PfBlockerNG
-
Suggestion if not already done. Put the block to block both for each list.
And I get a lot of blocks from it. Go surf around some bad sites and watch the numbers grow.
Hi Topper. You don't need to make an Alias with a Single list. You can stack lists in a Alias that are similar in function.
-
try
.[ https://blocklist.sigmaprojects.org/api.cfc?method=getList&lists=spyware ]
.Just added this list, it's only showing a Count of 1 tho.
Count of 1, probably means that the List is empty or is all duplicates. Look at the pfblockerng.log and it will show more details about each download. I put a placeholder address of "1.1.1.1" in all empty lists.
Also see my previous post about sigmaproject lists…
-
@irj972:
I made mistake when first setting that up. That is a paid subscription so it does nothing for me. I do not pay for it.
Click the thanks at top right of my message if I helped you
I've been trying to find out how much a subscription cost for the IQRisk Lists but their website doesn't offer a price. How many people have this subscription?
The iBlock list subscription is only 9.99 a year and that is what I'm using.
If you have to ask…. ;) ...when I enquired last year it around $500 per year I recall. There isn't a 'consumer' level subscription like Snorts either as it was abused.
The IDS list from Emerging Threats (for Snort/Suricata) is $425.00/yr.
The ET IQRisk IP Rep subscription is $1400/yr.. Expensive, but if you are protecting a lot of devices, I would recommend as they post IPs that are not in any other 'free' lists. ET IQRisk is one of the best Lists available… They also have a Domain Blocklist which will be great for pfBNG v2.0 DNSBL.
I think if ET dropped these prices, that they will see subscriptions increase...
-
When you say 'block both' - do you mean block inbound and outbound?
Yes, inbound and outbound. Helps keep your browser from going to those IP's to begin with there for never waking the monsters in the cave.
Just to be clear, Selecting "Inbound" will not offer any protection and unless you have Open ports. These "Inbound" events are already being blocked by Default by pfSense. The only benefit is if you want to monitor what is being blocked and use this in a Analysis and Correlation software to find malicious behavior that could be attacking your Network.
It will also fill your log with noise that might be better spent on the events that are important.. Like why is a device on your Network hitting a China or Russian Web Server when you don't visit any of those sites…
Please protect your "Outbound" traffic first, as by Default pfSense is already blocking the "Inbound". Then if you have "Open ports", you can add additional rules to protect those "Open ports".
-
Just to be clear, Selecting "Inbound" will not offer any protection and unless you have Open ports. These "Inbound" events are already being blocked by Default by pfSense.
Can you put some huge bold red notice somewhere in the GUI? (Really hard to believe how many people keep missing basics…)
-
Just to be clear, Selecting "Inbound" will not offer any protection and unless you have Open ports. These "Inbound" events are already being blocked by Default by pfSense.
Can you put some huge bold red notice somewhere in the GUI? (Really hard to believe how many people keep missing basics…)
But it may not be seen in IE
-
@wavetune:
What's the best advice on this for achieving that? If I edit the rule PFBlockerNG just destroys it on the Update.
Did you tried alias only and then create a manual rule?
Thanks for the reply. I did try this but the problem we have is that PFBlocker then puts it's rules first. If I change the order in PFBlocker we then end up with all of our permit rules first.
Here is the problem in a bit more detail with some examples, these are not the real rules but make it easier to see what is happening.
PFBlocker Block all Romania
Allow port 80 to host x.x.x.x
Allow port 443 to host x.x.x.xSo this would block Romania but allow the rest of the world into port 80 & 443
Now we find that we have some IP's in Romania that need to be allowed in so we do this;
PFBlocker Allow this RomaniaAllowedAliasList (PFBlocker allows all ports from those IP's)
PFBlocker Block all Romania
Allow port 80 to host x.x.x.x from anywhere
Allow port 443 to host x.x.x.x from anywhereLooking at creating just an Alias list only with PFBlocker and a manual rule would give us this
PFBlocker Block all Romania
Allow port 80 to host x.x.x.x from RomaniaAllowedAliasList
Allow port 80 to host x.x.x.x from anywhere
Allow port 443 to host x.x.x.x from anywhereOR
Allow port 80 to host x.x.x.x from RomaniaAllowedAliasList
Allow port 80 to host x.x.x.x from anywhere
Allow port 443 to host x.x.x.x from anywhere
PFBlocker Block all RomaniaCannot get the config to do this though;
Allow port 80 to host x.x.x.x from RomaniaAllowedAliasList
PFBlocker Block all Romania
Allow port 80 to host x.x.x.x from anywhere
Allow port 443 to host x.x.x.x from anywhereUnless I'm missing something?
Thanks for you help
-
@wavetune:
@wavetune:
What's the best advice on this for achieving that? If I edit the rule PFBlockerNG just destroys it on the Update.
Did you tried alias only and then create a manual rule?
Here is the problem in a bit more detail with some examples, these are not the real rules but make it easier to see what is happening.
Hi wavetune,
I think you should be able to do that with rule option "4" but you won't be able to set the Ports on the First rule with "Autorules".
| pfB_Pass/Match | pfB_Block/Reject | pfSense Pass/Match |
Allow port 80 to host x.x.x.x from RomaniaAllowedAliasList
PFBlocker Block all Romania
Allow port 80 to host x.x.x.x from anywhere
Allow port 443 to host x.x.x.x from anywhereI think your only option is to create the 2nd rule "PFBlocker Block all Romania" as an "Alias Deny" rule. This way all the rules are aliases, and you can configure/customize them as you choose.
-
I have posted Pull Request #818 to fix the following issues:
1. Improved IPv6 Regex
2. Suppress '0.0.0.0/32' from being added to any Alias/Lists.
3. General Tab - Moved the "Keep" Checkbox to be just below the
"Enable pfBNG" checkbox.This will bump pfBNG to version 1.04
-
Disabled a couple I-Block lists after reading what you wrote BB. I was getting too many outbound blocks with a couple of them that I didn't want. Any I-Block lists worth using?
It is a shame that ET's prices are so high.
I also started using some of the lists that you referenced on page 16 on this forum. Thanks for the fast responses btw! Your help is appreciated.
-
Has anyone done a "How to setup example" like there are with the old PFB
-
-
Is it possible to use easy list
Not currently. That is a Domain Blocklist. pfBlockerNG is an IP Based Blocking solution. pfBNG v2.0 will have this functionality.
Sounds interesting with a domain blocklist. Could the functionality also be reversed, så it would be possible to create a domain whitelist in pfBNG 2.0?
Br,
Thomas -
Code red theme footer error. (Only in alerts tab)
Thanks turker… I will take a look at that when I get a chance...
-
Sounds interesting with a domain blocklist. Could the functionality also be reversed, så it would be possible to create a domain whitelist in pfBNG 2.0?
You could whitelist Domains that you didn't want to block (Suppression).. But a reverse, not sure how that would work with Unbound.
-
Has anyone done a "How to setup example" like there are with the old PFB
I will try to write one up… What kind of things would you guys want to see in a Tutorial? The basics? or just for the new features?
-
I think the how-to should be left up to the community. One of, or several of us could collaborate on that part. DNSBL needs attention, ie. pfBlockedrNG 2.0, I miss the daily updates. ::)
-
I'm noticing extremely high CPU usage on my pfSense box when I'm just sitting on my pfBlockerNG alerts page. Its attributed to one or more processes named "php-fpm: pool lighty (php-fpm)"
It seems like the longer I'm on the that page, the more of those processes I see, and the higher the CPU usage gets.
For what its worth, I'm seeing a significant number of alerts from attempts to access lots of different IPs at: 61.145.124.x and 183.61.112.x on port 80. These are originating from a Nexus 9 tablet. I can't figure out how they belong to, other than some Chinese telecon and some appear to be alibaba. Any ideas? I'm trying to decide if I should be concerned…
-
Hi reggie.
I haven't noticed any significant Load from the Alerts Tab myself? Do you leave it running with Auto-Refresh and Auto-Resolve running? Which Browser are you using?
Are those Alerts coming from a Country Block? You can click any of the "!" to pull more detail about those IPs. There are several different sites listed in that Lookup page.
-
BBcan177 -
I'm using Chrome, without auto-refresh or auto-resolve running. As far as I can tell, the high CPU usage continues indefinitely after the initial load for the Alerts page, and there's no sign that Chrome is attempting to update that page.
The problem is significantly exacerbated if I increase the number of alerts that are configured to appear. Try bumping up the number to the last 300 deny alerts and see what happens. My pfsense box came to a crawl until I closed the browser window that had the alerts page open.
As for the IP addresses, I tried looking at the resources pfblocker identifies, but couldn't find anything particularly useful there. I did, however, just track down the source of the traffic on my end- it's where the Go Weather app on Android goes to pull down weather data.
Update 1: BTW, separate note, does the "Enable Suppression" option work yet? I want to allow the traffic I'm seeing. I think I could just add it to the firewall suppression list via an easy rule, but pfblockerng seems to be able to manage its own suppression list. The main config page says I should see "+" icons in the alerts tab, but I still don't see them after enabling that option.
Update 2: Re-reading the config page, it sounds like I can't suppress country blocks. Hmmm… I guess I should just manually create firewall rules to pass this traffic before pfblockerng blocks it. Or is pfblockerng just going to put itself ahead of that rule?