PfBlockerNG
-
I have earlier in this topic posted some setup screens captures for people to see the setup. If need help with something just ask here or message me I will help
-
I have submitted Pull Request #820 to fix the following issues:
1. Issue for Nano and Ramdisk Installations -
The /var and /tmp folders get wiped on Reboot. This will delete the /var/db/aliastables folder which on Reboot causes a 60 second timeout per pfBNG Alias (Which for some can timeout for 20mins). The new functionality will now Archive the Aliastables on any Alias updates.
Using the **<earlyshellcmd></earlyshellcmd>**functionality, it will restore the archived Aliastables on reboot to prevent this issue.
However, all of the other /var/db/pfblockerng files are also deleted. To restore those files, a "Force Update" is required or ultimately will get restored by the next CRON run. This however, will not affect the reboot process.
If you manually patched the download_file() function from 60 secs to 5 secs. You can revert that change as its not required with these new changes.
2. Improved the Alerts Tab to handle a Large firewall log file (as 2.2 has functionality to increase the size of the log file). These changes should result in a 50-75% improvement in loading/CPU usage. The Javascript functions were also improved to avoid it being called when the "Auto Resolve" checkbox was not enabled. This was spinning up 2-3 additional php-fpm processes. A timeout was also added to reduce the hostname lookup to 30seconds. If you refresh the Alerts Page shortly after it loads, it can seem to take a little longer, but this is due to the hostname lookups that are still in progress.
3. Made additional improvements to the IPv6 Regex functionality.
4. This will bump the pfBNG version to 1.05.
-
Good evening and thanks for the wonderfull package.
I'm trying to configure it properly and I have a certain question.
Lets say I use 2 lists
The first list has 200 IPs inside, which I have configured it to "Deny Inbound" (I got lots of open ports)
The second list has 150 IPs inside, and I have configured it to "Deny Both"
On the second list 100 IPs are the same as the first list, so after deduplication I assume that we're left with 50 IPs blocked by the "Deny Both" rule applied on that list.
Are the deduplicated IPs fall under the "Deny Inbound" or "Deny Both" rule since after the deduplication they're not "left" on the second list?
p.s sorry for my bad english, i'm not a native speaker.
-
Okay, here are a few dumb questions with more to follow after I get these answers.
I'd like to subscribe to a few lists. They can be free or paid for, as long as they are kept current and are fairly complete. I am aware of I-Blocklist. Are there any that are better?
Whatever I do, I need to be sure this won't affect my clients and thir ability to conduct normal business. The only country I block at this time is China, they are unmerciful in their attacks.
I'm interested to subscribing to several lists. For instance, a spammer list (hacked IPs, etc) that are known for sending email spam, a hacker list (hacked IPs used for attempting to hack other servers for whatever reasons), and any other lists that may protect my network.
I really appreciate your input. Depending on the answer(s), I'll have more questions.
Thank you for your time.
-
Hi
I had a Pfblocker using OSSIM ip list.
One valid peer vas included in the block list and starting to be blocked, after a few days, it was out of the list but still if I ping from behind any of firewall interfaces, my ping or telnet :25 does not get any answer.At firewall logs I see the source and destination ip with a green mark so it appear to pass, but all replies to 25 TCP port and icmp are timed out.
I updated to pfsense 2.2, installed PFblockerNG and delected old list from directory, I deleted all old pfblocker firewall rules but still I have not response.
If I ssh into the firewall and try to telnet to 25 from firewall it answer without problem, but not answer behind any other int.
What could be hapeninng?Im getting crazy guys
-
Use "Deny Outbound", pfSense will "Deny Inbound" on it's own because it is a Stateful Firewall. See this post from BBCan177: https://forum.pfsense.org/index.php?topic=86212.msg488949#msg488949.
For more information on a "Stateful Firewall" see: http://en.wikipedia.org/wiki/Stateful_firewall.
Good evening and thanks for the wonderfull package.
I'm trying to configure it properly and I have a certain question.
Lets say I use 2 lists
The first list has 200 IPs inside, which I have configured it to "Deny Inbound" (I got lots of open ports)
The second list has 150 IPs inside, and I have configured it to "Deny Both"
On the second list 100 IPs are the same as the first list, so after deduplication I assume that we're left with 50 IPs blocked by the "Deny Both" rule applied on that list.
Are the deduplicated IPs fall under the "Deny Inbound" or "Deny Both" rule since after the deduplication they're not "left" on the second list?
p.s sorry for my bad english, i'm not a native speaker.
-
Are you sure you are allowing port 25 to "pass"? Check your rules. This does not sound like a pfBlockerNG problem. If you see a green [>] in the firewall logs; the IP is passed, but you could be blocking the port going the other way. Unsolicited "icmp" packets will be blocked by pfSense unless you allow them in the rules. Just a thought.
Hi
I had a Pfblocker using OSSIM ip list.
One valid peer vas included in the block list and starting to be blocked, after a few days, it was out of the list but still if I ping from behind any of firewall interfaces, my ping or telnet :25 does not get any answer.At firewall logs I see the source and destination ip with a green mark so it appear to pass, but all replies to 25 TCP port and icmp are timed out.
I updated to pfsense 2.2, installed PFblockerNG and delected old list from directory, I deleted all old pfblocker firewall rules but still I have not response.
If I ssh into the firewall and try to telnet to 25 from firewall it answer without problem, but not answer behind any other int.
What could be hapeninng?Im getting crazy guys
-
Do I understand correctly that to block countries based only on reputation I should choose "Alias Deny" for the country list and tick "Enable Max" in the Reputation tab ? Is that all there is to it ?
-
Do I understand correctly that to block countries based only on reputation I should choose "Alias Deny" for the country list and tick "Enable Max" in the Reputation tab ? Is that all there is to it ?
Hi Azmo, if this is your first time setting up pfBNG, I would leave Reputation off, until you get the basics of it working. However, the settings in the "Reputation" tab have nothing to do with the Continent/Country Settings. You can set Continent/Country blocking using any "List Action" settings.
For "Reputation", the Country Settings use a separate database. I hope that's clear.
-
Thanks BB, I think I get it now. I've been running pfBlocker for a few years and am loving the upgrade to pfBlockerNG. It's just the Reputation stuff that's new to me. Thanks for your excellent work. Now we just need DNSBL …
-
Great.. Thanks azmo.. Make sure when you make "Reputation" changes… that you run a "Force Reload", this will reload each list with the new Reputation Settings.
-
Hi,
Is this package supposed to be available under packages?
I can not see it there ..running 2.1.5 -
pfBlockerNG is available beginning with 2.2 only
@MnM:
Is this package supposed to be available under packages?
I can not see it there ..running 2.1.5 -
Hello,
I have read that post, and while it states that "Deny Inbound" is blocked by default by pfSense, it explicitly states that open ports are not protected by that convention. So till I get how to "if you have "Open ports", you can add additional rules to protect those "Open ports"." I choose to have "Deny Both".
Use "Deny Outbound", pfSense will "Deny Inbound" on it's own because it is a Stateful Firewall. See this post from BBCan177: https://forum.pfsense.org/index.php?topic=86212.msg488949#msg488949.
For more information on a "Stateful Firewall" see: http://en.wikipedia.org/wiki/Stateful_firewall.
Good evening and thanks for the wonderfull package.
I'm trying to configure it properly and I have a certain question.
Lets say I use 2 lists
The first list has 200 IPs inside, which I have configured it to "Deny Inbound" (I got lots of open ports)
The second list has 150 IPs inside, and I have configured it to "Deny Both"
On the second list 100 IPs are the same as the first list, so after deduplication I assume that we're left with 50 IPs blocked by the "Deny Both" rule applied on that list.
Are the deduplicated IPs fall under the "Deny Inbound" or "Deny Both" rule since after the deduplication they're not "left" on the second list?
p.s sorry for my bad english, i'm not a native speaker.
-
Changing "CRON MIN Start Time" is reflected in Cron settings. But I can't change "CRON Base Hour Start Time". It's always *. Manually editing cron hour gets overwritten by pfB. What to do?
-
Are the deduplicated IPs fall under the "Deny Inbound" or "Deny Both" rule since after the deduplication they're not "left" on the second list?
Hi st4t1c,
De-duplication works as follows ( using the tool grepcidr )
-
pfBNG will download any Country/Continent selections (No de-duplication as they are all unique already - However, de-dup will occur if you select a Country and then select it again in the TOP 20 Tab)
-
As each Alias/List is downloaded, it will compare each IPv4 Address to a masterfile. If the address exists or is already being blocked by a CIDR address, it will not be added. This will continue for each list downloaded.
-
When Cron runs, any list that need to be updated will have its IP addresses removed from the master database and a new de-duplication validation is done on all the new IPs in the recently downloaded file.
So an IP that might originally be listed in one List, might be listed in a different list after a Cron event.
I recommend that a "Force Reload" is run when users change Country Blocking, or add/remove Aliases/Lists. This will re-sync the whole Database and lists and make it more efficient.
If you want to have a list specific to a Firewall rule, you will need to use the "Alias Native" List Action, which does not use de-duplication or not enable de-duplication (Which I would not recommend)
-
-
Changing "CRON MIN Start Time" is reflected in Cron settings. But I can't change "CRON Base Hour Start Time". It's always *. Manually editing cron hour gets overwritten by pfB. What to do?
The code in pfblockerng.php that handles:
if ($argv[1] == 'cron')does the various calculations based on the hour setting already, and works out starting from that hour what are the hours to run the 1,2,3,4,6,8,12 hourly scheduled stuff.
From what I can see, we want the cron job itself to run every hour, and check what it needs to do. Some hours there might be nothing to do because there is nothing in some 1,2,3 hourly schedule…The hour setting seems to just be the hour when the user wants all the schedules to "come together" - i.e. if you put "4" then at 4am all the 1,2,3,4,6,8,12 hourly schedules will go off together and then it rolls around hour by hour from there.
I suspect that the existing code is actually working as designed???
-
The hour setting seems to just be the hour when the user wants all the schedules to "come together" - i.e. if you put "4" then at 4am all the 1,2,3,4,6,8,12 hourly schedules will go off together and then it rolls around hour by hour from there.
Thanks Phil… Yes you are correct... The Cron event will always be called each hour and the code will check to see if the user changed the Base Start Hour and adjust accordingly.
So pf3000, the Cron event will not show the Base Hour. It will always be "*"
I will revert that commit! :)
So for example :
Base Hour of ( 0 ) with a 4hr Freq. will download @ 0,4,8,12,16,20
Base Hour of ( 1 ) with a 4hr Freq. will download @ 1,5,9,13,17,21I recommend that people change the Base Min and Base Hour settings so that the List providers are getting hit at various times to avoid a surge with everyone at the same Cron settings.
-
Hi BBcan177…
Great, it works nowokay
At the moment it's 1hr Frequency. When I was tinkering what I really wanted to achieve was - I would like for it to be 4 or X hours. Something like "*/12" (?) -
Looking at this hour-frequency scheduling, I also noticed that nothing will happen at the zero hour. For example, if you put "4" as the CRON base hour, then the 2-hourly schedule list calculated in the code becomes:
"4","6","8","10","12","14","16","18","20","22","24","2"
but hours returned by PHP date() function are in the range 0 to 23.
So when it runs at like 00:15 it will not match hour "24" and so the expected 0 schedule will not run.
If you put CRON base hour "0" it is OK - the "0" gets put straight in as the first element in the list, it is only if you use a non-zero base hour that also wraps some schedules through the zero hour.Proposed fix here: https://github.com/phil-davis/pfsense-packages/commit/c5b497d4ea370e8f076bd95af5259d547894f2fa
Review it, test it, and feel free to include it yourself in the next bugfix version.
