PfBlockerNG
-
So basically I need to be looking at it this way, im the firewall what ever traffic I receive from the internet/WAN is considered inbound and whatever I send out it going to my internal LAN? Correct?
Yes! :) Wan = Inbound , Lan = Outbound
-
So basically I need to be looking at it this way, im the firewall what ever traffic I receive from the internet/WAN is considered inbound and whatever I send out it going to my internal LAN? Correct?
Yes! :) Wan = Inbound , Lan = Outbound
Thanks, this all is starting to fall into place now. Now that i have my inbound and outbound interfaces set correctly, the adblock lists aren't really as bad as i thought they were.
-
Converting MaxMind Country Databases for pfBlockerNG. This may take a few minutes…
I'm running this on a alix 2d13 on 2.2
Running the same hardware, "Converting …" takes a few minutes.
-
I finally upgraded to pfSense 2.2 and pfBlockerNG. Wow, wlot of stuff has been added!
Is there an instructions for pfBlockerNG that I can read up on? Much of what I see is like trying to read Latin and I don't want to mess anything up
-
I have earlier in this topic posted some setup screens captures for people to see the setup. If need help with something just ask here or message me I will help
-
I have submitted Pull Request #820 to fix the following issues:
1. Issue for Nano and Ramdisk Installations -
The /var and /tmp folders get wiped on Reboot. This will delete the /var/db/aliastables folder which on Reboot causes a 60 second timeout per pfBNG Alias (Which for some can timeout for 20mins). The new functionality will now Archive the Aliastables on any Alias updates.
Using the **<earlyshellcmd></earlyshellcmd>**functionality, it will restore the archived Aliastables on reboot to prevent this issue.
However, all of the other /var/db/pfblockerng files are also deleted. To restore those files, a "Force Update" is required or ultimately will get restored by the next CRON run. This however, will not affect the reboot process.
If you manually patched the download_file() function from 60 secs to 5 secs. You can revert that change as its not required with these new changes.
2. Improved the Alerts Tab to handle a Large firewall log file (as 2.2 has functionality to increase the size of the log file). These changes should result in a 50-75% improvement in loading/CPU usage. The Javascript functions were also improved to avoid it being called when the "Auto Resolve" checkbox was not enabled. This was spinning up 2-3 additional php-fpm processes. A timeout was also added to reduce the hostname lookup to 30seconds. If you refresh the Alerts Page shortly after it loads, it can seem to take a little longer, but this is due to the hostname lookups that are still in progress.
3. Made additional improvements to the IPv6 Regex functionality.
4. This will bump the pfBNG version to 1.05.
-
Good evening and thanks for the wonderfull package.
I'm trying to configure it properly and I have a certain question.
Lets say I use 2 lists
The first list has 200 IPs inside, which I have configured it to "Deny Inbound" (I got lots of open ports)
The second list has 150 IPs inside, and I have configured it to "Deny Both"
On the second list 100 IPs are the same as the first list, so after deduplication I assume that we're left with 50 IPs blocked by the "Deny Both" rule applied on that list.
Are the deduplicated IPs fall under the "Deny Inbound" or "Deny Both" rule since after the deduplication they're not "left" on the second list?
p.s sorry for my bad english, i'm not a native speaker.
-
Okay, here are a few dumb questions with more to follow after I get these answers.
I'd like to subscribe to a few lists. They can be free or paid for, as long as they are kept current and are fairly complete. I am aware of I-Blocklist. Are there any that are better?
Whatever I do, I need to be sure this won't affect my clients and thir ability to conduct normal business. The only country I block at this time is China, they are unmerciful in their attacks.
I'm interested to subscribing to several lists. For instance, a spammer list (hacked IPs, etc) that are known for sending email spam, a hacker list (hacked IPs used for attempting to hack other servers for whatever reasons), and any other lists that may protect my network.
I really appreciate your input. Depending on the answer(s), I'll have more questions.
Thank you for your time.
-
Hi
I had a Pfblocker using OSSIM ip list.
One valid peer vas included in the block list and starting to be blocked, after a few days, it was out of the list but still if I ping from behind any of firewall interfaces, my ping or telnet :25 does not get any answer.At firewall logs I see the source and destination ip with a green mark so it appear to pass, but all replies to 25 TCP port and icmp are timed out.
I updated to pfsense 2.2, installed PFblockerNG and delected old list from directory, I deleted all old pfblocker firewall rules but still I have not response.
If I ssh into the firewall and try to telnet to 25 from firewall it answer without problem, but not answer behind any other int.
What could be hapeninng?Im getting crazy guys
-
Use "Deny Outbound", pfSense will "Deny Inbound" on it's own because it is a Stateful Firewall. See this post from BBCan177: https://forum.pfsense.org/index.php?topic=86212.msg488949#msg488949.
For more information on a "Stateful Firewall" see: http://en.wikipedia.org/wiki/Stateful_firewall.
Good evening and thanks for the wonderfull package.
I'm trying to configure it properly and I have a certain question.
Lets say I use 2 lists
The first list has 200 IPs inside, which I have configured it to "Deny Inbound" (I got lots of open ports)
The second list has 150 IPs inside, and I have configured it to "Deny Both"
On the second list 100 IPs are the same as the first list, so after deduplication I assume that we're left with 50 IPs blocked by the "Deny Both" rule applied on that list.
Are the deduplicated IPs fall under the "Deny Inbound" or "Deny Both" rule since after the deduplication they're not "left" on the second list?
p.s sorry for my bad english, i'm not a native speaker.
-
Are you sure you are allowing port 25 to "pass"? Check your rules. This does not sound like a pfBlockerNG problem. If you see a green [>] in the firewall logs; the IP is passed, but you could be blocking the port going the other way. Unsolicited "icmp" packets will be blocked by pfSense unless you allow them in the rules. Just a thought.
Hi
I had a Pfblocker using OSSIM ip list.
One valid peer vas included in the block list and starting to be blocked, after a few days, it was out of the list but still if I ping from behind any of firewall interfaces, my ping or telnet :25 does not get any answer.At firewall logs I see the source and destination ip with a green mark so it appear to pass, but all replies to 25 TCP port and icmp are timed out.
I updated to pfsense 2.2, installed PFblockerNG and delected old list from directory, I deleted all old pfblocker firewall rules but still I have not response.
If I ssh into the firewall and try to telnet to 25 from firewall it answer without problem, but not answer behind any other int.
What could be hapeninng?Im getting crazy guys
-
Do I understand correctly that to block countries based only on reputation I should choose "Alias Deny" for the country list and tick "Enable Max" in the Reputation tab ? Is that all there is to it ?
-
Do I understand correctly that to block countries based only on reputation I should choose "Alias Deny" for the country list and tick "Enable Max" in the Reputation tab ? Is that all there is to it ?
Hi Azmo, if this is your first time setting up pfBNG, I would leave Reputation off, until you get the basics of it working. However, the settings in the "Reputation" tab have nothing to do with the Continent/Country Settings. You can set Continent/Country blocking using any "List Action" settings.
For "Reputation", the Country Settings use a separate database. I hope that's clear.
-
Thanks BB, I think I get it now. I've been running pfBlocker for a few years and am loving the upgrade to pfBlockerNG. It's just the Reputation stuff that's new to me. Thanks for your excellent work. Now we just need DNSBL …
-
Great.. Thanks azmo.. Make sure when you make "Reputation" changes… that you run a "Force Reload", this will reload each list with the new Reputation Settings.
-
Hi,
Is this package supposed to be available under packages?
I can not see it there ..running 2.1.5 -
pfBlockerNG is available beginning with 2.2 only
@MnM:
Is this package supposed to be available under packages?
I can not see it there ..running 2.1.5 -
Hello,
I have read that post, and while it states that "Deny Inbound" is blocked by default by pfSense, it explicitly states that open ports are not protected by that convention. So till I get how to "if you have "Open ports", you can add additional rules to protect those "Open ports"." I choose to have "Deny Both".
Use "Deny Outbound", pfSense will "Deny Inbound" on it's own because it is a Stateful Firewall. See this post from BBCan177: https://forum.pfsense.org/index.php?topic=86212.msg488949#msg488949.
For more information on a "Stateful Firewall" see: http://en.wikipedia.org/wiki/Stateful_firewall.
Good evening and thanks for the wonderfull package.
I'm trying to configure it properly and I have a certain question.
Lets say I use 2 lists
The first list has 200 IPs inside, which I have configured it to "Deny Inbound" (I got lots of open ports)
The second list has 150 IPs inside, and I have configured it to "Deny Both"
On the second list 100 IPs are the same as the first list, so after deduplication I assume that we're left with 50 IPs blocked by the "Deny Both" rule applied on that list.
Are the deduplicated IPs fall under the "Deny Inbound" or "Deny Both" rule since after the deduplication they're not "left" on the second list?
p.s sorry for my bad english, i'm not a native speaker.
-
Changing "CRON MIN Start Time" is reflected in Cron settings. But I can't change "CRON Base Hour Start Time". It's always *. Manually editing cron hour gets overwritten by pfB. What to do?
-
Are the deduplicated IPs fall under the "Deny Inbound" or "Deny Both" rule since after the deduplication they're not "left" on the second list?
Hi st4t1c,
De-duplication works as follows ( using the tool grepcidr )
-
pfBNG will download any Country/Continent selections (No de-duplication as they are all unique already - However, de-dup will occur if you select a Country and then select it again in the TOP 20 Tab)
-
As each Alias/List is downloaded, it will compare each IPv4 Address to a masterfile. If the address exists or is already being blocked by a CIDR address, it will not be added. This will continue for each list downloaded.
-
When Cron runs, any list that need to be updated will have its IP addresses removed from the master database and a new de-duplication validation is done on all the new IPs in the recently downloaded file.
So an IP that might originally be listed in one List, might be listed in a different list after a Cron event.
I recommend that a "Force Reload" is run when users change Country Blocking, or add/remove Aliases/Lists. This will re-sync the whole Database and lists and make it more efficient.
If you want to have a list specific to a Firewall rule, you will need to use the "Alias Native" List Action, which does not use de-duplication or not enable de-duplication (Which I would not recommend)
-