Netgate Discussion Forum

    DNSBL and syslog

    pfBlockerNG
      madloki

      Hello,
      I can't properly understand how the syslog rules from requests blocked by DNSBL aliases could be identified in the log.

      It is mentioned in the release notes that "alias ascii characters ord sum" is used, but I simply have no idea where to get the proper
      alias name from the DNSBL feeds menu.

      There is a "DNS Group Name" ("HPhost" in my case), "DNS Group Description" ("hosts-file.net/hphosts-partial.txt", really looks like URL),
      then "Header/Label" ("HPhPhishing")

      OK, in the UI I have pfBlockerNG dashboard, there is a "DNSBL_Hphosts" in the alias column.

      I use python like this:

      a = "<alias name>"
      x = 0
      for i in a:
          x = x + ord(i)  # add each character's ASCII code

      print(x)

      In my syslog I have this ID number: 1770009064

      I have no idea how this number (9064) was created from the strings above; I tried all of them.

      A little explanation should help a lot there.

      Sorry for my stupidity, but it takes me a lot of time without any idea how to solve that problem.

        RonpfS

        DNSBL doesn't use "Firewall" Aliases; only the pfBlockerNG IP Table may create Firewall Aliases.

        DNSBL uses unbound to intercept DNS requests to redirect blocked domains to the VIP.

        To see the content of pfBlockerNG files, go to the pfBlockerNG Logs tab.

        2.4.5-RELEASE-p1 (amd64)
        Intel Core2 Quad CPU Q8400 @ 2.66GHz 8GB
        Backup 0.5_5, Bandwidthd 0.7.4_4, Cron 0.3.7_5, pfBlockerNG-devel 3.0.0_16, Status_Traffic_Totals 2.3.1_1, System_Patches 1.2_5

          RonpfS

          @BBcan177:

          How the pfBlockerNG Tracker ID number is created:
          Each Firewall rule for pfBlockerNG is assigned a unique Tracker Number.
          This Number can be used in a Remote syslog so that Events can be tracked by this unique Tracker Number.

          Tracker Number function is here:

          https://github.com/pfsense/FreeBSD-ports/blob/devel/net/pfSense-pkg-pfBlockerNG/files/usr/local/pkg/pfblockerng/pfblockerng.inc#L2036

          Basically it takes the Alias Name, various Interface Information and converts this to a unique tracker number…

          All pfBlockerNG Tracker Numbers start with "177"

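Added example (not part of the thread and not pfBlockerNG's own code): since the thread states that every pfBlockerNG tracker number starts with "177", a remote syslog collector can select those firewall events by that prefix and count hits per tracker. It assumes pfSense's raw filterlog CSV layout (tracker in the fourth field, IPv4 source and destination in fields 19 and 20, IPv6 in fields 16 and 17); the sample lines are constructed, and only the tracker 1770009064 comes from the thread.

```python
import re
from collections import Counter

PFB_PREFIX = "177"  # per the thread: all pfBlockerNG tracker numbers start with "177"
FILTERLOG = re.compile(r"filterlog(?:\[\d+\])?:\s*(?P<csv>.+)$")

# Constructed syslog lines (documentation-range addresses); only 1770009064 is from the thread.
SAMPLE_LOG = """\
Jun 10 12:00:01 fw filterlog[4242]: 5,,,1000000103,em0,match,block,in,4,0x0,,64,1234,0,none,6,tcp,60,198.51.100.7,192.0.2.10,51000,443,0,S,1,,64240,,mss
Jun 10 12:00:02 fw filterlog[4242]: 88,,,1770009064,em0,match,block,in,4,0x0,,64,1235,0,DF,17,udp,72,203.0.113.9,192.0.2.10,40000,53,52
Jun 10 12:00:03 fw filterlog[4242]: 88,,,1770009064,em0,match,block,in,4,0x0,,64,1236,0,DF,6,tcp,60,203.0.113.44,192.0.2.10,40001,22,0,S,2,,64240,,mss
Jun 10 12:00:04 fw filterlog[4242]: 91,,,1770012345,em1,match,block,out,4,0x0,,64,1237,0,DF,6,tcp,60,192.0.2.10,198.51.100.99,40002,80,0,S,3,,64240,,mss
Jun 10 12:00:05 fw unbound[900]: [900:0] info: not a firewall event
"""

def parse_line(line):
    """Return the fields of interest from one filterlog line, or None if it is not one."""
    m = FILTERLOG.search(line)
    if not m:
        return None
    f = m.group("csv").split(",")
    if len(f) < 9 or not f[3].isdigit():
        return None
    # Assumed layout: the source address index depends on the IP version in field 9.
    src_idx = {"4": 18, "6": 15}.get(f[8])
    if src_idx is None or len(f) <= src_idx + 1:
        return None
    return {"tracker": f[3], "iface": f[4], "action": f[6],
            "dir": f[7], "src": f[src_idx], "dst": f[src_idx + 1]}

def pfblockerng_hits(log_text):
    """Events whose tracker carries the pfBlockerNG prefix (the only criterion the thread gives)."""
    events = filter(None, map(parse_line, log_text.splitlines()))
    return [e for e in events if e["tracker"].startswith(PFB_PREFIX)]

def hits_per_tracker(log_text):
    """Count matching events per tracker so each number can be matched to its rule in the GUI."""
    return Counter(e["tracker"] for e in pfblockerng_hits(log_text))

if __name__ == "__main__":
    for tracker, count in hits_per_tracker(SAMPLE_LOG).most_common():
        print(tracker, count)
```

The per-tracker counts give the distinct numbers to look up against the firewall rules, which avoids having to recompute a tracker from the alias name by hand.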
