PfBlockerNG v2.1 w/TLD

BBcan177

PR # 156/157 have been posted for pfBlockerNG v2.1.1

CHANGELOG:

MaxMind GeoLite2

New Changes here:
    https://dev.maxmind.com/geoip/geoip2/whats-new-in-geoip2/

Highlights:

• GeoLite2 data is already in CIDR format, so should be faster to process then the previous GeoLite data which was in Range format.

• GeoLite2 data now includes "Represented IPs" along with "Registered IPs"… So the options now include Countries with "_rep".

• Asia and Europe have an "Undefined" Network list which is now available to be used.

• Localized Language options are available… See General Tab.

• Add Antarctica Tab.

• Downloads via HTTPS MaxMind URLs

• Top 20 Spammers Tab is now auto-generated (as other GeoIP Tabs)

DNSBL TLD (Beta Feature)

DNSBL TLD is a new feature to determine if all Sub-Domains should be blocked for each listed Domain. TLD is more memory intensive and is not recommended for low performance/Low-Memory installations. TLD will limit the number of Domains that can be processed, Once the TLD Domain limit below is exceeded, the balance of the Domains will be listed as-is. IE: Blocking only the listed Domain (Not Sub-Domains).

TLD Domain Limit Restrictions:

< 1.0GB RAM - Max 100k Domains
    < 1.5GB RAM - Max 150k Domains
    < 2.0GB RAM - Max 200k Domains
    < 2.5GB RAM - Max 250k Domains
    < 3.0GB RAM - Max 400k Domains
    < 4.0GB RAM - Max 600k Domains
    < 5.0GB RAM - Max 1.0M Domains
    < 6.0GB RAM - Max 1.5M Domains
    < 7.0GB RAM - Max 2.5M Domains
    > 7.0GB RAM - > 2.5M Domains

When enabled and after all downloads for DNSBL Feeds have completed; TLD will process the Domains. TLD uses a predetermined list of TLDs, to determine if the listed Domain should be configured to block all Sub-Domains. The predetermined TLD list can be found in [  [i] /usr/local/pkg/pfblockerng/dnsbl_tld   ]

Options to Blacklist whole TLDs with a provision to Whitelist specific Domain/Sub-Domains in these TLD Blacklists. With the TLD Whitelist option, Alerts will not populate, as the Domains are in a "Static" Resolver zone and as such DNS resolution is via NXDOMAIN.

Options to exclude certain TLDs and/or Domains from the TLD Process.

Lists of worst TLDs:

https://www.spamhaus.org/statistics/tlds/
    http://toolbar.netcraft.com/stats/tlds

The TLD feature has so far been tested by approximately a dozen beta testers.

Other Improvements

• Improve OpenVPN Auto-Rule options

• Add IPSec Auto-Rule options

• Add Malware Corpus Tracker to the DNSBL parser www.h3x.eu

• DNSBL and Alexa Whitelisting has been improved to remove all Sub-Domains. This is accomplished by prefixing a "dot" before the Domain name in the Custom Whitelist.

• Fix issue with the "XMLRPC Sync" tab - Disable Sync option of "General tab settings" was previously reversed

• DNSBL Alerts Tab- The Whitelisting User Input popup has been improved.

• Alerts Tab - Added an "Icon Legend" to the bottom of the page.

• Escape Log Browser data before printing to screen.

• Escape Update Tab log before printing to screen.

• Add additional Alerts Tab Threat Lookups

• Intel - Threat Intelligence (Formerly McAfee)

• Threat Miner

• Threat Crowd

• Ransomware Tracker

• Google Safe-Browsing

• NetCraft Site Report

• hpHosts

• mnemonic Passive DNS

• Other under-the-hood improvements

luckman212

This sounds like an awesome update!  Thanks for your hard work.

I am trying to better understand what the new TLD feature enables us to do. Would it e.g. allow a captive portal to be set up which allows *.facebook.com (to enable Facebook logins) for example?

BBcan177

The TLD feature is used by pfBlockerNG DNSBL for Domain blocking via the Unbound DNS Resolver.

When "TLD" is enabled… It checks each Domain to see what the TLD (Top-Level domain) is for each listed Domain in the DNSBL Blacklist Feeds... then if there is one more level, it will block the whole Domain since its the root Domain name....

When Feeds do not post the Full-Domain, then only the listed Sub-Domains are blocked... 
ie: ads.yahoo.com  Will ony block that Sub-Domain and not yahoo.com

Example 1:
download.101com.com

com                                - Top-Level Domain
101com.com                  - Second-level Domain
download.101com.com  - Third-level Domain

Example 2:
example.uk.com

uk.com                          - Top-Level Domain
example.uk.com            - Second-Level Domain

The DNSBL database is located at    /var/unbound/pfb_dnsbl.conf

When TLD is enabled, in that conf file you will see "transparent" zones, which means its only blocking the actual Domains listed…  None of the Sub-Domains are blocked...

Scroll down that file, and look for lines that have "redirect" zones, which means its blocking the full Domain and all Sub-Domains…

You can also block whole TLD(s) like  | cn  |  ru  | pw  |  xyz  | etc…. Option also exist to Whitelist specific Domains when the whole TLD is being blocked.

The following Unbound documentation has additional detail on the "Local-zone" configuration:
    https://unbound.net/documentation/unbound.conf.html

someuser123

YeY ;D :D :) ;) huge update, awesomeness cant wait for this update, thanks for all your hard work….

brandur

Sounds like a very exciting update :D
Thank you

Pippin

Very nice addition, chapeau 8)

pftdm007

Cant wait for this update to roll out!!!!!

zerodamage

Is this available to install now?  I am only showing version 2.0.17 for update.  I uninstalled hoping maybe I would then see the updated version but it's still not there.

As a matter of fact, it says "Not Ready" in the update window when trying to install or update it now.  I now do not have it installed and am not able to install it but my system says it is installed.

It actually did install but only to version 2.0.17.  Is that right?

BBcan177

https://twitter.com/pfsense/status/755227123187449856

BBcan177

The latest version of pfBlockerNG  v2.1.1_1  has been reviewed and merged into pfSense 2.3.3 Dev. If your on the 2.3.3 Snapshots, its available to be installed now.

I believe that the Devs will merge it for pfSense 2.3.2 shortly, so stay tuned for the update.

If you have any questions or Feedback, please let me know….

Please Read the instructions in the DNSBL tab for the new TLD feature before enabling it.
Once enabled, follow that with a "Force Reload - DNSBL".

Review any MaxMind GeoIP settings, since there have been significant changes with the upgrade to GeoLite2.

Note: If you have less than 5GB of RAM and you have added the Bambenek DGA DNSBL Feed, please move that to the last entry in the DNSBL Feeds. Since that feed is quite large (700k+ Domains), its best to allow TLD to process the other Feeds first before hitting the max TLD Domain limit.  (http://osint.bambenekconsulting.com/feeds/dga-feed.gz).

f34rinc

Nice work BBcan177  :D  setup blocking of .ru as a test and it works.

DownloadDeviant

THANKS! Can't wait! Good stuff….great work...and thanks for helping us dumb dumbs  :P here and over at Reddit!

PS - is there a quick n dirty way to test PFBNG to be sure you've generally set it up correctly? Like going to a website and not seeing ads, etc.?

mauroman33

Thank you so much for this fantastic work!!!

BBcan177

@DownloadDeviant:

THANKS! Can't wait! Good stuff….great work...and thanks for helping us dumb dumbs  :P here and over at Reddit!

PS - is there a quick n dirty way to test PFBNG to be sure you've generally set it up correctly? Like going to a website and not seeing ads, etc.?

Thanks… Are you on the latest 2.1.1_1 version?  Haven't heard much feedback yet, so not sure if many have installed it yet...

Not sure what sites are the worst for ADs... but yahoo is probably up there....

@mauroman33:

Thank you so much for this fantastic work!!!

Thanks!

DownloadDeviant

@BBcan177:

Thanks… Are you on the latest 2.1.1_1 version?  Haven't heard much feedback yet, so not sure if many have installed it yet...

Not sure what sites are the worst for ADs... but yahoo is probably up there....

I'm still on 2.0.17. I've slowed down my updating a bit since I've had some snags and had to rebuild 3 times in the past 7 weeks. Two were my fault…lol I thought I had router plugged into the battery port on the UPS but didn't...storm hit...lost power...pf went corrupt. Sooooooooo, I'm a bit worn out on tampering right now. lol That said, I'll probably upgrade it this weekend.

Yahoo it is then. I'm very new to pfBNG so I need to learn it and get comfortable. I don't want to get  too aggressive. I just want it to serve as a companion for my Firefox plugins and to help keep my girlfriend protected.

someuser123

pfBlockerNG-2.1.1_1 is working like charm, On 2.3.3-DEVELOPMENT (amd64) no issues.

TLD Blacklist is really handy, Thanks BBcan177

BBcan177

Here are the links for Malware Corpus Tracker which can be used w/ pfBlockerNG DNSBL:

Site:
http://track.h3x.eu/about/400

Available Feeds:
https://tracker.h3x.eu/api/sites_1month.php
https://tracker.h3x.eu/api/sites_1week.php
https://tracker.h3x.eu/api/sites_1day.php
https://tracker.h3x.eu/api/sites_1hour.php

DO NOT Select all of these Feeds. You should pick only one Feed. For example: the "1Month" will include the "1Week/1Day/1Hour".

[ Edit - change to https ]

Twitter:
https://twitter.com/h3x2b

ntct

Hi BBcan177,

I can't update h3x feed from available feeds list in pfBlockerNG v2.1.

It show below.

[ h3x ]			 Downloading update .. 200 OK
 Remote timestamp missing 
 No Domains Found

And I can't let TLD Exclusion List working. Can you give a example or check it works?

RonpfS

@ntct:

Hi BBcan177,

I can't update h3x feed from available feeds list in pfBlockerNG v2.1.

It show below.

[ h3x ]			 Downloading update .. 200 OK
 Remote timestamp missing 
 No Domains Found

Same here

@ntct:

And I can't let TLD Exclusion List working. Can you give a example or check it works?

Did you do a Force Reload after changing the list ?

hulleyrob

[ 1month ]		 Downloading update .. 200 OK
  Remote timestamp missing 
 No Domains Found

[ 1week ]		 Downloading update [ 07/30/16 12:31:20 ] .. 200 OK
  Remote timestamp missing 
 No Domains Found

[ 1day ]		 Downloading update .. 200 OK
  Remote timestamp missing 
 No Domains Found

[ 1hour ]		 Downloading update .. 200 OK
  Remote timestamp missing 
 No Domains Found

Me three, anyone post how exactly you get these list working?

BBcan177

Here is a patch to fix the H3X Feed…  Sorry about that  ...

@BBcan177:

Here are the links for Malware Corpus Tracker which can be used w/ pfBlockerNG DNSBL:

UPDATE:

Guess the internal QA testing didn't work too well when I tested this Feed.
Please follow these instructions below to patch the code to get the following feed to parse:

Edit     /usr/local/pkg/pfblockerng/pfblockerng.inc

Goto Line 3368 which contains the following:

$h3x_feed = TRUE;

Reference:
https://github.com/pfsense/FreeBSD-ports/blob/devel/net/pfSense-pkg-pfBlockerNG/files/usr/local/pkg/pfblockerng/pfblockerng.inc#L3368

and add the following line after line 3368:

$liteparser = TRUE;

Then follow that with a    "Force Update"

BBcan177

@ntct:

And I can't let TLD Exclusion List working. Can you give a example or check it works?

Can you provide more detail about what you're trying to accomplish?

hulleyrob

Works for me.

For the lazy:

vi +3368 /usr/local/pkg/pfblockerng/pfblockerng.inc

to go straight to the line.

Thanks BBcan

BBcan177

I have posted a PR #164 to fix the H3x parser issue noted above.
‎https://github.com/pfsense/FreeBSD-ports/pull/164‎

Once this is merged the pkg will be at version 2.1.1_2.

If you manually edited the file noted above, or not, you do not need to make any further changes with this version.

oddworld19

…...and I'm buying another 8 gigs RAM tonight (from 8G to 16G) now that unbound is VIRT 12.3G and I've swapped 6G.

Worth it though.

Andrew453

Hi BBcan177

Thanks for implementing this.  Would you be able to explain a bit more what the role of the /usr/local/pkg/pfblockerng/dnsbl_tld file is please?

I was expecting it to contain a pure list of TLDs which pfblockerng can then use to work out whether any given domain is a second level domain or higher.  But it seems itself to contain some second level domains?

That said, when I've looked that the /var/unbound/pfb_dnsbl.conf on my set up that pfblockerng has created, it does contain exactly what I would expect to see (i.e. full blocking of the entire domain for second level domains, but only specific blocking for higher level domains).  So it does seem to be doing exactly what I'd like it to, but I'm not sure how the dnsbl_tld file is working to do that.

Thanks.

Qinn

Hi BBcan177,

Is there any good install/setup/configure instruction (video or guide) for the last version op pfblockerNG, that you could/would recommend?

Thanks for your advice, cheers Qinn

BBcan177

@Andrew453:

I was expecting it to contain a pure list of TLDs which pfblockerng can then use to work out whether any given domain is a second level domain or higher.  But it seems itself to contain some second level domains?

Hi Andrew453,

If I only used the TLD, it would be a simple process of looking at any listed Domain and seeing if it had only a second-level Domain (SLD) then block the entire Domain. However, there are suffixes like "uk.com" which is what I would call the TLD that is used to determine if there is one more level. So all of the TLDs (suffixes) in that file are known TLDs which is used in the determination process. Most of the file was taken from the "Public Suffix Registry".

BBcan177

@Qinn:

Hi BBcan177,

Is there any good install/setup/configure instruction (video or guide) for the last version op pfblockerNG, that you could/would recommend?

Thanks for your advice, cheers Qinn

There is a pfSense Hangout that I did which can be used for an overview of the pkg functionality. However, apart from the three main pfBlockerNG threads in this forum, there isn't any other documentation.

Qinn

Thanks for the quick reply. Darn  :( I found this one can you can agree to this one?

Youtube Video

Andrew453

@BBcan177:

@Andrew453:

I was expecting it to contain a pure list of TLDs which pfblockerng can then use to work out whether any given domain is a second level domain or higher.  But it seems itself to contain some second level domains?

Hi Andrew453,

If I only used the TLD, it would be a simple process of looking at any listed Domain and seeing if it had only a second-level Domain (SLD) then block the entire Domain. However, there are suffixes like "uk.com" which is what I would call the TLD that is used to determine if there is one more level. So all of the TLDs (suffixes) in that file are known TLDs which is used in the determination process. Most of the file was taken from the "Public Suffix Registry".

Yes ok.  That's exactly what I thought the file was for.  (i.e. some eTLDs are longer than others, so you need a list e.g. .com vs .co.uk to work out what to treat as an eTLD)

The thing that was confusing me was there were some domains in the list that looked a bit odd, e.g.

myactivedirectory.com
mydrobo.com
mysecuritycamera.com
myshopblocks.com
myvnc.com

I think all you're saying is that pfblockerng will treat those as eTLDs even though, strictly speaking, they aren't … which is fine.

p.s. a big thank you for implementing this.  It was on my wish-list as I recall - https://forum.pfsense.org/index.php?topic=106534

Guest

@RonpfS:

@ntct:

Hi BBcan177,

I can't update h3x feed from available feeds list in pfBlockerNG v2.1.

It show below.

[ h3x ]			 Downloading update .. 200 OK
 Remote timestamp missing 
 No Domains Found

Same here

@ntct:

And I can't let TLD Exclusion List working. Can you give a example or check it works?

Did you do a Force Reload after changing the list ?

I'm on 2.1.1_2, the h3x fix is included, but I get the same error as above.

I tried with Update, Cron , Reload.

[ malw_corpus ] Downloading update .. 200 OK
  Remote timestamp missing
No Domains Found

CiscoX

Hi,
Thank you for your hard work on this package :)

After updating to 2.1.1_2 i can't "clear DNSBL Packets" from the pfBlockerNG widge
The DNSBL_EasyList won't delete the packets

[Video 31-07-2016 16.54.57.zip](/public/imported_attachments/1/Video 31-07-2016 16.54.57.zip)

RonpfS

@Redyr:

I'm on 2.1.1_2, the h3x fix is included, but I get the same error as above.

I tried with Update, Cron , Reload.

[ malw_corpus ] Downloading update .. 200 OK
  Remote timestamp missing
No Domains Found

Each URL contains sites that were active in the last period (month, week, day or hour).

If you look at the 1hour or the 1day csv file, they only have one comment. The 1week and 1month have entries.

You should only choose one of the feeds according to your need. I guess most will pick the 1month URL.

pftdm007

Not sure if this is related to pfblockerNG (2.1 w/ TLD) but I went to the package manager to install a package, and saw that my copy of pfblockerNG was outdated, so I clicked the yellow round arrow to update the package.  It went well, but immediately after I returned to the package manager I was greeted with a red ribbon saying "Unable to retrieve package information".  This happens for the "Installed Packages as well as "Available Packages" tabs!

On the main page, I see "Obtaining update status ", then it turns to "Unable to check for updates".

Tried disabling both pfblockerNG and DNSBL to no avail.  Snort is disabled and the blocked hosts list is empty.

Now I cannot update, install or uninstall packages….  How do I remedy to this?

Andrew453

I've had that trouble before too.  It happened when I was trying to change from the development thread for updates to the stable thread.  I couldn't update anything.  I eventually found some instructions to reinstall the main pfsense components from the command line.  I ended up still on the development thread and didn't venture to try to change it back after that.

pftdm007

@Andrew453:

I've had that trouble before too.  It happened when I was trying to change from the development thread for updates to the stable thread.  I couldn't update anything.  I eventually found some instructions to reinstall the main pfsense components from the command line.  I ended up still on the development thread and didn't venture to try to change it back after that.

Not sure I understand that.  I am not playing with development stuff, nor that I am configured to retrieve packages from development repos..  Just a vanilla pfsense install with pfblockerNG, snort and thats it.  Not normal all of a sudden I lose connection to repos..

Also after a reboot I see these warnings in the main page:

There were error(s) loading the rules: /tmp/rules.debug:37: cannot define table pfB_Europe_v6: Cannot allocate memory - The line in question reads [37]: table <pfB_Europe_v6> persist file "/var/db/aliastables/pfB_Europe_v6.txt" @ 2016-07-31 14:55:00
There were error(s) loading the rules: /tmp/rules.debug:37: cannot define table pfB_Europe_v6: Cannot allocate memory - The line in question reads [37]: table <pfB_Europe_v6> persist file "/var/db/aliastables/pfB_Europe_v6.txt" @ 2016-07-31 14:55:11
There were error(s) loading the rules: /tmp/rules.debug:37: cannot define table pfB_Europe_v6: Cannot allocate memory - The line in question reads [37]: table <pfB_Europe_v6> persist file "/var/db/aliastables/pfB_Europe_v6.txt" @ 2016-07-31 14:55:20 

BBcan177

@lpallard:

There were error(s) loading the rules: /tmp/rules.debug:37: cannot define table pfB_Europe_v6: Cannot allocate memory - The line in question reads [37]: table <pfB_Europe_v6> persist file "/var/db/aliastables/pfB_Europe_v6.txt" @ 2016-07-31 14:55:00
There were error(s) loading the rules: /tmp/rules.debug:37: cannot define table pfB_Europe_v6: Cannot allocate memory - The line in question reads [37]: table <pfB_Europe_v6> persist file "/var/db/aliastables/pfB_Europe_v6.txt" @ 2016-07-31 14:55:11
There were error(s) loading the rules: /tap/rules.debug:37: cannot define table pfB_Europe_v6: Cannot allocate memory - The line in question reads [37]: table <pfB_Europe_v6> persist file "/var/db/aliastables/pfB_Europe_v6.txt" @ 2016-07-31 14:55:20 

These all seem to be related to the MaxMind IPv6 database. Looks like you will need to bump the pfSense max aliastable entries limit from 2M to 4M. If you enable aggregation in the general tab, it should condense the CIDRs and reduce the overall IP count. This changed due to using the new MaxMind Geolite2 database which seems to have smaller subsets of the data listed causing more IP entries to be added.

BBcan177

@CiscoX:

After updating to 2.1.1_2 i can't "clear DNSBL Packets" from the pfBlockerNG widge
The DNSBL_EasyList won't delete the packets

I am away for a few weeks but will check that out. Seems like some regression somewhere. Thanks for reporting.

java007md

@lpallard:

Not sure if this is related to pfblockerNG (2.1 w/ TLD) but I went to the package manager to install a package, and saw that my copy of pfblockerNG was outdated, so I clicked the yellow round arrow to update the package.  It went well, but immediately after I returned to the package manager I was greeted with a red ribbon saying "Unable to retrieve package information".  This happens for the "Installed Packages as well as "Available Packages" tabs!

On the main page, I see "Obtaining update status ", then it turns to "Unable to check for updates".

Tried disabling both pfblockerNG and DNSBL to no avail.  Snort is disabled and the blocked hosts list is empty.

Now I cannot update, install or uninstall packages….  How do I remedy to this?

From the following thread:

https://forum.pfsense.org/index.php?topic=116019.0

I followed the ssh command line execution steps:

pkg update -f
pkg upgrade -f

and the same problem was resolved.