PfBlockerNG v2.0 w/DNSBL
-
-
Can you follow the instructions in this post:
https://forum.pfsense.org/index.php?topic=102470.msg607864#msg607864
Thank you. It has been up for 3 cron jobs and is still working.
After the first reboot after the patch i did have to force update to get this to work the first time:
===[ DNSBL Process ]================================================
Missing DNSBL stats and/or Unbound DNSBL conf file - Rebuilding -
-
Hello all,
pfSense noob here. Using pfSense since November 2015. Full install of pfSense on SuperMicro A1SAi-27f0F, 16GM RAM. I am having a strange problem, and am not sure what I did. I was happily using pfBlocker_NG with DNSBL. I upgraded pfBNG from 2.04 to 2.05 four days ago. When I reboot, the LAN interface is now assigned the DNSBL Virtual IP (10.10.10.1) and not the 192.168.1.1 IP as specified under Interfaces: LAN. I have to manually "2) Set interface(s) IP address" in a ssh session, before I can log in to the GUI and disable DNSBL. Reboot, and the LAN gets the 192.168.1.1 IP. Same with 2.05 to 2.06. Did not have this issue with version 2.04. I would rather not wipe the box and start over, if someone might point me in another direction. Thanks in advance.
-
When I reboot, the LAN interface is now assigned the DNSBL Virtual IP (10.10.10.1) and not the 192.168.1.1 IP as specified under Interfaces: LAN.
I assume the LAN interface is DHCP? I have only seen this when another user used bridged interfaces… The DNSBL VIP is a virtual alias in the LAN interface... Maybe your LAN device is not getting an IP address before DNSBL executes?
There has not been any changes to that part of the code, but there is another release "2.0.6" which you can try...
-
Thank you! That is something I can try later tonight, at present three ethernet and four WiFi are all bridged, I will eliminate the bridge, and report back. Yes, LAN hands out IPs via DHCP. V. 2.06 also the same behavior as V. 2.05
-
Correction: the LAN interface (currently bridged) is assigned the static IP of 192.168.1.1, I needed to reread your question.
Thanks again. -
Correction: the LAN interface (currently bridged) is assigned the static IP of 192.168.1.1, I needed to reread your question.
Thanks again.If you want to continue bridging… Add another physical interface (without bridging) and assign the DNSBL VIP to that Interface. Just make sure to add firewall rules to allow other LAN addresses to access it...
Otherwise best to remove the bridge and use a more efficient hardware switch :)
-
I have this website which implements most of the content/features with iframes and it stops working when enabling DNSBL. I have added the addresses of the site and iframe's to the "Custom Domain Suppression" but the site simply refuses to load nothing but a white page where the iframe goes. tcpdump shows no activity when loading that site. None of the log files reveal nothing useful. Any way to debug it further?
-
Shopro,
Try to hit "F12" in the browser to open Dev mode, then goto the "console" tab to see additional details that might help diagnose. You can also run a tcpdump command as per the instructions in the DNSBL tab to sniff for dns requests.
-
Updating in the thread, BB :-* .
Yahoo complaining about certificates(pic00) is fixed by adding mail.yahoo.com and login.yahoo.com to the suppress list & 'Force Reload'.
I still have pic01, and I still have the strange NTP to the virtual IP:
| WAN | udp | 84.x.x.x:46231 (10.10.10.1:123) -> 195.200.224.66:123 | MULTIPLE:MULTIPLE |
No idea why, as 10.10.10.1 is completely isolated, my LAN is 192.x.x.x.
-
Mr J.,
If you run this command you will see which site is listing that domain:
grep "login.yahoo.com" /var/db/pfblockerng/dnsblorig/* /var/db/pfblockerng/dnsblorig/PhishTank.orig:3563722,https://login.yahoo.com:443/config/mail?.intl=au&.done=https%3A%2F%2Flogin.yahoo.com%3A443%2Fconfig%2Fmail%3F.intl%3Dau%26.done%3Dhttps%253A%252F%252Fau%252Dmg6.mail.yahoo.com%252Fneo%252Flaunch%253F.rand%253D7j0n99rj7v27t%2523address%23address#address,http://www.phishtank.com/phish_detail.php?phish_id=3563722,2015-10-30T15:52:31+00:00,yes,2016-02-17T06:23:42+00:00,yes,Other /var/db/pfblockerng/dnsblorig/PhishTank.orig:3507774,http://www.stmaria.cl/img/login.yahoo.com%20config%20mail%20.intl=hk.html,http://www.phishtank.com/phish_detail.php?phish_id=3507774,2015-10-03T14:14:09+00:00,yes,2015-10-12T19:54:23+00:00,yes,OtherCan also see if a domain is in the final dnsbl list:
grep "login.yahoo.com" /var/unbound/pfb_dnsbl.conf grep "login.yahoo.com" /var/db/pfblockerng/dnsbl/*So from the first command above, you can see that login.yahoo.com is listed by PhishTank… That feed posts full URLs, so it can cause FPs... Its best to use that Feed with Alexa suppression. Also similar with OpenPhish and MPatrol... If your starting out with DNSBL, maybe disable those three lists, until you get more comfortable with it...
For your certificate issue: In Chrome you can clear the DNS Browser cache with this link:
chrome://net-internals/#dnsI am not sure if FireFox has something similar… You might also need to clear your Desktop and/or Browser DNS cache, since it might still have these blocked domains in the cache even tho you cleared it in DNSBL... Might also need to close and re-open the browser...
ipconfig /flushdnsLook at the post above yours, where i suggest using F12 Dev mode to help diagnose issues…
For your NTP issue, goto the tab Services: NTP, did you select the DNSBL VIP address?
-
Gracias Don BB ;D
Mr J.,
If you run this command you will see which site is listing that domain:
grep "login.yahoo.com" /var/db/pfblockerng/dnsblorig/* /var/db/pfblockerng/dnsblorig/PhishTank.orig:3563722,https://login.yahoo.com:443/config/mail?.intl=au&.done=https%3A%2F%2Flogin.yahoo.com%3A443%2Fconfig%2Fmail%3F.intl%3Dau%26.done%3Dhttps%253A%252F%252Fau%252Dmg6.mail.yahoo.com%252Fneo%252Flaunch%253F.rand%253D7j0n99rj7v27t%2523address%23address#address,http://www.phishtank.com/phish_detail.php?phish_id=3563722,2015-10-30T15:52:31+00:00,yes,2016-02-17T06:23:42+00:00,yes,Other /var/db/pfblockerng/dnsblorig/PhishTank.orig:3507774,http://www.stmaria.cl/img/login.yahoo.com%20config%20mail%20.intl=hk.html,http://www.phishtank.com/phish_detail.php?phish_id=3507774,2015-10-03T14:14:09+00:00,yes,2015-10-12T19:54:23+00:00,yes,OtherCan also see if a domain is in the final dnsbl list:
grep "login.yahoo.com" /var/unbound/pfb_dnsbl.conf grep "login.yahoo.com" /var/db/pfblockerng/dnsbl/*So from the first command above, you can see that login.yahoo.com is listed by PhishTank… That feed posts full URLs, so it can cause FPs... Its best to use that Feed with Alexa suppression. Also similar with OpenPhish and MPatrol... If your starting out with DNSBL, maybe disable those three lists, until you get more comfortable with it...
That Feed was filtered via Alexa. Obviously it missed something one way or the other.
For your certificate issue: In Chrome you can clear the DNS Browser cache with this link:
chrome://net-internals/#dnsI am not sure if FireFox has something similar… You might also need to clear your Desktop and/or Browser DNS cache, since it might still have these blocked domains in the cache even tho you cleared it in DNSBL... Might also need to close and re-open the browser...
ipconfig /flushdnsI need to find out how to do that in FF. For now the problem was fixed with the Force Reload and the manual addition of the domains.
Look at the post above yours, where i suggest using F12 Dev mode to help diagnose issues…
To say it in the usa-kind-of-way: "like duh" ( ;D ).
Seriously, F12 Dev mode never showed me something useful.
For your NTP issue, goto the tab Services: NTP, did you select the DNSBL VIP address?
No sir, of course I did not. Should I? I understood the VIP address to be something like 'dev/null'; don't touch it, let it do its thing.
Gracias Don BB :-*
-
Thank you BBcan!
Perhaps what I did will help somebody else? What I did: per your suggestion, I got rid of the bridge. I had the bridge because I could not figure out how to get the three wireless APs (one ath/Atheros type PCIe card, and two run/Realtek type on USB) to connect. without it. Took me a few evenings to rethink everything, but now it seems to be working as I wish.
The SuperMicro A1SAi-27f0F has four ethernet, igb0 to igb4. My current configuration: WAN is assigned to igb0, igb1 to igb3 is configured as LAGG0. LAN is assigned to LAGG0. Three ports on my switch are also configured to match the LAGG. OPTx interfaces are assigned to each of the three wireless APs. Under Interfaces: LAN, I configured the "Static IPv4 configuration" to 192.168.x.x/16 instead of 192.168.x.x/24. Under Services: DHCP server, on the LAN tab I set a range of IPs to be served out that did not include all possible IPs in the 192.168.x.x/16 range. That made it possible for me to assign a separate range of IPs to be served out by each OPTx interface. Now, the LAN interface no longer gets assigned the DNSBL IP on reboot.
Off topic for this post, but it occurs to me that a useful feature would be the ability to create a network port from tha MAC of an AP that is not connected to the pfSense box, but hanging off a switch on another part of the network. Then you could assign an OPTx interface to it and a tab for it would show up under Services: DHCP server, like the tabs for the OPTx interfaces that are actually connected to the pfSense box. OK, is the abyss of my ignorance showing again? Is this what VLANs are for?
-
"Beware, even things on Amazon come with embedded malware…" Mike Olsen
http://artfulhacker.com/post/142519805054/beware-even-things-on-amazon-comehttps://blog.sucuri.net/2011/03/brenz-pl-is-back-with-malicious-iframes.html
This malicious domain is in DNSBL Feed - MDS - Malware Domains List :)
grep "brenz[.]pl" /var/db/pfblockerng/dnsbl/* /var/db/pfblockerng/dnsbl/MDS.txt:local-data: "brenz[.]pl 60 IN A 10.10.10.1"Other recent articles of interest:
http://researchcenter.paloaltonetworks.com/2016/04/unit42-ramdo/
http://blog.talosintel.com/2016/04/nuclear-tor.html -
BBcan177
I haven't made any changes to my system for a few weeks… or at least since the recent pfBlockerNG updates. Now, in my IPv4 "Allow" rule you helped me setup, I can't make any changes. It keeps returning:
Header field cannot contain special or international characters.
So I backed out and just left the entries that were there and get the same return. The only non Alphas in the Headers are "." and "-". Both those have been there a couple months. Has something changed?
Rick
-
Hey Rick,
Yes I added input validation to that field recently… So you can use an "_" underscore instead of "-".
-
Yes I added input validation to that field recently… So you can use an "_" underscore instead of "-".
Good to know. It does like the "" underscore but won't accept "." periods any more. Not complaining just letting you know… I had to remove ALL non-alpha characters to get the list to save even without adding anything new. Once saved without any non-alphas, I was able to add a Whois/ASN and in the header use a "" to get things to clean up verbiage.
Thanks,
Rick -
Hey Rick,
Previously it would strip out any special characters. So if you entered a Header as "example.list", it would change that to "examplelist".. With the input validation, it lets you know to avoid special or international characters and ask that you fix them before it will save…
-
I am really stuck… Have been searching for an answer for days now and I very seldom give up.
I have PFSense 2.2.6 with pfBlockerNG 2.0.6 installed on a VPS that only as a single WAN interface VTNET0
The aim of the server is simply to act as a remote inbound DNS server that blocks a range of blacklists via pfBlockerNG when queried otherwise it just delivers the usual DNS lookup.
I have an open port 53 for DNS resolver and that works just fine.
THE PROBLEM... pfBlockerNG refuses to LOG any ALERTS (alerts TAB) or ERRORS in LOG (logs TAB). It says those log files don't exist. (error.log dnsbl.log)
On the DNSBL Tab the "DNSBL Listening Interface" has [] nothing listed. Due to fact its looking for a LAN segment. So its not showing LOOPBACK or WAN of course.
I tried to create a VLAN but didn't help as that locked me out of the system and I had to recover via console. (webconfig jumped to VLAN and locked out WAN)
Snort works with logging and alerts just fine. And pfBlockerNG has all the other logs working just fine. The PFsense firewall log works but that doesn't show what is being blocked exactly.
So my conclusion is that it fails to show alerts and some logs due to the fact it can't bind with the LAN segment. I have no way of adding a LAN to this VPS.
Is there some kind of work around, patch or something I can do? I need to see whats being blocked in the ALERT section!
Please help :)
