PfBlockerNG
-
I read that posting but it doesn't helped really.
This is what I do:
Try to access "www.twitch.tv"
See that it's blocked by following Alias List "IBlock_Ads 192.16.64.0/21"
Try to supress it with the "+".
Message that it's already supressed pops up.
Checking the PfBlockerNGSupress alias and see this "pfBlockerNGSuppress 192.16.71.176/32, 192.16.71.176/24 "
Running a forced cron task.
Try to access "www.twitch.tv" again. It is still blocked.
There is something I'm doing wrong, but I can't figure it out.
-
You can't use suppression when the blocked IP is in a CIDR like /21.
Hover over the "+" or the List column in the Alerts tab and you are presented with instructions.
So to circumvent this, create a new "permit Outbound" alias in pfBNG and add the IP to the custom entry box. This will create a permit outbound firewall rule above the Block rules.
-
You can't use suppression when the blocked IP is in a CIDR like /21.
So to circumvent this, create a new "permit Outbound" alias in pfBNG and add the IP to the custom entry box. This will create a permit outbound firewall rule above the Block rules.
Ahh thats it! Thank you!
Just one last question, how can I delete hosts from the suppression list? I removed the the Alias but there are still 2 Hosts suppressed.
-
Sorry if this has already been posted. I did a search but the terms are too general. :(
@BBcan177 in your original script on Github, you have a local source for a list where you're pulling from the local Suricata 'rules' directory. I looked in that directory and I see a bunch of policy rules, but I don't see any IP lists.
So my question is, is this still valid and, if so, how do I add it to pfBlockerNG?
Here's an easy link to the gist.
https://gist.github.com/BBcan177/3cbd01b5b39bb3ce216a
-
Here is a link to a script that I wrote which will import blocklists into pfBNG.
https://forum.pfsense.org/index.php?topic=86212.msg508975#msg508975The rules in Snort/Suricata that contain IPs are in the botnet, compromised, drop, dshield and port-grouped categories. The script above, has these lists already, so it might not be worth to use the Snort/Suricata files. However, I did notice that there are some discrepancies between the Original Lists vs Snort/Suricata rules for these IPs. I use the ET Pro rules, so maybe those rules have some IPs that are not in the free Open Rulesets.
You can write a small script to pull those IPs and put them into a text file. Create a Cron task and then pull that into pfBNG if you wish:
Just change the path to reflect the IDS type (Snort/Suricata) and either i386/amd64.
find /usr/pbi/snort-amd64/etc/snort/rules/* -name '*bot*' -o -name '*ciarmy*' -o -name '*compromised*' -o -name '*drop*' -o -name '*dshield*' -o -name '*portgrouped*' | xargs cat | grep -aoEw -e "(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?/[0-9]{2})" -e "(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)" | sort | uniq > /tmp/ips.txt -
Thank you! I'll give this a try.
-
@BBcan177 this worked amazingly! Thank you!
-
Did that fix your problem Jamerson?
no still waiting for some answers,
whenever i activate the pfBlockerNG the internet stops working.We need to see rules.debug or a screenshot of the rules created to give you any information.
what rules are referring to ? Firewall rules or the pfblocker NG rules ?
-
what rules are referring to ? Firewall rules or the pfblocker NG rules ?
Can you post both?
-
I'm sorry by the "stupid question" but….
If i have a DNS and SMTP server (to work my mail and domains) can i use pfblockerng to block all Africa and Asia ??? (i don't have any mail/relation with us)
You will continue to run the dns? or i have problems ???
-
virusbcn - Yes you can block individual countries or entire continents. Default deny inbound rule is blocks all traffic, if you don't want to block everything you can specify which ports you would like to block (53,25,587,995) and allow everything else.
-
Upgraded to 2.2.4 and in the log I see the following error. Any ideas on how to fix? These are files I had created previously and they have been working fine for several months. I see no change in the IDE screen, the list is shown properly.
Thanks
[ pfB_shodan shodan ] Download FAIL
[ pfB_shodan shodan ] Local File Failure[ pfB_BadIPV6 BadIP6_v6 ] Download FAIL
[ pfB_BadIPV6 BadIP6_v6 ] Local File Failure -
Hi cjbujold,
Which folder did you place the localfile into? Are you sure that it still exists after the re-install? You can view the various folders in the pfBNG log browser tab.
-
The issue seems to be with IP6 the IP4 are working properly but when I create an IPv6 table the first one gets created but the second or third list does not. The folder use is /var/db/aliastables
Thnaks
-
I am having issues with squid + pfBlockerNG
I have squid + squidguard running with shalalist as a black list
I added an IP for a website that I use to a custom pfBlockerNG alias.
Put that alias in the floating rules, blocking to and from the IP's.
The single IP I can still get to when put into my web browser….....however, if I open a command prompt and try to ping it, it is blocked.
How can I get squid to play nice with my block list?
-
Dude. Squid issues do not go on this thread.
-
Right…..so are you saying my squid is misconfigured?
Cause I was under the impression I did not set my firewall rules correctly if there was no blocking going on......
-
The issue seems to be with IP6 the IP4 are working properly but when I create an IPv6 table the first one gets created but the second or third list does not. The folder use is /var/db/aliastables
Thnaks
Hi cjbujold, I have tested adding multiple IPv6 lists to a single alias, and also tested adding multiple IPv6 Aliases and can't reproduce your issue.
Can you post a screenshot of the issue? Your localfile shouldn't be saved to /var/db/aliastables, that is the final folder location that pfSense uses to load the tables. You should save your localfile in ie: /var/db/pfblockerng for example.
Thanks!
-
sorry if this questions has been asked before cant seem to find it in this thread.
can I block adult websites with the pfBlockerNG ? because the proxy servers / filter doesn't seems to works since 2.2thank you
-
Has anyone else looked at Critical Shiack's Free Threat Intel Marketplace and thought how it could be used in pfsense?? They already have 104 feeds, and doing normalization on them. The dash board allows you to create collections from the differnet feeds which could in theroy be used with pfBlockerNG, seems like a good match.
https://intel.criticalstack.com/
Edit: Just set this up on a test system and used the command line client to export the final file which combined sources from 10 different lists, example of the output.
#fields indicator indicator_type meta.source meta.do_notice 62.210.72.158 Intel::ADDR from http://rules.emergingthreats.net/blockrules/emerging-botcc.rules via intel.criticalstack.com F 62.245.45.132 Intel::ADDR from http://rules.emergingthreats.net/open/suricata/rules/compromised.rules via intel.criticalstack.com FNext step of getting it into a format pfBlockerNG can import is simple, so we can make this work. But a plugin that hooks directly into criticalstack.com via an API would be a powerful tool, could then be uses in any package via aliases.
Thoughts?
Tony
