PfBlockerNG
-
Hello BBcan177,
If pfblockerng integrate with mailreport in the future? For example, I add "botnet" alias and set action to deny outbound. When infiltrated computers traffic is outbound, and send mail trigger by mailreport(Report Logs).
But I can only use firewall log (raw) filter in report Logs,so i can't filter by botnet alias
Or I can use other methods?
Thanks!
Hi ntct,
You can try the following :
View the Firewall or pfBNG Alerts log and find the Rule Number associated with the Alias. If you don't see the rule number in the Firewall logs, you can edit the log settings to display the Rule column.
In mail reports, when you select "Filter Logs (Raw), enter the "filter" as - Example rule number 90 :
90,
This will search the log for those characters. Please note that any Firewall rule changes can alter the Rule Number.
Hope this helps.
-
Hello
Issue
Fatal error: Call to undefined function subnetv6_expand() in /etc/inc/util.inc on line 714Fix in this thread works
-
Hi stanthewizard,
Are you using the latest version of pfBNG? If not, please upgrade as that issue has been fixed.
-
This is the latest updated this morning
-
Do you have any Virtual IPs? And are you using IPv6?
Could you post a screenshot of the VIP addresses and masks?
-
192.168.0.1/24 (vhid 1) LAN carp LANVirIPv4
192.168.1.200/24 (vhid 2) WAN carp WANVirIPv4
fd28:8ccb:1874:a09e::1/64 (vhid 3) LAN carp LANVirIPv6https://www.dropbox.com/s/pso662buzfjvfnw/carp%20ipv4.jpg?dl=0
https://www.dropbox.com/s/xqxk04u5133w0jo/carp%20ipv6.jpg?dl=0
::)
-
Hi stanthewizard,
I took a look at the code for the Alerts tab in Github and it does not contain my patch for this issue… I must have not added those changes to the previous Pull Request. I will get that fixed in the next PR.
You mentioned that you did a work around? If its still not working for you, let me know and I will get you a patch for it. (send me a PM if you can't wait for the next version) :)
-
I can wait no issue
I'm using the workaround you gave me :P
PS: still the footer is out of line
-
In response to a pm I received about:
@azurata:I was waiting the pfBlockerNG new version to do adblock using the unbound, but until it's released I add a VIRTUAL IP to the Lan interface, made a script to convert http://pgl.yoyo.org/adservers/serverlist.php?hostformat=hosts&mimetype=plaintext to unbound advanced rules to redirect to the VIRTUAL IP and setup a nginx to listen to both 80 and 443 on the VIRTUAL IP and respond to all with "204 No Content". For my surprise is working better that I was expecting.
made a tutorial, Simple adblock using unbound and nginx
-
Just did the update to 1.08 and got
[ There were error(s) loading the rules: /tmp/rules.debug:23: cannot load /var/db/aliastables/pfB_Africa_v4.txt: No such file or directory - The line in question reads [23]: table persist file /var/db/aliastables/pfB_Africa_v4.txt]
-
-
Is it possible to select which internal IP addresses pfBlockerNG gets applied to? I want to be able to say use a blocklist for a specific internal device and all other devices will not be blocked by the blocklist
-
Hi meruem,
You can define the alias using an "Alias" list action (ie "Alias Deny"). This will allow you to create manually defined firewall rules with your specific requirements.
-
Hi meruem,
You can define the alias using an "Alias" list action (ie "Alias Deny"). This will allow you to create manually defined firewall rules with your specific requirements.
I see that pfBlockerNG added the IPv4 alias (which contains the large blocklist) I created to the firewall rules (action: block). I'm not sure how to only apply that firewall rule to a specific internal ip address(s) though. I tried editing the rule added by pfBlockerNG, and set the destination to a single internal IP address, but the rule is still being applied to all internal devices on my network
-
When you create the Alias, Set the "List Action" to "Alias Deny"… This way it will not create any Auto Rules. You can then create a new manual Firewall rule with your custom settings and then associate the Alias in the Rule.
-
BBcan177,
That worked perfect, Thanks.
In addition to the WAN incoming blocking, I created a firewall rule for LAN outgoing blocking. Firewall => Rules => LAN => Block => My Internal IP's Alias (Source) => External IP's Blocklist Alias (Destination) to complete the "no contact whatsoever with the blocklist IP's" thing I was going for
Also, I had to go to Diagnostics => States => Reset States. Because I found out, through testing, any established states before firewall changes do not adhere to the new firewall rules until the state has been removed from pfsense (either naturally or manually). I recommend this step to anyone doing the same thing as me, to complete the process
This is powerful and flexible. Now my blocklist(s) are not globally encompassing my entire network, and I do not have to tightly couple blocklists with client side software programs
-
Maybe somebody can give me some direction to a correcting an error. Whenever I attempt to open pfBlockerNG > Alters tab it stalls and eventually displays a blank white page. Going back to the default home page (index.php) an alert is displaying "pfSense has detected a crash report or programming bug. Click here for more information.". Opening the crash report page displays the following
–-- Start contents of Crash Report ---
Crash report begins. Anonymous machine information:
amd64
10.1-RELEASE-p9
FreeBSD 10.1-RELEASE-p9 #0 57b23e7(releng/10.1)-dirty: Tue Apr 14 12:48:16 CDT 2015 root@factory22-amd64-builder.pfmechanics.com:/usr/obj.amd64/usr/pfSensesrc/src/sys/pfSense_SMP.10
Crash report details:
PHP Errors:
[07-May-2015 20:28:51 America/New_York] PHP Fatal error: Allowed memory size of 268435456 bytes exhausted (tried to allocate 72 bytes) in /etc/inc/util.inc on line 728
[07-May-2015 20:31:03 America/New_York] PHP Fatal error: Allowed memory size of 268435456 bytes exhausted (tried to allocate 72 bytes) in /etc/inc/util.inc on line 728
–- End contents of Crash Report ---I have been sending the crash reports and thought that an update would correct the problem.
Hardware: pfSense C2758 recently purchased from the pfSense store
pfSense version 2.2.2-RELEASE (amd64)
pfBlockerNG version 1.08Thank you in advance!!
-
Hi BitechBob,
Can you edit the file /usr/local/www/pfblockerng/pfblockerng_alerts.php
and comment out line #703
$pfb_local = array_merge (subnet_expand ("{$list['subnet']}/{$list['subnet_bits']}"), $pfb_local);There will be a fix for this soon… This is only an issue for systems that have a large CIDR range in a VIP address so this only needs to be edited in this scenario. You might notice that the Src/Dst Columns will not show the "!" and "+" icons on the Local IPs if alerts include any of these VIP addresses.
If you need any further help, send me a PM.
Thanks!
-
OK, I have a stupid question. I have to whitelist an IP of an FTP server in India. I have pretty much everything blocked except for traffic in the US and Canada, mostly inbound only. For the 'Top 20' tab, I have deny both. For some reason, this server's IP is on the top 20 spammer country list.
I have setup a whitelist in the ipv4 tab and have it pointing to a txt file on my pfsense box. In this setup, I have "Permit Both" for the "List Action".
So now my question. By doing this, am I allow this IP to bypass all the other rules on my firewall, or does pfsenseng permit this IP first and then flow it through the other rules? So, for example, if I allow this IP, will netbios traffic from this IP still get blocked because I have a firewall rule that blocks netbios inbound?
-
Thank you for the quick reply!! I performed the edit but then for the same process I now receive
Parse error: syntax error, unexpected '}' in /usr/local/www/pfblockerng/pfblockerng_alerts.php on line 704
It's no big deal and I can live with it until the next release.
Again THANK YOU!
