Netgate Discussion Forum
    Pfblocker not blocking?

    pfSense Packages: 13 Posts, 4 Posters, 4.5k Views
    • doktornotor (Banned)

      I can see 180.210.224.0/19 on the CN_v4 list. (This is what it resolves to here, no idea about you.)

      Is your goal to basically block *.cn for browsing? You can do that with a whole LOT less overhead and a whole LOT more reliably by a wildcard DNS override.

      • jackyes89

        No, I would block traffic from China and the blocklist… to test it I try to surf Chinese sites, but it's not the best way to test if it's working  :-[

        • jackyes89

          OK, after some other tests it's working! Thanks doktornotor!

          But one thing:
          Sometimes in pfBlockerNG -> Alerts, in the deny table, I can see some entries that I can also find in the Suricata log (SSH scans, for example)… so if the IP is in the blocklist it should not get to Suricata.

          Is this OK?

          • doktornotor (Banned)

            @jackyes89:

            so if the ip is in the blocklist should not get to suricata.

            Please, start a separate thread about Suricata in the proper forum section. (My assumption is that it's working exactly the other way round, snort/suricata gets hit before the pf rules, plus it's not inline in addition. At least that's what the maintainer suggests: https://forum.pfsense.org/index.php?topic=89463.msg495180#msg495180 – But then again, not using any of this IDS stuff here.)

            • jackyes89

              Sorry, I supposed that the pf rules come first and then Suricata, so if Suricata makes an alert, something is going wrong with pfBlocker (Suricata is working without problems).
              Thank you again.

              • BBcan177 (Moderator)

                Please read the link that was posted by doktornotor (link to Bmeeks, maintainer of Snort/Suricata) as it explains the exact process correctly. The IDS is acting on a "Copy" of all packets.

                If you have pfBlockerNG with a List like "ET Compromised", please do not also enable the "ET Compromised" Category in the IDS, as you are duplicating your efforts.

                "Experience is something you don't get until just after you need it."

                Website: http://pfBlockerNG.com
                Twitter: @BBcan177  #pfBlockerNG
                Reddit: https://www.reddit.com/r/pfBlockerNG/new/

                • jackyes89

                  @BBcan177:

                  Please read the link that was posted by doktornotor (link to Bmeeks, maintainer of Snort/Suricata) as it explains the exact process correctly. The IDS is acting on a "Copy" of all packets.

                  If you have pfBlockerNG with a List like "ET Compromised" please do not also enable the "ET Compromised" Category in the IDS. As you are duplicating your efforts.

                  Yes, I disabled it.. the triggered rule is "ET SCAN Potential SSH Scan" ;)

                  Thanks BBcan177 for pfBlockerNG!

                  • wheemer

                    I have pfBlockerNG enabled and I have Russia, China and Hong Kong blocked.

                    However, my email software is still saying it's blocking Chinese IPs that are trying to brute-force my password.

                    I can also still browse Chinese websites even though I have in and out blocked.

                    • jackyes89

                      To simply test if the firewall is blocking a country:
                      Example for China  ;D
                      Google -> "china proxy list" -> ping one of the list.
                      If you can't ping it and you see the entry in the Alerts tab of pfBlocker, it's working…

                      For the website, be sure that it's hosted in China (or does it use a CDN?).

                      • BBcan177 (Moderator)

                        @wheemer:

                        I have PFBlockerNG enabled and I have russia, china and hong kong blocked.

                        However my emails software is still saying it's blocking chinese IPs that are trying to brute force password hack me.

                        I can also still browse chinese websites even though I have in and out blocked.

                        Hi wheemer,

                        Do you have any "Firewall Pass Rules" above the Block/Reject Rules that would allow those IPs through? Floating Rules are processed first (top to bottom), then the Interface Firewall Rules (top to bottom), and typically on the first rule match that's found.


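The rule-ordering point BBcan177 makes above, worked through as an added example (not code from the thread, pfSense or pfBlockerNG): a small Python model of pf's evaluation order with a constructed alias table and hypothetical rule labels, showing why a catch-all pass rule placed above the pfBlockerNG block rule lets a CN_v4 address through, and that moving the block rule above it fixes that.

```python
import ipaddress
from dataclasses import dataclass

# Constructed alias table standing in for pfBlockerNG's auto-generated
# aliases; the /19 is the CN_v4 entry quoted earlier in the thread.
ALIASES = {
    "pfB_CN_v4": [ipaddress.ip_network("180.210.224.0/19")],
    "any": [ipaddress.ip_network("0.0.0.0/0")],
}

@dataclass
class Rule:
    action: str             # "pass" or "block"
    src: str                # alias name for the source
    dst: str                # alias name for the destination
    floating: bool = False  # floating rules are evaluated before interface rules
    quick: bool = True      # quick = first match wins (interface rules are implicitly quick)
    label: str = ""

def matches(rule, src_ip, dst_ip):
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    return any(s in n for n in ALIASES[rule.src]) and any(d in n for n in ALIASES[rule.dst])

def evaluate(rules, src_ip, dst_ip, default="block"):
    """Return (action, label) of the rule pf would apply to this packet."""
    ordered = [r for r in rules if r.floating] + [r for r in rules if not r.floating]
    last_match = None
    for r in ordered:
        if matches(r, src_ip, dst_ip):
            if r.quick:
                return r.action, r.label        # first quick match ends evaluation
            last_match = (r.action, r.label)    # non-quick floating rule: last match wins
    return last_match or (default, "default deny")

# Hypothetical WAN rule set: the pfBlockerNG auto rule and a misplaced catch-all pass.
BLOCK_CN = Rule("block", "pfB_CN_v4", "any", label="pfB_CN_v4 auto rule")
ALLOW_ALL = Rule("pass", "any", "any", label="misplaced allow-all")
CN_HOST, LOCAL_HOST = "180.210.230.5", "203.0.113.10"   # constructed sample addresses

def misordered():
    # Pass rule sits above the block rule: the CN address is allowed in.
    return evaluate([ALLOW_ALL, BLOCK_CN], CN_HOST, LOCAL_HOST)

def corrected():
    # Block rule sits above the pass rule: the CN address is dropped.
    return evaluate([BLOCK_CN, ALLOW_ALL], CN_HOST, LOCAL_HOST)
```

Run `misordered()` and `corrected()` to see the two outcomes; a non-quick floating pass rule is still overridden by a later matching interface block rule, which is why the pfBlockerNG rule placement matters.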