PfBlockerNG v2.1 w/TLD
-
PR # 156/157 have been posted for pfBlockerNG v2.1.1
CHANGELOG:
MaxMind GeoLite2
New Changes here:
https://dev.maxmind.com/geoip/geoip2/whats-new-in-geoip2/Highlights:
-
GeoLite2 data is already in CIDR format, so should be faster to process then the previous GeoLite data which was in Range format.
-
GeoLite2 data now includes "Represented IPs" along with "Registered IPs"… So the options now include Countries with "_rep".
-
Asia and Europe have an "Undefined" Network list which is now available to be used.
-
Localized Language options are available… See General Tab.
-
Add Antarctica Tab.
-
Downloads via HTTPS MaxMind URLs
-
Top 20 Spammers Tab is now auto-generated (as other GeoIP Tabs)
DNSBL TLD (Beta Feature)
DNSBL TLD is a new feature to determine if all Sub-Domains should be blocked for each listed Domain. TLD is more memory intensive and is not recommended for low performance/Low-Memory installations. TLD will limit the number of Domains that can be processed, Once the TLD Domain limit below is exceeded, the balance of the Domains will be listed as-is. IE: Blocking only the listed Domain (Not Sub-Domains).
TLD Domain Limit Restrictions:
< 1.0GB RAM - Max 100k Domains
< 1.5GB RAM - Max 150k Domains
< 2.0GB RAM - Max 200k Domains
< 2.5GB RAM - Max 250k Domains
< 3.0GB RAM - Max 400k Domains
< 4.0GB RAM - Max 600k Domains
< 5.0GB RAM - Max 1.0M Domains
< 6.0GB RAM - Max 1.5M Domains
< 7.0GB RAM - Max 2.5M Domains
> 7.0GB RAM - > 2.5M DomainsWhen enabled and after all downloads for DNSBL Feeds have completed; TLD will process the Domains. TLD uses a predetermined list of TLDs, to determine if the listed Domain should be configured to block all Sub-Domains. The predetermined TLD list can be found in [ [i] /usr/local/pkg/pfblockerng/dnsbl_tld ]
Options to Blacklist whole TLDs with a provision to Whitelist specific Domain/Sub-Domains in these TLD Blacklists. With the TLD Whitelist option, Alerts will not populate, as the Domains are in a "Static" Resolver zone and as such DNS resolution is via NXDOMAIN.
Options to exclude certain TLDs and/or Domains from the TLD Process.
Lists of worst TLDs:
https://www.spamhaus.org/statistics/tlds/
http://toolbar.netcraft.com/stats/tldsThe TLD feature has so far been tested by approximately a dozen beta testers.
Other Improvements
-
Improve OpenVPN Auto-Rule options
-
Add IPSec Auto-Rule options
-
Add Malware Corpus Tracker to the DNSBL parser www.h3x.eu
-
DNSBL and Alexa Whitelisting has been improved to remove all Sub-Domains. This is accomplished by prefixing a "dot" before the Domain name in the Custom Whitelist.
-
Fix issue with the "XMLRPC Sync" tab - Disable Sync option of "General tab settings" was previously reversed
-
DNSBL Alerts Tab- The Whitelisting User Input popup has been improved.
-
Alerts Tab - Added an "Icon Legend" to the bottom of the page.
-
Escape Log Browser data before printing to screen.
-
Escape Update Tab log before printing to screen.
-
Add additional Alerts Tab Threat Lookups
-
Intel - Threat Intelligence (Formerly McAfee)
-
Threat Miner
-
Threat Crowd
-
Ransomware Tracker
-
Google Safe-Browsing
-
NetCraft Site Report
-
hpHosts
-
mnemonic Passive DNS
-
Other under-the-hood improvements
-
-
This sounds like an awesome update! Thanks for your hard work.
I am trying to better understand what the new TLD feature enables us to do. Would it e.g. allow a captive portal to be set up which allows *.facebook.com (to enable Facebook logins) for example?
-
The TLD feature is used by pfBlockerNG DNSBL for Domain blocking via the Unbound DNS Resolver.
When "TLD" is enabled… It checks each Domain to see what the TLD (Top-Level domain) is for each listed Domain in the DNSBL Blacklist Feeds... then if there is one more level, it will block the whole Domain since its the root Domain name....
When Feeds do not post the Full-Domain, then only the listed Sub-Domains are blocked...
ie: ads.yahoo.com Will ony block that Sub-Domain and not yahoo.comExample 1:
download.101com.comcom - Top-Level Domain
101com.com - Second-level Domain
download.101com.com - Third-level DomainExample 2:
example.uk.comuk.com - Top-Level Domain
example.uk.com - Second-Level DomainThe DNSBL database is located at /var/unbound/pfb_dnsbl.conf
When TLD is enabled, in that conf file you will see "transparent" zones, which means its only blocking the actual Domains listed… None of the Sub-Domains are blocked...
Scroll down that file, and look for lines that have "redirect" zones, which means its blocking the full Domain and all Sub-Domains…
You can also block whole TLD(s) like | cn | ru | pw | xyz | etc…. Option also exist to Whitelist specific Domains when the whole TLD is being blocked.
The following Unbound documentation has additional detail on the "Local-zone" configuration:
https://unbound.net/documentation/unbound.conf.html -
YeY ;D :D :) ;) huge update, awesomeness cant wait for this update, thanks for all your hard work….
-
Sounds like a very exciting update :D
Thank you -
Very nice addition, chapeau 8)
-
Cant wait for this update to roll out!!!!!
-
Is this available to install now? I am only showing version 2.0.17 for update. I uninstalled hoping maybe I would then see the updated version but it's still not there.
As a matter of fact, it says "Not Ready" in the update window when trying to install or update it now. I now do not have it installed and am not able to install it but my system says it is installed.It actually did install but only to version 2.0.17. Is that right?
-
https://twitter.com/pfsense/status/755227123187449856
-
The latest version of pfBlockerNG v2.1.1_1 has been reviewed and merged into pfSense 2.3.3 Dev. If your on the 2.3.3 Snapshots, its available to be installed now.
I believe that the Devs will merge it for pfSense 2.3.2 shortly, so stay tuned for the update.
If you have any questions or Feedback, please let me know….
Please Read the instructions in the DNSBL tab for the new TLD feature before enabling it.
Once enabled, follow that with a "Force Reload - DNSBL".Review any MaxMind GeoIP settings, since there have been significant changes with the upgrade to GeoLite2.
Note: If you have less than 5GB of RAM and you have added the Bambenek DGA DNSBL Feed, please move that to the last entry in the DNSBL Feeds. Since that feed is quite large (700k+ Domains), its best to allow TLD to process the other Feeds first before hitting the max TLD Domain limit. (http://osint.bambenekconsulting.com/feeds/dga-feed.gz).
-
Nice work BBcan177 :D setup blocking of .ru as a test and it works.
-
THANKS! Can't wait! Good stuff….great work...and thanks for helping us dumb dumbs :P here and over at Reddit!
PS - is there a quick n dirty way to test PFBNG to be sure you've generally set it up correctly? Like going to a website and not seeing ads, etc.?
-
Thank you so much for this fantastic work!!!
-
THANKS! Can't wait! Good stuff….great work...and thanks for helping us dumb dumbs :P here and over at Reddit!
PS - is there a quick n dirty way to test PFBNG to be sure you've generally set it up correctly? Like going to a website and not seeing ads, etc.?
Thanks… Are you on the latest 2.1.1_1 version? Haven't heard much feedback yet, so not sure if many have installed it yet...
Not sure what sites are the worst for ADs... but yahoo is probably up there....
Thank you so much for this fantastic work!!!
Thanks!
-
Thanks… Are you on the latest 2.1.1_1 version? Haven't heard much feedback yet, so not sure if many have installed it yet...
Not sure what sites are the worst for ADs... but yahoo is probably up there....
I'm still on 2.0.17. I've slowed down my updating a bit since I've had some snags and had to rebuild 3 times in the past 7 weeks. Two were my fault…lol I thought I had router plugged into the battery port on the UPS but didn't...storm hit...lost power...pf went corrupt. Sooooooooo, I'm a bit worn out on tampering right now. lol That said, I'll probably upgrade it this weekend.
Yahoo it is then. I'm very new to pfBNG so I need to learn it and get comfortable. I don't want to get too aggressive. I just want it to serve as a companion for my Firefox plugins and to help keep my girlfriend protected.
-
pfBlockerNG-2.1.1_1 is working like charm, On 2.3.3-DEVELOPMENT (amd64) no issues.
TLD Blacklist is really handy, Thanks BBcan177
-
Here are the links for Malware Corpus Tracker which can be used w/ pfBlockerNG DNSBL:
Site:
http://track.h3x.eu/about/400Available Feeds:
https://tracker.h3x.eu/api/sites_1month.php
https://tracker.h3x.eu/api/sites_1week.php
https://tracker.h3x.eu/api/sites_1day.php
https://tracker.h3x.eu/api/sites_1hour.phpDO NOT Select all of these Feeds. You should pick only one Feed. For example: the "1Month" will include the "1Week/1Day/1Hour".
[ Edit - change to https ]
Twitter:
https://twitter.com/h3x2b -
Hi BBcan177,
I can't update h3x feed from available feeds list in pfBlockerNG v2.1.
It show below.
[ h3x ] Downloading update .. 200 OK Remote timestamp missing No Domains FoundAnd I can't let TLD Exclusion List working. Can you give a example or check it works?
-
Hi BBcan177,
I can't update h3x feed from available feeds list in pfBlockerNG v2.1.
It show below.
[ h3x ] Downloading update .. 200 OK Remote timestamp missing No Domains FoundSame here
And I can't let TLD Exclusion List working. Can you give a example or check it works?
Did you do a Force Reload after changing the list ?
-
[ 1month ] Downloading update .. 200 OK Remote timestamp missing No Domains Found [ 1week ] Downloading update [ 07/30/16 12:31:20 ] .. 200 OK Remote timestamp missing No Domains Found [ 1day ] Downloading update .. 200 OK Remote timestamp missing No Domains Found [ 1hour ] Downloading update .. 200 OK Remote timestamp missing No Domains FoundMe three, anyone post how exactly you get these list working?
