PfBlockerNG
-
@Music:
What is the difference between floating rules enabled and disabled. As i see in the rules the list gets moved from wan to floating but are the same.
Floating Rules are processed before any other Interface rules. Rules are processed top to bottom. You can find more details in the pfSense Wiki documents.
I am not sure what you mean by:
Do the floating rules use a extra list that i can setup somewhere and/or remove/edit?"
Floating or other Firewall rules are both configured by the Alias "List Action" setting, and also by the "General Tab" settings for the Inbound/Outbound Interfaces.
-
yes exactly the IP is from Germany, and i didn't block Germany at all.
when i was last weekend in Germany i couldn't log using VPN to the server. neither the OWA.
also on the same weekend users were on Spain and they couldn't VPN to the server.From the data provided, the Maxmind database looks to be functioning properly.
When you are having these kinds of issues, you need to look at the pfBNG Alerts Tab. It will give you a summary of what is being blocked and by what List. Then you can start to see what to change.
I would also recommend using a "Permit Inbound" Rule to the open WAN ports. This way you can "Allow" only the Countries you want, instead of trying to block the world.
-
Hi, are there any progress with the easylist integration? :)
Yes I hope to submit it soon. If you would like to help Beta test v2.0, please send me a PM.
Note: Came across this today:
http://www.webroot.com/blog/2015/08/19/adblocker-plus-puts-osx-at-risk/ -
@Music:
What is the difference between floating rules enabled and disabled. As i see in the rules the list gets moved from wan to floating but are the same.
Floating Rules are processed before any other Interface rules. Rules are processed top to bottom. You can find more details in the pfSense Wiki documents.
I am not sure what you mean by:
Do the floating rules use a extra list that i can setup somewhere and/or remove/edit?"
Floating or other Firewall rules are both configured by the Alias "List Action" setting, and also by the "General Tab" settings for the Inbound/Outbound Interfaces.
i did read about the floating rules. But im still puzzled by how some ip's are blocked when i enabled the floating rules. While the rule lists are the same. But i don't need to use floating rules so its all good now :)
-
yes exactly the IP is from Germany, and i didn't block Germany at all.
when i was last weekend in Germany i couldn't log using VPN to the server. neither the OWA.
also on the same weekend users were on Spain and they couldn't VPN to the server.From the data provided, the Maxmind database looks to be functioning properly.
When you are having these kinds of issues, you need to look at the pfBNG Alerts Tab. It will give you a summary of what is being blocked and by what List. Then you can start to see what to change.
I would also recommend using a "Permit Inbound" Rule to the open WAN ports. This way you can "Allow" only the Countries you want, instead of trying to block the world.
Ive checked the alert tab and there was nothing maybe because i've disabled the log ? i am not logging anything at all.
Do you mean change list action from deny inbound to permit inbound ?
Doing so is going to still filter the traffic ? -
I would also recommend using a "Permit Inbound" Rule to the open WAN ports. This way you can "Allow" only the Countries you want, instead of trying to block the world.
Ive checked the alert tab and there was nothing maybe because i've disabled the log ? i am not logging anything at all.
Do you mean change list action from deny inbound to permit inbound ?
Doing so is going to still filter the traffic ?In the "General" tab, you can enable "Global" logging so that any blocks that occur due to pfBNG are visible to the Firewall and pfBNG Alerts log. You can also enable logging individually in each pfBNG Alias. Without enabling logging, you can't diagnose any False positives.
Its not really recommended to block the world, and allow just a few Countries. Whats best, is to invert this approach and make a "Permit Inbound" just for the select few Countries that you want to allow access to the Open WAN ports.
-
I would also recommend using a "Permit Inbound" Rule to the open WAN ports. This way you can "Allow" only the Countries you want, instead of trying to block the world.
Ive checked the alert tab and there was nothing maybe because i've disabled the log ? i am not logging anything at all.
Do you mean change list action from deny inbound to permit inbound ?
Doing so is going to still filter the traffic ?In the "General" tab, you can enable "Global" logging so that any blocks that occur due to pfBNG are visible to the Firewall and pfBNG Alerts log. You can also enable logging individually in each pfBNG Alias. Without enabling logging, you can't diagnose any False positives.
Its not really recommended to block the world, and allow just a few Countries. Whats best, is to invert this approach and make a "Permit Inbound" just for the select few Countries that you want to allow access to the Open WAN ports.
Thank you so much for your answer.
i am trying to understand something here.
let take China as example . i don't do business with China, none from China need to reach my OWA or VPN server.
Deny all inbouw from China isn't a good idea ?
Can you explain why not deny the inbound ? -
Thank you so much for your answer.
i am trying to understand something here.
let take China as example . i don't do business with China, none from China need to reach my OWA or VPN server.
Deny all inbouw from China isn't a good idea ?
Can you explain why not deny the inbound ?I've posted in this thread a few times and also in Reddit. Here is a one link:
https://www.reddit.com/r/PFSENSE/comments/39253d/the_amount_of_hostile_traffic_on_my_home_network/
Basically, The Inbound (WAN) is implicitly blocking any unsolicited packet. If you open up a Port of the WAN, then you can protect that opened port using the "Adv. Inbound Settings" so that the firewall rule only fires when its a packet to the specific opened port.
As per my post above, if you have an Open WAN port, you can further protect that port with a "Permit Inbound" (select few Countries to allow) rule to only those Specific Open WAN ports. This is that same as blocking all Countries and allowing a few to pass. Its also more efficient, as pfSense packet filter doesn't need to process thru thousands of IPs for each packet analysis.
So if you create a Firewall rule on the WAN with "Deny Inbound" or "Deny Both" and you do not have any open WAN ports, its a complete waste of processing power. All its doing is filling your widget and Logs with spam for packets that are already going to be blocked by the pfSense Implicit block rule.
Most people forget that they need to protect the Outbound (LAN) just as much as the Inbound (WAN). So a "Deny Outbound" to China/Russia would be a good thing if you have no reason for a device on the LAN to talk to those IPs.
pfBlockerNG is also more than a Country Blocker, it can download Feeds of known malicious IPs and protect the network from talking to those IPs. I wrote a script thats available in this thread for 50+ IP Lists.
Its also important to view the pfBNG alerts log and see why things are getting blocked. So don't fill your log with un-necessary data as it will overwhelm you with too much data and you will miss the events that are important to see.
-
Thank you so much for your answer.
i am trying to understand something here.
let take China as example . i don't do business with China, none from China need to reach my OWA or VPN server.
Deny all inbouw from China isn't a good idea ?
Can you explain why not deny the inbound ?I've posted in this thread a few times and also in Reddit. Here is a one link:
https://www.reddit.com/r/PFSENSE/comments/39253d/the_amount_of_hostile_traffic_on_my_home_network/
Basically, The Inbound (WAN) is implicitly blocking any unsolicited packet. If you open up a Port of the WAN, then you can protect that opened port using the "Adv. Inbound Settings" so that the firewall rule only fires when its a packet to the specific opened port.
As per my post above, if you have an Open WAN port, you can further protect that port with a "Permit Inbound" (select few Countries to allow) rule to only those Specific Open WAN ports. This is that same as blocking all Countries and allowing a few to pass. Its also more efficient, as pfSense packet filter doesn't need to process thru thousands of IPs for each packet analysis.
So if you create a Firewall rule on the WAN with "Deny Inbound" or "Deny Both" and you do not have any open WAN ports, its a complete waste of processing power. All its doing is filling your widget and Logs with spam for packets that are already going to be blocked by the pfSense Implicit block rule.
Most people forget that they need to protect the Outbound (LAN) just as much as the Inbound (WAN). So a "Deny Outbound" to China/Russia would be a good thing if you have no reason for a device on the LAN to talk to those IPs.
pfBlockerNG is also more than a Country Blocker, it can download Feeds of known malicious IPs and protect the network from talking to those IPs. I wrote a script thats available in this thread for 50+ IP Lists.
Its also important to view the pfBNG alerts log and see why things are getting blocked. So don't fill your log with un-necessary data as it will overwhelm you with too much data and you will miss the events that are important to see.
well explained,
thank you so much sir for your time explaining this to me , much appreciate.
will change the deny inbound to permitted inbound.
i've noticed Germany and spain are on the top 20 spammers country and i've blocked those countries this probably why everything was blocked.
i've changed the deny inbound nu to permitted inbound.
if the only different between Permitted inbound and deny inbound that the firewall will scan those IPs on each packet will be sent and use a lot of power.
using Deny inbound or permitted abound are both are good choses the only different is power that the firewall will use. -
just applied pfBlocker_import.php from post #600, thanks to BBcan177 and doktornotor and it went swimmingly well, aside form some failed downloads.
here's the smattering in case someone else is having same issue
[ pfB_PRI1 Abuse_Spyeye ] Download FAIL [ 08/22/15 20:02:47 ] [ pfB_PRI2 HoneyPot ] Download FAIL [ 08/22/15 20:03:03 ] [ pfB_PRI3 Infiltrated ] Download FAIL [ 08/22/15 20:03:08 ] [ pfB_PRI3 Juniper ] Download FAIL [ 08/22/15 20:03:24 ] [ pfB_SEC1 OpenBL ] Download FAIL [ 08/22/15 20:03:31 ] [ SFS_All ] file_get_contents(http://www.stopforumspam.com/downloads/bannedips.zip): failed to open stream: HTTP request failed! HTTP/1.1 503 Service Unavailable [ pfB_MAIL ToastedSpam ] Download FAIL [ pfB_MAIL SpamCop ] Download FAIL [ 08/22/15 20:03:51 ]
I suppose this is or can be one time event based on availability of the host, curious if you guys see similar results.
Anyway, Thanks for pfBlocker and especially keeping it up w pfBlockerNG, it's the first thing I setup after configuring my networks.<hat tip=""></hat>
-
When you have issues downloading Feeds, first review the logs to ensure that its not being blocked by another list or the IDS if enabled. You can also load the URL in a browser to get more information. Feeds change URLs from time to time. Feeds also go down.
Its important to donate to some of the Feeds that you rely on, as most do this as a Free service and everyone has bills to pay.
pfB_PRI1 Abuse_Spyeye
This Feed has been discontinued.pfB_PRI2 HoneyPot
Feed is temporarily under MaintenancepfB_PRI3 Infiltrated
Feed not in service.pfB_PRI3 Juniper
Feed not in Service.pfB_SEC1 OpenBL
This feed has some SSL issues from time to time. You can try with http://
But best to wait and see if it continues to have issues.SFS_All stopforumspam.com
This Feed rate limits. Please put it into its own Alias and set for Once per Day.pfB_MAIL ToastedSpam
Feed is temporarily down.pfB_MAIL SpamCop
Use this URL
https://www.spamcop.net/w3m?action=map;net=cmaxcnt;mask=65535;sort=spamcnt -
When you have issues downloading Feeds, first review the logs to ensure that its not being blocked by another list or the IDS if enabled. You can also load the URL in a browser to get more information. Feeds change URLs from time to time. Feeds also go down. Its important to donate to some of the Feeds that you rely on, as most do this as a Free service and everyone has bills to pay.
ok, thanks man. After turning off those lists and forcing a cron the log looks a lot cleaner, except for BBC_GOZ and Feodo_BAD returning empty lists. I gotta tell ya, before I refreshed, the number of hits shown on the dashboard panel was in the thousands for a couple of the aliases. I am a happy camper now.
I concur on donations to list maintainers. I gave a little something to another foss app I use to watch my cat door - zoneminder dvr. One year I was away for a couple weeks around xmas (I'm in a winter lattitude) and feline wasn't doing usual 40 round trips through door - I expected something, so I sent friend to check, sure enough it had got beat up by neighbour cat and was hiding in the basement. So free and open source software earned its keep again. Worthy of a few bucks.
More than likely I'll contrib to pfSense as the little router is/has done a stellar job. I showed another friend my pfSense setup, he pays the subscrip for a Sonicwall, he was impressed with pfS functionality.
-
Does "Enable Alias Table Popup" work for anyone as if i untick it and save not only does it have no effect but the tick is back when i got back into the settings on the homepage?
-
log looks a lot cleaner, except for BBC_GOZ and Feodo_BAD returning empty lists.
Use the following URL for BBC. It incorporates all of their IP lists into one IP feed:
http://osint.bambenekconsulting.com/feeds/c2-ipmasterlist.txtFollow that with a "Force Reload"
-
Does "Enable Alias Table Popup" work for anyone as if i untick it and save not only does it have no effect but the tick is back when i got back into the settings on the homepage?
I had one user complain about this a few months back, but couldn't figure out why its doing that. I suspect an issue with the browser or a conflict with another widget.
What Browser are you using (Can you try a different browser)? and what widgets are enabled? Are you on 2.2.4? Full/Nano/Ramdisk installation? Do the other pfBNG widget settings work for you?
-
Does "Enable Alias Table Popup" work for anyone as if i untick it and save not only does it have no effect but the tick is back when i got back into the settings on the homepage?
Works fine for me. In past versions of pfSense I had issues with most of the widgets not saving their settings. It improved in later releases. I'm on 2.2.4 right now without issue.
-
To download from HE, you need to select the format as "html" or it will fail to download.
Disable this list for 24hrs as HE is denying access (rate-limiting) because you probably have this list attempting to download every hour using the wrong download format.
I came across this thread before attempting to make a new alias from HE data and made sure that HTML was selected before my first update and immediately received a 403 response. Just wondering if anyone else is using HE with any success.
Hypertext Transfer Protocol Line-based text data: text/html \n \n <title>403 Forbidden</title>\n \n # Forbidden \n You don't have permission to access /search\n on this server. \n * * * \n <address>Apache/2.4.7 (Ubuntu) Server at bgp.he.net Port 80</address> \n \n 18 GET /search?search%5Bsearch%5D=facebook&commit=Search HTTP/1.1 Hypertext Transfer Protocol 20 HTTP/1.1 403 Forbidden (text/html) Hypertext Transfer Protocol Line-based text data: text/html \n \n <title>403 Forbidden</title>\n \n # Forbidden \n You don't have permission to access /search\n on this server. \n * * * \n <address>Apache/2.4.7 (Ubuntu) Server at bgp.he.net Port 80</address> \n \n
-
Does "Enable Alias Table Popup" work for anyone as if i untick it and save not only does it have no effect but the tick is back when i got back into the settings on the homepage?
Yes metoo. on 2.2.4 (Alix) nano (rw).
Widgets: System Information; Interfaces; Services Status; NTP Status and pfBlockerNG.
Mozilla FF(40.0.2). -
Does "Enable Alias Table Popup" work for anyone as if i untick it and save not only does it have no effect but the tick is back when i got back into the settings on the homepage?
I would love to keep it ticked. Alas, it keeps unticking itself.
-
Does the same on both Chrome and Safari on OS X (latest versions of each).
I have the following widgets on the homepage:
System Info, Interfaces, Services Status, Interface Statistics, Installed Packages, PFBlockerNG, Snort Alerts, Firewall Logs.
PFsense 2.2.4 full all other widgets seem to work fine.
Thanks
Rob