Netgate Discussion Forum

    pfBlockerNG and 1.1.1.1 - possible solution.

    • dragoangelD
      dragoangel
      last edited by dragoangel

      Hi all, I see this topic is not new, but I have a suggestion for how to fix this once and for all.
      pfBlockerNG uses IP 1.1.1.1 if a list of IPs is NULL, so any time a list is null, CloudFlare DNS can be banned, filtered or even allowed (if the filter is used elsewhere as native) to illegal info. Could this be fixed by adding logic so that a NULL list is not created? Or if not, could it point to one of the test subnets described in RFC 5737: 192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24, and for IPv6 lists to 2001:db8::/32, as in RFC 3849 "Addresses used in documentation and example source code"? Thank you.

      Latest stable pfSense on 2x XG-7100 and 1x Intel Xeon Server, running mutiWAN, he.net IPv6, pfBlockerNG-devel, HAProxy-devel, Syslog-ng, Zabbix-agent, OpenVPN, IPsec site-to-site, DNS-over-TLS...
      Unifi AP-AC-LR with EAP RADIUS, US-24

      • dragoangelD
        dragoangel
        last edited by dragoangel

        P.S. If you are now interested in whether you have NULL-pointing lists, you can run these 2 commands at https://pfsense:8443/diag_command.php:

        grep "^1\.1\.1\.1" /var/db/pfblockerng/*
        grep "^1\.1\.1\.1" /var/db/pfblockerng/*/*
        

        They find all lists with the IP 1.1.1.1. Example output:

        /var/db/pfblockerng/native/akamai_AS393234.txt:1.1.1.1
        /var/db/pfblockerng/native/vmware_AS203309.txt:1.1.1.1
        /var/db/pfblockerng/native/vmware_AS53512.txt:1.1.1.1
        

        After this you can better understand what lists must be fixed or removed.

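The check from the post above, extended into a small script (an added example, not part of the original post and not pfBlockerNG code). It separates lists whose only entry is 1.1.1.1 from lists that contain it next to real entries, using an exact whole-line comparison so that entries such as 1.1.1.128/25 are not counted. It assumes one address or CIDR per line and that an empty list is stored as a file holding only 1.1.1.1, as the sample output suggests; the function names and the two `*_example.txt` files are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify pfBlockerNG list files that contain the 1.1.1.1 entry.
PLACEHOLDER='1.1.1.1'

# classify_list FILE -> prints "placeholder-only", "mixed" or "clean"
classify_list() {
    awk -v ph="$PLACEHOLDER" '
        { sub(/\r$/, ""); gsub(/^[ \t]+|[ \t]+$/, "") }  # drop CR and padding
        $0 == "" { next }                                # ignore blank lines
        { total++ }
        $0 == ph { hits++ }                              # exact entry only
        END {
            if (!hits)              print "clean"
            else if (hits == total) print "placeholder-only"
            else                    print "mixed"
        }
    ' "$1"
}

# scan_lists DIR -> prints "STATUS<TAB>PATH" for every non-clean .txt list
scan_lists() {
    find "$1" -type f -name '*.txt' | sort | while IFS= read -r f; do
        status=$(classify_list "$f")
        [ "$status" = clean ] || printf '%s\t%s\n' "$status" "$f"
    done
}

# Constructed sample tree; the first file name comes from the quoted output,
# the other two are made up for the demonstration.
build_demo() {
    d=$(mktemp -d)
    mkdir -p "$d/native" "$d/deny"
    printf '1.1.1.1\n' > "$d/native/akamai_AS393234.txt"
    printf '192.0.2.0/24\n1.1.1.1\n' > "$d/deny/mixed_example.txt"
    printf '1.1.1.128/25\n198.51.100.7\n' > "$d/deny/clean_example.txt"
    echo "$d"
}

# Usage: sh check_lists.sh /var/db/pfblockerng
# With no argument the script runs on the constructed sample tree.
scan_lists "${1:-$(build_demo)}"
```

A `placeholder-only` result marks a list that came back empty; a `mixed` result means 1.1.1.1 was listed alongside other entries and needs a manual look.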
        • GrimsonG
          Grimson Banned
          last edited by

          You are running an outdated version of pfBlockerNG, that has been fixed quite some time ago.

          • BBcan177B
            BBcan177 Moderator @Grimson
            last edited by

            @grimson said in pfBlockerNG and 1.1.1.1 - possible solution.:

            You are running an outdated version of pfBlockerNG, that has been fixed quite some time ago.

            This is fixed in pfBlockerNG-devel.

            "Experience is something you don't get until just after you need it."

            Website: http://pfBlockerNG.com
            Twitter: @BBcan177  #pfBlockerNG
            Reddit: https://www.reddit.com/r/pfBlockerNG/new/

            • dragoangelD
              dragoangel @BBcan177
              last edited by

              @bbcan177 and @Grimson thank you for your quick response. Is the pfBlockerNG-devel branch OK for production use (is it stable enough)? As I understand it, if I choose to use devel, do I need to reproduce all the config from stable in devel, or is this an automated process?

              • BBcan177B
                BBcan177 Moderator @dragoangel
                last edited by BBcan177

                @dragoangel

                There is a recent thread about this. Yes, the config is backward/forward compatible, except for the Easylist page, which would need to be reconfigured.

                It's going to be the next release. So the more users test it out and confirm, the quicker it gets released. There are a lot of improvements to devel so I highly recommend it.

                Especially since you use ASN, devel has a lot of new improvements!

                Any issues, post back to the forum, so that I can address them.

                Thanks!

                • dragoangelD
                  dragoangel @BBcan177
                  last edited by dragoangel

                  @bbcan177 A big thank you for the answers and for all your work 👍. It's really nice, and sorry for the "duplicated posts".

                  • dragoangelD
                    dragoangel
                    last edited by dragoangel

                    @BBcan177 P.S. After your post I launched the update to the devel version, and it all went smoothly, like a charm - I only needed to launch the cron update from the pfBlockerNG menu (I don't use easylists). The new menus, autocomplete for GeoIP, ASNs and other functions are awesome!

                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.