Netgate Discussion Forum
    Pfblockerng whitelisting

pfBlockerNG
32 Posts 3 Posters 29.2k Views
reason

      Hello and good evening.

      The pfBlocker is working great, for the most part.

      However, the DNSBL is blocking various mail servers from connecting and delivering email (such as newegg, kickstarter, etc).
      I have added the domain to the Custom White list but it does not work.

      I have tried adding under "Custom Domain Whitelist":

      newegg.com
      .newegg.com
      .email.newegg.com
      mta3.email.newegg.com

      But to no avail.

      The Alerts keep showing the connection as being blocked.

      Am I doing something wrong?

      I have used forced update and nothing seems to allow this connection.

RonpfS

        Maybe you should read the last BBCan177 post above about clicking the blue infoblock icons for information about the package.

        @Custom:

        Note: These entries are only Whitelisted when Feeds are downloaded or on a 'Force Reload'.

        To debug DNSBL :
        Go to Diagnostics / DNS Lookup and resolve those FQDNs; if they resolve to the DNSBL VIP, then they are NOT whitelisted.

        Check pfblockerng.log to see what is whitelisted

        [ BB_EasyListFR ]	 Reload [ 08/13/16 22:04:10 ] . completed ..
          Whitelist: goo.gl|
        

        Look at dnsbl.log to see what DNSBL blocks.

        2.4.5-RELEASE-p1 (amd64)
        Intel Core2 Quad CPU Q8400 @ 2.66GHz 8GB
        Backup 0.5_5, Bandwidthd 0.7.4_4, Cron 0.3.7_5, pfBlockerNG-devel 3.0.0_16, Status_Traffic_Totals 2.3.1_1, System_Patches 1.2_5

reason

          Thanks for the fast response :)

          So I read BBCan's message and did a force reload dnsbl.

          I also did a DNS lookup and newegg did not resolve to the DNSBL VIP.

          I did a grep of newegg.com with no output.

          I looked in the dnsbl.log and newegg was not in there either.

          When running the force reload dnsbl, I noticed that some of the TLDs I entered in the custom whitelist were listed, but not the exact subdomains that should have been whitelisted by using (for example) .facebook.com. I wanted mail.facebook.com to be whitelisted but it whitelisted ads.facebook.

          Newegg was not even listed.

          So it looks like it is searching the other DNSBL lists for those hostnames but not finding them, so it's not exclusively whitelisting them.

          Do I need to enter the fqdn as listed in the alerts?

reason

            Using .fqdn, and looking at the dnsbl logs, does not show all domains being whitelisted. It shows some. It seems like it is looking at the other lists, and only listing what domains/subdomains are listed in those lists. But I could be wrong.

            The documentation says to use .domain.tld. so is that different than .fqdn?

            The + icon is only available for SSL connections, right? The ! is only available on the alerts tab for denied alerts. There is no plus to whitelist.
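The two posts above are really asking what a Custom Domain Whitelist entry does. The Python script below is an added illustration for this thread, not pfBlockerNG's own code: it models the whitelist as a filter applied to each downloaded feed, which is why the reload log only ever lists names that were present in some feed. It assumes the convention that a bare entry ("newegg.com") matches that exact name only and a leading dot (".facebook.com") matches the domain and every subdomain. The feed contents, the list name and the 10.10.10.1 VIP (pfBlockerNG's default DNSBL virtual IP) are constructed inputs.

```python
"""Model of how a pfBlockerNG Custom Domain Whitelist entry filters a DNSBL feed.

Added illustration, not pfBlockerNG's own code. Assumed convention: a bare
entry ("newegg.com") matches that exact name only; a leading dot
(".facebook.com") matches the domain itself and every subdomain.
All feed contents below are constructed sample data.
"""
import ipaddress

# Constructed sample of what one downloaded DNSBL feed might contain.
SAMPLE_FEED = [
    "ads.facebook.com",
    "pixel.facebook.com",
    "tracker.example.net",
    "goo.gl",
]

# The entries from the first post, plus the one from the quoted log line.
CUSTOM_WHITELIST = [
    "newegg.com",             # exact name only
    ".facebook.com",          # facebook.com and all subdomains
    "mta3.email.newegg.com",  # exact name only
    "goo.gl",
]

DNSBL_VIP = "10.10.10.1"  # pfBlockerNG's default DNSBL virtual IP


def matches(entry: str, fqdn: str) -> bool:
    """True if one whitelist entry covers the feed name, per the assumed convention."""
    entry = entry.strip().lower().rstrip(".")
    fqdn = fqdn.strip().lower().rstrip(".")
    if entry.startswith("."):
        base = entry[1:]
        return fqdn == base or fqdn.endswith("." + base)
    return fqdn == entry


def apply_whitelist(feed, whitelist):
    """Split a feed into (kept, removed).

    'removed' is what a reload log would report after 'Whitelist:'. A name
    that is in no feed is never reported, which is why newegg.com does not
    show up in the log even though it is on the whitelist.
    """
    removed = [d for d in feed if any(matches(e, d) for e in whitelist)]
    kept = [d for d in feed if d not in removed]
    return kept, removed


def whitelist_log_line(list_name, removed):
    """Render the removed names in the style of the 'Whitelist: goo.gl|' line above."""
    return f"[ {list_name} ]  Whitelist: " + "".join(f"{d}|" for d in removed)


def dnsbl_verdict(resolved_ip, vip=DNSBL_VIP):
    """The Diagnostics / DNS Lookup check: resolving to the VIP means still blocked."""
    if ipaddress.ip_address(resolved_ip) == ipaddress.ip_address(vip):
        return "blocked by DNSBL"
    return "not a DNSBL block"


if __name__ == "__main__":
    kept, removed = apply_whitelist(SAMPLE_FEED, CUSTOM_WHITELIST)
    print(whitelist_log_line("SampleFeed", removed))
    print("still in feed:", kept)
    for name in ("newegg.com", "mail.facebook.com"):
        hit = [e for e in CUSTOM_WHITELIST if matches(e, name)]
        print(f"{name}: covered by {hit or 'nothing'}, present in feed: {name in SAMPLE_FEED}")
    print("23.20.10.5 ->", dnsbl_verdict("23.20.10.5"))
```

Running it shows the two facts the posts are circling: ".facebook.com" covers mail.facebook.com just as well as ads.facebook.com, but only names that actually occur in a feed are reported as whitelisted; newegg.com produces no "Whitelist:" entry because no feed contains it, which is consistent with the DNS Lookup result (newegg did not resolve to the VIP) and points away from DNSBL as the cause of the blocked mail.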

RonpfS

              @reason:

              Using .fqdn, and looking at the dnsbl logs, does not show all domains being whitelisted. It shows some. It seems like it is looking at the other lists, and only listing what domains/subdomains are listed in those lists. But I could be wrong.

              The documentation says to use .domain.tld. so is that different than .fqdn?

              The + icon is only available for SSL connections, right? The ! is only available on the alerts tab for denied alerts. There is no plus to whitelist.

              Sorry about the FQDN thing, it was not the right nomenclature. I updated my post. The TLD domains are in /usr/local/pkg/pfblockerng/dnsbl_tld as indicated by the info block icon under Enable TLD.

              Do you have Suppression enabled in the Firewall / pfBlockerNG / General tab?

              Maybe you could post a screenshot of your alerts tab.

RonpfS

                @Ramosel:

                It's not something I use all the time but I KNOW there used to be links on one of the pfBlockerNG screens to get you to an external lookup for finding AS numbers.  Has that moved?  Been dropped?  I can't find it anywhere…..

                When editing a table under Firewall / pfBlockerNG / Edit / IPV4 tab, click on the blue infoblock icon to the right of List Settings.

reason

                  @RonpfS:

                  @Ramosel:

                  It's not something I use all the time but I KNOW there used to be links on one of the pfBlockerNG screens to get you to an external lookup for finding AS numbers.  Has that moved?  Been dropped?  I can't find it anywhere…..

                  When editing a table under Firewall / pfBlockerNG / Edit / IPV4 tab, click on the blue infoblock icon to the right of List Settings.

                  No. I do not have Suppression enabled.

                  Do you want a screenshot of the column of alerts that are being denied?

                  1 Reply Last reply Reply Quote 0
                  • RonpfSR
                    RonpfS
                    last edited by

                    @reason:

                    No. I do not have Suppression enabled.

                    Do you want a screenshot of the column of alerts that are being denied?

                    You quoted the wrong post in your reply  :-[

                    Without Suppression enabled, you will not be able to Suppress IPV4 alerts nor to Whitelist DNSBL alerts.
                    If you want to know what the icons mean, click on the last icon (image: http://i.imgur.com/Yxodhwt.jpg) at the bottom of the Alerts tab.

                    If you need help whitelisting, then post a screenshot of the DNSBL alerts tab, not just the column.

reason

                      @RonpfS:

                      @reason:

                      No. I do not have Suppression enabled.

                      Do you want a screenshot of the column of alerts that are being denied?

                      You quoted the wrong post in your reply  :-[

                      Without Suppression enabled, you will not be able to Suppress IPV4 alerts nor to Whitelist DNSBL alerts.
                      If you want to know what the icons mean, click on the last icon (image: http://i.imgur.com/Yxodhwt.jpg) at the bottom of the Alerts tab.

                      If you need help whitelisting, then post a screenshot of the DNSBL alerts tab, not just the column.

                      Sorry about that :( I clicked the REPLY at the bottom of the message instead of at the top.

                      I have enabled Suppression.

                      I am noticing that certain items being listed under DENY have I's and +'s while some only have I's.

                      I is for information while the +'s are to whitelist.

                      I was able to click + next to newegg but some of the others do not allow me to do this.

                      Am I meant to enter these other domains under the Custom Domain Whitelist?

RonpfS

                        @reason:

                        Sorry about that :( I clicked the REPLY at the bottom of the message instead of at the top.

                        You can modify your post  ;)

                        @reason:

                        I have enabled Suppression.

                        I am noticing that certain items being listed under DENY have I's and +'s while some only have I's.

                        I is for information while the +'s are to whitelist.

                        I was able to click + next to newegg but some of the others do not allow me to do this.

                        Am I meant to enter these other domains under the Custom Domain Whitelist?

                        This isn't easy to debug without seeing a screen shot of your Alerts tab.

                        There is a Screen capture tool under Windows / Accessories, or use Alt-PrtScr and crop the picture.

                        If the List is "no match", that means that DNSBL doesn't find it in your tables (maybe the domain is no longer blocked or the list was removed at some point, etc) so it won't allow you to Whitelist it.

reason

                          @RonpfS:

                          @reason:

                          Sorry about that :( I clicked the REPLY at the bottom of the message instead of at the top.

                          You can modify your post  ;)

                          @reason:

                          I have enabled Suppression.

                          I am noticing that certain items being listed under DENY have I's and +'s while some only have I's.

                          I is for information while the +'s are to whitelist.

                          I was able to click + next to newegg but some of the others do not allow me to do this.

                          Am I meant to enter these other domains under the Custom Domain Whitelist?

                          This isn't easy to debug without seeing a screen shot of your Alerts tab.

                          There is a Screen capture tool under Windows / Accessories, or use Alt-PrtScr and crop the picture.

                          If the List is "no match", that means that DNSBL doesn't find it in your tables (maybe the domain is no longer blocked or the list was removed at some point, etc) so it won't allow you to Whitelist it.

                          Here is a screenshot.

                          Let me know if this includes the info you are looking for.

                          https://drive.google.com/open?id=0B_lE49yIpBbnSmkxQ2gyS2ZyX28

RonpfS

                            @reason:

                            Here is a screenshot.

                            Let me know if this includes the info you are looking for.

                            I see no picture.

reason

                              @RonpfS:

                              @reason:

                              Here is a screenshot.

                              Let me know if this includes the info you are looking for.

                              I see no picture.

                              Try it now. I used the IMG tags and it did not work.

                              But here it is again: https://drive.google.com/open?id=0B_lE49yIpBbnSmkxQ2gyS2ZyX28

RonpfS

                                @reason:

                                @RonpfS:

                                @reason:

                                Here is a screenshot.

                                Let me know if this includes the info you are looking for.

                                I see no picture.

                                Try it now. I used the IMG tags and it did not work.

                                But here it is again: https://drive.google.com/open?id=0B_lE49yIpBbnSmkxQ2gyS2ZyX28

                                You can post images with the + Attachments and other options.

                                Did you run a Force Reload after enabling Suppression?

                                Your screenshot is missing the last column that displays the range involved in the block.
                                Also take time to read the infobox in the General Tab under Suppression.

reason

                                  @RonpfS:

                                  @reason:

                                  @RonpfS:

                                  @reason:

                                  Here is a screenshot.

                                  Let me know if this includes the info you are looking for.

                                  I see no picture.

                                  Try it now. I used the IMG tags and it did not work.

                                  But here it is again: https://drive.google.com/open?id=0B_lE49yIpBbnSmkxQ2gyS2ZyX28

                                  You can post images with the + Attachments and other options.

                                  Did you run a Force Reload after enabling Suppression?

                                  Your screenshot is missing the last column that displays the range involved in the block.
                                  Also take time to read the infobox in the General Tab under Suppression.

                                  Here is an updated one with more pertinent information.

                                  [attachment: pfblocker.PNG]

RonpfS

                                    Well, as they are not /24 or /32 block ranges, you will have to whitelist the IPs.

                                    @Suppression:

                                    Alerts can be suppressed using the '+' icon in the Alerts tab and IPs added to the 'pfBlockerNGSuppress' alias. A blocked IP in a CIDR other than /32 or /24 will need a 'Whitelist alias' w/ list action: 'Permit Outbound' Firewall rule

                                    If you are using an iBlocklist.com URL, maybe you should read "iBlocklist.com is either dead or a scam?"

reason

                                      @RonpfS:

                                      Well, as they are not /24 or /32 block ranges, you will have to whitelist the IPs.

                                      @Suppression:

                                      Alerts can be suppressed using the '+' icon in the Alerts tab and IPs added to the 'pfBlockerNGSuppress' alias. A blocked IP in a CIDR other than /32 or /24 will need a 'Whitelist alias' w/ list action: 'Permit Outbound' Firewall rule

                                      And where do I whitelist the IPs? I have whitelisted the domains but that does not seem to be working.

                                      newegg, facebook and amazonses are in that screen shot and those items are not being delivered.

RonpfS

                                        @reason:

                                        And where do I white list the IP's? I have white listed the domains but that does not seem to be working.

                                        newegg, facebook and amazonses are in that screen shot and those items are not being delivered.

                                        Don't mix IP and domain name; they have different modes of operation. You query a name server with the domain name (FQDN) of a host to obtain its IP.

                                        IPV4 and IPV6 are used with Firewall rules to control access.

                                        DNSBL operates on the name service to give the VIP instead of the "real" IP of a host.

                                        Again, the answer is already given in the infobox ('Whitelist alias'). Take time to read or use Google translate to bring it to your native language.

reason

                                          @RonpfS:

                                          @reason:

                                          And where do I whitelist the IPs? I have whitelisted the domains but that does not seem to be working.

                                          newegg, facebook and amazonses are in that screen shot and those items are not being delivered.

                                          Don't mix IP and domain name; they have different modes of operation. You query a name server with the domain name (FQDN) of a host to obtain its IP.

                                          IPV4 and IPV6 are used with Firewall rules to control access.

                                          DNSBL operates on the name service to give the VIP instead of the "real" IP of a host.

                                          Again, the answer is already given in the infobox ('Whitelist alias'). Take time to read or use Google translate to bring it to your native language.

                                          So use the IPV4. Create an Alias List. Enter the IPs I want to whitelist on the new IP list?

                                          Where do the IPs get added to the firewall for whitelisting?

                                          Or is it automatically integrated?

                                          I am American and speak English. I just don't speak Firewall Networking so well :)

                                          I want to use pfBlocker but if this is too difficult for me to grasp.

                                          I am also looking at upgrading my zimbra and using spam assassin instead.

                                          But I think I am half way there with pfSense and pfBlocker.

                                          I'm just not getting something.

                                          Also, what "Infobox"?

RonpfS

                                            The infobox under Suppression ???

                                            1 ) You might use a pfBlockerNG IPV4 table, put the IPs you want to whitelist in the IPv4 Custom list. pfBlockerNG will generate FW rules.

                                            2 ) Use a pfBlockerNG IPV4 table, specify a local file containing the IPs to whitelist.  pfBlockerNG will generate FW rules.

                                            3 ) You could create an Alias with the IPs you want to whitelist and create FW rules to permit access.

                                            For beginners, start with 1) then switch to 3) using similar FW rules as pfBlockerNG created in 1) if you prefer to manage a Firewall Alias.
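An added example for the three options above and the Suppression infobox quoted earlier in the thread, not pfBlockerNG's own code: given an IPv4 alert's blocked IP and the CIDR entry from the list that matched it (the last column the screenshot was missing), it decides whether the '+' suppression applies (a /32 or /24 entry, IP added to the pfBlockerNGSuppress alias) or whether the IP has to go into a Whitelist alias with a 'Permit Outbound' rule, i.e. option 1 or 3 above. The alert rows and list names are constructed and the function names are my own.

```python
"""Decide per IPv4 alert whether '+' suppression applies or a Whitelist alias is needed.

Added illustration for this thread, not pfBlockerNG's own code. It encodes the
rule quoted from the Suppression infobox: an IP blocked by a /32 or /24 list
entry can be suppressed (added to the pfBlockerNGSuppress alias); an IP blocked
by any other prefix length needs a Whitelist alias with a 'Permit Outbound'
rule. Alert rows and list names below are constructed.
"""
import ipaddress

# Constructed alert rows: (blocked IP, CIDR entry that matched it, list name)
SAMPLE_ALERTS = [
    ("198.51.100.23", "198.51.100.23/32", "pfB_SpamList"),
    ("203.0.113.77", "203.0.113.0/24", "pfB_SpamList"),
    ("192.0.2.140", "192.0.0.0/22", "pfB_Level1"),
]


def classify_alert(ip, cidr):
    """Return ('suppress', ip) or ('whitelist_alias', ip) for one alert row.

    Raises ValueError if the alert's IP is not inside the CIDR that supposedly
    matched it, which means the row was read from the wrong columns.
    """
    net = ipaddress.ip_network(cidr, strict=False)
    addr = ipaddress.ip_address(ip)
    if addr not in net:
        raise ValueError(f"{ip} is not inside {cidr}")
    if net.prefixlen in (32, 24):
        # The '+' icon works here: the IP goes into pfBlockerNGSuppress.
        return ("suppress", str(addr))
    # Any other range: Whitelist alias + 'Permit Outbound' rule (option 1 or 3).
    return ("whitelist_alias", str(addr))


def plan(alerts):
    """Group the alert rows into the two places the IPs have to go."""
    out = {"pfBlockerNGSuppress": [], "whitelist_alias": []}
    for ip, cidr, _list_name in alerts:
        action, entry = classify_alert(ip, cidr)
        key = "pfBlockerNGSuppress" if action == "suppress" else "whitelist_alias"
        out[key].append(entry)
    return out


if __name__ == "__main__":
    result = plan(SAMPLE_ALERTS)
    print("suppress via '+':", result["pfBlockerNGSuppress"])
    print("Whitelist alias + Permit Outbound rule:", result["whitelist_alias"])
```

The third constructed row is the situation in the thread: the mail server's address sits inside a wider range than a /24, so the '+' icon is not offered and the address has to be listed in an IPv4 Custom list or a Firewall Alias that pfBlockerNG (option 1) or you (option 3) turn into a permit rule.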

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.