Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    PfBlockerNG

    Scheduled Pinned Locked Moved pfBlockerNG
    1.2k Posts 210 Posters 1.8m Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • T
      Topper727
      last edited by

      I have earlier in this topic posted some setup screens captures for people to see the setup. If need help with something just ask here or message me I will help

      Dell 2950 g3 server
      Intel(R) Xeon(R) CPU E5430 @ 2.66GHz
      Current: 2000 MHz, Max: 2667 MHz
      8 CPUs: 2 package(s) x 4 core(s)
      8152 MiB and 600meg 10k drive
      Pfsense 2.4 .. Hoping to get the phpvirtualbox going again.

      1 Reply Last reply Reply Quote 0
      • BBcan177B
        BBcan177 Moderator
        last edited by

        I have submitted Pull Request #820 to fix the following issues:

        1. Issue for Nano and Ramdisk Installations -

        The /var and /tmp folders get wiped on Reboot. This will delete the /var/db/aliastables folder which on Reboot causes a 60 second timeout per pfBNG Alias (Which for some can timeout for 20mins). The new functionality will now Archive the Aliastables on any Alias updates.

        Using the **<earlyshellcmd></earlyshellcmd>**functionality, it will restore the archived Aliastables on reboot to prevent this issue.

        However, all of the other /var/db/pfblockerng files are also deleted. To restore those files, a "Force Update" is required or ultimately will get restored by the next CRON run. This however, will not affect the reboot process.

        If you manually patched the download_file() function from 60 secs to 5 secs. You can revert that change as its not required with these new changes.

        2. Improved the Alerts Tab to handle a Large firewall log file (as 2.2 has functionality to increase the size of the log file). These changes should result in a 50-75% improvement in loading/CPU usage. The Javascript functions were also improved to avoid it being called when the "Auto Resolve" checkbox was not enabled. This was spinning up 2-3 additional php-fpm processes. A timeout was also added to reduce the hostname lookup to 30seconds. If you refresh the Alerts Page shortly after it loads, it can seem to take a little longer, but this is due to the hostname lookups that are still in progress.

        3. Made additional improvements to the IPv6 Regex functionality.

        4. This will bump the pfBNG version to 1.05.

        "Experience is something you don't get until just after you need it."

        Website: http://pfBlockerNG.com
        Twitter: @BBcan177  #pfBlockerNG
        Reddit: https://www.reddit.com/r/pfBlockerNG/new/

        1 Reply Last reply Reply Quote 0
        • S
          st4t1c
          last edited by

          Good evening and thanks for the wonderfull package.

          I'm trying to configure it properly and I have a certain question.

          Lets say I use 2 lists

          The first list has 200 IPs inside, which I have configured it to "Deny Inbound" (I got lots of open ports)

          The second list has 150 IPs inside, and I have configured it to "Deny Both"

          On the second list 100 IPs are the same as the first list, so after deduplication I assume that we're left with 50 IPs blocked by the "Deny Both" rule applied on that list.

          Are the deduplicated IPs fall under the "Deny Inbound" or "Deny Both" rule since after the deduplication they're not "left" on the second list?

          p.s sorry for my bad english, i'm not a native speaker.

          1 Reply Last reply Reply Quote 0
          • B
            Bummer
            last edited by

            Okay, here are a few dumb questions with more to follow after I get these answers.

            I'd like to subscribe to a few lists. They can be free or paid for, as long as they are kept current and are fairly complete. I am aware of I-Blocklist. Are there any that are better?

            Whatever I do, I need to be sure this won't affect my clients and thir ability to conduct normal business. The only country I block at this time is China, they are unmerciful in their attacks.

            I'm interested to subscribing to several lists. For instance, a spammer list (hacked IPs, etc) that are known for sending email spam, a hacker list (hacked IPs used for attempting to hack other servers for whatever reasons), and any other lists that may protect my network.

            I really appreciate your input. Depending on the answer(s), I'll have more questions.

            Thank you for your time.

            1 Reply Last reply Reply Quote 0
            • K
              kaneda
              last edited by

              Hi
              I had a Pfblocker using OSSIM ip list.
              One valid peer vas included in the block list and starting to be blocked, after a few days, it was out of the list but still if I ping from behind any of firewall interfaces, my ping or telnet :25 does not get any answer.

              At firewall logs I see the source and destination ip with a green mark so it appear to pass, but all replies to 25 TCP port and icmp are timed out.

              I updated to pfsense 2.2, installed PFblockerNG and delected old list from directory, I deleted all old pfblocker firewall rules but still I have not response.

              If I ssh into the firewall and try to telnet to 25 from firewall it answer without problem, but not answer behind any other int.
              What could be hapeninng?

              Im getting crazy guys

              1 Reply Last reply Reply Quote 0
              • W
                wcrowder
                last edited by

                Use "Deny Outbound", pfSense will "Deny Inbound" on it's own because it is a Stateful Firewall. See this post from BBCan177: https://forum.pfsense.org/index.php?topic=86212.msg488949#msg488949.

                For more information on a "Stateful Firewall" see: http://en.wikipedia.org/wiki/Stateful_firewall.

                @st4t1c:

                Good evening and thanks for the wonderfull package.

                I'm trying to configure it properly and I have a certain question.

                Lets say I use 2 lists

                The first list has 200 IPs inside, which I have configured it to "Deny Inbound" (I got lots of open ports)

                The second list has 150 IPs inside, and I have configured it to "Deny Both"

                On the second list 100 IPs are the same as the first list, so after deduplication I assume that we're left with 50 IPs blocked by the "Deny Both" rule applied on that list.

                Are the deduplicated IPs fall under the "Deny Inbound" or "Deny Both" rule since after the deduplication they're not "left" on the second list?

                p.s sorry for my bad english, i'm not a native speaker.

                1 Reply Last reply Reply Quote 0
                • W
                  wcrowder
                  last edited by

                  Are you sure you are allowing port 25 to "pass"? Check your rules. This does not sound like a pfBlockerNG problem. If you see a green [>] in the firewall logs; the IP is passed, but you could be blocking the port going the other way. Unsolicited "icmp" packets will be blocked by pfSense unless you allow them in the rules. Just a thought.

                  @kaneda:

                  Hi
                  I had a Pfblocker using OSSIM ip list.
                  One valid peer vas included in the block list and starting to be blocked, after a few days, it was out of the list but still if I ping from behind any of firewall interfaces, my ping or telnet :25 does not get any answer.

                  At firewall logs I see the source and destination ip with a green mark so it appear to pass, but all replies to 25 TCP port and icmp are timed out.

                  I updated to pfsense 2.2, installed PFblockerNG and delected old list from directory, I deleted all old pfblocker firewall rules but still I have not response.

                  If I ssh into the firewall and try to telnet to 25 from firewall it answer without problem, but not answer behind any other int.
                  What could be hapeninng?

                  Im getting crazy guys

                  1 Reply Last reply Reply Quote 0
                  • A
                    azmo
                    last edited by

                    Do I understand correctly that to block countries based only on reputation I should choose "Alias Deny" for the country list and tick "Enable Max" in the Reputation tab ? Is that all there is to it ?

                    1 Reply Last reply Reply Quote 0
                    • BBcan177B
                      BBcan177 Moderator
                      last edited by

                      @azmo:

                      Do I understand correctly that to block countries based only on reputation I should choose "Alias Deny" for the country list and tick "Enable Max" in the Reputation tab ? Is that all there is to it ?

                      Hi Azmo, if this is your first time setting up pfBNG, I would leave Reputation off, until you get the basics of it working. However, the settings in the "Reputation" tab have nothing to do with the Continent/Country Settings. You can set Continent/Country blocking using any "List Action" settings.

                      For "Reputation", the Country Settings use a separate database. I hope that's clear.

                      "Experience is something you don't get until just after you need it."

                      Website: http://pfBlockerNG.com
                      Twitter: @BBcan177  #pfBlockerNG
                      Reddit: https://www.reddit.com/r/pfBlockerNG/new/

                      1 Reply Last reply Reply Quote 0
                      • A
                        azmo
                        last edited by

                        Thanks BB, I think I get it now. I've been running pfBlocker for a few years and am loving the upgrade to pfBlockerNG. It's just the Reputation stuff that's new to me. Thanks for your excellent work. Now we just need DNSBL …

                        1 Reply Last reply Reply Quote 0
                        • BBcan177B
                          BBcan177 Moderator
                          last edited by

                          Great.. Thanks azmo.. Make sure when you make "Reputation" changes… that you run a "Force Reload", this will reload each list with the new Reputation Settings.

                          "Experience is something you don't get until just after you need it."

                          Website: http://pfBlockerNG.com
                          Twitter: @BBcan177  #pfBlockerNG
                          Reddit: https://www.reddit.com/r/pfBlockerNG/new/

                          1 Reply Last reply Reply Quote 0
                          • M
                            MnM
                            last edited by

                            Hi,

                            Is this package supposed to be available under packages?
                            I can not see it there ..running 2.1.5

                            1 Reply Last reply Reply Quote 0
                            • dennypageD
                              dennypage
                              last edited by

                              pfBlockerNG is available beginning with 2.2 only

                              @MnM:

                              Is this package supposed to be available under packages?
                              I can not see it there ..running 2.1.5

                              1 Reply Last reply Reply Quote 0
                              • S
                                st4t1c
                                last edited by

                                Hello,

                                I have read that post, and while it states that "Deny Inbound" is blocked by default by pfSense, it explicitly states that open ports are not protected by that convention. So till I get how to "if you have "Open ports", you can add additional rules to protect those "Open ports"." I choose to have "Deny Both".

                                @wcrowder:

                                Use "Deny Outbound", pfSense will "Deny Inbound" on it's own because it is a Stateful Firewall. See this post from BBCan177: https://forum.pfsense.org/index.php?topic=86212.msg488949#msg488949.

                                For more information on a "Stateful Firewall" see: http://en.wikipedia.org/wiki/Stateful_firewall.

                                @st4t1c:

                                Good evening and thanks for the wonderfull package.

                                I'm trying to configure it properly and I have a certain question.

                                Lets say I use 2 lists

                                The first list has 200 IPs inside, which I have configured it to "Deny Inbound" (I got lots of open ports)

                                The second list has 150 IPs inside, and I have configured it to "Deny Both"

                                On the second list 100 IPs are the same as the first list, so after deduplication I assume that we're left with 50 IPs blocked by the "Deny Both" rule applied on that list.

                                Are the deduplicated IPs fall under the "Deny Inbound" or "Deny Both" rule since after the deduplication they're not "left" on the second list?

                                p.s sorry for my bad english, i'm not a native speaker.

                                1 Reply Last reply Reply Quote 0
                                • P
                                  pf3000
                                  last edited by

                                  Changing "CRON MIN Start Time" is reflected in Cron settings. But I can't change "CRON Base Hour Start Time". It's always *. Manually editing cron hour gets overwritten by pfB. What to do?

                                  1 Reply Last reply Reply Quote 0
                                  • BBcan177B
                                    BBcan177 Moderator
                                    last edited by

                                    @st4t1c:

                                    Are the deduplicated IPs fall under the "Deny Inbound" or "Deny Both" rule since after the deduplication they're not "left" on the second list?

                                    Hi st4t1c,

                                    De-duplication works as follows ( using the tool grepcidr )

                                    1. pfBNG will download any Country/Continent selections (No de-duplication as they are all unique already - However, de-dup will occur if you select a Country and then select it again in the TOP 20 Tab)

                                    2. As each Alias/List is downloaded, it will compare each IPv4 Address to a masterfile. If the address exists or is already being blocked by a CIDR address, it will not be added. This will continue for each list downloaded.

                                    3. When Cron runs, any list that need to be updated will have its IP addresses removed from the master database and a new de-duplication validation is done on all the new IPs in the recently downloaded file.

                                    So an IP that might originally be listed in one List, might be listed in a different list after a Cron event.

                                    I recommend that a "Force Reload" is run when users change Country Blocking, or add/remove Aliases/Lists. This will re-sync the whole Database and lists and make it more efficient.

                                    If you want to have a list specific to a Firewall rule, you will need to use the "Alias Native" List Action, which does not use de-duplication or not enable de-duplication (Which I would not recommend)

                                    "Experience is something you don't get until just after you need it."

                                    Website: http://pfBlockerNG.com
                                    Twitter: @BBcan177  #pfBlockerNG
                                    Reddit: https://www.reddit.com/r/pfBlockerNG/new/

                                    1 Reply Last reply Reply Quote 0
                                    • P
                                      phil.davis
                                      last edited by

                                      Changing "CRON MIN Start Time" is reflected in Cron settings. But I can't change "CRON Base Hour Start Time". It's always *. Manually editing cron hour gets overwritten by pfB. What to do?

                                      The code in pfblockerng.php that handles:

                                      if ($argv[1] == 'cron')
                                      

                                      does the various calculations based on the hour setting already, and works out starting from that hour what are the hours to run the 1,2,3,4,6,8,12 hourly scheduled stuff.
                                      From what I can see, we want the cron job itself to run every hour, and check what it needs to do. Some hours there might be nothing to do because there is nothing in some 1,2,3 hourly schedule…

                                      The hour setting seems to just be the hour when the user wants all the schedules to "come together" - i.e. if you put "4" then at 4am all the 1,2,3,4,6,8,12 hourly schedules will go off together and then it rolls around hour by hour from there.

                                      I suspect that the existing code is actually working as designed???

                                      As the Greek philosopher Isosceles used to say, "There are 3 sides to every triangle."
                                      If I helped you, then help someone else - buy someone a gift from the INF catalog http://secure.inf.org/gifts/usd/

                                      1 Reply Last reply Reply Quote 0
                                      • BBcan177B
                                        BBcan177 Moderator
                                        last edited by

                                        @phil.davis:

                                        The hour setting seems to just be the hour when the user wants all the schedules to "come together" - i.e. if you put "4" then at 4am all the 1,2,3,4,6,8,12 hourly schedules will go off together and then it rolls around hour by hour from there.

                                        Thanks Phil… Yes you are correct... The Cron event will always be called each hour and the code will check to see if the user changed the Base Start Hour and adjust accordingly.

                                        So pf3000, the Cron event will not show the Base Hour. It will always be "*"

                                        I will revert that commit!  :)

                                        So for example :

                                        Base Hour of ( 0 )  with a 4hr Freq. will download @  0,4,8,12,16,20
                                        Base Hour of ( 1 )  with a 4hr Freq. will download @  1,5,9,13,17,21

                                        I recommend that people change the Base Min and Base Hour settings so that the List providers are getting hit at various times to avoid a surge with everyone at the same Cron settings.

                                        "Experience is something you don't get until just after you need it."

                                        Website: http://pfBlockerNG.com
                                        Twitter: @BBcan177  #pfBlockerNG
                                        Reddit: https://www.reddit.com/r/pfBlockerNG/new/

                                        1 Reply Last reply Reply Quote 0
                                        • P
                                          pf3000
                                          last edited by

                                          Hi BBcan177… Great, it works now okay
                                          At the moment it's 1hr Frequency. When I was tinkering what I really wanted to achieve was - I would like for it to be 4 or X hours. Something like "*/12" (?)

                                          1 Reply Last reply Reply Quote 0
                                          • P
                                            phil.davis
                                            last edited by

                                            Looking at this hour-frequency scheduling, I also noticed that nothing will happen at the zero hour. For example, if you put "4" as the CRON base hour, then the 2-hourly schedule list calculated in the code becomes:
                                            "4","6","8","10","12","14","16","18","20","22","24","2"
                                            but hours returned by PHP date() function are in the range 0 to 23.
                                            So when it runs at like 00:15 it will not match hour "24" and so the expected 0 schedule will not run.
                                            If you put CRON base hour "0" it is OK - the "0" gets put straight in as the first element in the list, it is only if you use a non-zero base hour that also wraps some schedules through the zero hour.

                                            Proposed fix here: https://github.com/phil-davis/pfsense-packages/commit/c5b497d4ea370e8f076bd95af5259d547894f2fa

                                            Review it, test it, and feel free to include it yourself in the next bugfix version.

                                            As the Greek philosopher Isosceles used to say, "There are 3 sides to every triangle."
                                            If I helped you, then help someone else - buy someone a gift from the INF catalog http://secure.inf.org/gifts/usd/

                                            1 Reply Last reply Reply Quote 0
                                            • First post
                                              Last post
                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.