PfBlockerNG
-
I am currently blocking Asia and have hired a developer in India. How can I exclude his subnet and still have the rest of India blocked.
I have India( CTRL + CLICK to unselect countries) at the moment so he has access. -
@scott@hosiermail.com:
I am currently blocking Asia and have hired a developer in India. How can I exclude his subnet and still have the rest of India blocked.
I have India( CTRL + CLICK to unselect countries) at the moment so he has access.Just create a new floating rule and add his subnet as the source for incoming traffic for your WAN interface.
Tony
-
HI,
I have found that if I'm using RAMDisk, After a pfSense start/restart, the pfBlockerNG Alerts page list 'No match' on all alerts until I manually do a force update. I thought the lists should be all loaded after a root/start. Obviously it didn't when using RAMDisk. No issue when not using RAM Disk. This is annoying. Am I missing something?
-
HI,
I have found that if I'm using RAMDisk, After a pfSense start/restart, the pfBlockerNG Alerts page list 'No match' on all alerts until I manually do a force update. I thought the lists should be all loaded after a root/start. Obviously it didn't when using RAMDisk. No issue when not using RAM Disk. This is annoying. Am I missing something?
Well this is the issue with RamDisk installations… On a reboot the /var folder is wiped out… That would include any other packages that store data there...
I have added a workaround to copy the final "/var/db/aliastables/pfB_*" files… and restore those after a reboot so that the tables and firewall rules don't have any issues...
However, the rest of the files are gone, and the only way to recover is with a "Force Reload" or wait for the next Cron task to execute. The issue with a RamDisk is always size, so Its not appropriate to try and archive all the files and restore them... Not to mention that any time Cron ran, or you used a "Force" command, it would archive the files and take some time (I assume) depending on how many Lists you use... Whats the benefit to use a Ramdisk anyways?
-
HI,
I have found that if I'm using RAMDisk, After a pfSense start/restart, the pfBlockerNG Alerts page list 'No match' on all alerts until I manually do a force update. I thought the lists should be all loaded after a root/start. Obviously it didn't when using RAMDisk. No issue when not using RAM Disk. This is annoying. Am I missing something?
Well this is the issue with RamDisk installations… On a reboot the /var folder is wiped out… That would include any other packages that store data there...
I have added a workaround to copy the final "/var/db/aliastables/pfB_*" files… and restore those after a reboot so that the tables and firewall rules don't have any issues...
However, the rest of the files are gone, and the only way to recover is with a "Force Reload" or wait for the next Cron task to execute. The issue with a RamDisk is always size, so Its not appropriate to try and archive all the files and restore them... Not to mention that any time Cron ran, or you used a "Force" command, it would archive the files and take some time (I assume) depending on how many Lists you use... Whats the benefit to use a Ramdisk anyways?
Thanks for the clarification. My pfSense box is using SSD, and 16GB RAM, lots of memory, so I thought why not use RAM Disk.
-
Could somebody help me, i'am using a few firewall rules and set them in the wat they work correctely.
After for example 1 hour everything is set again to the default alphabeticly
Whats wrong /or what i'am doing wrong .Or is the only way to solve this, to create floating rules ?
-
If you need a particular sorting, then use one of the Alias actions and create the rules manually, instead of using Block/Reject.
-
@The:
Could somebody help me, i'am using a few firewall rules and set them in the wat they work correctely.
After for example 1 hour everything is set again to the default alphabeticly
Whats wrong /or what i'am doing wrong .Or is the only way to solve this, to create floating rules ?
Did you try to change the "Rule Order" in the General Tab? Otherwise for more complicated setups, you will need to use "Alias" type rules as Dok indicated.
-
@The:
Could somebody help me, i'am using a few firewall rules and set them in the wat they work correctely.
After for example 1 hour everything is set again to the default alphabeticly
Whats wrong /or what i'am doing wrong .Or is the only way to solve this, to create floating rules ?
Just to be sure what i'am trying to reach:
This is the standard setting:
I changed this otherwise G-mail / e-mail wont arrive on the Zimbra server i run:
after for example 1 hour everything is the same as the standard setting en e-mail stop's arriving .
What to do ?
Create some floating rules (as i read in the Wiki)
create some alias as you replied ? -
@The:
Could somebody help me, i'am using a few firewall rules and set them in the wat they work correctely.
After for example 1 hour everything is set again to the default alphabeticly
Whats wrong /or what i'am doing wrong .Or is the only way to solve this, to create floating rules ?
Did you try to change the "Rule Order" in the General Tab? Otherwise for more complicated setups, you will need to use "Alias" type rules as Dok indicated.
I change this rules order using: firewall -> rules
-
Why the hell are you blocking the entire world? Please, read this thread on the implicit "default deny" rule on WAN and general sane usage notes.
-
@The:
What to do ?
Create some floating rules (as i read in the Wiki)
create some alias as you replied ?In v1.10 I added some additional text to the TOP20 tab to help with this issue. (See Note:)
Instead of blocking the world, you can change all of the "Deny" rule(s) to be a single "Permit Inbound" Rule…
For example: It seems like you want to allow South America only to hit your Zimbra mail server, follow the instructions below: ( BTW: Big fan of Zimbra!! )
-
Remove all of your existing Country Blocking Rules.
-
Remove all of your existing "Pass" Firewall rules for Zimbra.
You could also just disable these pass rules and keep them there as a backup, if pfBNG is disabled for any reason. -
Goto "South America" Country Tab.
-
Select the IPv4/6 Countries that you want to allow access.
-
List Action: "Permit Inbound"
-
In "Advanced Inbound Firewall Rule Settings":
-
Enable the Custom Port checkbox
Click the link "Click here to add/edit Aliases" and add a new pfSense Alias called "Mail_Ports" (Change the alias name to what ever you wish), and enter all of the Mail ports in the alias.
-
Enable Custom Destination checkbox
Click the link "Click here to add/edit Aliases" and add a new pfSense Alias called "Mail_IPs"
(Change the alias name to what ever you wish), and enter all of the Mail Destination IPs (ie: the 192.x.x.x address from your screenshot above) -
Custom Protocol: Select "TCP/UDP" (Or as required)
-
Hope that helps!
-
-
Why the hell are you blocking the entire world? Please, read this thread on the implicit "default deny" rule on WAN and general sane usage notes.
Just to be sure ;-)
I followed soms YouTube configuration instructions that told me to configure it this wat
Yesterday i start reading this topic, stopped at page 20, but at this moment there's nothing about the default een rule :( or maybe i was to tired to find it ? -
@The:
What to do ?
Create some floating rules (as i read in the Wiki)
create some alias as you replied ?In v1.10 I added some additional text to the TOP20 tab to help with this issue. (See Note:)
Instead of blocking the world, you can change all of the "Deny" rule(s) to be a single "Permit Inbound" Rule…
For example: It seems like you want to allow South America only to hit your Zimbra mail server, follow the instructions below: ( BTW: Big fan of Zimbra!! )
-
Remove all of your existing Country Blocking Rules.
-
Remove all of your existing "Pass" Firewall rules for Zimbra.
You could also just disable these pass rules and keep them there as a backup, if pfBNG is disabled for any reason. -
Goto "South America" Country Tab.
-
Select the IPv4/6 Countries that you want to allow access.
-
List Action: "Permit Inbound"
-
In "Advanced Inbound Firewall Rule Settings":
-
Enable the Custom Port checkbox
Click the link "Click here to add/edit Aliases" and add a new pfSense Alias called "Mail_Ports" (Change the alias name to what ever you wish), and enter all of the Mail ports in the alias.
-
Enable Custom Destination checkbox
Click the link "Click here to add/edit Aliases" and add a new pfSense Alias called "Mail_IPs"
(Change the alias name to what ever you wish), and enter all of the Mail Destination IPs (ie: the 192.x.x.x address from your screenshot above) -
Custom Protocol: Select "TCP/UDP" (Or as required)
-
Hope that helps!
Big thnx for this ! I'll changed the configuration exactly as above.
What should be the list action for the rest of the clean selected country's : deny inbound ?Btw the only reason why i need N.A enabled is to recieve mail from gmail users who mail me at the Zimbra server
-
-
@The:
What should be the list action for the rest of the clean selected country's : deny inbound ?
ZOMG. What's not allowed is already denied by default… You need no other action.
-
Hello, I was using pfBlocker and had a list that was built for just VZW Ip's. Here is the list as it is still in the firewall.
https://127.0.0.1:443/pfblocker.php?pfb=pfBlockerVZW_Custom
Is this still be updated? If not how do I find the source of that list to rebuild it in NG under the IPV4 Ailias tab
Thanks for the pointers.
-
Hello, I was using pfBlocker and had a list that was built for just VZW Ip's. Here is the list as it is still in the firewall.
https://127.0.0.1:443/pfblocker.php?pfb=pfBlockerVZW_Custom
Is this still be updated? If not how do I find the source of that list to rebuild it in NG under the IPV4 Ailias tab
Thanks for the pointers.
Hi apbirch67,
The old pfBlocker files are located in the following folder:
ls /usr/local/pkg/pfblockerThe files are a longfile name like:
a5535b15c63d449c51574971f9ab6098.txtThese files are an md5 hash of the URL used for each List. View each file to determine which file is the one you are looking for.
-
@The:
What should be the list action for the rest of the clean selected country's : deny inbound ?
ZOMG. What's not allowed is already denied by default… You need no other action.
Excuse me for beeing an newbee user . But i'll try to learn everyday and want to have the network as save as possible (like all the other people here i thing ;) )
The question is not that bad i think, because when you look at the rule action it's disabled . -
Unfortunately BGP has blocked access to "non-humans".
In the interim, I have posted some of these [ Domain -> IPs ] lists. I will try to keep them updated as time permits.
Please use the "html" format:
Facebook https://gist.githubusercontent.com/BBcan177/fb389885e4fb39508bcc/raw Twitter https://gist.githubusercontent.com/BBcan177/0caa6ae9badee2206660/raw Spotify https://gist.githubusercontent.com/BBcan177/58ae5e02838cea68de25/raw Netflix https://gist.githubusercontent.com/BBcan177/419897fb723a24323f1f/raw Dropbox https://gist.githubusercontent.com/BBcan177/3ddcf1ef916f70b9bc26/raw Also posted are two feeds which I have collected from recent Security Blogs etc: MS_1 https://gist.githubusercontent.com/BBcan177/bf29d47ea04391cb3eb0/raw MS_3 https://gist.githubusercontent.com/BBcan177/4a8bf37c131be4803cb2/raw -
Hi
First very thanks to BBcan177 for the package.
These IP list are a strange world
The list: http://list.iblocklist.com/?list=llvtlsjyoyiczbkjsxpf&fileformat=p2p&archiveformat=gz
are blocking that: http://www.reputationauthority.org/toptens.php
Cheers.
