Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    PfBlockerNG

    Scheduled Pinned Locked Moved pfBlockerNG
    1.2k Posts 211 Posters 2.1m Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • BBcan177B
      BBcan177 Moderator
      last edited by

      @ConfusedUser:

      I just gave it a quick try (without the check boxes, simply hard coded since my php knowledge is pretty much non-existent) and changed the following

      Thanks. I will take a look and see if I can incorporate that.

      Also it would be good if this one could be toggled as well:

      This is the code that skips 'Repeated Alerts' You can comment out the "continue" line to skip that process.

      
          409                         // Skip Repeated Alerts
          410                         if (($pfbalert[3] . $pfbalert[8] . $pfbalert[10]) == $previous_dstip || ($pfbalert[3] . $pfbalert[7] . $pfbalert[9]) == $previous_srcip)
          411                                 continue;
      
      

      Anyway, one more thing I completely forgot: pfBlockerNG is absolutely great!!!

      Thanks!  :)

      "Experience is something you don't get until just after you need it."

      Website: http://pfBlockerNG.com
      Twitter: @BBcan177  #pfBlockerNG
      Reddit: https://www.reddit.com/r/pfBlockerNG/new/

      1 Reply Last reply Reply Quote 0
      • J
        jeffhammett
        last edited by

        @BBcan177:

        Hi jeffh,

        I would read this thread for my comments on 'Blocking the world, and allow a few Countries" and reverse that approach to Permit a select few Countries instead. pfSense is a stateful Firewall by design and is already Implicitly blocking on the Inbound.

        If you want to protect some open ports, you should look at creating an Alias rule to protect the individual Inbound Port(s). Otherwise, Blocking on the Inbound with no open ports is inspecting packets that are already going to be dropped by the Implicit Deny Rule.

        Thanks BBcan177, I'll read through this thread, but that definitely makes sense. Not sure why I didn't think of that approach from the get go.

        1 Reply Last reply Reply Quote 0
        • H
          ha11oga11o
          last edited by

          @BBcan177:

          Hello ha11oga11o,

          There is an issue as you have all "-" in the Widget Packet Counts.

          Please reset all files with the following steps from the General Tab:

          1. Uncheck "Keep Settings"
          2. Disable "pfBlockerNG"
          3. Click "Save"

          After it completes, reverse the steps above. Then run a "Force Update" The widget Packet Counts should start with "0's".

          NOTE -  Please don't select Countries in the 'TOP' alias, and then select the same Countries in the other Continent Tabs.

          Hello BBcan177,

          Many thnx that works fine for widget.

          But still cant see anything at Alerts tab :/

          Cheers :)

          1 Reply Last reply Reply Quote 0
          • BBcan177B
            BBcan177 Moderator
            last edited by

            @ha11oga11o:

            Many thnx that works fine for widget.

            But still cant see anything at Alerts tab :/

            Find an IP that is in any of the pfBNG Alias Tables and ping it from a Device behind pfSense… That should trigger an Alert. Also make sure that logging in enabled in the Aliases.

            This command will give you some more stats from the Shell:
                pfctl -vvsTables

            "Experience is something you don't get until just after you need it."

            Website: http://pfBlockerNG.com
            Twitter: @BBcan177  #pfBlockerNG
            Reddit: https://www.reddit.com/r/pfBlockerNG/new/

            1 Reply Last reply Reply Quote 0
            • BBcan177B
              BBcan177 Moderator
              last edited by

              @jeffh:

              Thanks BBcan177, I'll read through this thread, but that definitely makes sense. Not sure why I didn't think of that approach from the get go.

              If you don't have open ports and you only want to have your devices talk to certain Countries, then you can create "Permit Outbound" rules. Keep in mind that their is a ton of Malicious IPs in NA Countries also.. Recommend using decent Blocklists to block known Malicious IPs.

              "Experience is something you don't get until just after you need it."

              Website: http://pfBlockerNG.com
              Twitter: @BBcan177  #pfBlockerNG
              Reddit: https://www.reddit.com/r/pfBlockerNG/new/

              1 Reply Last reply Reply Quote 0
              • H
                ha11oga11o
                last edited by

                @BBcan177:

                @ha11oga11o:

                Many thnx that works fine for widget.

                But still cant see anything at Alerts tab :/

                Find an IP that is in any of the pfBNG Alias Tables and ping it from a Device behind pfSense… That should trigger an Alert. Also make sure that logging in enabled in the Aliases.

                This command will give you some more stats from the Shell:
                    pfctl -vvsTables

                Something is really wrong with mine pfblockerNG. Again i have "-" on widget and this is shell output.

                http://pastebin.com/Gze9xyAd

                1 Reply Last reply Reply Quote 0
                • BBcan177B
                  BBcan177 Moderator
                  last edited by

                  ha11oga11o,

                  Does the pfblockerng.log show any errors/Issues?

                  Disable pfBlockerNG again as indicated in my post above. Then Reboot.
                  After the reboot, enable a few Aliases at a time and run a "Force Update" to see if those Aliases show "0's" in the widget… Rinse and Repeat with a few more Aliases. Then you can determine which alias is causing the issue.

                  "Experience is something you don't get until just after you need it."

                  Website: http://pfBlockerNG.com
                  Twitter: @BBcan177  #pfBlockerNG
                  Reddit: https://www.reddit.com/r/pfBlockerNG/new/

                  1 Reply Last reply Reply Quote 0
                  • BBcan177B
                    BBcan177 Moderator
                    last edited by

                    Hi ConfusedUser,

                    Those changes that you made to capture the Country in the List column are not correct unfortunately. But I think you need to look at the "CC" column which will already tell you which Country it is anyways.  :)

                    "Experience is something you don't get until just after you need it."

                    Website: http://pfBlockerNG.com
                    Twitter: @BBcan177  #pfBlockerNG
                    Reddit: https://www.reddit.com/r/pfBlockerNG/new/

                    1 Reply Last reply Reply Quote 0
                    • H
                      ha11oga11o
                      last edited by

                      @BBcan177:

                      ha11oga11o,

                      Does the pfblockerng.log show any errors/Issues?

                      Disable pfBlockerNG again as indicated in my post above. Then Reboot.
                      After the reboot, enable a few Aliases at a time and run a "Force Update" to see if those Aliases show "0's" in the widget… Rinse and Repeat with a few more Aliases. Then you can determine which alias is causing the issue.

                      No errors at all,

                      i rebooted, enabled couple of lists all is working fine. Now i just need to enable one by one and update. I think that should solve problem to find which list is broken, or maybe i have way to much IPs on lists that they cannot fit to tables.

                      Many thnx for pinpointing me to right direction., Now its up-to me just to do my stuff and find broken one.

                      Cheers :)

                      1 Reply Last reply Reply Quote 0
                      • C
                        ConfusedUser
                        last edited by

                        @BBcan177:

                        Hi ConfusedUser,

                        Those changes that you made to capture the Country in the List column are not correct unfortunately. But I think you need to look at the "CC" column which will already tell you which Country it is anyways.  :)

                        Those changes were not made to change anything in the List or CC column.

                        $data = exec ("/sbin/pfctl -vv -sr", $results);
                        This is to prevent filtering by 'pfB_'

                        if (preg_match("/USER_RULE: (.*)"/",$result,$desc))
                        And this is to display the rule name correctly

                        So on my side it's working absolutely fine.

                        1 Reply Last reply Reply Quote 0
                        • P
                          pfluv
                          last edited by

                          Has anyone had an issue with settings reverting back after they are changed?

                          I have set "deny inbound" on a number of different 2.2.1 boxes, hit save, and force update.

                          they seem to revert back to "deny both" on their own.

                          1 Reply Last reply Reply Quote 0
                          • BBcan177B
                            BBcan177 Moderator
                            last edited by

                            @pfluv:

                            Has anyone had an issue with settings reverting back after they are changed?

                            I have set "deny inbound" on a number of different 2.2.1 boxes, hit save, and force update.

                            they seem to revert back to "deny both" on their own.

                            I have not seen that.. Are these boxes Sync'd via XML RPC Sync? When do you notice it reverting back?

                            "Experience is something you don't get until just after you need it."

                            Website: http://pfBlockerNG.com
                            Twitter: @BBcan177  #pfBlockerNG
                            Reddit: https://www.reddit.com/r/pfBlockerNG/new/

                            1 Reply Last reply Reply Quote 0
                            • BBcan177B
                              BBcan177 Moderator
                              last edited by

                              @ConfusedUser:

                              Those changes were not made to change anything in the List or CC column.

                              Hi ConfusedUser,

                              Sorry, I mis-read your post… I'd rather not mix it with the other non-pfBNG alerts. But you are welcome to patch that in your system. Would be nice to add the CC column to the base pfSense Code.

                              "Experience is something you don't get until just after you need it."

                              Website: http://pfBlockerNG.com
                              Twitter: @BBcan177  #pfBlockerNG
                              Reddit: https://www.reddit.com/r/pfBlockerNG/new/

                              1 Reply Last reply Reply Quote 0
                              • M
                                marcus556
                                last edited by

                                Any update on the ad blocker you spoke about in earlier posts? Thanks!

                                1 Reply Last reply Reply Quote 0
                                • BBcan177B
                                  BBcan177 Moderator
                                  last edited by

                                  @marcus556:

                                  Any update on the ad blocker you spoke about in earlier posts? Thanks!

                                  I have a few testers using the beta of pfBNG with DNSBL. Been really busy lately, so I haven't had much time to spend on it.  I will try to keep you guys informed on my progress.

                                  "Experience is something you don't get until just after you need it."

                                  Website: http://pfBlockerNG.com
                                  Twitter: @BBcan177  #pfBlockerNG
                                  Reddit: https://www.reddit.com/r/pfBlockerNG/new/

                                  1 Reply Last reply Reply Quote 0
                                  • J
                                    JasonJoel
                                    last edited by

                                    Ok, I'm about to ask a stupid question. Yes I searched first, but didn't find the answer - or was too stupid to understand it.

                                    Where is everyone getting the IP block lists to import into pfBNG? I know of a few, but it seems like everyone uses many of the same (based on the screenshots), so thought I would just ask if there is a list somewhere.

                                    Jason

                                    1 Reply Last reply Reply Quote 0
                                    • dennypageD
                                      dennypage
                                      last edited by

                                      Jason, I don't think that's a stupid question at all. The lists come from a days and days of research. :)

                                      There are a number of common lists that many folk use but the actual selection depends a lot upon how aggressive or conservative you want to be.  BBcan177 has put a great deal of research into lists, and I expect that he will share some recommendations with you. I consider him to be "middle of road" in approach, although he is pretty knowledgable on both ends of the spectrum.

                                      I am a bit conservative. Here is my list:

                                      http://rules.emergingthreats.net/fwrules/emerging-Block-IPs.txt
                                      http://rules.emergingthreats.net/blockrules/compromised-ips.txt
                                      http://feeds.dshield.org/top10-2.txt
                                      http://www.openbl.org/lists/base.txt.gz
                                      http://cinsscore.com/list/ci-badguys.txt
                                      http://www.spamhaus.org/drop/drop.txt
                                      http://www.spamhaus.org/drop/edrop.txt
                                      https://rules.emergingthreats.net/fwrules/emerging-Block-IPs.txt
                                      http://rules.emergingthreats.net/blockrules/compromised-ips.txt
                                      http://cinsscore.com/list/ci-badguys.txt
                                      https://feeds.dshield.org/block.txt
                                      http://www.openbl.org/lists/base.txt.gz
                                      http://www.spamhaus.org/drop/drop.txt
                                      http://www.spamhaus.org/drop/edrop.txt
                                      https://zeustracker.abuse.ch/blocklist.php?download=ipblocklist
                                      https://sslbl.abuse.ch/blacklist/sslipblacklist.csv
                                      http://labs.snort.org/feeds/ip-filter.blf
                                      https://www.projecthoneypot.org/list_of_ips.php?t=d
                                      https://www.projecthoneypot.org/list_of_ips.php?t=s
                                      https://atlas.arbor.net/summary/attacks.csv
                                      https://atlas.arbor.net/summary/botnets.csv
                                      https://atlas.arbor.net/summary/fastflux.csv
                                      https://atlas.arbor.net/summary/phishing.csv
                                      http://atlas.arbor.net/summary/scans.csv
                                      https://reputation.alienvault.com/reputation.snort.gz
                                      https://www.badips.com/get/list/any/2
                                      https://www.autoshun.org/files/shunlist.csv
                                      https://www.dragonresearchgroup.org/insight/vncprobe.txt
                                      https://www.dragonresearchgroup.org/insight/sshpwauth.txt
                                      https://www.dragonresearchgroup.org/insight/http-report.txt
                                      http://www.reputationauthority.org/toptens.php

                                      Use at your own risk. Others will have their own recommendations. I recommend that you do a bit of research before choosing lists.

                                      FWIW, if I were to pick one and only one, Emerging Threats would be my current choice.

                                      1 Reply Last reply Reply Quote 0
                                      • P
                                        pf3000
                                        last edited by

                                        I had these bookmarked:
                                        http://forum.pfsense.org/index.php?topic=42543.180
                                        https://forum.pfsense.org/index.php/topic,64674.0.html
                                        https://forum.pfsense.org/index.php?topic=73353.msg402927#msg402927
                                        I use pfsense for personal use and I prefer minimal block lists because I don't want to invest time dealing with false positives.

                                        1 Reply Last reply Reply Quote 0
                                        • D
                                          doktornotor Banned
                                          last edited by

                                          @JasonJoel:

                                          Ok, I'm about to ask a stupid question. Yes I searched first, but didn't find the answer - or was too stupid to understand it.
                                          Where is everyone getting the IP block lists to import into pfBNG? I know of a few, but it seems like everyone uses many of the same (based on the screenshots), so thought I would just ask if there is a list somewhere.

                                          This was provided by BBcan17, stick the under /usr/local/www and run once via your browser. (All the lists are disabled by default.)

                                          pfBlockerNG_import.php

                                          
                                          /*
                                                  pfBlockerNG_import.php
                                          
                                                  pfBlockerNG
                                                  Copyright (C) 2014 BBcan177@gmail.com
                                                  All rights reserved.
                                          
                                                  Redistribution and use in source and binary forms, with or without
                                                  modification, are permitted provided that the following conditions are met:
                                          
                                                  1\. Redistributions of source code must retain the above copyright notice,
                                                           this list of conditions and the following disclaimer.
                                          
                                                  2\. Redistributions in binary form must reproduce the above copyright
                                                           notice, this list of conditions and the following disclaimer in the
                                                           documentation and/or other materials provided with the distribution.
                                          
                                                  THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
                                                  INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
                                                  AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
                                                  AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
                                                  OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
                                                  SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
                                                  INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
                                                  CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
                                                  ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
                                                  POSSIBILITY OF SUCH DAMAGE.
                                          
                                          */
                                          
                                          require_once("config.inc");
                                          require_once("util.inc");
                                          require_once("functions.inc");
                                          require_once("pkg-utils.inc");
                                          require_once("pfsense-utils.inc");
                                          require_once("globals.inc");
                                          require_once("services.inc");
                                          
                                          print "```
                                          ";
                                          $pfblist_new = array ( array ( 	"none" => "", 
                                          				"aliasname" => "IBlock",
                                          				"description" => "pfBlockerNG IBlock",
                                          				"infolists" => "",
                                          				"row" => array (array ("format"	=> "gz",
                                          							"state"	=> "Disabled",
                                          							"url"	=> "http://list.iblocklist.com/?list=usrcshglbiilevmyfhse&fileformat=p2p&archiveformat=gz",
                                          							"header"=> "IBlock_BT_Hijack"),
                                          						array ("format" => "gz",
                                          							"state"	=> "Disabled",
                                          							"url"	=> "http://list.iblocklist.com/?list=ficutxiwawokxlcyoeye&fileformat=p2p&archiveformat=gz",
                                          							"header"=> "IBlock_BT_FS"),
                                          						array ("format" => "gz",
                                          							"state"	=> "Disabled",
                                          							"url"	=> "http://list.iblocklist.com/?list=ghlzqtqxnzctvvajwwag&fileformat=p2p&archiveformat=gz",
                                          							"header"=> "IBlock_BT_Web"),
                                          						array ("format" => "gz",
                                          							"state"	=> "Disabled",
                                          							"url"	=> "http://list.iblocklist.com/?list=llvtlsjyoyiczbkjsxpf&fileformat=p2p&archiveformat=gz",
                                          							"header"=> "IBlock_BT_Spy"),
                                          						array ("format" => "gz",
                                          							"state"	=> "Disabled",
                                          							"url"	=> "http://list.iblocklist.com/?list=cwworuawihqvocglcoss&fileformat=p2p&archiveformat=gz",
                                          							"header"=> "IBlock_Badpeer"),
                                          						array ("format" => "gz",
                                          							"state"	=> "Disabled",
                                          							"url"	=> "http://list.iblocklist.com/?list=dgxtneitpuvgqqcpfulq&fileformat=p2p&archiveformat=gz",
                                          							"header"=> "IBlock_Ads"),
                                          						array ("format" => "gz",
                                          							"state"	=> "Disabled",
                                          							"url"	=> "http://list.iblocklist.com/?list=xoebmbyexwuiogmbyprb&fileformat=p2p&archiveformat=gz",
                                          							"header"=> "IBlock_Proxy")),
                                          				"action"=> "Disabled",
                                          				"cron"	=> "04hours",
                                          				"dow"	=> "1",
                                           				"aliaslog" => "enabled",
                                          				"custom"=> "",
                                          				"custom_update" => "disabled"),
                                          
                                          		     array (	"none" => "",
                                          				"aliasname" => "PRI1",
                                          				"description" => "pfBlockerNG PRI1",
                                          				"infolists" => "",
                                          				"row" => array (array ("format"	=> "txt",
                                          							"state"	=> "Disabled",
                                          							"url"	=> "https://rules.emergingthreats.net/blockrules/compromised-ips.txt",
                                          							"header"=> "ET_Comp"),
                                          						array ("format"	=> "txt",
                                          							"state"	=> "Disabled",
                                          							"url"	=> "https://rules.emergingthreats.net/fwrules/emerging-Block-IPs.txt",
                                          							"header"=> "ET_Block"),
                                          						array ("format"	=> "txt",
                                          							"state"	=> "Disabled",
                                          							"url"	=> "http://www.spamhaus.org/drop/drop.txt",
                                          							"header"=> "Spamhaus_drop"),
                                          						array ("format"	=> "txt",
                                          							"state"	=> "Disabled",
                                          							"url"	=> "http://www.spamhaus.org/drop/edrop.txt",
                                          							"header"=> "Spamhaus_edrop"),
                                          						array ("format"	=> "txt",
                                          							"state"	=> "Disabled",
                                          							"url"	=> "http://cinsscore.com/list/ci-badguys.txt",
                                          							"header"=> "CIArmy"),
                                          						array ("format"	=> "txt",
                                          							"state"	=> "Disabled",
                                          							"url"	=> "https://zeustracker.abuse.ch/blocklist.php?download=ipblocklist",
                                          							"header"=> "Abuse_Zeus"),
                                          						array ("format" => "txt",
                                          							"state"	=> "Disabled",
                                          							"url"	=> "https://spyeyetracker.abuse.ch/blocklist.php?download=ipblocklist",
                                          							"header"=> "Abuse_Spyeye"),
                                          						array ("format" => "txt",
                                          							"state"	=> "Disabled",
                                          							"url"	=> "https://palevotracker.abuse.ch/blocklists.php?download=ipblocklist",
                                          							"header"=> "Abuse_Palevo"),
                                          						array ("format"	=> "html",
                                          							"state"	=> "Disabled",
                                          							"url"	=> "https://sslbl.abuse.ch/blacklist/sslipblacklist_aggressive.csv",
                                          							"header"=> "Abuse_SSLBL"),
                                          						array ("format"	=> "block",
                                          							"state"	=> "Disabled",
                                          							"url"	=> "https://feeds.dshield.org/block.txt",
                                          							"header"=> "dShield_Block"),
                                          						array ("format"	=> "txt",
                                          							"state"	=> "Disabled",
                                          							"url"	=> "https://labs.snort.org/feeds/ip-filter.blf",
                                          							"header"=> "Snort_BL"),
                                          						array ("format"	=> "html",
                                          							"state"	=> "Disabled",
                                          							"url"	=> "http://osint.bambenekconsulting.com/feeds/goz-iplist.txt",
                                          							"header"=> "BBC_Goz")),
                                          				"action"=> "Disabled",
                                          				"cron"	=> "01hour",
                                          				"dow"   => "1",
                                          				"aliaslog" => "enabled",
                                          				"custom"=> "",
                                          				"custom_update" => "disabled"),
                                          
                                          		     array (    "none" => "",
                                          				"aliasname" => "PRI2",
                                          				"description" => "pfBlockerNG PRI2",
                                          				"infolists" => "",
                                          				"row" => array (array ("format"	=> "gz_2",
                                          							"state"	=> "Disabled",
                                          							"url"	=> "https://reputation.alienvault.com/reputation.snort.gz",
                                          							"header"=> "Alienvault"),
                                          						array ("format"	=> "html",
                                          							"state"	=> "Disabled",
                                          							"url"	=> "https://atlas.arbor.net/summary/attacks.csv",
                                          							"header"=> "Atlas_Attacks"),
                                          						array ("format"	=> "html",
                                          							"state"	=> "Disabled",
                                          							"url"	=> "https://atlas.arbor.net/summary/botnets.csv",
                                          							"header"=> "Atlas_Botnets"),
                                          						array ("format"	=> "html",
                                          							"state"	=> "Disabled",
                                          							"url"	=> "https://atlas.arbor.net/summary/fastflux.csv",
                                          							"header"=> "Atlas_Fastflux"),
                                          						array ("format"	=> "html",
                                          							"state"	=> "Disabled",
                                          							"url"	=> "https://atlas.arbor.net/summary/phishing.csv",
                                          							"header"=> "Atlas_Phishing"),
                                          						array ("format"	=> "html",
                                          							"state"	=> "Disabled",
                                          							"url"	=> "https://atlas.arbor.net/summary/scans.csv",
                                          							"header"=> "Atlas_Scans"),
                                          						array ("format"	=> "txt",
                                          							"state"	=> "Disabled",
                                          							"url"	=> "http://www.cyber-ta.org/releases/malware/SOURCES/Attacker.Cumulative.Summary",
                                          							"header"=> "SRI_Attackers"),
                                          						array ("format"	=> "txt",
                                          							"state"	=> "Disabled",
                                          							"url"	=> "http://www.cyber-ta.org/releases/malware/SOURCES/CandC.Cumulative.Summary",
                                          							"header"=> "SRI_CC"),
                                          						array ("format"	=> "html",
                                          							"state"	=> "Disabled",
                                          							"url"	=> "https://www.projecthoneypot.org/list_of_ips.php?t=d&rss=1",
                                          							"header"=> "HoneyPot")),
                                          				"action"=> "Disabled",
                                          				"cron"  => "04hours",
                                          				"dow"   => "1",
                                          				"aliaslog" => "enabled",
                                          				"custom"=> "",
                                          				"custom_update" => "disabled"),
                                          
                                          		     array (    "none" => "",
                                          				"aliasname" => "PRI3",
                                          				"description" => "pfBlockerNG PRI3",
                                          				"infolists" => "",
                                          				"row" => array (array ("format"	=> "txt",
                                          							"state"	=> "Disabled",
                                          							"url"	=> "http://www.malwaredomainlist.com/hostslist/ip.txt",
                                          							"header"=> "MDL"),
                                          						array ("format"	=> "txt",
                                          							"state"	=> "Disabled",
                                          							"url"	=> "http://www.nothink.org/blacklist/blacklist_malware_http.txt",
                                          							"header"=> "Nothink_BL"),
                                          						array ("format" => "txt",
                                          							"state"	=> "Disabled",
                                          							"url"   => "http://www.nothink.org/blacklist/blacklist_ssh_week.txt",
                                          							"header"=> "Nothink_SSH"),
                                          						array ("format" => "txt",
                                          							"state"	=> "Disabled",
                                          							"url"   => "http://www.nothink.org/blacklist/blacklist_malware_dns.txt",
                                          							"header"=> "Nothink_Malware"),
                                          						array ("format" => "txt",
                                          							"state"	=> "Disabled",
                                          							"url"   => "https://danger.rulez.sk/projects/bruteforceblocker/blist.php",
                                          							"header"=> "DangerRulez"),
                                          						array ("format" => "html",
                                          							"state"	=> "Disabled",
                                          							"url"   => "https://www.autoshun.org/files/shunlist.csv",
                                          							"header"=> "Shunlist"),
                                          						array ("format" => "txt",
                                          							"state"	=> "Disabled",
                                          							"url"   => "http://www.infiltrated.net/blacklisted",
                                          							"header"=> "Infiltrated"),
                                          						array ("format" => "txt",
                                          							"state"	=> "Disabled",
                                          							"url"   => "https://www.dragonresearchgroup.org/insight/sshpwauth.txt",
                                          							"header"=> "DRG_SSH"),
                                          						array ("format" => "txt",
                                          							"state"	=> "Disabled",
                                          							"url"   => "https://www.dragonresearchgroup.org/insight/vncprobe.txt",
                                          							"header"=> "DRG_VNC"),
                                          						array ("format" => "txt",
                                          							"state"	=> "Disabled",
                                          							"url"   => "https://www.dragonresearchgroup.org/insight/http-report.txt",
                                          							"header"=> "DRG_HTTP"),
                                          						array ("format" => "txt",
                                          							"state"	=> "Disabled",
                                          							"url"   => "https://feodotracker.abuse.ch/blocklist/?download=ipblocklist",
                                          							"header"=> "Feodo_Block"),
                                          						array ("format" => "txt",
                                          							"state"	=> "Disabled",
                                          							"url"   => "https://feodotracker.abuse.ch/blocklist/?download=badips",
                                          							"header"=> "Feodo_Bad"),
                                          						array ("format" => "txt",
                                          							"state"	=> "Disabled",
                                          							"url"   => "http://www.reputationauthority.org/toptens.php",
                                          							"header"=> "WatchGuard"),
                                          						array ("format" => "txt",
                                          							"state"	=> "Disabled",
                                          							"url"   => "https://vmx.yourcmc.ru/BAD_HOSTS.IP4",
                                          							"header"=> "VMX"),
                                          						array ("format" => "html",
                                          							"state"	=> "Disabled",
                                          							"url"   => "http://www.geopsy.org/blacklist.html",
                                          							"header"=> "Geopsy"),
                                          						array ("format" => "html",
                                          							"state"	=> "Disabled",
                                          							"url"   => "https://www.maxmind.com/en/anonymous_proxies",
                                          							"header"=> "Maxmind"),
                                          						array ("format" => "html",
                                          							"state"	=> "Disabled",
                                          							"url"   => "http://www.botscout.com/last_caught_cache.htm",
                                          							"header"=> "BotScout"),	
                                          						array ("format" => "html",
                                          							"state"	=> "Disabled",
                                          							"url"   => "https://www.juniper.net/security/auto/spam",
                                          							"header"=> "Juniper"),
                                          						array ("format" => "txt",
                                          							"state"	=> "Disabled",
                                          							"url"   => "http://blocklist.greensnow.co/greensnow.txt",
                                          							"header"=> "Greensnow"),
                                          						array ("format" => "txt",
                                          							"state"	=> "Disabled",
                                          							"url"   => "https://lists.blocklist.de/lists/all.txt",
                                          							"header"=> "BlocklistDE"),
                                          						array ("format" => "txt",
                                          							"state"	=> "Disabled",
                                          							"url"   => "http://www.stopforumspam.com/downloads/toxic_ip_cidr.txt",
                                          							"header"=> "SFS_Toxic")),
                                          				"action"=> "Disabled",
                                          				"cron"  => "04hours",
                                          				"dow"   => "1",
                                          				"aliaslog" => "enabled",
                                          				"custom"=> "",
                                          				"custom_update" => "disabled"),
                                          
                                          		     array (    "none" => "",
                                          				"aliasname" => "SEC1",
                                          				"description" => "pfBlockerNG SEC1",
                                          				"infolists" => "",
                                          				"row" => array (array ("format" => "html",
                                          							"state"	=> "Disabled",
                                          							"url"   => "http://www.malwaregroup.com/ipaddresses/malicious",
                                          							"header"=> "MalwareGroup"),
                                          						array ("format" => "gz_2",
                                          							"state"	=> "Disabled",
                                          							"url"   => "https://www.openbl.org/lists/base_90days.txt.gz",
                                          							"header"=> "OpenBL"),
                                          						array ("format" => "txt",
                                          							"state"	=> "Disabled",
                                          							"url"   => "https://malc0de.com/bl/IP_Blacklist.txt",
                                          							"header"=> "Malcode"),
                                          						array ("format" => "txt",
                                          							"state"	=> "Disabled",
                                          							"url"   => "https://www.badips.com/get/list/any/2",
                                          							"header"=> "BadIPs")),
                                          				"action"=> "Disabled",
                                          				"cron"  => "04hours",
                                          				"dow"   => "1",
                                          				"aliaslog" => "enabled",
                                          				"custom"=> "",
                                          				"custom_update" => "disabled"),
                                          
                                          		     array (    "none" => "",
                                          				"aliasname" => "TOR",
                                          				"description" => "pfBlockerNG TOR",
                                          				"infolists" => "",
                                          				"row" => array (array ("format" => "gz",
                                          							"state"	=> "Disabled",
                                          							"url"   => "http://list.iblocklist.com/?list=togdoptykrlolpddwbvz&fileformat=p2p&archiveformat=gz",
                                          							"header"=> "IBlock_Tor"),
                                          						array ("format" => "txt",
                                          							"state"	=> "Disabled",
                                          							"url"   => "https://torstatus.blutmagie.de/ip_list_exit.php/Tor_ip_list_EXIT.csv",
                                          							"header"=> "Blut_Tor"),
                                          						array ("format" => "html",
                                          							"state"	=> "Disabled",
                                          							"url"   => "https://rules.emergingthreats.net/open/suricata/rules/tor.rules",
                                          							"header"=> "ET_Tor")),
                                          				"action"=> "Disabled",
                                          				"cron"  => "04hours",
                                          				"dow"   => "1",
                                          				"aliaslog" => "enabled",
                                          				"custom"=> "",
                                          				"custom_update" => "disabled"),
                                          
                                          		     array (    "none" => "",
                                          				"aliasname" => "MAIL",
                                                                          "description" => "pfBlockerNG MAIL",
                                                                          "infolists" => "",
                                                                          "row" => array (array ("format"	=> "txt",
                                          														"state"	=> "Disabled",
                                                                                                  "url"	=> "https://virbl.bit.nl/download/virbl.dnsbl.bit.nl.txt",
                                                                                                  "header"=> "VirBL"),
                                          						array ("format" => "zip",
                                          							"state"	=> "Disabled",
                                          							"url"   => "http://www.stopforumspam.com/downloads/bannedips.zip",
                                          							"header"=> "SFS_All"),
                                          						array ("format" => "txt",
                                          							"state"	=> "Disabled",
                                          							"url"   => "http://antispam.imp.ch/spamlist",
                                          							"header"=> "Improware"),
                                          						array ("format" => "html",
                                          							"state"	=> "Disabled",
                                          							"url"   => "http://toastedspam.com/denylist.cgi",
                                          							"header"=> "ToastedSpam"),
                                          						array ("format" => "html",
                                          							"state"	=> "Disabled",
                                          							"url"   => "http://rss.uribl.com/reports/7d/dns_a.html",
                                          							"header"=> "URIBL"),
                                          						array ("format" => "txt",
                                          							"state"	=> "Disabled",
                                          							"url"   => "http://spamcop.net/w3m?action=map;net=cmaxcnt;mask=65535;sort=spamcnt;format=text",
                                          							"header"=> "SpamCop"),
                                          						array ("format" => "gz_2",
                                          							"state"	=> "Disabled",
                                          							"url"   => "http://www.dnsbl.manitu.net/download/nixspam-ip.dump.gz",
                                          							"header" => "Nix_Spam")),
                                          				"action"=> "Disabled",
                                          				"cron"  => "08hours",
                                          				"dow"   => "1",
                                          				"aliaslog" => "enabled",
                                          				"custom"=> "",
                                          				"custom_update" => "disabled")
                                          		);
                                          
                                          print "Checking for Existing pfBlockerNG Alias/Lists\n";
                                          
                                          // Check for Existing pfBlockerNG Allias/Lists
                                          if (is_array($config['installedpackages']['pfblockernglistsv4']['config'])) {
                                          	print "Found existing Alias/Lists. Merging Existing Alias/Lists with Imported Version\n\n"; 
                                          	$pfblist = $config['installedpackages']['pfblockernglistsv4']['config'];
                                          	$pfbfinal = array_merge($pfblist, $pfblist_new);
                                          	$config['installedpackages']['pfblockernglistsv4']['config'] = $pfbfinal;
                                          } else {
                                          	print "No existing Alias/Lists found. Importing new Version.\n\n";
                                          	$config['installedpackages']['pfblockernglistsv4']['config'] = $pfblist_new;
                                          }
                                          
                                          print  "pfBlockerNG Alias List Import Completed.";
                                          write_config();
                                          
                                          ?>
                                          
                                          

                                          Note: Make a configuration backup beforehand. If it makes your box explode, I don't care, you have been warned in advance. For forced import overwriting your current lists, comment out the code on lines 375-383.

                                          1 Reply Last reply Reply Quote 0
                                          • superweaselS
                                            superweasel
                                            last edited by

                                            doktornotor and BBcan17 thanks for the php code!

                                            As a follow on, here is one way to implement the php update (I'm sure there are other ways  :)  ):
                                            1. Select Diagnostics>Edit File
                                            2. Enter```
                                            /usr/local/www/pfBlockerNG_import.php

                                            3\. Click **Load**
                                            4\. Paste the php code that doktornotor posted, into the editing field:```
                                            /*
                                                    pfBlockerNG_import.php
                                            
                                                    pfBlockerNG
                                                    Copyright (C) 2014 BBcan177@gmail.com
                                                    All rights reserved.
                                            
                                                    Redistribution and use in source and binary forms, with or without
                                                    modification, are permitted provided that the following conditions are met:
                                            
                                                    1\. Redistributions of source code must retain the above copyright notice,
                                                             this list of conditions and the following disclaimer.
                                            
                                                    2\. Redistributions in binary form must reproduce the above copyright
                                                             notice, this list of conditions and the following disclaimer in the
                                                             documentation and/or other materials provided with the distribution.
                                            
                                                    THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
                                                    INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
                                                    AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
                                                    AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
                                                    OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
                                                    SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
                                                    INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
                                                    CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
                                                    ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
                                                    POSSIBILITY OF SUCH DAMAGE.
                                            
                                            */
                                            
                                            require_once("config.inc");
                                            require_once("util.inc");
                                            require_once("functions.inc");
                                            require_once("pkg-utils.inc");
                                            require_once("pfsense-utils.inc");
                                            require_once("globals.inc");
                                            require_once("services.inc");
                                            
                                            print "";
                                            $pfblist_new = array ( array (    "none" => "", 
                                                        "aliasname" => "IBlock",
                                                        "description" => "pfBlockerNG IBlock",
                                                        "infolists" => "",
                                                        "row" => array (array ("format"   => "gz",
                                                                 "state"   => "Disabled",
                                                                 "url"   => "http://list.iblocklist.com/?list=usrcshglbiilevmyfhse&fileformat=p2p&archiveformat=gz",
                                                                 "header"=> "IBlock_BT_Hijack"),
                                                              array ("format" => "gz",
                                                                 "state"   => "Disabled",
                                                                 "url"   => "http://list.iblocklist.com/?list=ficutxiwawokxlcyoeye&fileformat=p2p&archiveformat=gz",
                                                                 "header"=> "IBlock_BT_FS"),
                                                              array ("format" => "gz",
                                                                 "state"   => "Disabled",
                                                                 "url"   => "http://list.iblocklist.com/?list=ghlzqtqxnzctvvajwwag&fileformat=p2p&archiveformat=gz",
                                                                 "header"=> "IBlock_BT_Web"),
                                                              array ("format" => "gz",
                                                                 "state"   => "Disabled",
                                                                 "url"   => "http://list.iblocklist.com/?list=llvtlsjyoyiczbkjsxpf&fileformat=p2p&archiveformat=gz",
                                                                 "header"=> "IBlock_BT_Spy"),
                                                              array ("format" => "gz",
                                                                 "state"   => "Disabled",
                                                                 "url"   => "http://list.iblocklist.com/?list=cwworuawihqvocglcoss&fileformat=p2p&archiveformat=gz",
                                                                 "header"=> "IBlock_Badpeer"),
                                                              array ("format" => "gz",
                                                                 "state"   => "Disabled",
                                                                 "url"   => "http://list.iblocklist.com/?list=dgxtneitpuvgqqcpfulq&fileformat=p2p&archiveformat=gz",
                                                                 "header"=> "IBlock_Ads"),
                                                              array ("format" => "gz",
                                                                 "state"   => "Disabled",
                                                                 "url"   => "http://list.iblocklist.com/?list=xoebmbyexwuiogmbyprb&fileformat=p2p&archiveformat=gz",
                                                                 "header"=> "IBlock_Proxy")),
                                                        "action"=> "Disabled",
                                                        "cron"   => "04hours",
                                                        "dow"   => "1",
                                                         "aliaslog" => "enabled",
                                                        "custom"=> "",
                                                        "custom_update" => "disabled"),
                                            
                                                       array (   "none" => "",
                                                        "aliasname" => "PRI1",
                                                        "description" => "pfBlockerNG PRI1",
                                                        "infolists" => "",
                                                        "row" => array (array ("format"   => "txt",
                                                                 "state"   => "Disabled",
                                                                 "url"   => "https://rules.emergingthreats.net/blockrules/compromised-ips.txt",
                                                                 "header"=> "ET_Comp"),
                                                              array ("format"   => "txt",
                                                                 "state"   => "Disabled",
                                                                 "url"   => "https://rules.emergingthreats.net/fwrules/emerging-Block-IPs.txt",
                                                                 "header"=> "ET_Block"),
                                                              array ("format"   => "txt",
                                                                 "state"   => "Disabled",
                                                                 "url"   => "http://www.spamhaus.org/drop/drop.txt",
                                                                 "header"=> "Spamhaus_drop"),
                                                              array ("format"   => "txt",
                                                                 "state"   => "Disabled",
                                                                 "url"   => "http://www.spamhaus.org/drop/edrop.txt",
                                                                 "header"=> "Spamhaus_edrop"),
                                                              array ("format"   => "txt",
                                                                 "state"   => "Disabled",
                                                                 "url"   => "http://cinsscore.com/list/ci-badguys.txt",
                                                                 "header"=> "CIArmy"),
                                                              array ("format"   => "txt",
                                                                 "state"   => "Disabled",
                                                                 "url"   => "https://zeustracker.abuse.ch/blocklist.php?download=ipblocklist",
                                                                 "header"=> "Abuse_Zeus"),
                                                              array ("format" => "txt",
                                                                 "state"   => "Disabled",
                                                                 "url"   => "https://spyeyetracker.abuse.ch/blocklist.php?download=ipblocklist",
                                                                 "header"=> "Abuse_Spyeye"),
                                                              array ("format" => "txt",
                                                                 "state"   => "Disabled",
                                                                 "url"   => "https://palevotracker.abuse.ch/blocklists.php?download=ipblocklist",
                                                                 "header"=> "Abuse_Palevo"),
                                                              array ("format"   => "html",
                                                                 "state"   => "Disabled",
                                                                 "url"   => "https://sslbl.abuse.ch/blacklist/sslipblacklist_aggressive.csv",
                                                                 "header"=> "Abuse_SSLBL"),
                                                              array ("format"   => "block",
                                                                 "state"   => "Disabled",
                                                                 "url"   => "https://feeds.dshield.org/block.txt",
                                                                 "header"=> "dShield_Block"),
                                                              array ("format"   => "txt",
                                                                 "state"   => "Disabled",
                                                                 "url"   => "https://labs.snort.org/feeds/ip-filter.blf",
                                                                 "header"=> "Snort_BL"),
                                                              array ("format"   => "html",
                                                                 "state"   => "Disabled",
                                                                 "url"   => "http://osint.bambenekconsulting.com/feeds/goz-iplist.txt",
                                                                 "header"=> "BBC_Goz")),
                                                        "action"=> "Disabled",
                                                        "cron"   => "01hour",
                                                        "dow"   => "1",
                                                        "aliaslog" => "enabled",
                                                        "custom"=> "",
                                                        "custom_update" => "disabled"),
                                            
                                                       array (    "none" => "",
                                                        "aliasname" => "PRI2",
                                                        "description" => "pfBlockerNG PRI2",
                                                        "infolists" => "",
                                                        "row" => array (array ("format"   => "gz_2",
                                                                 "state"   => "Disabled",
                                                                 "url"   => "https://reputation.alienvault.com/reputation.snort.gz",
                                                                 "header"=> "Alienvault"),
                                                              array ("format"   => "html",
                                                                 "state"   => "Disabled",
                                                                 "url"   => "https://atlas.arbor.net/summary/attacks.csv",
                                                                 "header"=> "Atlas_Attacks"),
                                                              array ("format"   => "html",
                                                                 "state"   => "Disabled",
                                                                 "url"   => "https://atlas.arbor.net/summary/botnets.csv",
                                                                 "header"=> "Atlas_Botnets"),
                                                              array ("format"   => "html",
                                                                 "state"   => "Disabled",
                                                                 "url"   => "https://atlas.arbor.net/summary/fastflux.csv",
                                                                 "header"=> "Atlas_Fastflux"),
                                                              array ("format"   => "html",
                                                                 "state"   => "Disabled",
                                                                 "url"   => "https://atlas.arbor.net/summary/phishing.csv",
                                                                 "header"=> "Atlas_Phishing"),
                                                              array ("format"   => "html",
                                                                 "state"   => "Disabled",
                                                                 "url"   => "https://atlas.arbor.net/summary/scans.csv",
                                                                 "header"=> "Atlas_Scans"),
                                                              array ("format"   => "txt",
                                                                 "state"   => "Disabled",
                                                                 "url"   => "http://www.cyber-ta.org/releases/malware/SOURCES/Attacker.Cumulative.Summary",
                                                                 "header"=> "SRI_Attackers"),
                                                              array ("format"   => "txt",
                                                                 "state"   => "Disabled",
                                                                 "url"   => "http://www.cyber-ta.org/releases/malware/SOURCES/CandC.Cumulative.Summary",
                                                                 "header"=> "SRI_CC"),
                                                              array ("format"   => "html",
                                                                 "state"   => "Disabled",
                                                                 "url"   => "https://www.projecthoneypot.org/list_of_ips.php?t=d&rss=1",
                                                                 "header"=> "HoneyPot")),
                                                        "action"=> "Disabled",
                                                        "cron"  => "04hours",
                                                        "dow"   => "1",
                                                        "aliaslog" => "enabled",
                                                        "custom"=> "",
                                                        "custom_update" => "disabled"),
                                            
                                                       array (    "none" => "",
                                                        "aliasname" => "PRI3",
                                                        "description" => "pfBlockerNG PRI3",
                                                        "infolists" => "",
                                                        "row" => array (array ("format"   => "txt",
                                                                 "state"   => "Disabled",
                                                                 "url"   => "http://www.malwaredomainlist.com/hostslist/ip.txt",
                                                                 "header"=> "MDL"),
                                                              array ("format"   => "txt",
                                                                 "state"   => "Disabled",
                                                                 "url"   => "http://www.nothink.org/blacklist/blacklist_malware_http.txt",
                                                                 "header"=> "Nothink_BL"),
                                                              array ("format" => "txt",
                                                                 "state"   => "Disabled",
                                                                 "url"   => "http://www.nothink.org/blacklist/blacklist_ssh_week.txt",
                                                                 "header"=> "Nothink_SSH"),
                                                              array ("format" => "txt",
                                                                 "state"   => "Disabled",
                                                                 "url"   => "http://www.nothink.org/blacklist/blacklist_malware_dns.txt",
                                                                 "header"=> "Nothink_Malware"),
                                                              array ("format" => "txt",
                                                                 "state"   => "Disabled",
                                                                 "url"   => "https://danger.rulez.sk/projects/bruteforceblocker/blist.php",
                                                                 "header"=> "DangerRulez"),
                                                              array ("format" => "html",
                                                                 "state"   => "Disabled",
                                                                 "url"   => "https://www.autoshun.org/files/shunlist.csv",
                                                                 "header"=> "Shunlist"),
                                                              array ("format" => "txt",
                                                                 "state"   => "Disabled",
                                                                 "url"   => "http://www.infiltrated.net/blacklisted",
                                                                 "header"=> "Infiltrated"),
                                                              array ("format" => "txt",
                                                                 "state"   => "Disabled",
                                                                 "url"   => "https://www.dragonresearchgroup.org/insight/sshpwauth.txt",
                                                                 "header"=> "DRG_SSH"),
                                                              array ("format" => "txt",
                                                                 "state"   => "Disabled",
                                                                 "url"   => "https://www.dragonresearchgroup.org/insight/vncprobe.txt",
                                                                 "header"=> "DRG_VNC"),
                                                              array ("format" => "txt",
                                                                 "state"   => "Disabled",
                                                                 "url"   => "https://www.dragonresearchgroup.org/insight/http-report.txt",
                                                                 "header"=> "DRG_HTTP"),
                                                              array ("format" => "txt",
                                                                 "state"   => "Disabled",
                                                                 "url"   => "https://feodotracker.abuse.ch/blocklist/?download=ipblocklist",
                                                                 "header"=> "Feodo_Block"),
                                                              array ("format" => "txt",
                                                                 "state"   => "Disabled",
                                                                 "url"   => "https://feodotracker.abuse.ch/blocklist/?download=badips",
                                                                 "header"=> "Feodo_Bad"),
                                                              array ("format" => "txt",
                                                                 "state"   => "Disabled",
                                                                 "url"   => "http://www.reputationauthority.org/toptens.php",
                                                                 "header"=> "WatchGuard"),
                                                              array ("format" => "txt",
                                                                 "state"   => "Disabled",
                                                                 "url"   => "https://vmx.yourcmc.ru/BAD_HOSTS.IP4",
                                                                 "header"=> "VMX"),
                                                              array ("format" => "html",
                                                                 "state"   => "Disabled",
                                                                 "url"   => "http://www.geopsy.org/blacklist.html",
                                                                 "header"=> "Geopsy"),
                                                              array ("format" => "html",
                                                                 "state"   => "Disabled",
                                                                 "url"   => "https://www.maxmind.com/en/anonymous_proxies",
                                                                 "header"=> "Maxmind"),
                                                              array ("format" => "html",
                                                                 "state"   => "Disabled",
                                                                 "url"   => "http://www.botscout.com/last_caught_cache.htm",
                                                                 "header"=> "BotScout"),   
                                                              array ("format" => "html",
                                                                 "state"   => "Disabled",
                                                                 "url"   => "https://www.juniper.net/security/auto/spam",
                                                                 "header"=> "Juniper"),
                                                              array ("format" => "txt",
                                                                 "state"   => "Disabled",
                                                                 "url"   => "http://blocklist.greensnow.co/greensnow.txt",
                                                                 "header"=> "Greensnow"),
                                                              array ("format" => "txt",
                                                                 "state"   => "Disabled",
                                                                 "url"   => "https://lists.blocklist.de/lists/all.txt",
                                                                 "header"=> "BlocklistDE"),
                                                              array ("format" => "txt",
                                                                 "state"   => "Disabled",
                                                                 "url"   => "http://www.stopforumspam.com/downloads/toxic_ip_cidr.txt",
                                                                 "header"=> "SFS_Toxic")),
                                                        "action"=> "Disabled",
                                                        "cron"  => "04hours",
                                                        "dow"   => "1",
                                                        "aliaslog" => "enabled",
                                                        "custom"=> "",
                                                        "custom_update" => "disabled"),
                                            
                                                       array (    "none" => "",
                                                        "aliasname" => "SEC1",
                                                        "description" => "pfBlockerNG SEC1",
                                                        "infolists" => "",
                                                        "row" => array (array ("format" => "html",
                                                                 "state"   => "Disabled",
                                                                 "url"   => "http://www.malwaregroup.com/ipaddresses/malicious",
                                                                 "header"=> "MalwareGroup"),
                                                              array ("format" => "gz_2",
                                                                 "state"   => "Disabled",
                                                                 "url"   => "https://www.openbl.org/lists/base_90days.txt.gz",
                                                                 "header"=> "OpenBL"),
                                                              array ("format" => "txt",
                                                                 "state"   => "Disabled",
                                                                 "url"   => "https://malc0de.com/bl/IP_Blacklist.txt",
                                                                 "header"=> "Malcode"),
                                                              array ("format" => "txt",
                                                                 "state"   => "Disabled",
                                                                 "url"   => "https://www.badips.com/get/list/any/2",
                                                                 "header"=> "BadIPs")),
                                                        "action"=> "Disabled",
                                                        "cron"  => "04hours",
                                                        "dow"   => "1",
                                                        "aliaslog" => "enabled",
                                                        "custom"=> "",
                                                        "custom_update" => "disabled"),
                                            
                                                       array (    "none" => "",
                                                        "aliasname" => "TOR",
                                                        "description" => "pfBlockerNG TOR",
                                                        "infolists" => "",
                                                        "row" => array (array ("format" => "gz",
                                                                 "state"   => "Disabled",
                                                                 "url"   => "http://list.iblocklist.com/?list=togdoptykrlolpddwbvz&fileformat=p2p&archiveformat=gz",
                                                                 "header"=> "IBlock_Tor"),
                                                              array ("format" => "txt",
                                                                 "state"   => "Disabled",
                                                                 "url"   => "https://torstatus.blutmagie.de/ip_list_exit.php/Tor_ip_list_EXIT.csv",
                                                                 "header"=> "Blut_Tor"),
                                                              array ("format" => "html",
                                                                 "state"   => "Disabled",
                                                                 "url"   => "https://rules.emergingthreats.net/open/suricata/rules/tor.rules",
                                                                 "header"=> "ET_Tor")),
                                                        "action"=> "Disabled",
                                                        "cron"  => "04hours",
                                                        "dow"   => "1",
                                                        "aliaslog" => "enabled",
                                                        "custom"=> "",
                                                        "custom_update" => "disabled"),
                                            
                                                       array (    "none" => "",
                                                        "aliasname" => "MAIL",
                                                                            "description" => "pfBlockerNG MAIL",
                                                                            "infolists" => "",
                                                                            "row" => array (array ("format"   => "txt",
                                                                                      "state"   => "Disabled",
                                                                                                    "url"   => "https://virbl.bit.nl/download/virbl.dnsbl.bit.nl.txt",
                                                                                                    "header"=> "VirBL"),
                                                              array ("format" => "zip",
                                                                 "state"   => "Disabled",
                                                                 "url"   => "http://www.stopforumspam.com/downloads/bannedips.zip",
                                                                 "header"=> "SFS_All"),
                                                              array ("format" => "txt",
                                                                 "state"   => "Disabled",
                                                                 "url"   => "http://antispam.imp.ch/spamlist",
                                                                 "header"=> "Improware"),
                                                              array ("format" => "html",
                                                                 "state"   => "Disabled",
                                                                 "url"   => "http://toastedspam.com/denylist.cgi",
                                                                 "header"=> "ToastedSpam"),
                                                              array ("format" => "html",
                                                                 "state"   => "Disabled",
                                                                 "url"   => "http://rss.uribl.com/reports/7d/dns_a.html",
                                                                 "header"=> "URIBL"),
                                                              array ("format" => "txt",
                                                                 "state"   => "Disabled",
                                                                 "url"   => "http://spamcop.net/w3m?action=map;net=cmaxcnt;mask=65535;sort=spamcnt;format=text",
                                                                 "header"=> "SpamCop"),
                                                              array ("format" => "gz_2",
                                                                 "state"   => "Disabled",
                                                                 "url"   => "http://www.dnsbl.manitu.net/download/nixspam-ip.dump.gz",
                                                                 "header" => "Nix_Spam")),
                                                        "action"=> "Disabled",
                                                        "cron"  => "08hours",
                                                        "dow"   => "1",
                                                        "aliaslog" => "enabled",
                                                        "custom"=> "",
                                                        "custom_update" => "disabled")
                                                  );
                                            
                                            print "Checking for Existing pfBlockerNG Alias/Lists\n";
                                            
                                            // Check for Existing pfBlockerNG Allias/Lists
                                            if (is_array($config['installedpackages']['pfblockernglistsv4']['config'])) {
                                               print "Found existing Alias/Lists. Merging Existing Alias/Lists with Imported Version\n\n"; 
                                               $pfblist = $config['installedpackages']['pfblockernglistsv4']['config'];
                                               $pfbfinal = array_merge($pfblist, $pfblist_new);
                                               $config['installedpackages']['pfblockernglistsv4']['config'] = $pfbfinal;
                                            } else {
                                               print "No existing Alias/Lists found. Importing new Version.\n\n";
                                               $config['installedpackages']['pfblockernglistsv4']['config'] = $pfblist_new;
                                            }
                                            
                                            print  "pfBlockerNG Alias List Import Completed.";
                                            write_config();
                                            
                                            ?>;
                                            

                                            5. Click Save
                                            6. ssh into the pfSense console
                                            7. Type 8 to get to the shell
                                            8. Paste```
                                            php -f /usr/local/www/pfBlockerNG_import.php

                                            9\. Press **Return**
                                            10\. Once the update is complete, the shell will return **pfBlockerNG Alias List Import Completed.[2.2.1-RELEASE]**
                                            11\. Exit pfSense console
                                            12\. Select **Firewall>pfBlockerNG>IPv4** to see the changes

                                            pfSense rig: pfSense SG-4860/120GB SSD
                                            WAN: CenturyLink Gigabit Fiber

                                            1 Reply Last reply Reply Quote 0
                                            • First post
                                              Last post
                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.