PfBlockerNG
-
No.
-
Well then something is working wrong.
If I try to access "twitch.tv" the alert tab shows me this "IBlock_Ads 192.16.64.0/21" and the connection gets refused. (Tested in Firefox) (PfSense 2.2.3 amd64 full install)
Pressing the "+" button ends in this "Host IP address 192.16.71.176 already exists in the pfBlockerNG Suppress Table."
In the Interface rules, there is no auto created rule using the alias "pfBlockerNGSuppress".
I hope I provided enough information to figure this out.
Thanks for your help!
-
Well then something is working wrong.
If I try to access "twitch.tv" the alert tab shows me this "IBlock_Ads 192.16.64.0/21" and the connection gets refused. (Tested in Firefox) (PfSense 2.2.3 amd64 full install)
Pressing the "+" button ends in this "Host IP address 192.16.71.176 already exists in the pfBlockerNG Suppress Table."
In the Interface rules, there is no auto created rule using the alias "pfBlockerNGSuppress".
I hope I provided enough information to figure this out.
Thanks for your help!
Please read the following post to answer your questions :
https://forum.pfsense.org/index.php?topic=86212.msg513676#msg513676 -
I read that posting but it doesn't helped really.
This is what I do:
Try to access "www.twitch.tv"
See that it's blocked by following Alias List "IBlock_Ads 192.16.64.0/21"
Try to supress it with the "+".
Message that it's already supressed pops up.
Checking the PfBlockerNGSupress alias and see this "pfBlockerNGSuppress 192.16.71.176/32, 192.16.71.176/24 "
Running a forced cron task.
Try to access "www.twitch.tv" again. It is still blocked.
There is something I'm doing wrong, but I can't figure it out.
-
You can't use suppression when the blocked IP is in a CIDR like /21.
Hover over the "+" or the List column in the Alerts tab and you are presented with instructions.
So to circumvent this, create a new "permit Outbound" alias in pfBNG and add the IP to the custom entry box. This will create a permit outbound firewall rule above the Block rules.
-
You can't use suppression when the blocked IP is in a CIDR like /21.
So to circumvent this, create a new "permit Outbound" alias in pfBNG and add the IP to the custom entry box. This will create a permit outbound firewall rule above the Block rules.
Ahh thats it! Thank you!
Just one last question, how can I delete hosts from the suppression list? I removed the the Alias but there are still 2 Hosts suppressed.
-
Sorry if this has already been posted. I did a search but the terms are too general. :(
@BBcan177 in your original script on Github, you have a local source for a list where you're pulling from the local Suricata 'rules' directory. I looked in that directory and I see a bunch of policy rules, but I don't see any IP lists.
So my question is, is this still valid and, if so, how do I add it to pfBlockerNG?
Here's an easy link to the gist.
https://gist.github.com/BBcan177/3cbd01b5b39bb3ce216a
-
Here is a link to a script that I wrote which will import blocklists into pfBNG.
https://forum.pfsense.org/index.php?topic=86212.msg508975#msg508975The rules in Snort/Suricata that contain IPs are in the botnet, compromised, drop, dshield and port-grouped categories. The script above, has these lists already, so it might not be worth to use the Snort/Suricata files. However, I did notice that there are some discrepancies between the Original Lists vs Snort/Suricata rules for these IPs. I use the ET Pro rules, so maybe those rules have some IPs that are not in the free Open Rulesets.
You can write a small script to pull those IPs and put them into a text file. Create a Cron task and then pull that into pfBNG if you wish:
Just change the path to reflect the IDS type (Snort/Suricata) and either i386/amd64.
find /usr/pbi/snort-amd64/etc/snort/rules/* -name '*bot*' -o -name '*ciarmy*' -o -name '*compromised*' -o -name '*drop*' -o -name '*dshield*' -o -name '*portgrouped*' | xargs cat | grep -aoEw -e "(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?/[0-9]{2})" -e "(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)" | sort | uniq > /tmp/ips.txt -
Thank you! I'll give this a try.
-
@BBcan177 this worked amazingly! Thank you!
-
Did that fix your problem Jamerson?
no still waiting for some answers,
whenever i activate the pfBlockerNG the internet stops working.We need to see rules.debug or a screenshot of the rules created to give you any information.
what rules are referring to ? Firewall rules or the pfblocker NG rules ?
-
what rules are referring to ? Firewall rules or the pfblocker NG rules ?
Can you post both?
-
I'm sorry by the "stupid question" but….
If i have a DNS and SMTP server (to work my mail and domains) can i use pfblockerng to block all Africa and Asia ??? (i don't have any mail/relation with us)
You will continue to run the dns? or i have problems ???
-
virusbcn - Yes you can block individual countries or entire continents. Default deny inbound rule is blocks all traffic, if you don't want to block everything you can specify which ports you would like to block (53,25,587,995) and allow everything else.
-
Upgraded to 2.2.4 and in the log I see the following error. Any ideas on how to fix? These are files I had created previously and they have been working fine for several months. I see no change in the IDE screen, the list is shown properly.
Thanks
[ pfB_shodan shodan ] Download FAIL
[ pfB_shodan shodan ] Local File Failure[ pfB_BadIPV6 BadIP6_v6 ] Download FAIL
[ pfB_BadIPV6 BadIP6_v6 ] Local File Failure -
Hi cjbujold,
Which folder did you place the localfile into? Are you sure that it still exists after the re-install? You can view the various folders in the pfBNG log browser tab.
-
The issue seems to be with IP6 the IP4 are working properly but when I create an IPv6 table the first one gets created but the second or third list does not. The folder use is /var/db/aliastables
Thnaks
-
I am having issues with squid + pfBlockerNG
I have squid + squidguard running with shalalist as a black list
I added an IP for a website that I use to a custom pfBlockerNG alias.
Put that alias in the floating rules, blocking to and from the IP's.
The single IP I can still get to when put into my web browser….....however, if I open a command prompt and try to ping it, it is blocked.
How can I get squid to play nice with my block list?
-
Dude. Squid issues do not go on this thread.
-
Right…..so are you saying my squid is misconfigured?
Cause I was under the impression I did not set my firewall rules correctly if there was no blocking going on......
