Is PFBlockerNG a solution in need of a problem?
-
@jim1000:
The original question is still over there as post #1. To date, nobody has answered it although a lot of people have written replies …. some extremely hostile.
Still moaning? Still no fucking info posted despite endless requests? And still surprised you don't get answers?
-
@jim1000:
The original question is still over there as post #1. To date, nobody has answered it although a lot of people have written replies …. some extremely hostile.
Still moaning? Still no fucking info posted despite endless requests? And still surprised you don't get answers?
No, but you are kind of a joke to me now. Absolutely no credibility of any kind. Thanks for proving my point, as described above.
-
To answer your question, pfBlockerNG and Snort are just another level of security that you can place on top of pfSense.
pfSense as is, is an excellent firewall by itself and will keep the bad guys out for most people.
What you need to know is that if you open any port to the outside world, people will get in and try to exploit that port to find weaknesses in your installation. Even if you do not have any ports open, some will probe your firewall to determine what you have (type of equipment or devices coming out of your IP address) and catalog it for others to use (like the search engine shodan.io and others).
Once I know what firewall or services you use, or what device hides behind it, I can use that information to see if there are any weaknesses I can exploit. If you are a home user and have no ports open, then pfSense by itself is great and sufficient. However, if you want more then there is more.
The benefit that pfBlockerNG and Snort provide is a way to block these other attempts to infiltrate your system or learn more about what is happening on your network. These services (pfBlockerNG, Snort, Squid, Suricata, etc.) make your firewall more robust and resilient to attacks and provide you with information about who is trying what to get in or out of your system. Remember that what is coming out of your system is just as important as what is trying to come in. These are tools for advanced users but can be used by anyone.
pfBlockerNG in particular allows you to block bad guys that have already been identified as trying different attacks on systems (blacklists). I use about 25 such lists in my configuration (not a home installation) and block on average about 50,000 attempts a day. You can also block individuals coming in from specific countries. As you have seen from recent news, some countries regularly try to get into computers for different reasons. If you have no reason to expect visitors from a specific country you can block the entire country. I am not a fan of blocking complete countries but some do. Keep in mind that advanced hackers hide their origin, so blocking, for example, China does not guarantee that it is not coming from China. Most good hackers will have bounced and hidden their IPs several times before they hit your system. Keep in mind that you may not think that you have anything they may want, but remember some only want to use your resources to attack others. So even if you think that you have nothing to protect, you do have something of value for somebody out there.
IDS/IPS such as Snort and Suricata are another level above pfBlockerNG. They monitor and also block attempts to access your systems. Just because there are no ports open does not mean you are not being scanned. These tools identify who is scanning you and what they are trying to do. Armed with this information, an advanced user can formulate responses to these types of attacks or scans. Snort has rules that you can use that basically look for specific attacks seen by others and, if this type of attack occurs, block and drop the connection. IDS/IPS are not for everyone but are excellent tools to help lock down your system. My Snort blocks thousands of such attempts to infiltrate our systems every day.
So, bottom line, all of these tools and many others are designed to help keep bad guys out of your system. The best defense is having many layers of different security to make it very difficult for bad guys to get in, keeping in mind that nothing is completely secure.
My recommendation to you is to start with pfSense, which is excellent, and as you get more sophisticated and want additional security then add pfBlockerNG and some blacklists, and if you have the time and want to go further then consider Snort, Suricata and Squid if you need them. These tools however are not out-of-the-box solutions and require continual tuning and active monitoring to be effective. Out of the box and without tuning they will cause havoc since they will block most everything coming in or going out of your system, so websites, music, TV, etc. may no longer work.
Educate yourself on what these different tools do and see if you really want or need them. If you want some more information, read up on these tools and use some monitoring tools such as ntopng or Wireshark to see what is really happening, and decide if you really want or need the added complexity or security. For many, these added tools become their hobby and passion.
There are a lot of tools out there; none is perfect or covers everything, which is why everyone has their own approach and tool set they use.
-
To answer your question PFBlocker and Snort is just another level of security that you can place on top of PFsense.
…
Thank you for your reply. It covered a lot of territory and provides insights from an experienced user in a way a newbie like me can easily grasp. BTW, I'm not a networking newbie, just new with PFSense.
https://forum.pfsense.org/index.php?topic=95098.msg528769#msg528769
This is the post in the other thread that describes my equipment. It's small but has open ports. (Please be possibly the first to actually read it)
Besides building the router for a hobby, I was shocked to find out about how common and prevalent scanning was. Finding out about zmap was an eye opener. Anyone in the world now can rather easily be capable of quickly finding a vulnerability anywhere on the internet at any time- at least theoretically. In practice, it will probably be a few more years before it actually gets THAT easy.
I do online banking. My entire life is accessible to a clever person. So is yours and so are all who read this. My home PCs are protected with a myriad of software items, including Sandboxie, Zemana Anti-Keylogger, and internet security software, plus regular scans by Malwarebytes. Plus CCleaner washes regularly. It may sound like a lot, but really is not if you are organized. In fact, most is completely transparent. My wife doesn't notice or complain, and she would whine like anyone would if I made any part of it inconvenient.
pfSense, pfBlockerNG and Snort are hobby and next level. As I mentioned to someone else here a week or so ago when I asked some different general questions, I do not want to be surprised in a bad way when, someday, we all find out that NAT and SPI were good in their day, but then xxxx came out and decimated the home network. Wireshark may explain what's just happened. Nothing can predict what might happen.
Like all crooks, they will go after the easy targets first. Even a storm door will make a home invader go next door where the door looks a little easier to get through. You only have to outrun the slowest person to not get caught by the bear. I want to be a lot better and plan for the unknown, rather than argue about keeping safe from yesterday's threats. Especially when the people making them are a lot smarter than most of us. (and I'm pretty smart).
About PFBlockerNG; I'm still getting my feet wet. At this time I have country blocking inbound and maybe 10 lists also inbound. I'm still trying to wrap my head around blocking theory. What to block and why - then the best way to go about it. Hence my original post where I asked this same question.
Reading about how others use PFBlockerNG and why they use it that way would be beneficial.
I also got Snort running and found a suppression list that made it work a little better. It's just observing now. Next week, I plan to remove the imported suppression list and try to enter the false positives as they arrive on my own. There seems to be a debate about rule removal vs. suppression lists. I need to look more into that as I don't understand the issue yet.
My PC / router is powerful enough to handle what I throw at it. I want to fight today's threats using today's tech, not kludge together a junk PC that consumes hundreds of watts of electricity and makes lots of noise with whatever I have left over from 10 years ago to fight off attackers with gigabit tech and brains much bigger than mine.
Thanks.
Examples of actual use from actual users would be much appreciated.
-
Hi jim1000,
Say for example that you know x.x.x.x IP is a known malicious C&C server… You want to block access to that IP. You can create a manual firewall rule on the WAN interface to block that specific IP from gaining access.
However, when you have hundreds/thousands or more IPs to block, you don't want to do this manually, so you can create a pfSense container called an "Alias". Aliases can be created for "IPs", "Ports", or "URLs"... So you can manually create a new alias called "badguys" for example, and manually enter all of the bad IPs and add this alias to the block firewall rules instead of a single IP as suggested in the first paragraph above.
But this alias that you created is static. This is where pfBlockerNG comes in: it will download lists from whatever threat sources you configure, at a specified frequency, create aliases and create firewall rules automatically. It will also manage the IPs in the aliases, and add/remove IPs accordingly.
See the first page of this thread:
https://forum.pfsense.org/index.php?topic=86212.0
cjbujold wrote a great post about how to use these packages and create layers of security…
To decide what to block, that is up to you and the network considerations. No one knows that unless you actually post some details about your network...
If you have no open WAN ports, then you don't need to add any rules to block inbound, as pfSense is already blocking implicitly on the inbound. If you do have open ports on the WAN, I suggest you use the "Adv Inbound Settings" feature in pfBNG, and create a pfSense Ports/Destination alias, and rules will be created on the WAN to block only on those specific ports. This is more efficient and effective, as the pfSense packet filter doesn't need to process all packets and instead is optimized just to deal with the open ports and the destination LAN IPs of those packets only.
Most forget that outbound is just as important. It's best to block any packets going outbound to any of the known malicious IPs.
With country blocking, you can block/permit traffic from countries if this fits the design/needs of your network... What you don't want to do is block all countries except for permitting a few. This is not as efficient as just designing it to permit the few that you want.
The FreeBSD packet filter is very efficient at handling large lists of IPs, but there are some performance gains in keeping the lists to a size appropriate to what you are trying to achieve.
In my opinion, it's best to block the known malicious IPs at the firewall level and then only use the IDS to perform a deep inspection of the packets for other signs of maliciousness... So if you are blocking IPs with pfBlockerNG, it makes sense to not use the rule categories in Snort/ET that are IP based (ET Comp, ET Block, dShield etc.), as you are duplicating efforts.
There are some good threads in the IDS forum where you can get more advice... You can also run the IDS in "Non-Blocking" mode for a week or two to weed out the False positives, and then turn on Blocking mode... None of these packages are turn it on, and forget about it... :)
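The post above describes, in prose, what pfBlockerNG does with a downloaded list: parse it, fold it into an alias (a pf table), and hang block rules off that table, optionally restricted to the open ports and destinations. The following Python script is an added example that walks through the same pipeline offline; it is not pfBlockerNG's code and not the poster's. The two feeds are constructed sample data, not real threat intelligence, and the pf.conf output assumes a `$wan` macro and uses plain pf syntax rather than the exact rules pfBlockerNG generates. It also shows why collapsing overlapping entries matters: the /25 and the stray hosts in feed B vanish into the /24s from feed A, so the table the packet filter has to search gets smaller.

```python
import ipaddress
from typing import Iterable, List, Union

Net = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Constructed sample feeds (not real threat data). Real lists mix CIDRs,
# single hosts, comments, blank lines, duplicates and the odd garbage line.
FEED_A = """# constructed feed A
203.0.113.0/24
198.51.100.7
198.51.100.7
this is not an address
"""
FEED_B = """# constructed feed B
198.51.100.0/25
203.0.113.5
192.0.2.0/24
2001:db8::/32
"""


def parse_feed(text: str) -> List[Net]:
    """Turn one downloaded list into network objects.

    Bare hosts become /32 (or /128) networks. Comment text after '#' or ';'
    and lines that do not parse are skipped rather than aborting the feed,
    because one bad line must not leave the whole table empty.
    """
    nets: List[Net] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        try:
            nets.append(ipaddress.ip_network(line, strict=False))
        except ValueError:
            continue
    return nets


def merge_feeds(feeds: Iterable[str]) -> List[Net]:
    """Deduplicate and collapse overlapping entries across all feeds.

    An entry already covered by a wider block in another feed is dropped and
    adjacent blocks are joined, so the table handed to pf is as small as it
    can be. IPv4 and IPv6 are collapsed separately; the result is sorted.
    """
    nets = [n for feed in feeds for n in parse_feed(feed)]
    v4 = sorted(ipaddress.collapse_addresses([n for n in nets if n.version == 4]))
    v6 = sorted(ipaddress.collapse_addresses([n for n in nets if n.version == 6]))
    return v4 + v6


def is_blocked(table: Iterable[Net], address: str) -> bool:
    """Answer the question the firewall answers: is this address in the table?"""
    ip = ipaddress.ip_address(address)
    return any(ip.version == n.version and ip in n for n in table)


def render_pf_rules(name: str, table: Iterable[Net],
                    open_ports: List[int] = None, dest_alias: str = None) -> str:
    """Emit a pf.conf-style table plus block rules for the merged list.

    Assumptions (illustrative, not pfBlockerNG's real output): the WAN
    interface lives in a $wan macro. Without open_ports, everything from the
    table is blocked inbound and everything to it outbound. With open_ports,
    the inbound rule only matches the exposed ports and destination alias,
    mirroring the "Adv Inbound Settings" idea so that pf consults the table
    for far fewer packets.
    """
    entries = ", ".join(str(n) for n in table)
    lines = [f"table <{name}> persist {{ {entries} }}"]
    if open_ports:
        ports = " ".join(str(p) for p in open_ports)
        dest = f"<{dest_alias}>" if dest_alias else "any"
        lines.append(f"block in quick on $wan proto {{ tcp udp }} from <{name}> "
                     f"to {dest} port {{ {ports} }} label \"{name}_in\"")
    else:
        lines.append(f"block in quick on $wan from <{name}> to any label \"{name}_in\"")
    # Outbound matters as much as inbound: a compromised host phoning home
    # to a listed address is stopped here.
    lines.append(f"block out quick on $wan from any to <{name}> label \"{name}_out\"")
    return "\n".join(lines)


if __name__ == "__main__":
    merged = merge_feeds([FEED_A, FEED_B])
    print(render_pf_rules("pfB_badguys", merged,
                          open_ports=[22, 443], dest_alias="pfB_open_dests"))
    for probe in ("203.0.113.77", "198.51.100.200", "2001:db8::1"):
        print(probe, "blocked" if is_blocked(merged, probe) else "allowed")
```

Running it prints a four-entry table (three IPv4 blocks and one IPv6 block) even though the two feeds contributed seven usable lines, followed by the two rules. 198.51.100.200 is reported as allowed because only the lower /25 of that range was listed; that is the kind of detail worth checking before trusting a list, since a feed author's intent and the literal CIDR can differ.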
-
@jim1000:
I'm a new PFSense user, coming from DD-WRT. I got OpenVPN working well and some port forwarding for a few media devices. Now it's time for the advanced firewall stuff.
Just installed PFBlockerNG. I set all countries except US to deny inbound both IPv4 and IPv6. I found 8 lists (links) on this site to put in IPv4 blocking. They were from a post from the amazing person who wrote PFBlockerNG. They're supposed to be malicious sites. I set to deny inbound and outbound.
This level of firewall is new to me.
Did I do the right stuff to get started? Was it overkill or should I do more? Is there a repository of lists I should look at? Are there more lists I should add? Should I load and configure snort in addition, or is this enough?
My PC is newly built. It uses a fanless Supermicro MB with a J1900 processor, twin Intel Ethernet ports, 8GB RAM, 120GB SSD in a Mini-ITX M350 case. This is for reference in case power considerations are a factor. Internet is 25/5 but will go to 50/10 or a little more later. GB speeds not likely. It's a home router with light demands. My old router is now a wireless access point.
Thanks.
BBcan177 and others,
First, THANK YOU for your reply. I will study it.
Since nobody wants to look at the original post - which describes my network and also was the post that touched off all the animosity referred to above - IT IS QUOTED ABOVE.
This describes my network. As I said it's small. However, I want protection as if it were guarding the crown jewels and could be accessed from anywhere at any time without proper protections. And I plan to invest the time and effort to reach my goal.
just in case you need more … it's a typical home network with about 30 ip addresses in use, never concurrently. It has a couple of wireless access points. A NAS. However, to my estimation, none of this is really relevant. I'm thinking broadly for future unknowable threats, not in terms of protecting a mail server and / or a web server today. I'm considering the next threat nobody can imagine, not the one that happened last month.
I would also like to read about brief examples of how others use it daily. I am most interested in getting to the point where I understand it and feel it is an element in protecting me from both known and unknown threats.
Thanks, much.
-
@jim1000:
The final person who offered several replies freely mentioned he had NO experience with PFBlockerNG, then went on to offer lots of opinions about it and how it should be configured (remember, he has no experience with it by his own admission.) All went on to offer advice about how I should be doing lots of other things to configure my firewall, most of which appeared to have nothing to do with PFBlockerNG. None appeared to actually understand country blocking or the use of the 'malware lists,' as I describe them, as all offered scolding assumptions about how they think they might work, and then how their fantasy interpretation should be ignored in favor of an answer pulled out of thin air.
I was happily reading one of my favorite forums - this one - when I came along your very first thread and next this thread. I felt like logging in and adding my thoughts for your enlightenment.
I've noticed you started by pissing off/insulting doktornotor, who returned the favor to you. Now you are insulting the great Bmeeks in the above quote. I'm only waiting for you to start insulting BB too, and then I will start a petition, crowd funding if need be, to babip you.
Seriously, usually I stay out of flames, but I can't help being rather irritated by you insulting all the great great people that have tried to help you.
Are you sure you don't belong in the Walmart All-In-One-Great-Security Appliance-Now-For-Sale-29 USD-only target audience?
This is an extremely helpful FreeBSD spirit community with nice people: don't insult them, they by no means deserve that (that's what Linux and Windows forums are for ;D ).
Happy learning all you need to learn.
'M'out.
-
@Mr.:
I was happily reading one of my favorite forums - this one - when I came along your very first thread and next this thread. I felt like logging in and adding my thoughts for your enlightenment.
…
Hi Mr Jingles.
Thanks, again, for proving my point. I like how the original fellow suckered others into starting a flame war, which you just happily joined without a single regard for facts. Just noise and light.
I learned a long time ago to push back at bullies and others with 1) issues that they need to push others around, or 2) sucker people such as you into doing it for them, then laugh about it and feel good because of the power they feel they have over others … such as yourself.
As I said, it's unfortunate how people like the OP can trick others into circling the wagons on his behalf. I bet you feel insulted and defensive because I actually stood up for myself and pushed back. Every office has one or two. They're glib, social and sociable, highly likable to most, manipulative, good at looking like a victim to get people protective of them, good at starting pity parties on their behalf, and excel at using others as a focal point in a destructive way to control the group. The best way to anger one is to throw a monkey-wrench in their plan to manipulate. They love destroying people, or, more to the point, getting others to do it for them. It's what gets them out of bed in the morning. This is the infection I walked into.
Wake up, please.
This will be my last post on this subject or here. (Cue the trolls for a loud cheer. You won. PFSense lost.) While there are some very good techies here I would like to read more from, it's too much of an ordeal to have to put up with the flotsam. Besides, it looks like standing up to them got me blacklisted. Anyone who replies thoughtfully now will be fodder for trolls in retribution.
Thanks to all who were good to correspond with before the OP decided to hijack the entire forum, have some fun with you and egg you on. Your replies got me started and I'm moving along nicely.
I had hoped to learn and then pay it back in here with other newbies, but the trolls won't allow it and the moderators won't police them. They will feel victorious by this post. So will those here who are subordinate to the trolls.
I'm learning more and more about PFSense daily. It's a good product in spite of the troll element here. I may continue to use it or I may move on to a different software router after I learn the basics of software router operations in general by using PFSense. I'm only thankful it was free. There's no way on earth I would spend money on something that was so indirectly influenced so heavily by the troll element here.
-
@jim1000:
Thanks, again, for proving my point. I like how the original fellow suckered others into starting a flame war, which you just happily joined without a single regard for facts. Just noise and light.
…
I suckered no one into anything. You behave like an idiot – come here, asking for help, and when asked for relevant information, you "stood up for yourself" with a stubborn refusal to provide that info, and instead started this incessant moaning/bitching/crybaby fest and insulting people left and right. Then you felt the need to expand your useless moaning to this useless thread, because the original one wasn't enough. And then decided it'd be a wonderful idea to hijack other people's threads for your complaints as well – such as this one.
No one's interested here in your psychological discourse nor this off-topic shit. Go see a shrink if you want to have a similar chat. This is a technical forum dealing with pfSense.
@jim1000:
Wake up, please.
Get lost with this useless crap, please.
-
@jim1000:
Thanks, again, for proving my point. I like how the original fellow suckered others into starting a flame war, which you just happily joined without a single regard for facts. Just noise and light.
…
I suckered no one into anything. …
Dok, we both know we often disagree on things, mostly because I try to be nice and you don't give a sh*t about being nice; this time I admire you for your Master's qualities in this area ( ;D ;D ;D ).
I'm with you: BABIP.
-
@Mr.:
Dok, we both know we often disagree on things, mostly because I try to be nice and you don't give a sh*t about being nice; this time I admire you for your Master's qualities in this area ( ;D ;D ;D ).
You have no idea how many swear words, insults and invectives were dropped from the post you quoted before I finally dared to hit the "Post" button… ;D :D
-
this thread is useless, ending it here.