Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    PfBlockerNG

    Scheduled Pinned Locked Moved pfBlockerNG
    1.2k Posts 210 Posters 1.9m Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • P
      postduif
      last edited by

      How often do you update the enabled lists? I'm using pfSense for my home router/firewall with the following lists :

      1 Reply Last reply Reply Quote 0
      • BBcan177B
        BBcan177 Moderator
        last edited by

        @postduif:

        How often do you update the enabled lists?

        Hi postduif,

        In the pfblockerng.log (This can be viewed in the Log Browser), after the downloads are completed, you will see a section called :

        "==[ [b]Last Updated List Summary ]=="

        This will show you the last updated timestamp of the Threat Sources. You can change the lists to update once per hour and follow the log file for a few days to see the Update Frequency of each list and adjust accordingly.

        I would recommend atleast a once a day for most, some are updated more frequently (1-4hrs).

        Also the first step in any Cron event is to check the timestamp of the remote server and see if its the same as the previous download, then the download is skipped for that particular list. Also note the blocklist.de has several other lists available (you show only the ssh list).

        I have also indicated in several posts in this thread to be more concerned about the "Outbound" traffic.

        Typically for "Home" use, you most likely do not have any open ports. As pfSense is a Stateful Firewall by design, it is blocking all unsolicited traffic on the inbound WAN. But if a device on the LAN makes a request to any of these Malicious IPs, it will go thru and not protect your devices as you have not configured any "OUTBOUND" rules. If you do have open WAN ports, then you can add specific Alias Type Rules to protect those individual ports on the "Inbound" WAN.

        Hope this helps!

        "Experience is something you don't get until just after you need it."

        Website: http://pfBlockerNG.com
        Twitter: @BBcan177  #pfBlockerNG
        Reddit: https://www.reddit.com/r/pfBlockerNG/new/

        1 Reply Last reply Reply Quote 0
        • S
          sparks305
          last edited by

          So i just finished reading this entire 36 page thread prior to posting any questions when installing/setting up, as I definitely do not consider myself an "engineer." I wanted to thank everyone involved (not just limited to testing) and most notably BBcan177 for his time and effort contributed.

          1 Reply Last reply Reply Quote 0
          • P
            postduif
            last edited by

            @BBcan177:

            @postduif:

            How often do you update the enabled lists?

            Hi postduif,

            In the pfblockerng.log (This can be viewed in the Log Browser), after the downloads are completed, you will see a section called :

            "==[ [b]Last Updated List Summary ]=="

            This will show you the last updated timestamp of the Threat Sources. You can change the lists to update once per hour and follow the log file for a few days to see the Update Frequency of each list and adjust accordingly.

            I would recommend atleast a once a day for most, some are updated more frequently (1-4hrs).

            Also the first step in any Cron event is to check the timestamp of the remote server and see if its the same as the previous download, then the download is skipped for that particular list. Also note the blocklist.de has several other lists available (you show only the ssh list).

            I have also indicated in several posts in this thread to be more concerned about the "Outbound" traffic.

            Typically for "Home" use, you most likely do not have any open ports. As pfSense is a Stateful Firewall by design, it is blocking all unsolicited traffic on the inbound WAN. But if a device on the LAN makes a request to any of these Malicious IPs, it will go thru and not protect your devices as you have not configured any "OUTBOUND" rules. If you do have open WAN ports, then you can add specific Alias Type Rules to protect those individual ports on the "Inbound" WAN.

            Hope this helps!

            Really helps for understanding pfblockerng, thanks.
            The only inbound services i'm using are ssh (on port 6622 which forwards to an internal server on port 22, but is only allowed from a specific source IP) and Openvpn on port 1194.
            What's your advice, only use deny_outbound on my lists? Or deny_both?

            1 Reply Last reply Reply Quote 0
            • BBcan177B
              BBcan177 Moderator
              last edited by

              If you are restricting those two ports for SSH and OpenVPN to a select few IPs, then it doesn't protect you to have pfBNG "Inbound" rules as the "Implicit Deny" on the WAN is already dropping all unsolicited traffic.

              If you want to see the activity "noise" that is being implicitly blocked on the WAN, you can use "Deny Both" but it will slightly impact performance. FreeBSD "pf" is quite capable to process the IPs and lookup the Alias Tables, however its not offering any protection to your network as stated above.

              You will see less activity in the Widget/Alert Logs without the "Deny Inbound" rules but that is a good thing. You should really be looking at what is being blocked. So if a LAN device is showing blocked activity to a Malicious IP, you should be investigating why?

              By un-neccessarily using the "Deny Both" rules, you are cluttering your alerts log and you can miss the real malicious activity that you should be looking out for.

              You don't just want to turn it on, and forget about it.

              If for example you have a single port (or a few ports) open on the WAN, you are better off in creating an "Alias Deny" rule(s), and creating a manual Firewall rule just for the Inbound port(s). This way it reduces un-necessary processing of the Inbound packets.

              "Experience is something you don't get until just after you need it."

              Website: http://pfBlockerNG.com
              Twitter: @BBcan177  #pfBlockerNG
              Reddit: https://www.reddit.com/r/pfBlockerNG/new/

              1 Reply Last reply Reply Quote 0
              • ghostshellG
                ghostshell
                last edited by

                @Supermule:

                Via the private repository but it will be available soon as a pfsense package.

                Be patient :)

                How can I get access to this private repo?

                1 Reply Last reply Reply Quote 0
                • BBcan177B
                  BBcan177 Moderator
                  last edited by

                  @ghostshell:

                  @Supermule:

                  Via the private repository but it will be available soon as a pfsense package.

                  Be patient :)

                  How can I get access to this private repo?

                  The Package has already been released… Its in the pfSense Package Repo.

                  "Experience is something you don't get until just after you need it."

                  Website: http://pfBlockerNG.com
                  Twitter: @BBcan177  #pfBlockerNG
                  Reddit: https://www.reddit.com/r/pfBlockerNG/new/

                  1 Reply Last reply Reply Quote 0
                  • S
                    Slab
                    last edited by

                    Hi folks,

                    I have a question re. utilizing a pfBlockerNG alias. Specifically, this text:

                    
                    When using 'Alias' rules, change (pfB_) to ( pfb_ ) in the beginning of rule description and use the 'Exact' spelling of
                    the Alias (no trailing Whitespace)  Custom 'Alias' rules with 'pfB_ xxx' description will be removed by package if using
                    Auto Rule Creation.
                    
                    

                    I am assuming that I don't have to change anything with respect to the alias created by pfBlockerNG itself, but when creating a rule that utilizes the alias must the rule description field contain only the alias name (with the lower case 'B' substituted in the pfb_ prefix) or can it include additional text after the alias name? The "in the beginning of rule description" wording implies (to me) that other text can follow …but the "no trailing Whitespace" implies no other text should follow. I currently have additional text in the rule description field, and the dashboard widget shows green for the alias, but I just want to be sure.

                    Thanks (and awesome package by the way!) ...

                    1 Reply Last reply Reply Quote 0
                    • BBcan177B
                      BBcan177 Moderator
                      last edited by

                      @Slab:

                      I currently have additional text in the rule description field, and the dashboard widget shows green for the alias, but I just want to be sure.

                      Hi Slab,

                      The Green arrow indicator, will show that there is a Rule associated with the pfBlockerNG Alias. If you add extra text to the Manual Rule Description, the Packet Count for this Manual Alias Rule in the widget might not work.

                      "Experience is something you don't get until just after you need it."

                      Website: http://pfBlockerNG.com
                      Twitter: @BBcan177  #pfBlockerNG
                      Reddit: https://www.reddit.com/r/pfBlockerNG/new/

                      1 Reply Last reply Reply Quote 0
                      • S
                        seqteq
                        last edited by

                        Hi, I updated from pfsense 2.2 to 2.2.1 and my pfBlockerng config got wiped. The package was uninstalled and reinstalled according to the logs

                        all I had was 1 alias of 1 country, type native

                        any ideas before I update the other 13 firewalls?

                        Thank you for your time

                        Mar 19 09:49:28 php: rc.bootup: Attempting to reinstall all packages
                        Mar 19 09:49:28 php: rc.bootup: List of packages to reinstall: OpenVPN Client Export Utility, pfBlocker
                        Mar 19 09:49:28 php: rc.bootup: Uninstalling package OpenVPN Client Export Utility
                        Mar 19 09:49:40 php: rc.bootup: Finished uninstalling package OpenVPN Client Export Utility
                        Mar 19 09:49:40 php: rc.bootup: Reinstalling package OpenVPN Client Export Utility
                        Mar 19 09:49:40 php: rc.bootup: Beginning package installation for OpenVPN Client Export Utility .
                        Mar 19 09:49:57 php: rc.bootup: Successfully installed package: OpenVPN Client Export Utility.
                        Mar 19 09:49:57 php: rc.bootup: Finished installing package OpenVPN Client Export Utility
                        Mar 19 09:49:57 php: rc.bootup: Uninstalling package pfBlocker
                        Mar 19 09:49:57 php: rc.bootup: Finished uninstalling package pfBlocker
                        Mar 19 09:49:57 php: rc.bootup: Reinstalling package pfBlocker
                        Mar 19 09:49:58 php: rc.bootup: Finished installing package pfBlocker
                        Mar 19 09:49:58 php: rc.bootup: Finished reinstalling all packages.

                        1 Reply Last reply Reply Quote 0
                        • BBcan177B
                          BBcan177 Moderator
                          last edited by

                          Hi Seqteq,

                          There is a checkbox in the General Tab called "Keep Settings" that needs to be enabled. On all new installations it has been defaulted to "On".

                          Its strange that your posted log has "pfBlocker" when it should be "pfBlockerNG"

                          "Experience is something you don't get until just after you need it."

                          Website: http://pfBlockerNG.com
                          Twitter: @BBcan177  #pfBlockerNG
                          Reddit: https://www.reddit.com/r/pfBlockerNG/new/

                          1 Reply Last reply Reply Quote 0
                          • D
                            doktornotor Banned
                            last edited by

                            @seqteq:

                            Hi, I updated from pfsense 2.2 to 2.2.1 and my pfBlockerng config got wiped. The package was uninstalled and reinstalled according to the logs

                            pfBlocker package does not exist any more. No configuration from there will be carried over to pfBlockerNG. Restart from scratch.

                            1 Reply Last reply Reply Quote 0
                            • S
                              seqteq
                              last edited by

                              @BBcan177:

                              Hi Seqteq,

                              There is a checkbox in the General Tab called "Keep Settings" that needs to be enabled. On all new installations it has been defaulted to "On".

                              Its strange that your posted log has "pfBlocker" when it should be "pfBlockerNG"

                              Ah, thanks I'll check that tomorrow.
                              Just noticed the ng was missing in the log. I was definitely using ng in 2.2 and ng is definitely what got installed after the 2.2.1 update. iDunno. I adopted 2.2 for this appliance early, before the ng release, but that got replaced like the day after ng dropped.

                              1 Reply Last reply Reply Quote 0
                              • D
                                doktornotor Banned
                                last edited by

                                There's no way the package would reinstall in 1 second. Probably you have too many boxes to keep track of what actually was there.

                                1 Reply Last reply Reply Quote 0
                                • S
                                  stanthewizard
                                  last edited by

                                  Hello

                                  Got Something strange with PpBlockerNG on alerts tab

                                  Fatal error: Call to undefined function subnetv6_expand() in /etc/inc/util.inc on line 714

                                  Any idea what is going wrong ?

                                  Thanks

                                  1 Reply Last reply Reply Quote 0
                                  • BBcan177B
                                    BBcan177 Moderator
                                    last edited by

                                    pfBlockerNG v1.06  has been Merged by the Devs.

                                    Changelog:

                                    • Previously when deleting all IPs in the pfBlockerNGSuppress Alias, it would not
                                      clear the widget Suppression Counter. This version fixes that issue as reported by user "Panz".

                                    • Merged recent changes in pfSense diag_dns.php into pfblockerng_diag_dns.php to keep code base current.

                                    • Change Release to "Stable" from previous "Beta" Status.

                                    Notes -

                                    The issue reported by "stanthewizard" above is partially due to a missing function in pfSense (subnetv6_expand). I expect that I will need to submit a new Pull Request to fix this issue. I provided him a workaround to fix his issue for now.

                                    "Experience is something you don't get until just after you need it."

                                    Website: http://pfBlockerNG.com
                                    Twitter: @BBcan177  #pfBlockerNG
                                    Reddit: https://www.reddit.com/r/pfBlockerNG/new/

                                    1 Reply Last reply Reply Quote 0
                                    • S
                                      stanthewizard
                                      last edited by

                                      And I thank you for that again

                                      1 Reply Last reply Reply Quote 0
                                      • S
                                        seqteq
                                        last edited by

                                        @doktornotor:

                                        There's no way the package would reinstall in 1 second. Probably you have too many boxes to keep track of what actually was there.

                                        That was it, it's been a busy year.

                                        1 Reply Last reply Reply Quote 0
                                        • V
                                          varazir
                                          last edited by

                                          Hi, Thanks for a great pkg.

                                          I'm having problem with port forwards and UPnP & NAT-PMP.

                                          I use this settings for pfBlockerNG:
                                          Marked all lists
                                          Top 20 and Asia is blocked, both rest blocked inbound.
                                          I have added custom lists from Bluetack ads/proxy/spyware and from Squidblacklist ads. All deny both
                                          Set rule order pfSense pass/match | pfB_pass/match | pfB_block/reject

                                          TIA

                                          1 Reply Last reply Reply Quote 0
                                          • D
                                            doktornotor Banned
                                            last edited by

                                            @varazir:

                                            I'm having problem with port forwards and UPnP & NAT-PMP.

                                            You need to describe what is your problem…

                                            @varazir:

                                            I use this settings for pfBlockerNG:
                                            Marked all lists
                                            Top 20 and Asia is blocked, both rest blocked inbound.

                                            What all lists? The country lists? So you blocked whole world inbound, or what? I don't understand your description at all. Plus, block is default on WAN. Are you actually running any service locally that you need to limit access to?

                                            1 Reply Last reply Reply Quote 0
                                            • First post
                                              Last post
                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.