
                                      Twitter: @BBcan177  #pfBlockerNG
                                      Reddit: https://www.reddit.com/r/pfBlockerNG/new/

                                      1 Reply Last reply Reply Quote 0
                                      • W
                                        wcrowder
                                        last edited by Feb 12, 2015, 1:26 AM

                                        I think the how-to should be left up to the community. One of, or several of us could collaborate on that part.  DNSBL needs attention, ie. pfBlockedrNG 2.0, I miss the daily updates.  ::)

                                        1 Reply Last reply Reply Quote 0
                                        • R
                                          reggie14
                                          last edited by Feb 12, 2015, 3:07 AM Feb 12, 2015, 2:57 AM

                                          I'm noticing extremely high CPU usage on my pfSense box when I'm just sitting on my pfBlockerNG alerts page.  Its attributed to one or more processes named "php-fpm: pool lighty (php-fpm)"

                                          It seems like the longer I'm on the that page, the more of those processes I see, and the higher the CPU usage gets.

                                          For what its worth, I'm seeing a significant number of alerts from attempts to access lots of different IPs at: 61.145.124.x and 183.61.112.x on port 80.  These are originating from a Nexus 9 tablet.  I can't figure out how they belong to, other than some Chinese telecon and some appear to be alibaba.  Any ideas?  I'm trying to decide if I should be concerned…

                                          1 Reply Last reply Reply Quote 0
                                          343 out of 1196
                                          • First post
                                            343/1196
                                            Last post
                                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.