PfBlockerNGSuppress using domains instead of IPs?
-
First off - pfBlockerNG, great product! I love it. Same goes for freshly released 2.3.
Here's my question:
pfBlockerNG allows a pfBlockerNGSuppress alias. In this alias one could specify IPs (24|32 CIDR only) that would be suppressed and not added to the aliases created by pfBlockerNG.
My problem is that it is rather difficult managing a long list of IPs. Especially if some of these IPs may change at any moment.
Is there an easy way by which I could generate a pfBlockerNGSuppress alias from a list of domains? I guess it is not hard writing a script for this, but I was hoping there might be a more obvious way of doing this?
The problem with a pfBlockerNG whitelist is that it will take preference and override your actual firewall rules.
A related question:
The snort suppress list can also be defined as an alias. However, snort also has this habit of not wanting domains only IPs listed in that alias. So I'm experiencing the same problem there.
Thanks in advance.
PS: I get the feeling this might have been asked before - it is possible that I simply couldn't find the historic post. If this is the case please just point me to the relevant thread.
-
Sorry for bumping this to the top again. I think the 2.3 release probably occupied everyone's attention at the time I posted it.
Nonetheless, I think this might be a problem/nice to have relevant to many people.
I noticed that pfBlockerNG's DNSBL has got the domain/AS list capability. This is rather awesome. Being able to specify domain/AS in the pfBlockerNGSuppress and Snort whitelist too will be awesome.
At the moment it seems it is impossible to suppress anything else than an IP from pfBlockerNG/Snort. This is a little of a hindrance since sites often change IP without notice.
Any solutions welcome :D :)
-
Hi,
In pfBlockerNG, there are two main types 1) IP Addresses 2) Domain Names:
-
IPv4/6 and the Continent Tabs, allow for the collection of IP addresses. The IPv4 Tab can be suppressed with the pfBlockerNGSuppress Alias only (IPs only). You can also collect ASN's in the IPv4/6 Tab. To circumvent a Blocked IP that is not in a /32 or /24 CIDR, you can create a new pfBlockerNG alias, and select the "Action" as "Permit OutBound". Add the Whitelisted IPs to the customlist at the bottom of this new Alias. Ensure that the "Rule Order" is defined such that the Permit Rules, are above the Block/Reject Rules.
-
Domain Names (DNSBL) are unrelated the the IP type above. You can configure Domain name whitelists, in the DNSBL tab, at the bottom of the page, in the "Whitelist Customlist" section.
Hope that helps!
-