PfBlockerNG
-
I just gave it a quick try (without the check boxes, simply hard coded since my php knowledge is pretty much non-existent) and changed the following
Thanks. I will take a look and see if I can incorporate that.
Also it would be good if this one could be toggled as well:
This is the code that skips 'Repeated Alerts' You can comment out the "continue" line to skip that process.
409 // Skip Repeated Alerts 410 if (($pfbalert[3] . $pfbalert[8] . $pfbalert[10]) == $previous_dstip || ($pfbalert[3] . $pfbalert[7] . $pfbalert[9]) == $previous_srcip) 411 continue;Anyway, one more thing I completely forgot: pfBlockerNG is absolutely great!!!
Thanks! :)
-
Hi jeffh,
I would read this thread for my comments on 'Blocking the world, and allow a few Countries" and reverse that approach to Permit a select few Countries instead. pfSense is a stateful Firewall by design and is already Implicitly blocking on the Inbound.
If you want to protect some open ports, you should look at creating an Alias rule to protect the individual Inbound Port(s). Otherwise, Blocking on the Inbound with no open ports is inspecting packets that are already going to be dropped by the Implicit Deny Rule.
Thanks BBcan177, I'll read through this thread, but that definitely makes sense. Not sure why I didn't think of that approach from the get go.
-
Hello ha11oga11o,
There is an issue as you have all "-" in the Widget Packet Counts.
Please reset all files with the following steps from the General Tab:
- Uncheck "Keep Settings"
- Disable "pfBlockerNG"
- Click "Save"
After it completes, reverse the steps above. Then run a "Force Update" The widget Packet Counts should start with "0's".
NOTE - Please don't select Countries in the 'TOP' alias, and then select the same Countries in the other Continent Tabs.
Hello BBcan177,
Many thnx that works fine for widget.
But still cant see anything at Alerts tab :/
Cheers :)
-
Many thnx that works fine for widget.
But still cant see anything at Alerts tab :/
Find an IP that is in any of the pfBNG Alias Tables and ping it from a Device behind pfSense… That should trigger an Alert. Also make sure that logging in enabled in the Aliases.
This command will give you some more stats from the Shell:
pfctl -vvsTables -
Thanks BBcan177, I'll read through this thread, but that definitely makes sense. Not sure why I didn't think of that approach from the get go.
If you don't have open ports and you only want to have your devices talk to certain Countries, then you can create "Permit Outbound" rules. Keep in mind that their is a ton of Malicious IPs in NA Countries also.. Recommend using decent Blocklists to block known Malicious IPs.
-
Many thnx that works fine for widget.
But still cant see anything at Alerts tab :/
Find an IP that is in any of the pfBNG Alias Tables and ping it from a Device behind pfSense… That should trigger an Alert. Also make sure that logging in enabled in the Aliases.
This command will give you some more stats from the Shell:
pfctl -vvsTablesSomething is really wrong with mine pfblockerNG. Again i have "-" on widget and this is shell output.
http://pastebin.com/Gze9xyAd
-
ha11oga11o,
Does the pfblockerng.log show any errors/Issues?
Disable pfBlockerNG again as indicated in my post above. Then Reboot.
After the reboot, enable a few Aliases at a time and run a "Force Update" to see if those Aliases show "0's" in the widget… Rinse and Repeat with a few more Aliases. Then you can determine which alias is causing the issue. -
Hi ConfusedUser,
Those changes that you made to capture the Country in the List column are not correct unfortunately. But I think you need to look at the "CC" column which will already tell you which Country it is anyways. :)
-
ha11oga11o,
Does the pfblockerng.log show any errors/Issues?
Disable pfBlockerNG again as indicated in my post above. Then Reboot.
After the reboot, enable a few Aliases at a time and run a "Force Update" to see if those Aliases show "0's" in the widget… Rinse and Repeat with a few more Aliases. Then you can determine which alias is causing the issue.No errors at all,
i rebooted, enabled couple of lists all is working fine. Now i just need to enable one by one and update. I think that should solve problem to find which list is broken, or maybe i have way to much IPs on lists that they cannot fit to tables.
Many thnx for pinpointing me to right direction., Now its up-to me just to do my stuff and find broken one.
Cheers :)
-
Hi ConfusedUser,
Those changes that you made to capture the Country in the List column are not correct unfortunately. But I think you need to look at the "CC" column which will already tell you which Country it is anyways. :)
Those changes were not made to change anything in the List or CC column.
$data = exec ("/sbin/pfctl -vv -sr", $results);
This is to prevent filtering by 'pfB_'if (preg_match("/USER_RULE: (.*)"/",$result,$desc))
And this is to display the rule name correctlySo on my side it's working absolutely fine.
-
Has anyone had an issue with settings reverting back after they are changed?
I have set "deny inbound" on a number of different 2.2.1 boxes, hit save, and force update.
they seem to revert back to "deny both" on their own.
-
Has anyone had an issue with settings reverting back after they are changed?
I have set "deny inbound" on a number of different 2.2.1 boxes, hit save, and force update.
they seem to revert back to "deny both" on their own.
I have not seen that.. Are these boxes Sync'd via XML RPC Sync? When do you notice it reverting back?
-
Those changes were not made to change anything in the List or CC column.
Hi ConfusedUser,
Sorry, I mis-read your post… I'd rather not mix it with the other non-pfBNG alerts. But you are welcome to patch that in your system. Would be nice to add the CC column to the base pfSense Code.
-
Any update on the ad blocker you spoke about in earlier posts? Thanks!
-
Any update on the ad blocker you spoke about in earlier posts? Thanks!
I have a few testers using the beta of pfBNG with DNSBL. Been really busy lately, so I haven't had much time to spend on it. I will try to keep you guys informed on my progress.
-
Ok, I'm about to ask a stupid question. Yes I searched first, but didn't find the answer - or was too stupid to understand it.
Where is everyone getting the IP block lists to import into pfBNG? I know of a few, but it seems like everyone uses many of the same (based on the screenshots), so thought I would just ask if there is a list somewhere.
Jason
-
Jason, I don't think that's a stupid question at all. The lists come from a days and days of research. :)
There are a number of common lists that many folk use but the actual selection depends a lot upon how aggressive or conservative you want to be. BBcan177 has put a great deal of research into lists, and I expect that he will share some recommendations with you. I consider him to be "middle of road" in approach, although he is pretty knowledgable on both ends of the spectrum.
I am a bit conservative. Here is my list:
http://rules.emergingthreats.net/fwrules/emerging-Block-IPs.txt
http://rules.emergingthreats.net/blockrules/compromised-ips.txt
http://feeds.dshield.org/top10-2.txt
http://www.openbl.org/lists/base.txt.gz
http://cinsscore.com/list/ci-badguys.txt
http://www.spamhaus.org/drop/drop.txt
http://www.spamhaus.org/drop/edrop.txt
https://rules.emergingthreats.net/fwrules/emerging-Block-IPs.txt
http://rules.emergingthreats.net/blockrules/compromised-ips.txt
http://cinsscore.com/list/ci-badguys.txt
https://feeds.dshield.org/block.txt
http://www.openbl.org/lists/base.txt.gz
http://www.spamhaus.org/drop/drop.txt
http://www.spamhaus.org/drop/edrop.txt
https://zeustracker.abuse.ch/blocklist.php?download=ipblocklist
https://sslbl.abuse.ch/blacklist/sslipblacklist.csv
http://labs.snort.org/feeds/ip-filter.blf
https://www.projecthoneypot.org/list_of_ips.php?t=d
https://www.projecthoneypot.org/list_of_ips.php?t=s
https://atlas.arbor.net/summary/attacks.csv
https://atlas.arbor.net/summary/botnets.csv
https://atlas.arbor.net/summary/fastflux.csv
https://atlas.arbor.net/summary/phishing.csv
http://atlas.arbor.net/summary/scans.csv
https://reputation.alienvault.com/reputation.snort.gz
https://www.badips.com/get/list/any/2
https://www.autoshun.org/files/shunlist.csv
https://www.dragonresearchgroup.org/insight/vncprobe.txt
https://www.dragonresearchgroup.org/insight/sshpwauth.txt
https://www.dragonresearchgroup.org/insight/http-report.txt
http://www.reputationauthority.org/toptens.phpUse at your own risk. Others will have their own recommendations. I recommend that you do a bit of research before choosing lists.
FWIW, if I were to pick one and only one, Emerging Threats would be my current choice.
-
I had these bookmarked:
http://forum.pfsense.org/index.php?topic=42543.180
https://forum.pfsense.org/index.php/topic,64674.0.html
https://forum.pfsense.org/index.php?topic=73353.msg402927#msg402927
I use pfsense for personal use and I prefer minimal block lists because I don't want to invest time dealing with false positives. -
Ok, I'm about to ask a stupid question. Yes I searched first, but didn't find the answer - or was too stupid to understand it.
Where is everyone getting the IP block lists to import into pfBNG? I know of a few, but it seems like everyone uses many of the same (based on the screenshots), so thought I would just ask if there is a list somewhere.This was provided by BBcan17, stick the under /usr/local/www and run once via your browser. (All the lists are disabled by default.)
pfBlockerNG_import.php
/* pfBlockerNG_import.php pfBlockerNG Copyright (C) 2014 BBcan177@gmail.com All rights reserved. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: 1\. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. 2\. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */ require_once("config.inc"); require_once("util.inc"); require_once("functions.inc"); require_once("pkg-utils.inc"); require_once("pfsense-utils.inc"); require_once("globals.inc"); require_once("services.inc"); print "``` "; $pfblist_new = array ( array ( "none" => "", "aliasname" => "IBlock", "description" => "pfBlockerNG IBlock", "infolists" => "", "row" => array (array ("format" => "gz", "state" => "Disabled", "url" => "http://list.iblocklist.com/?list=usrcshglbiilevmyfhse&fileformat=p2p&archiveformat=gz", "header"=> "IBlock_BT_Hijack"), array ("format" => "gz", "state" => "Disabled", "url" => "http://list.iblocklist.com/?list=ficutxiwawokxlcyoeye&fileformat=p2p&archiveformat=gz", "header"=> "IBlock_BT_FS"), array ("format" => "gz", "state" => "Disabled", "url" => "http://list.iblocklist.com/?list=ghlzqtqxnzctvvajwwag&fileformat=p2p&archiveformat=gz", "header"=> "IBlock_BT_Web"), array ("format" => "gz", "state" => "Disabled", "url" => "http://list.iblocklist.com/?list=llvtlsjyoyiczbkjsxpf&fileformat=p2p&archiveformat=gz", "header"=> "IBlock_BT_Spy"), array ("format" => "gz", "state" => "Disabled", "url" => "http://list.iblocklist.com/?list=cwworuawihqvocglcoss&fileformat=p2p&archiveformat=gz", "header"=> "IBlock_Badpeer"), array ("format" => "gz", "state" => "Disabled", "url" => "http://list.iblocklist.com/?list=dgxtneitpuvgqqcpfulq&fileformat=p2p&archiveformat=gz", "header"=> "IBlock_Ads"), array ("format" => "gz", "state" => "Disabled", "url" => "http://list.iblocklist.com/?list=xoebmbyexwuiogmbyprb&fileformat=p2p&archiveformat=gz", "header"=> "IBlock_Proxy")), "action"=> "Disabled", "cron" => "04hours", "dow" => "1", "aliaslog" => "enabled", "custom"=> "", "custom_update" => "disabled"), array ( "none" => "", "aliasname" => "PRI1", "description" => "pfBlockerNG PRI1", "infolists" => "", "row" => array (array ("format" => "txt", "state" => "Disabled", "url" => "https://rules.emergingthreats.net/blockrules/compromised-ips.txt", "header"=> "ET_Comp"), array ("format" => "txt", "state" => "Disabled", "url" => "https://rules.emergingthreats.net/fwrules/emerging-Block-IPs.txt", "header"=> "ET_Block"), array ("format" => "txt", "state" => "Disabled", "url" => "http://www.spamhaus.org/drop/drop.txt", "header"=> "Spamhaus_drop"), array ("format" => "txt", "state" => "Disabled", "url" => "http://www.spamhaus.org/drop/edrop.txt", "header"=> "Spamhaus_edrop"), array ("format" => "txt", "state" => "Disabled", "url" => "http://cinsscore.com/list/ci-badguys.txt", "header"=> "CIArmy"), array ("format" => "txt", "state" => "Disabled", "url" => "https://zeustracker.abuse.ch/blocklist.php?download=ipblocklist", "header"=> "Abuse_Zeus"), array ("format" => "txt", "state" => "Disabled", "url" => "https://spyeyetracker.abuse.ch/blocklist.php?download=ipblocklist", "header"=> "Abuse_Spyeye"), array ("format" => "txt", "state" => "Disabled", "url" => "https://palevotracker.abuse.ch/blocklists.php?download=ipblocklist", "header"=> "Abuse_Palevo"), array ("format" => "html", "state" => "Disabled", "url" => "https://sslbl.abuse.ch/blacklist/sslipblacklist_aggressive.csv", "header"=> "Abuse_SSLBL"), array ("format" => "block", "state" => "Disabled", "url" => "https://feeds.dshield.org/block.txt", "header"=> "dShield_Block"), array ("format" => "txt", "state" => "Disabled", "url" => "https://labs.snort.org/feeds/ip-filter.blf", "header"=> "Snort_BL"), array ("format" => "html", "state" => "Disabled", "url" => "http://osint.bambenekconsulting.com/feeds/goz-iplist.txt", "header"=> "BBC_Goz")), "action"=> "Disabled", "cron" => "01hour", "dow" => "1", "aliaslog" => "enabled", "custom"=> "", "custom_update" => "disabled"), array ( "none" => "", "aliasname" => "PRI2", "description" => "pfBlockerNG PRI2", "infolists" => "", "row" => array (array ("format" => "gz_2", "state" => "Disabled", "url" => "https://reputation.alienvault.com/reputation.snort.gz", "header"=> "Alienvault"), array ("format" => "html", "state" => "Disabled", "url" => "https://atlas.arbor.net/summary/attacks.csv", "header"=> "Atlas_Attacks"), array ("format" => "html", "state" => "Disabled", "url" => "https://atlas.arbor.net/summary/botnets.csv", "header"=> "Atlas_Botnets"), array ("format" => "html", "state" => "Disabled", "url" => "https://atlas.arbor.net/summary/fastflux.csv", "header"=> "Atlas_Fastflux"), array ("format" => "html", "state" => "Disabled", "url" => "https://atlas.arbor.net/summary/phishing.csv", "header"=> "Atlas_Phishing"), array ("format" => "html", "state" => "Disabled", "url" => "https://atlas.arbor.net/summary/scans.csv", "header"=> "Atlas_Scans"), array ("format" => "txt", "state" => "Disabled", "url" => "http://www.cyber-ta.org/releases/malware/SOURCES/Attacker.Cumulative.Summary", "header"=> "SRI_Attackers"), array ("format" => "txt", "state" => "Disabled", "url" => "http://www.cyber-ta.org/releases/malware/SOURCES/CandC.Cumulative.Summary", "header"=> "SRI_CC"), array ("format" => "html", "state" => "Disabled", "url" => "https://www.projecthoneypot.org/list_of_ips.php?t=d&rss=1", "header"=> "HoneyPot")), "action"=> "Disabled", "cron" => "04hours", "dow" => "1", "aliaslog" => "enabled", "custom"=> "", "custom_update" => "disabled"), array ( "none" => "", "aliasname" => "PRI3", "description" => "pfBlockerNG PRI3", "infolists" => "", "row" => array (array ("format" => "txt", "state" => "Disabled", "url" => "http://www.malwaredomainlist.com/hostslist/ip.txt", "header"=> "MDL"), array ("format" => "txt", "state" => "Disabled", "url" => "http://www.nothink.org/blacklist/blacklist_malware_http.txt", "header"=> "Nothink_BL"), array ("format" => "txt", "state" => "Disabled", "url" => "http://www.nothink.org/blacklist/blacklist_ssh_week.txt", "header"=> "Nothink_SSH"), array ("format" => "txt", "state" => "Disabled", "url" => "http://www.nothink.org/blacklist/blacklist_malware_dns.txt", "header"=> "Nothink_Malware"), array ("format" => "txt", "state" => "Disabled", "url" => "https://danger.rulez.sk/projects/bruteforceblocker/blist.php", "header"=> "DangerRulez"), array ("format" => "html", "state" => "Disabled", "url" => "https://www.autoshun.org/files/shunlist.csv", "header"=> "Shunlist"), array ("format" => "txt", "state" => "Disabled", "url" => "http://www.infiltrated.net/blacklisted", "header"=> "Infiltrated"), array ("format" => "txt", "state" => "Disabled", "url" => "https://www.dragonresearchgroup.org/insight/sshpwauth.txt", "header"=> "DRG_SSH"), array ("format" => "txt", "state" => "Disabled", "url" => "https://www.dragonresearchgroup.org/insight/vncprobe.txt", "header"=> "DRG_VNC"), array ("format" => "txt", "state" => "Disabled", "url" => "https://www.dragonresearchgroup.org/insight/http-report.txt", "header"=> "DRG_HTTP"), array ("format" => "txt", "state" => "Disabled", "url" => "https://feodotracker.abuse.ch/blocklist/?download=ipblocklist", "header"=> "Feodo_Block"), array ("format" => "txt", "state" => "Disabled", "url" => "https://feodotracker.abuse.ch/blocklist/?download=badips", "header"=> "Feodo_Bad"), array ("format" => "txt", "state" => "Disabled", "url" => "http://www.reputationauthority.org/toptens.php", "header"=> "WatchGuard"), array ("format" => "txt", "state" => "Disabled", "url" => "https://vmx.yourcmc.ru/BAD_HOSTS.IP4", "header"=> "VMX"), array ("format" => "html", "state" => "Disabled", "url" => "http://www.geopsy.org/blacklist.html", "header"=> "Geopsy"), array ("format" => "html", "state" => "Disabled", "url" => "https://www.maxmind.com/en/anonymous_proxies", "header"=> "Maxmind"), array ("format" => "html", "state" => "Disabled", "url" => "http://www.botscout.com/last_caught_cache.htm", "header"=> "BotScout"), array ("format" => "html", "state" => "Disabled", "url" => "https://www.juniper.net/security/auto/spam", "header"=> "Juniper"), array ("format" => "txt", "state" => "Disabled", "url" => "http://blocklist.greensnow.co/greensnow.txt", "header"=> "Greensnow"), array ("format" => "txt", "state" => "Disabled", "url" => "https://lists.blocklist.de/lists/all.txt", "header"=> "BlocklistDE"), array ("format" => "txt", "state" => "Disabled", "url" => "http://www.stopforumspam.com/downloads/toxic_ip_cidr.txt", "header"=> "SFS_Toxic")), "action"=> "Disabled", "cron" => "04hours", "dow" => "1", "aliaslog" => "enabled", "custom"=> "", "custom_update" => "disabled"), array ( "none" => "", "aliasname" => "SEC1", "description" => "pfBlockerNG SEC1", "infolists" => "", "row" => array (array ("format" => "html", "state" => "Disabled", "url" => "http://www.malwaregroup.com/ipaddresses/malicious", "header"=> "MalwareGroup"), array ("format" => "gz_2", "state" => "Disabled", "url" => "https://www.openbl.org/lists/base_90days.txt.gz", "header"=> "OpenBL"), array ("format" => "txt", "state" => "Disabled", "url" => "https://malc0de.com/bl/IP_Blacklist.txt", "header"=> "Malcode"), array ("format" => "txt", "state" => "Disabled", "url" => "https://www.badips.com/get/list/any/2", "header"=> "BadIPs")), "action"=> "Disabled", "cron" => "04hours", "dow" => "1", "aliaslog" => "enabled", "custom"=> "", "custom_update" => "disabled"), array ( "none" => "", "aliasname" => "TOR", "description" => "pfBlockerNG TOR", "infolists" => "", "row" => array (array ("format" => "gz", "state" => "Disabled", "url" => "http://list.iblocklist.com/?list=togdoptykrlolpddwbvz&fileformat=p2p&archiveformat=gz", "header"=> "IBlock_Tor"), array ("format" => "txt", "state" => "Disabled", "url" => "https://torstatus.blutmagie.de/ip_list_exit.php/Tor_ip_list_EXIT.csv", "header"=> "Blut_Tor"), array ("format" => "html", "state" => "Disabled", "url" => "https://rules.emergingthreats.net/open/suricata/rules/tor.rules", "header"=> "ET_Tor")), "action"=> "Disabled", "cron" => "04hours", "dow" => "1", "aliaslog" => "enabled", "custom"=> "", "custom_update" => "disabled"), array ( "none" => "", "aliasname" => "MAIL", "description" => "pfBlockerNG MAIL", "infolists" => "", "row" => array (array ("format" => "txt", "state" => "Disabled", "url" => "https://virbl.bit.nl/download/virbl.dnsbl.bit.nl.txt", "header"=> "VirBL"), array ("format" => "zip", "state" => "Disabled", "url" => "http://www.stopforumspam.com/downloads/bannedips.zip", "header"=> "SFS_All"), array ("format" => "txt", "state" => "Disabled", "url" => "http://antispam.imp.ch/spamlist", "header"=> "Improware"), array ("format" => "html", "state" => "Disabled", "url" => "http://toastedspam.com/denylist.cgi", "header"=> "ToastedSpam"), array ("format" => "html", "state" => "Disabled", "url" => "http://rss.uribl.com/reports/7d/dns_a.html", "header"=> "URIBL"), array ("format" => "txt", "state" => "Disabled", "url" => "http://spamcop.net/w3m?action=map;net=cmaxcnt;mask=65535;sort=spamcnt;format=text", "header"=> "SpamCop"), array ("format" => "gz_2", "state" => "Disabled", "url" => "http://www.dnsbl.manitu.net/download/nixspam-ip.dump.gz", "header" => "Nix_Spam")), "action"=> "Disabled", "cron" => "08hours", "dow" => "1", "aliaslog" => "enabled", "custom"=> "", "custom_update" => "disabled") ); print "Checking for Existing pfBlockerNG Alias/Lists\n"; // Check for Existing pfBlockerNG Allias/Lists if (is_array($config['installedpackages']['pfblockernglistsv4']['config'])) { print "Found existing Alias/Lists. Merging Existing Alias/Lists with Imported Version\n\n"; $pfblist = $config['installedpackages']['pfblockernglistsv4']['config']; $pfbfinal = array_merge($pfblist, $pfblist_new); $config['installedpackages']['pfblockernglistsv4']['config'] = $pfbfinal; } else { print "No existing Alias/Lists found. Importing new Version.\n\n"; $config['installedpackages']['pfblockernglistsv4']['config'] = $pfblist_new; } print "pfBlockerNG Alias List Import Completed."; write_config(); ?>Note: Make a configuration backup beforehand. If it makes your box explode, I don't care, you have been warned in advance. For forced import overwriting your current lists, comment out the code on lines 375-383.
-
doktornotor and BBcan17 thanks for the php code!
As a follow on, here is one way to implement the php update (I'm sure there are other ways :) ):
1. Select Diagnostics>Edit File
2. Enter```
/usr/local/www/pfBlockerNG_import.php3\. Click **Load** 4\. Paste the php code that doktornotor posted, into the editing field:``` /* pfBlockerNG_import.php pfBlockerNG Copyright (C) 2014 BBcan177@gmail.com All rights reserved. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: 1\. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. 2\. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */ require_once("config.inc"); require_once("util.inc"); require_once("functions.inc"); require_once("pkg-utils.inc"); require_once("pfsense-utils.inc"); require_once("globals.inc"); require_once("services.inc"); print ""; $pfblist_new = array ( array ( "none" => "", "aliasname" => "IBlock", "description" => "pfBlockerNG IBlock", "infolists" => "", "row" => array (array ("format" => "gz", "state" => "Disabled", "url" => "http://list.iblocklist.com/?list=usrcshglbiilevmyfhse&fileformat=p2p&archiveformat=gz", "header"=> "IBlock_BT_Hijack"), array ("format" => "gz", "state" => "Disabled", "url" => "http://list.iblocklist.com/?list=ficutxiwawokxlcyoeye&fileformat=p2p&archiveformat=gz", "header"=> "IBlock_BT_FS"), array ("format" => "gz", "state" => "Disabled", "url" => "http://list.iblocklist.com/?list=ghlzqtqxnzctvvajwwag&fileformat=p2p&archiveformat=gz", "header"=> "IBlock_BT_Web"), array ("format" => "gz", "state" => "Disabled", "url" => "http://list.iblocklist.com/?list=llvtlsjyoyiczbkjsxpf&fileformat=p2p&archiveformat=gz", "header"=> "IBlock_BT_Spy"), array ("format" => "gz", "state" => "Disabled", "url" => "http://list.iblocklist.com/?list=cwworuawihqvocglcoss&fileformat=p2p&archiveformat=gz", "header"=> "IBlock_Badpeer"), array ("format" => "gz", "state" => "Disabled", "url" => "http://list.iblocklist.com/?list=dgxtneitpuvgqqcpfulq&fileformat=p2p&archiveformat=gz", "header"=> "IBlock_Ads"), array ("format" => "gz", "state" => "Disabled", "url" => "http://list.iblocklist.com/?list=xoebmbyexwuiogmbyprb&fileformat=p2p&archiveformat=gz", "header"=> "IBlock_Proxy")), "action"=> "Disabled", "cron" => "04hours", "dow" => "1", "aliaslog" => "enabled", "custom"=> "", "custom_update" => "disabled"), array ( "none" => "", "aliasname" => "PRI1", "description" => "pfBlockerNG PRI1", "infolists" => "", "row" => array (array ("format" => "txt", "state" => "Disabled", "url" => "https://rules.emergingthreats.net/blockrules/compromised-ips.txt", "header"=> "ET_Comp"), array ("format" => "txt", "state" => "Disabled", "url" => "https://rules.emergingthreats.net/fwrules/emerging-Block-IPs.txt", "header"=> "ET_Block"), array ("format" => "txt", "state" => "Disabled", "url" => "http://www.spamhaus.org/drop/drop.txt", "header"=> "Spamhaus_drop"), array ("format" => "txt", "state" => "Disabled", "url" => "http://www.spamhaus.org/drop/edrop.txt", "header"=> "Spamhaus_edrop"), array ("format" => "txt", "state" => "Disabled", "url" => "http://cinsscore.com/list/ci-badguys.txt", "header"=> "CIArmy"), array ("format" => "txt", "state" => "Disabled", "url" => "https://zeustracker.abuse.ch/blocklist.php?download=ipblocklist", "header"=> "Abuse_Zeus"), array ("format" => "txt", "state" => "Disabled", "url" => "https://spyeyetracker.abuse.ch/blocklist.php?download=ipblocklist", "header"=> "Abuse_Spyeye"), array ("format" => "txt", "state" => "Disabled", "url" => "https://palevotracker.abuse.ch/blocklists.php?download=ipblocklist", "header"=> "Abuse_Palevo"), array ("format" => "html", "state" => "Disabled", "url" => "https://sslbl.abuse.ch/blacklist/sslipblacklist_aggressive.csv", "header"=> "Abuse_SSLBL"), array ("format" => "block", "state" => "Disabled", "url" => "https://feeds.dshield.org/block.txt", "header"=> "dShield_Block"), array ("format" => "txt", "state" => "Disabled", "url" => "https://labs.snort.org/feeds/ip-filter.blf", "header"=> "Snort_BL"), array ("format" => "html", "state" => "Disabled", "url" => "http://osint.bambenekconsulting.com/feeds/goz-iplist.txt", "header"=> "BBC_Goz")), "action"=> "Disabled", "cron" => "01hour", "dow" => "1", "aliaslog" => "enabled", "custom"=> "", "custom_update" => "disabled"), array ( "none" => "", "aliasname" => "PRI2", "description" => "pfBlockerNG PRI2", "infolists" => "", "row" => array (array ("format" => "gz_2", "state" => "Disabled", "url" => "https://reputation.alienvault.com/reputation.snort.gz", "header"=> "Alienvault"), array ("format" => "html", "state" => "Disabled", "url" => "https://atlas.arbor.net/summary/attacks.csv", "header"=> "Atlas_Attacks"), array ("format" => "html", "state" => "Disabled", "url" => "https://atlas.arbor.net/summary/botnets.csv", "header"=> "Atlas_Botnets"), array ("format" => "html", "state" => "Disabled", "url" => "https://atlas.arbor.net/summary/fastflux.csv", "header"=> "Atlas_Fastflux"), array ("format" => "html", "state" => "Disabled", "url" => "https://atlas.arbor.net/summary/phishing.csv", "header"=> "Atlas_Phishing"), array ("format" => "html", "state" => "Disabled", "url" => "https://atlas.arbor.net/summary/scans.csv", "header"=> "Atlas_Scans"), array ("format" => "txt", "state" => "Disabled", "url" => "http://www.cyber-ta.org/releases/malware/SOURCES/Attacker.Cumulative.Summary", "header"=> "SRI_Attackers"), array ("format" => "txt", "state" => "Disabled", "url" => "http://www.cyber-ta.org/releases/malware/SOURCES/CandC.Cumulative.Summary", "header"=> "SRI_CC"), array ("format" => "html", "state" => "Disabled", "url" => "https://www.projecthoneypot.org/list_of_ips.php?t=d&rss=1", "header"=> "HoneyPot")), "action"=> "Disabled", "cron" => "04hours", "dow" => "1", "aliaslog" => "enabled", "custom"=> "", "custom_update" => "disabled"), array ( "none" => "", "aliasname" => "PRI3", "description" => "pfBlockerNG PRI3", "infolists" => "", "row" => array (array ("format" => "txt", "state" => "Disabled", "url" => "http://www.malwaredomainlist.com/hostslist/ip.txt", "header"=> "MDL"), array ("format" => "txt", "state" => "Disabled", "url" => "http://www.nothink.org/blacklist/blacklist_malware_http.txt", "header"=> "Nothink_BL"), array ("format" => "txt", "state" => "Disabled", "url" => "http://www.nothink.org/blacklist/blacklist_ssh_week.txt", "header"=> "Nothink_SSH"), array ("format" => "txt", "state" => "Disabled", "url" => "http://www.nothink.org/blacklist/blacklist_malware_dns.txt", "header"=> "Nothink_Malware"), array ("format" => "txt", "state" => "Disabled", "url" => "https://danger.rulez.sk/projects/bruteforceblocker/blist.php", "header"=> "DangerRulez"), array ("format" => "html", "state" => "Disabled", "url" => "https://www.autoshun.org/files/shunlist.csv", "header"=> "Shunlist"), array ("format" => "txt", "state" => "Disabled", "url" => "http://www.infiltrated.net/blacklisted", "header"=> "Infiltrated"), array ("format" => "txt", "state" => "Disabled", "url" => "https://www.dragonresearchgroup.org/insight/sshpwauth.txt", "header"=> "DRG_SSH"), array ("format" => "txt", "state" => "Disabled", "url" => "https://www.dragonresearchgroup.org/insight/vncprobe.txt", "header"=> "DRG_VNC"), array ("format" => "txt", "state" => "Disabled", "url" => "https://www.dragonresearchgroup.org/insight/http-report.txt", "header"=> "DRG_HTTP"), array ("format" => "txt", "state" => "Disabled", "url" => "https://feodotracker.abuse.ch/blocklist/?download=ipblocklist", "header"=> "Feodo_Block"), array ("format" => "txt", "state" => "Disabled", "url" => "https://feodotracker.abuse.ch/blocklist/?download=badips", "header"=> "Feodo_Bad"), array ("format" => "txt", "state" => "Disabled", "url" => "http://www.reputationauthority.org/toptens.php", "header"=> "WatchGuard"), array ("format" => "txt", "state" => "Disabled", "url" => "https://vmx.yourcmc.ru/BAD_HOSTS.IP4", "header"=> "VMX"), array ("format" => "html", "state" => "Disabled", "url" => "http://www.geopsy.org/blacklist.html", "header"=> "Geopsy"), array ("format" => "html", "state" => "Disabled", "url" => "https://www.maxmind.com/en/anonymous_proxies", "header"=> "Maxmind"), array ("format" => "html", "state" => "Disabled", "url" => "http://www.botscout.com/last_caught_cache.htm", "header"=> "BotScout"), array ("format" => "html", "state" => "Disabled", "url" => "https://www.juniper.net/security/auto/spam", "header"=> "Juniper"), array ("format" => "txt", "state" => "Disabled", "url" => "http://blocklist.greensnow.co/greensnow.txt", "header"=> "Greensnow"), array ("format" => "txt", "state" => "Disabled", "url" => "https://lists.blocklist.de/lists/all.txt", "header"=> "BlocklistDE"), array ("format" => "txt", "state" => "Disabled", "url" => "http://www.stopforumspam.com/downloads/toxic_ip_cidr.txt", "header"=> "SFS_Toxic")), "action"=> "Disabled", "cron" => "04hours", "dow" => "1", "aliaslog" => "enabled", "custom"=> "", "custom_update" => "disabled"), array ( "none" => "", "aliasname" => "SEC1", "description" => "pfBlockerNG SEC1", "infolists" => "", "row" => array (array ("format" => "html", "state" => "Disabled", "url" => "http://www.malwaregroup.com/ipaddresses/malicious", "header"=> "MalwareGroup"), array ("format" => "gz_2", "state" => "Disabled", "url" => "https://www.openbl.org/lists/base_90days.txt.gz", "header"=> "OpenBL"), array ("format" => "txt", "state" => "Disabled", "url" => "https://malc0de.com/bl/IP_Blacklist.txt", "header"=> "Malcode"), array ("format" => "txt", "state" => "Disabled", "url" => "https://www.badips.com/get/list/any/2", "header"=> "BadIPs")), "action"=> "Disabled", "cron" => "04hours", "dow" => "1", "aliaslog" => "enabled", "custom"=> "", "custom_update" => "disabled"), array ( "none" => "", "aliasname" => "TOR", "description" => "pfBlockerNG TOR", "infolists" => "", "row" => array (array ("format" => "gz", "state" => "Disabled", "url" => "http://list.iblocklist.com/?list=togdoptykrlolpddwbvz&fileformat=p2p&archiveformat=gz", "header"=> "IBlock_Tor"), array ("format" => "txt", "state" => "Disabled", "url" => "https://torstatus.blutmagie.de/ip_list_exit.php/Tor_ip_list_EXIT.csv", "header"=> "Blut_Tor"), array ("format" => "html", "state" => "Disabled", "url" => "https://rules.emergingthreats.net/open/suricata/rules/tor.rules", "header"=> "ET_Tor")), "action"=> "Disabled", "cron" => "04hours", "dow" => "1", "aliaslog" => "enabled", "custom"=> "", "custom_update" => "disabled"), array ( "none" => "", "aliasname" => "MAIL", "description" => "pfBlockerNG MAIL", "infolists" => "", "row" => array (array ("format" => "txt", "state" => "Disabled", "url" => "https://virbl.bit.nl/download/virbl.dnsbl.bit.nl.txt", "header"=> "VirBL"), array ("format" => "zip", "state" => "Disabled", "url" => "http://www.stopforumspam.com/downloads/bannedips.zip", "header"=> "SFS_All"), array ("format" => "txt", "state" => "Disabled", "url" => "http://antispam.imp.ch/spamlist", "header"=> "Improware"), array ("format" => "html", "state" => "Disabled", "url" => "http://toastedspam.com/denylist.cgi", "header"=> "ToastedSpam"), array ("format" => "html", "state" => "Disabled", "url" => "http://rss.uribl.com/reports/7d/dns_a.html", "header"=> "URIBL"), array ("format" => "txt", "state" => "Disabled", "url" => "http://spamcop.net/w3m?action=map;net=cmaxcnt;mask=65535;sort=spamcnt;format=text", "header"=> "SpamCop"), array ("format" => "gz_2", "state" => "Disabled", "url" => "http://www.dnsbl.manitu.net/download/nixspam-ip.dump.gz", "header" => "Nix_Spam")), "action"=> "Disabled", "cron" => "08hours", "dow" => "1", "aliaslog" => "enabled", "custom"=> "", "custom_update" => "disabled") ); print "Checking for Existing pfBlockerNG Alias/Lists\n"; // Check for Existing pfBlockerNG Allias/Lists if (is_array($config['installedpackages']['pfblockernglistsv4']['config'])) { print "Found existing Alias/Lists. Merging Existing Alias/Lists with Imported Version\n\n"; $pfblist = $config['installedpackages']['pfblockernglistsv4']['config']; $pfbfinal = array_merge($pfblist, $pfblist_new); $config['installedpackages']['pfblockernglistsv4']['config'] = $pfbfinal; } else { print "No existing Alias/Lists found. Importing new Version.\n\n"; $config['installedpackages']['pfblockernglistsv4']['config'] = $pfblist_new; } print "pfBlockerNG Alias List Import Completed."; write_config(); ?>;5. Click Save
6. ssh into the pfSense console
7. Type 8 to get to the shell
8. Paste```
php -f /usr/local/www/pfBlockerNG_import.php9\. Press **Return** 10\. Once the update is complete, the shell will return **pfBlockerNG Alias List Import Completed.[2.2.1-RELEASE]** 11\. Exit pfSense console 12\. Select **Firewall>pfBlockerNG>IPv4** to see the changes
