PfBlockerNG

Topper727

Just did the update to 1.08 and got

[ There were error(s) loading the rules: /tmp/rules.debug:23: cannot load /var/db/aliastables/pfB_Africa_v4.txt: No such file or directory - The line in question reads [23]: table persist file /var/db/aliastables/pfB_Africa_v4.txt]

BBcan177

@Topper727:

Just did the update to 1.08 and got

Did you try a "Force Reload"

meruem

Is it possible to select which internal IP addresses pfBlockerNG gets applied to? I want to be able to say use a blocklist for a specific internal device and all other devices will not be blocked by the blocklist

BBcan177

Hi meruem,

You can define the alias using an "Alias" list action (ie "Alias Deny"). This will allow you to create manually defined firewall rules with your specific requirements.

meruem

@BBcan177:

Hi meruem,

You can define the alias using an "Alias" list action (ie "Alias Deny"). This will allow you to create manually defined firewall rules with your specific requirements.

I see that pfBlockerNG added the IPv4 alias (which contains the large blocklist) I created to the firewall rules (action: block). I'm not sure how to only apply that firewall rule to a specific internal ip address(s) though. I tried editing the rule added by pfBlockerNG, and set the destination to a single internal IP address, but the rule is still being applied to all internal devices on my network

BBcan177

When you create the Alias, Set the "List Action" to "Alias Deny"… This way it will not create any Auto Rules. You can then create a new manual Firewall rule with your custom settings and then associate the Alias in the Rule.

meruem

BBcan177,

That worked perfect, Thanks.

In addition to the WAN incoming blocking, I created a firewall rule for LAN outgoing blocking. Firewall => Rules => LAN => Block => My Internal IP's Alias (Source) => External IP's Blocklist Alias (Destination) to complete the "no contact whatsoever with the blocklist IP's" thing I was going for

Also, I had to go to Diagnostics => States => Reset States. Because I found out, through testing, any established states before firewall changes do not adhere to the new firewall rules until the state has been removed from pfsense (either naturally or manually). I recommend this step to anyone doing the same thing as me, to complete the process

This is powerful and flexible. Now my blocklist(s) are not globally encompassing my entire network, and I do not have to tightly couple blocklists with client side software programs

BitechBob

Maybe somebody can give me some direction to a correcting an error.  Whenever I attempt to open pfBlockerNG > Alters tab it stalls and eventually displays a blank white page.  Going back to the default home page (index.php) an alert is displaying "pfSense has detected a crash report or programming bug. Click here for more information.". Opening the crash report page displays the following

–-- Start contents of Crash Report ---
Crash report begins.  Anonymous machine information:
amd64
10.1-RELEASE-p9
FreeBSD 10.1-RELEASE-p9 #0 57b23e7(releng/10.1)-dirty: Tue Apr 14 12:48:16 CDT 2015    root@factory22-amd64-builder.pfmechanics.com:/usr/obj.amd64/usr/pfSensesrc/src/sys/pfSense_SMP.10
Crash report details:
PHP Errors:
[07-May-2015 20:28:51 America/New_York] PHP Fatal error:  Allowed memory size of 268435456 bytes exhausted (tried to allocate 72 bytes) in /etc/inc/util.inc on line 728
[07-May-2015 20:31:03 America/New_York] PHP Fatal error:  Allowed memory size of 268435456 bytes exhausted (tried to allocate 72 bytes) in /etc/inc/util.inc on line 728
–- End contents of Crash Report ---

I have been sending the crash reports and thought that an update would correct the problem.

Hardware: pfSense C2758 recently purchased from the pfSense store
pfSense version 2.2.2-RELEASE (amd64)
pfBlockerNG version 1.08

Thank you in advance!!

BBcan177

Hi BitechBob,

Can you edit the file  /usr/local/www/pfblockerng/pfblockerng_alerts.php

and comment out line #703

$pfb_local = array_merge (subnet_expand ("{$list['subnet']}/{$list['subnet_bits']}"), $pfb_local);

There will be a fix for this soon… This is only an issue for systems that have a large CIDR range in a VIP address so this only needs to be edited in this scenario. You might notice that the Src/Dst Columns will not show the "!" and "+" icons on the Local IPs if alerts include any of these VIP addresses.

If you need any further help, send me a PM.

Thanks!

wiz561

OK, I have a stupid question.  I have to whitelist an IP of an FTP server in India.  I have pretty much everything blocked except for traffic in the US and Canada, mostly inbound only.  For the 'Top 20' tab, I have deny both.  For some reason, this server's IP is on the top 20 spammer country list.

I have setup a whitelist in the ipv4 tab and have it pointing to a txt file on my pfsense box.  In this setup, I have "Permit Both" for the "List Action".

So now my question.  By doing this, am I allow this IP to bypass all the other rules on my firewall, or does pfsenseng permit this IP first and then flow it through the other rules?  So, for example, if I allow this IP, will netbios traffic from this IP still get blocked because I have a firewall rule that blocks netbios inbound?

BitechBob

Thank you for the quick reply!!  I performed the edit but then for the same process I now receive

Parse error: syntax error, unexpected '}' in /usr/local/www/pfblockerng/pfblockerng_alerts.php on line 704

It's no big deal and I can live with it until the next release.

Again THANK YOU!

BBcan177

Hi wiz561,

I have posted in this thread about blocking the world, and allowing a few Countries.. You should reverse this approach to Permit a few instead.. You can read this thread for more details on that.

pfSense is a stateful firewall by design. So if you do not have any Open ports, its already implicitly deny on the Inbound. So any rule on the Inbound is a waste of processing time etc…

If you have a few open ports, you should consider creating an "Alias Deny" Rule for just those ports on the Inbound instead of blocking all other ports that are already going to be blocked by the implicit deny rule.

For a 'Whitelist', its best to make it an "Alias Permit" and only allow a certain port and the specific IPs you want to allow inbound in the Firewall Rule.

The way you have it now, with a "Permit Both" will bypass all of the other rules and is not safe.

BBcan177

@BitechBob:

Thank you for the quick reply!!  I performed the edit but then for the same process I now receive

Parse error: syntax error, unexpected '}' in /usr/local/www/pfblockerng/pfblockerng_alerts.php on line 704

It's no big deal and I can live with it until the next release.

Again THANK YOU!

Sorry about that… try this:  You need to add the part    $dd = 1;  along with commenting the previous line above.

elseif ($list['type'] == "single" || $list['type'] == "network")
		$dd = 1;
                //$pfb_local = array_merge (subnet_expand ("{$list['subnet']}/{$list['subnet_bits']}"), $pfb_local);
}

BitechBob

@BBcan177:

@BitechBob:

Thank you for the quick reply!!  I performed the edit but then for the same process I now receive

Parse error: syntax error, unexpected '}' in /usr/local/www/pfblockerng/pfblockerng_alerts.php on line 704

It's no big deal and I can live with it until the next release.

Again THANK YOU!

Sorry about that… try this:  You need to add the part    $dd = 1;  along with commenting the previous line above.

elseif ($list['type'] == "single" || $list['type'] == "network")
		$dd = 1;
                //$pfb_local = array_merge (subnet_expand ("{$list['subnet']}/{$list['subnet_bits']}"), $pfb_local);
}

Still getting error

Parse error: syntax error, unexpected '}' in /usr/local/www/pfblockerng/pfblockerng_alerts.php on line 704

No rush I can hold off until the next release.

wiz561

@BBcan177:

The way you have it now, with a "Permit Both" will bypass all of the other rules and is not safe.

Thanks for the information.  I went back and modified what I did so I could undo it, exclude the country for now, and will have to figure out how to properly do it.  I tried to create an alias and go that route, but it wasn't working properly for me.

I'll dig through the thread and see if I can find the proper way to create whitelists.  Thanks for the response and the information about it!

Mr. Jingles

Hi Sir BB  ;D ( :-* )

Weird, this suddenly happening the last few days:

[ pfB_IBlock IBlock_BT_Web ] Download FAIL 
 [ pfB_IBlock IBlock_BT_Web ] Found: 1483 Line(s), Restoring previous List from Master 

 [ pfB_IBlock IBlock_Badpeer ] Download FAIL [ 05/09/15 0:04:32 ]
 [ pfB_IBlock IBlock_Badpeer ] Found: 48551 Line(s), Restoring previous List from Master 

 [ pfB_IBlock IBlock_Proxy ] Download FAIL 
 [ pfB_IBlock IBlock_Proxy ] Found: 5754 Line(s), Restoring previous List from Master 

Many more of them like this, but I didn't want to polute  :P

The error log says:

===[ Suppression Stats ]========================================

List                 Pre        RFC1918    Suppress   Masterfile
----------------------------------------------------------------
grepcidr: Not a valid pattern: dfiles.eu
ET_Comp              157        157        157        156198    
grepcidr: Not a valid pattern: dfiles.eu
ET_Block             213        213        213        156198    
grepcidr: Not a valid pattern: dfiles.eu
Spamhaus_drop        62         62         62         156198    
grepcidr: Not a valid pattern: dfiles.eu

Many more of those too.

I've attached the full logs.

*Rename to .zip, as this efficiency-preventing, and hence the most valuable asset we have - time - wasting, forum software doesn't allow me to upload a *.zip

Would you have any clue, Mr. YesBBCan?

Thank you  ;D

BB_pack.jpg

doktornotor

Would be much better to post the content of the failing lists or link to them. As for the Spyeye thing, Http/1.1 Service Unavailable is definitely not pfBNG issue.

BBcan177

Hi Mr. J.

Did I ever say that i really hate IBlock… I think every so often they have an issue with some of their mirrors and there is some malformed data in one of those lists. The mirrors that I use don't seem to have this issue. What would really help is getting a copy of the original downloaded files.

The files are in  /var/db/pfblockerng/original

What i would need are the IBlock .gz and .orig files for these fails lists. Also a copy of the

/var/db/pfblockerng/masterfile

If you can send those to my email which is listed in the 'General' tab, I could take a look at it. Or put it in a dropbox or similar cloud storage and pm me the link.

After you copy those files, Try to run a "Force Reload" and see if that clears it. If not, Disable pfBlockerNG and Disable "Keep Settings" and run a "Force Update".... If it still doesn't clear it, disable the 'State' of those IBlock Lists and try the above process again without those Lists.

BBcan177

@doktornotor:

Would be much better to post the content of the failing lists or link to them. As for the Spyeye thing, Http/1.1 Service Unavailable is definitely not pfBNG issue.

Yes Abuse Spyeye seems to be down… Should disable the 'State' for now....

There also seems to be an issue with a few SSL sites (Juniper and dShield). When using https, the fetch command is getting some ssl errors which seem to be related to OpenSSL in pfSense.

pfcode

HI, Guys

I'm noob to pfSense and pfBlokerNG, I have set up all the country block rules (e.g pfb_Europe_v4) in the floating rules tab,  the rule order is pfSense Pass/match+pfbPass/Match+pfbBlock/Reject, I then set up a floating rule on the TOP of all other rules,  to permits one of the LAN IPs to access WAN without being blocked by the country rules or blocked by SNORT:

Action: Pass
Quick: Ticked
Interface: LAN
Direction: any
TCP/IP version: IPv4
Protocol: any
Source:  Type: Single hosts or alias
              Address:  AndroidMediaBox,  which is a IP alias, 192.168.1.xxx
Destination:  Wan net

but I can still see bunch of source ip (192.168.1.xxx, AndroidMediaBox) appeared at pfBlockNG Alerts tab as well as at the System logs/Firewall tab,  that were blocked by the country rule (pfb_Europe_v4),  Proto: UDP, CC: CH

I'm sure I'm doing something wrong, but can't figure it out,  so need some helps to fix the issue. Thanks.