pfblockerng error: Unknown Not listed!

BBcan177

Run these commands to see where these IPs are listed:

grep "\.0\.0\.0" /var/db/pfblockerng/deny/*
grep "\.0\.0\.0" /var/db/pfblockerng/original/*
grep "\.0\.0\.0" /var/db/aliastables/*

Do you have any entries defined in this Alias "Customlist"?

For the Widget pivot to the Alerts Tab. Run this command to see what entries are in the ip_block.log:

grep "pfB_Attack_v4" /var/log/pfblockerng/ip_block.log

It could be that the ip_block.log is rotating the max. line count and clearing out those entries. You can increase these log line limits in the General Tab.

l0rdraiden

@bbcan17 said in pfblockerng error: Unknown Not listed!:

Run these commands to see where these IPs are listed:

grep "\.0\.0\.0" /var/db/pfblockerng/deny/*
grep "\.0\.0\.0" /var/db/pfblockerng/original/*
grep "\.0\.0\.0" /var/db/aliastables/*

Do you have any entries defined in this Alias "Customlist"?

For the Widget pivot to the Alerts Tab. Run this command to see what entries are in the ip_block.log:

grep "pfB_Attack_v4" /var/log/pfblockerng/ip_block.log

It could be that the ip_block.log is rotating the max. line count and clearing out those entries. You can increase these log line limits in the General Tab.

Shell Output - grep ".0.0.0" /var/db/pfblockerng/deny/*
/var/db/pfblockerng/deny/ET_Block_IP_v4.txt:161.0.0.0/19
/var/db/pfblockerng/deny/ET_Block_IP_v4.txt:223.0.0.0/15

Shell Output - grep ".0.0.0" /var/db/pfblockerng/original/*
/var/db/pfblockerng/original/ET_Block_IP_v4.orig:161.0.0.0/19
/var/db/pfblockerng/original/ET_Block_IP_v4.orig:223.0.0.0/15

Shell Output - grep ".0.0.0" /var/db/aliastables/*
grep: /var/db/aliastables/*: No such file or directory

https://rules.emergingthreats.net/fwrules/emerging-Block-IPs.txt

So it's a problem with this list?

What do you mean with this? Do you have any entries defined in this Alias “Customlist”?
Firewall->Aliases? yes I have defined custom ports that I'm using like this, so pfblockerng only blocks ports inbound that I have open

For the second part

Shell Output - grep "pfB_Attack_v4" /var/log/pfblockerng/ip_block.log
Jun 16 10:38:00,1770010014,igb0,LAN,block,4,6,TCP-S,192.168.1.209,196.196.193.44,48140,45278,out,IE,pfB_Attack_v4,196.196.0.0/14,ET_Block_IP_v4,Unknown,Unknown,+

I have increased the limits to 40k

BBcan177

Those IPs must have been in the feed at some point. But the grep commands are telling you that they are no longer in any feed.

I assume that pfBlockerNG is disabled, as this should not return that error if there are files in that folder:

Shell Output - grep “.0.0.0” /var/db/aliastables/*
grep: /var/db/aliastables/*: No such file or directory

What do you mean with this? Do you have any entries defined in this Alias “Customlist”?

At the bottom of each Alias is "IPv4 Custom_list" where you can manually add IPs to an Alias.

l0rdraiden

@bbcan177 said in pfblockerng error: Unknown Not listed!:

Those IPs must have been in the feed at some point. But the grep commands are telling you that they are no longer in any feed.

I assume that pfBlockerNG is disabled, as this should not return that error if there are files in that folder:

Shell Output - grep “.0.0.0” /var/db/aliastables/*
grep: /var/db/aliastables/*: No such file or directory

What do you mean with this? Do you have any entries defined in this Alias “Customlist”?

At the bottom of each Alias is "IPv4 Custom_list" where you can manually add IPs to an Alias.

Right, I enabled it and run the command again

Shell Output - grep ".0.0.0" /var/db/aliastables/*
/var/db/aliastables/pfB_Attack_v4.txt:161.0.0.0/19
/var/db/aliastables/pfB_Attack_v4.txt:223.0.0.0/15

And custom lists are all empty

it's a missconfiguration in my side or a bug? can I fix it?

BBcan177

@l0rdraiden said in pfblockerng error: Unknown Not listed!:

it’s a missconfiguration in my side or a bug? can I fix it?

Well in its current state, I can't see any Feed that has those IPs? So I don't see anything to fix either way.

If it happens again, run those commands and we can do some more debugging.

Also note that there is a new feature in the IP Alias settings > Advanced Tuneables > Suppression CIDR Limit. Here you can define a max CIDR to utilize, so that a Feed doesn't try to block a large range of IPs. YMMV

RonpfS

@l0rdraiden Why don't you remove the http://vxvault.net/ViriList.php?s=0&m=100 URL as it's not geared for IPV4

jazzl0ver

Hi,

Sorry for bumping this topic up, but can somebody explain why I get Unknown Not listed in this case:

# grep 113.1.135.78 /var/db/pfblockerng/* -r
/var/db/pfblockerng/deny/CINS_army_v4.txt:113.1.135.78
/var/db/pfblockerng/mastercat:113.1.135.78
/var/db/pfblockerng/masterfile:CINS_army_v4 113.1.135.78
/var/db/pfblockerng/original/CINS_army_v4.orig:113.1.135.78

Why if this IP is not listed, it's still getting blocked?

Is there a description of what all of those files/folders under /var/db/pfblockerng/ are intended for?

Thanks in advance!

NollipfSense

@jazzl0ver You might be better off starting a new thread and linking this thread as reference.

jazzl0ver

@NollipfSense not sure it's wise to create different threads for the same topic. It'll be harder to search things if someone face same issue.

Gertjan

@jazzl0ver said in pfblockerng error: Unknown Not listed!:

same issue

The pfBlockerNG of today (2.2.5_27) is not comparable with what we've been using in 2018.

jazzl0ver

@Gertjan ok, guys. will do