Pfblockerng whitelisting
-
Probably the same link you used to create your Deny Tables, change Deny Both for Allow Outbound (or Allow Both depending on your need).
To input IPs, click on the IPv4 Custom list "+" icon.
Also take time to read again my last posts as I refined the answers as we speak.
I meant I'm looking for a tutorial link on how to create these IPv4 Custom IP White lists. This was not included in the initial pfblocker tutorial that I followed (below).
Also, I did not create any Deny Tables. I simply followed the tutorial below. And now integrating this thread's information into that setup.
I followed the tutorial below for setting up pfBlocker:
https://forum.pfsense.org/index.php?topic=102470.msg572943#msg572943
Any help or links or information you can relay would be greatly appreciated.
-
That one was for DNSBL (Domain Name).
Start with the first pages of each of these threads:
pfBlockerNG
pfBlockerNG v2.0 w/DNSBL
pfBlockerNG v2.1 w/TLD
And over time ;) why not read all of the pages.
-
Thanks. Worst case scenario, I use Zimbra and SpamAssassin.
I've been trying to use pfBlocker for a while now and there's just too much information out there separated into different places.
Some people feel a firewall should be used for just that.
While a spam filter (on a mail server) might be better or just as good.
Right now, I am seeing why the latter feels the way they do.
-
It's an Open Source package.
BBCan177 spent most of their time developing it. With time, new features are added and are included in the package. 8)
I contribute by answering in the forum and testing the new versions with other testers.
But no one currently contributes to documenting the package, making tutorials, etc. :(
-
I completely get that.
I am a huge proponent of open source.
But my email is my life blood.
Various emails have been blocked for a couple days now and I have no idea of knowing, concretely, how to allow or whitelist them.
I thought .domains works.
Then I was told, by you, that IP address whitelisting works but now that requires a whole other learning curve. And this is all hit and miss.
Like I said, I was doing this because pfsense rocks… but pfblocker has been giving me issues since before this version.
It's working but blocking legitimate email servers (newegg, facebook, amazon, etc).
These are not unknown domains.
So I am thinking SpamAssassin might be more adept at resolving this issue as it will be just on the mail server. But maybe I am wrong.
-
Hey Reason,
I sent you a PM… I think you're mixing up IP Blocking with Domain Blocking... It's best to start with IP Blocking as that is what will best protect your Mail Server from Inbound Spam. I also sent you a link to add some DNSRBLs to Zimbra as it uses Postfix... I would highly recommend Spamhaus Zen at a minimum to knock down 90% of the Inbound Spam right off the bat...
Once you have the IP Blocking configured and tuned, then you can move to DNSBL Domain blocking... But DNSBL is more for Outbound Malicious Domain and ADvert Blocking for Browsers...
Once you get the package configured, you will see the difference... Security is like an Onion, needs several layers to make it effective...
-
Oops :o I forgot to mention that BBCan177 is also answering in the forum ::)
-
There is a pfSense Hangout that I did that provides a decent overview for the package… It's available for all pfSense Gold Subscribers. Check it out if you can!
https://www.pfsense.org/videos/#165034947
-
Hey BBCan,
Just got your message and responded.
Thanks again for reaching out. I will look at implementing those Mailserver tweaks and get back to you!
-
Here are more DNSBL Feeds that can be used in pfBlockerNG.
(Copy and paste URLs as plain text)
- Create a new alias for these.
These are not necessarily ADvert domains. So I named mine "Malicious"
hpHosts
http://hosts-file.net/download/hosts.zip
SWC
http://someonewhocares.org/hosts/hosts
spam404
https://spam404bl.com/blacklist.txt
https://raw.githubusercontent.com/Dawsey21/Lists/master/main-blacklist.txt
malc0de
https://malc0de.com/bl/BOOT
MDS (use 'Flex' state)
https://mirror1.malwaredomains.com/files/justdomains
MVPS
http://winhelp2002.mvps.org/hosts.txt
MDL
http://www.malwaredomainlist.com/hostslist/hosts.txt
GJTech
http://adblock.gjtech.net/?format=unix-hosts
dShield_SD (They also have a conservative list available)
https://www.dshield.org/feeds/suspiciousdomains_High.txt
Zeus
https://zeustracker.abuse.ch/blocklist.php?download=domainblocklist
- These two feeds post full URLs, so there can be some more false positives.
Create a new Alias, and use Alexa as a recommendation.
PhishTank
https://data.phishtank.com/data/online-valid.csv.bz2
OpenPhish
https://www.openphish.com/feed.txt
MPatrol (You need to register - Free or Paid subscription. Use Danguardian feed)
https://lists.malwarepatrol.net
- This is a feed that I manage (as time permits)
MS_2
https://gist.githubusercontent.com/BBcan177/4a8bf37c131be4803cb2/raw
- Use this in its own Alias:
BBC_DGA (This is a large feed of DGA for the likes of Cryptolocker et al…)
http://osint.bambenekconsulting.com/feeds/dga-feed.gz
BBC_C2
http://osint.bambenekconsulting.com/feeds/c2-dommasterlist.txt
- Use this feed in its own alias as it is updated more frequently.
So you can update it more often than once per day.
hpHosts_partial
http://hosts-file.net/hphosts-partial.asp
If users find other feeds, please post back so that others may benefit also.
It's also important to donate to the feeds provider (IP and/or Domain) as they all need support.
BBCan,
When you say "create a new alias…" do you mean under DNSBL Feeds or Firewall Aliases?
- Create a new alias for these.