PfBlockerNG
-
You can't use suppression when the blocked IP is in a CIDR like /21.
So to circumvent this, create a new "permit Outbound" alias in pfBNG and add the IP to the custom entry box. This will create a permit outbound firewall rule above the Block rules.
Ahh thats it! Thank you!
Just one last question, how can I delete hosts from the suppression list? I removed the the Alias but there are still 2 Hosts suppressed.
-
Sorry if this has already been posted. I did a search but the terms are too general. :(
@BBcan177 in your original script on Github, you have a local source for a list where you're pulling from the local Suricata 'rules' directory. I looked in that directory and I see a bunch of policy rules, but I don't see any IP lists.
So my question is, is this still valid and, if so, how do I add it to pfBlockerNG?
Here's an easy link to the gist.
https://gist.github.com/BBcan177/3cbd01b5b39bb3ce216a
-
Here is a link to a script that I wrote which will import blocklists into pfBNG.
https://forum.pfsense.org/index.php?topic=86212.msg508975#msg508975The rules in Snort/Suricata that contain IPs are in the botnet, compromised, drop, dshield and port-grouped categories. The script above, has these lists already, so it might not be worth to use the Snort/Suricata files. However, I did notice that there are some discrepancies between the Original Lists vs Snort/Suricata rules for these IPs. I use the ET Pro rules, so maybe those rules have some IPs that are not in the free Open Rulesets.
You can write a small script to pull those IPs and put them into a text file. Create a Cron task and then pull that into pfBNG if you wish:
Just change the path to reflect the IDS type (Snort/Suricata) and either i386/amd64.
find /usr/pbi/snort-amd64/etc/snort/rules/* -name '*bot*' -o -name '*ciarmy*' -o -name '*compromised*' -o -name '*drop*' -o -name '*dshield*' -o -name '*portgrouped*' | xargs cat | grep -aoEw -e "(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?/[0-9]{2})" -e "(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)" | sort | uniq > /tmp/ips.txt
-
Thank you! I'll give this a try.
-
@BBcan177 this worked amazingly! Thank you!
-
Did that fix your problem Jamerson?
no still waiting for some answers,
whenever i activate the pfBlockerNG the internet stops working.We need to see rules.debug or a screenshot of the rules created to give you any information.
what rules are referring to ? Firewall rules or the pfblocker NG rules ?
-
what rules are referring to ? Firewall rules or the pfblocker NG rules ?
Can you post both?
-
I'm sorry by the "stupid question" but….
If i have a DNS and SMTP server (to work my mail and domains) can i use pfblockerng to block all Africa and Asia ??? (i don't have any mail/relation with us)
You will continue to run the dns? or i have problems ???
-
virusbcn - Yes you can block individual countries or entire continents. Default deny inbound rule is blocks all traffic, if you don't want to block everything you can specify which ports you would like to block (53,25,587,995) and allow everything else.
-
Upgraded to 2.2.4 and in the log I see the following error. Any ideas on how to fix? These are files I had created previously and they have been working fine for several months. I see no change in the IDE screen, the list is shown properly.
Thanks
[ pfB_shodan shodan ] Download FAIL
[ pfB_shodan shodan ] Local File Failure[ pfB_BadIPV6 BadIP6_v6 ] Download FAIL
[ pfB_BadIPV6 BadIP6_v6 ] Local File Failure -
Hi cjbujold,
Which folder did you place the localfile into? Are you sure that it still exists after the re-install? You can view the various folders in the pfBNG log browser tab.
-
The issue seems to be with IP6 the IP4 are working properly but when I create an IPv6 table the first one gets created but the second or third list does not. The folder use is /var/db/aliastables
Thnaks
-
I am having issues with squid + pfBlockerNG
I have squid + squidguard running with shalalist as a black list
I added an IP for a website that I use to a custom pfBlockerNG alias.
Put that alias in the floating rules, blocking to and from the IP's.
The single IP I can still get to when put into my web browser….....however, if I open a command prompt and try to ping it, it is blocked.
How can I get squid to play nice with my block list?
-
Dude. Squid issues do not go on this thread.
-
Right…..so are you saying my squid is misconfigured?
Cause I was under the impression I did not set my firewall rules correctly if there was no blocking going on......
-
The issue seems to be with IP6 the IP4 are working properly but when I create an IPv6 table the first one gets created but the second or third list does not. The folder use is /var/db/aliastables
Thnaks
Hi cjbujold, I have tested adding multiple IPv6 lists to a single alias, and also tested adding multiple IPv6 Aliases and can't reproduce your issue.
Can you post a screenshot of the issue? Your localfile shouldn't be saved to /var/db/aliastables, that is the final folder location that pfSense uses to load the tables. You should save your localfile in ie: /var/db/pfblockerng for example.
Thanks!
-
sorry if this questions has been asked before cant seem to find it in this thread.
can I block adult websites with the pfBlockerNG ? because the proxy servers / filter doesn't seems to works since 2.2thank you
-
Has anyone else looked at Critical Shiack's Free Threat Intel Marketplace and thought how it could be used in pfsense?? They already have 104 feeds, and doing normalization on them. The dash board allows you to create collections from the differnet feeds which could in theroy be used with pfBlockerNG, seems like a good match.
https://intel.criticalstack.com/
Edit: Just set this up on a test system and used the command line client to export the final file which combined sources from 10 different lists, example of the output.
#fields indicator indicator_type meta.source meta.do_notice 62.210.72.158 Intel::ADDR from http://rules.emergingthreats.net/blockrules/emerging-botcc.rules via intel.criticalstack.com F 62.245.45.132 Intel::ADDR from http://rules.emergingthreats.net/open/suricata/rules/compromised.rules via intel.criticalstack.com F
Next step of getting it into a format pfBlockerNG can import is simple, so we can make this work. But a plugin that hooks directly into criticalstack.com via an API would be a powerful tool, could then be uses in any package via aliases.
Thoughts?
Tony -
I've looked at C.S. before, but I don't really see any current benefit to integrate it into pfBNG.
All of the feeds are free and can be used directly in pfBNG 'as is'. This allows greater control over the feeds and on the frequency of the updates to the Source Feeds. The de-duplication (normalization) in CS is done on a "Class" basis, versus as a whole with pfBNG. Not to mention that pfBNG can take into consideration Country/Continent blocking and further de-duplicate redundant IPs that are already being blocking by a Country/Continent blocklist. I also assume that de-duplication in CS is not done on a CIDR basis as in pfBNG and instead is de-duplicated on a 1:1 basis.
It should also be noted that CS formats the Feeds to be used primarily with BRO. There are also limitations/efficiency issues with large lists as is noted on the CS site. Also having CS process these free Feeds, add extra text per line, and then have pfBNG strip away the extra text to get the IP/Domain is a bit redundant when the Free Feed can be downloaded directly with pfBNG. Some of the Domain based Feeds also mix some IPs which pfBNG can process into an IP Blocklist automatically.
pfBNG can also make use of "Reputation" to further analyse the maliciousness of an IP range.
pfBNG v2.0 (expected to post a Pull Request in the next few weeks), will have DNSBL Domain name blocking via Unbound DNS.
Of the 104 Lists currently available in CS, most of those are listed in the Script that I have provided in this Thread previously. Some of the Sources (BBC, hpHosts for example) have listed all of their feeds individually (some Feeds provide a combined Feed URL) which exaggerates the number of Feeds available. Most of the Domain based Feeds provided in CS are also being beta tested in the DEV version of pfBNG by several beta testers. I have written a Domain parser for the 'Original' Source Feeds and to use the CS Domain based feeds, I would have to re-write the code to allow for the change in format.
I also prefer to deal with the 'Original' provider of Feeds instead of using a 'middleman' approach. If anything, CS can be used as a listing of Feeds that are freely available, and these can be used directly in pfBNG without the need to have the Feeds processed by CS.
Next steps for pfBNG will be to implement an improved method to add Source Feed URLs, instead of manually adding these one by one. I am considering some scenarios for upcoming releases.
-
Yes, I've got it all worked out now very good work sir on this package.
As far as the AdBlock on iblock, you are right it isn't the greatest. I have a question since your doing most of the design it seems, when 2.0 expected for one and two are the list going to be limited to only IP lists or could we say use the AdBlock plus list aka easylist?
Yes I am the Developer of the package .. I haven't put much development into it for the past couple weeks, since v1.0 was released.. Maybe another month or so… I want to make sure that its stable and all the tires kicked every which way by the beta testers that helped me with v1.0 :)
You can see some more Features in this link:
https://forum.pfsense.org/index.php?topic=78356.msg477682#msg477682I have all of the features in the link working and will be working on Easylist next...
Hi, are there any progress with the easylist integration? :)
Regards.