Netgate Discussion Forum
PfBlockerNG

pfBlockerNG
  • B
    BBcan177 Moderator
    last edited by Apr 19, 2015, 3:42 PM

    @n3by:

    Hi,

    Thank you for the answer.

    I did as suggested ….

    EDIT:

    It was my fault sorry:

    I succeeded in solving it;
    It was the proxy guard from real pfSense router 2.1.5 that filtered direct IP access, I am testing 2.2.2 in VirtualBox.

    Best Regards.

    Thanks n3by for reporting back…  I also see some other lists have failed... Disable "Abuse Palevo" as that list has been discontinued. Also some of the lists are being blocked by Snort from what I can tell from the log you sent.

    "Experience is something you don't get until just after you need it."

    Website: http://pfBlockerNG.com
    Twitter: @BBcan177  #pfBlockerNG
    Reddit: https://www.reddit.com/r/pfBlockerNG/new/

    • B
      BBcan177 Moderator
      last edited by Apr 19, 2015, 3:47 PM

      @doktornotor:

      Yes. Because when the updated firewall rules are broken, they fail to load. Flush your pfBNG configuration by unchecking the Keep configuration box, reinstall the package and start from scratch, enabling only ONE list at a time, until you figure this out.

      Just for clarity, when you disable "Keep" and Disable pfBNG and click "Save" it will only clear the previously downloaded files and leave all of the Configuration Settings intact.

      It's not necessary to re-install. If you re-install with "keep" unchecked, it will wipe all of the configuration settings and set the package back to a "Fresh" install state.
      • N
        n3by
        last edited by Apr 19, 2015, 4:04 PM

        Hi,

        Is this list usable for you (I set it as txt but it is still not downloading; I hope I disabled all restrictions this time  :-[ )?

        http://osint.bambenekconsulting.com/feeds/c2-ipmasterlist.txt

        from:
        http://osint.bambenekconsulting.com/feeds/

        • M
          Mr. Jingles
          last edited by Apr 19, 2015, 5:58 PM

          Changing to http worked, BB; Juniper updated  :-*

          Weird that Firefox does not complain about it, but pfBlockerNG does(?)

          6 and a half billion people know that they are stupid, aggressive, lower life forms.

          • B
            BBcan177 Moderator
            last edited by Apr 19, 2015, 6:20 PM

            @Mr.:

            Changing to http worked, BB; Juniper updated  :-*

            Weird that Firefox does not complain about it, but pfBlockerNG does(?)

            The difference is that the browser handles the Certs a little differently than the "fetch" shell FreeBSD command. Here is a link… Maybe one of the pfSense Devs will chime in on this issue?

            http://smyck.net/2014/01/22/freebsd-authentication-error/
            • M
              Mr. Jingles
              last edited by Apr 20, 2015, 10:06 AM

              Some weird stuff  ???

              Problem 1:

              • The pfb_PASS rule is an automatic rule in floating;

              • I added to that pfb_NGSuppress right below it (still don't understand why this has to be done manually, btw).

              • After a Cron update, that second rule is gone, and there is a second pfb_Pass rule. Observed this for a couple of days.

              Problem 2:

              • I try to whitelist an IP/block in pfb_PASS (top of the rules list in floating)

              • I tell it to log hits (so I can see it works) but it doesn't log anything in System/Firewall logs, AND:

              • The IP/block is still blocked, but now by pfb_PRI2, although deduplication is active.

              Question 1:

              • How do I whitelist sitenames? Archive.org is kept blocked. I can't add it to pfb_PASS since this is IP only, and NGSuppress is too. Do I need a different pass alias in floating for this?

              Thanks BB  :-*

              • M
                Mr. Jingles
                last edited by Apr 20, 2015, 10:07 AM

                @BBcan177:

                @Mr.:

                Changing to http worked, BB; Juniper updated  :-*

                Weird that Firefox does not complain about it, but pfBlockerNG does(?)

                The difference is that the browser handles the Certs a little differently than the "fetch" shell FreeBSD command. Here is a link… Maybe one of the pfSense Devs will chime in on this issue?

                http://smyck.net/2014/01/22/freebsd-authentication-error/

                Thanks BB. That link says it'll be fixed by updating OpenSSL. Such a thing is 'core maintenance', not a bug that needs to be fixed, no(?)

                • B
                  BBcan177 Moderator
                  last edited by Apr 20, 2015, 6:24 PM Apr 20, 2015, 6:13 PM

                  @Mr.:

                  Some weird stuff  ???

                  Hey Mr. J.

                  You are mixing some things up here  :)

                  The pfBlockerNGSuppress alias does not need to be referenced to any Firewall Rules.

                  Suppression -

                  Suppression process occurs when Lists are downloaded from the Threat Sources.

                  When a List is downloaded, if the list contains 1.2.3.4/32 and the Suppress Alias has 1.2.3.4/32, then this IP is suppressed from the Blocklist.

                  If a list has 1.2.3.4/32 and the Suppress Alias has 1.2.3.0/24, then this IP is suppressed from the Blocklist.

                  If a list has 1.2.3.4/24 and the Suppress Alias has 1.2.3.4/32, then the Single 1.2.3.4/32 is suppressed, and all of the other IPs in this Range are added to the Blocklist.

                  When you click on the "+" icon in the Alerts tab, it will add the IP to the Suppress Alias, and also removes the IP from the Aliastable. However, the Suppressed IP is still in the Blocklist, and will be removed from the List at the Next Cron Update for the particular List. This will prevent these Suppressed IPs from being blocked.

                  Whitelisting -

                  When you whitelist, you are creating a new pfBNG alias and typically set it for "Permit Outbound". You can enter the Whitelisted IPs in the custom Box in the alias.

                  The best method is to suppress the IP above. But if you have a Block occurring from a CIDR under a /24, you can't suppress that (ie /20 etc…) To overcome that, you need to allow the IP "Permit Outbound" which will create a state in the pfSense State table that allows the return of that IP without being Blocked by the pfBNG Block/Reject rules. In the Alerts Tab, you can see the List that Blocked the IP, if no IP is shown below the List, then the Block occurred by a /32 Blocklist entry. If it's blocked by a CIDR, it will show the IP and CIDR below the List. You then can decide if it's a /24 to use Suppression, or use the Whitelist for other CIDR ranges.

                  Other questions -

                  The Permit Rules need to be above the Block/Reject rules. Ensure that in the Alias, you set "Logging" or enable Global logging in the General Tab which will enable Logging for all Aliases globally.

                  When you add a manual Rule, it can't have "pfB_" in the description, these will be removed by the Cron task each hour. To create "Alias" type rules, you need to enter the Description starting with "pfb_" (Lowercase)… This is explained in detail in the Alias "List Action" Section.

                  You cannot Use Domain names with pfBlockerNG currently. You will need to convert the domain into an IP and add that to a Custom list. In v2.0 I will also have Domain Name Blocking (DNSBL).

                  You can use a service like Hurricane Electric to collect IPs for Domain names that are changing more frequently and collect the list with the "html" format.

                  http://bgp.he.net/search?search%5Bsearch%5D=twitter&commit=Search
                  http://bgp.he.net/search?search%5Bsearch%5D=facebook&commit=Search
                  http://bgp.he.net/search?search%5Bsearch%5D=spotify&commit=Search
                  http://bgp.he.net/search?search%5Bsearch%5D=dropbox&commit=Search
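The suppression rules BBcan177 describes in the post above, modelled with Python's `ipaddress` module as an added example (not pfBlockerNG's own code and not part of the original post). The function name `apply_suppression` and every address other than 1.2.3.4 are assumptions constructed for illustration.

```python
import ipaddress


def apply_suppression(list_entries, suppress_entries):
    """Model of the suppression rules from the post (hypothetical helper).

    Returns (blocklist, needs_permit):
      blocklist    - CIDR strings left to block after suppression
      needs_permit - (suppress_entry, list_entry) pairs that suppression
                     cannot fix because the list entry is wider than /24;
                     per the post these need a "Permit Outbound" alias.
    """
    suppress = []
    for raw in suppress_entries:
        net = ipaddress.ip_network(raw, strict=False)
        # The thread states suppression works on /32 or /24 ranges only.
        if net.prefixlen not in (24, 32):
            raise ValueError(f"suppress entries must be /32 or /24: {raw}")
        suppress.append(net)

    blocklist, needs_permit = [], []
    for raw in list_entries:
        # strict=False accepts entries with host bits set, such as the
        # post's "1.2.3.4/24", and normalises them to 1.2.3.0/24.
        net = ipaddress.ip_network(raw, strict=False)
        if net.prefixlen < 24:
            # Wider than /24 (e.g. a /20): left untouched in the blocklist.
            blocklist.append(net)
            needs_permit += [(str(s), str(net))
                             for s in suppress if s.subnet_of(net)]
            continue
        remaining = [net]
        for s in suppress:
            kept = []
            for r in remaining:
                if r.subnet_of(s):
                    continue                            # fully suppressed
                if s.subnet_of(r):
                    kept.extend(r.address_exclude(s))   # carve the IP out
                else:
                    kept.append(r)
            remaining = kept
        blocklist.extend(remaining)
    return [str(n) for n in sorted(blocklist)], needs_permit


if __name__ == "__main__":
    # Constructed sample: the post's /24 case plus a /20 that needs a permit.
    bl, permit = apply_suppression(
        ["1.2.3.4/24", "198.18.0.0/20"],
        ["1.2.3.4/32", "198.18.5.9/32"],
    )
    print("\n".join(bl))
    print("needs Permit Outbound:", permit)
```

Carving one /32 out of a /24 leaves eight smaller CIDRs covering the other 255 addresses, which is what "all of the other IPs in this Range are added to the Blocklist" amounts to in CIDR form.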
                  • B
                    BBcan177 Moderator
                    last edited by Apr 20, 2015, 6:15 PM

                    @Mr.:

                    @BBcan177:

                    @Mr.:

                    Changing to http worked, BB; Juniper updated  :-*

                    Weird that Firefox does not complain about it, but pfBlockerNG does(?)

                    The difference is that the browser handles the Certs a little differently than the "fetch" shell FreeBSD command. Here is a link… Maybe one of the pfSense Devs will chime in on this issue?

                    http://smyck.net/2014/01/22/freebsd-authentication-error/

                    Thanks BB. That link says it'll be fixed by updating OpenSSL. Such a thing is 'core maintenance', not a bug that needs to be fixed, no(?)

                    Yes, that's what I was saying… The fetch command uses OpenSSL as part of pfSense. So that issue is a core pfSense issue and not from pfBlockerNG.
                    • M
                      mzarrugh
                      last edited by Apr 21, 2015, 11:58 AM

                      Is there a comprehensive guide that covers the main features of the current version? I want to use it mainly to block ads.

                      • P
                        pf3000
                        last edited by Apr 23, 2015, 2:19 PM

                        @BBcan177:

                        You can use a service like Hurricane Electric to collect IPs for Domain names that are changing more frequently and collect the list with the "html" format.

                        http://bgp.he.net/search?search%5Bsearch%5D=twitter&commit=Search
                        http://bgp.he.net/search?search%5Bsearch%5D=facebook&commit=Search
                        http://bgp.he.net/search?search%5Bsearch%5D=spotify&commit=Search
                        http://bgp.he.net/search?search%5Bsearch%5D=dropbox&commit=Search

                        Fantastic… these hidden features/hacks should be in a pfBNG FAQ or OP or something.

                        • A
                          azurata
                          last edited by Apr 23, 2015, 9:59 PM

                          I was waiting for the new pfBlockerNG version to do adblocking using unbound, but until it's released I added a VIRTUAL IP to the LAN interface, made a script to convert http://pgl.yoyo.org/adservers/serverlist.php?hostformat=hosts&mimetype=plaintext to unbound advanced rules that redirect to the VIRTUAL IP, and set up nginx to listen on both 80 and 443 on the VIRTUAL IP and respond to everything with "204 No Content". To my surprise it is working better than I was expecting.

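One way to do the hosts-to-unbound conversion azurata describes, as an added example (the poster's script is not shown in the thread, and this is not it). The sinkhole address 10.10.10.1, the function name `hosts_to_unbound` and the sample feed are assumptions; names are validated because the feed is untrusted text that ends up in resolver configuration.

```python
import ipaddress
import re

# Lowercase DNS name: dot-separated labels, no quotes, spaces or control
# characters, so a feed entry cannot break out of the quoted directive.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)"
    r"([a-z0-9_]([a-z0-9_-]{0,61}[a-z0-9_])?\.)+"
    r"[a-z][a-z0-9-]{1,62}$"
)
# Housekeeping names that hosts files carry but that must never be sinkholed.
SKIP = {"localhost", "localhost.localdomain", "broadcasthost"}


def hosts_to_unbound(hosts_text, sinkhole_ip):
    """Convert hosts-format text to unbound local-zone/local-data lines.

    sinkhole_ip is the virtual IP where a web server answers 204
    (hypothetical value supplied by the caller).
    """
    ipaddress.IPv4Address(sinkhole_ip)  # raises ValueError if not IPv4
    seen, out = set(), []
    for line in hosts_text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments
        fields = line.split()
        if len(fields) < 2:
            continue                           # blank or malformed line
        for name in fields[1:]:                # a line may list several names
            name = name.lower().rstrip(".")
            if name in SKIP or name in seen or not HOSTNAME_RE.match(name):
                continue
            seen.add(name)
            # "redirect" makes the name and all its subdomains answer
            # with the local-data record below.
            out.append(f'local-zone: "{name}" redirect')
            out.append(f'local-data: "{name} A {sinkhole_ip}"')
    return out


if __name__ == "__main__":
    # Constructed sample feed, including one entry that must be rejected.
    sample = (
        "# ad servers\n"
        "127.0.0.1 localhost\n"
        "127.0.0.1 ads.example.com  # banner host\n"
        "127.0.0.1 ADS.example.com\n"
        '127.0.0.1 bad"name.example\n'
        "127.0.0.1 tracker.example.net\n"
    )
    print("\n".join(hosts_to_unbound(sample, "10.10.10.1")))
```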
                          • M
                            marcus556
                            last edited by Apr 24, 2015, 1:31 AM

                            Is there any way to EXclude an IP from the pfblocker?  I have a PS4 and when I have the top 20 countries selected it affects game play online and when I disable it doesn't block some of the ads. So is there any way to exclude an IP address?

                            • B
                              BBcan177 Moderator
                              last edited by Apr 24, 2015, 3:36 AM

                              @marcus556:

                              Is there any way to EXclude an IP from the pfblocker?  I have a PS4 and when I have the top 20 countries selected it affects game play online and when I disable it doesn't block some of the ads. So is there any way to exclude an IP address?

                              There is a post about this five posts before this one!  And also in several places in this thread… Either Suppress the IP (/32 or /24 Ranges only) or Create a Permit Outbound Alias with the IP listed in the Custom Input Entry. Ensure the Permit Rule is before the Block/Reject Rules.
                              • M
                                marcus556
                                last edited by Apr 24, 2015, 4:04 AM

                                @BBcan177:

                                @marcus556:

                                Is there any way to EXclude an IP from the pfblocker?  I have a PS4 and when I have the top 20 countries selected it affects game play online and when I disable it doesn't block some of the ads. So is there any way to exclude an IP address?

                                There is a post about this five posts before this one!  And also in several places in this thread… Either Suppress the IP (/32 or /24 Ranges only) or Create a Permit Outbound Alias with the IP listed in the Custom Input Entry. Ensure the Permit Rule is before the Block/Reject Rules.

                                Woah… sorry to push a button there. I actually tried setting it up with the permit rules before the block/reject but then it wouldn't block anything.  Just thought there might be an easier solution.... I'll try the suppressing... thanks!

                                • B
                                  BBcan177 Moderator
                                  last edited by Apr 24, 2015, 4:34 AM

                                  If it's a Top20 Block, then you have to use the "Permit Outbound" method, as suppression will only work on /32 or /24 ranges. In the alias enter just the IP range required and set it to "permit outbound". It shouldn't interfere with other block/reject rules.
                                  • N
                                    ntct
                                    last edited by Apr 25, 2015, 7:07 AM Apr 25, 2015, 7:04 AM

                                    Hello BBcan177,

                                    Will pfBlockerNG integrate with mailreport in the future? For example, I add a "botnet" alias and set the action to deny outbound. When traffic from infiltrated computers goes outbound, a mail is sent, triggered by mailreport (Report Logs).

                                    But I can only use the firewall log (raw) filter in Report Logs, so I can't filter by the botnet alias.

                                    Or can I use other methods?

                                    Thanks!

                                    • K
                                      killmasta93
                                      last edited by Apr 25, 2015, 6:55 PM

                                      Does pfBlockerNG support 2.1.5? Or should I just stick to pfBlocker?

                                      Thanks

                                      Tutorials:

                                      https://www.mediafire.com/folder/v329emaz1e9ih/Tutorials

                                      • S
                                        Supermule Banned
                                        last edited by Apr 25, 2015, 6:58 PM

                                        It does not unless you use an unofficial package repository :)

                                        • B
                                          bodam
                                          last edited by Apr 25, 2015, 8:01 PM Apr 25, 2015, 7:01 PM

                                          NEVERMIND:  I was able to get this resolved from help on IRC.  It looks like, despite running the php cleanup script, I had some original pfBlocker aliases still around.  Deleting them fixed the problem.

                                          I'm a bit new to pfsense and not a network guy.  I implemented PFBlockerNG and, overall it seems to be working well.  The problem is that I am getting the errors shown in the attachment.  I used the php script earlier to set the lists up.  Not sure how to resolve these.  Any suggestions would be appreciated.
