Netgate Discussion Forum

Monster pfBlockerNG import script pfBlockerNG_import_gravity.php 224 lists

    tonymorella
    last edited by Oct 3, 2016, 4:55 AM Sep 18, 2016, 6:59 AM

    pfBlockerNG_import_gravity.php Copyright (C) 2016 gravity@demarctech.com All rights reserved.
    URL and header data pulled from the firehol project file update-ipsets.in https://github.com/firehol/firehol
    Original pfBlockerng_import.php script pfBlockerNG Copyright (C) 2014 BBcan177@gmail.com All rights reserved.

    Total 224: 36 Organisations, the rest block lists for Ads, Abuse, Reputation, SPAM/Bots/PHP, TOR, Anonymizers and bogons
    Notes: Includes all the lists from the original script

    1. ssh into the pfSense console
    2. Type 8 to get to the shell
    3. Paste
    ```
    curl https://raw.githubusercontent.com/tonymorella/pfsense_scipts/master/pfBlockerNG_import_gravity.php > pfBlockerNG_import_gravity.php
    ```
    4. Paste
    ```
    php -f ./pfBlockerNG_import_gravity.php
    ```

    5. Press Return
    6. Will return pfBlockerNG Alias List Import Completed
    7. Exit pfSense console
    8. Select Firewall>pfBlockerNG>IPv4
    9. Enable Level_1 and Level_2 to have the least amount of false positives, select Deny_Outbound action with update time of 1 hour
    10. Enable Attacks and Malware, but expect to have false positives and update white lists, select Deny_Outbound action with update time of 8 hours.
    11. Enable Ads if you want to block ads, select Deny_Outbound action with update time of EveryDay

    Enjoy :)

    Tony

    10/3/2016 UPDATE: Moved a bunch of lists into Level 1, primarily used to block bad IPs outbound, i.e. browsers.

      pfcode
      last edited by Sep 18, 2016, 3:33 PM

      Appreciated, is it only for firehol or is it for firehol + original ones from BBcan177? Since I have original ones installed, don't want to be screwed. Thanks.

      Release: pfSense 2.4.3(amd64)
      M/B: Supermicro A1SRi-2558F
      HDD: Intel X25-M 160G
      RAM: 2x8Gb Kingston ECC ValueRAM
      AP: Netgear R7000 (XWRT), Unifi AC Pro

        tonymorella
        last edited by Sep 18, 2016, 6:40 PM

        It includes the ones from the original, but under different alias and header names so it will not overwrite

        Tony

          pfcode
          last edited by Sep 18, 2016, 9:54 PM

          @tonymorella:

          It includes the ones from the original, but under different alias and header names so it will not overwrite

          Tony

          Thanks, is it possible to just import the firehol ones?

          Release: pfSense 2.4.3(amd64)
          M/B: Supermicro A1SRi-2558F
          HDD: Intel X25-M 160G
          RAM: 2x8Gb Kingston ECC ValueRAM
          AP: Netgear R7000 (XWRT), Unifi AC Pro

            tonymorella
            last edited by Sep 18, 2016, 10:01 PM

            @pfcode:

            @tonymorella:

            It includes the ones from the original, but under different alias and header names so it will not overwrite

            Tony

            Thanks, is it possible to just import the firehol ones?

            Could just do the import and turn off the ones you don't want; the aliases are disabled so they will not run until you set them to. Or modify the script before doing the import and delete the ones you don't need.

              n3by
              last edited by Sep 19, 2016, 7:43 AM

              Parse error: syntax error, unexpected 'infolists' (T_STRING), expecting ')' in /usr/local/www/pfBlockerNG_import_gravity.php on line 563
              
              

              … and more

                djjerdog
                last edited by Sep 20, 2016, 9:53 PM

                @n3by:

                Parse error: syntax error, unexpected 'infolists' (T_STRING), expecting ')' in /usr/local/www/pfBlockerNG_import_gravity.php on line 563
                
                

                … and more

                Same error here :/

                  tonymorella
                  last edited by Sep 20, 2016, 10:21 PM

                  @djjerdog:

                  @n3by:

                  Parse error: syntax error, unexpected 'infolists' (T_STRING), expecting ')' in /usr/local/www/pfBlockerNG_import_gravity.php on line 563
                  
                  

                  … and more

                  Same error here :/

                  Crud sorry about that typo on line 563

                  ```
                  "description"    => "Malware Expect false positives white lists will need to be created",",
                  ```

                  Change to

                  ```
                  "description"    => "Malware Expect false positives white lists will need to be created",
                  ```

                  Also update file on GitHub

                    n3by
                    last edited by Sep 21, 2016, 6:08 AM

                    also change this:

                    line 680

                    ```
                                        "header"     => "trustedsec_atif"),
                    ```

                    ->

                    ```
                                        "header"     => "trustedsec_atif")),
                    ```

                    and
                    line 1020

                    ```
                                "custom_update"      => "disabled")
                    ```

                    ->

                    ```
                                "custom_update"      => "disabled"),
                    ```
                      javcasta
                      last edited by Sep 21, 2016, 1:58 PM Sep 21, 2016, 1:21 PM

                      Hello.

                      Very good tool for pfBlockerNG :)

                      This is my debugged script that works for me (zip file attached, or on my website: http://www.javcasta.com/?smd_process_download=1&download_id=33310 )

                      Regards.

                      pfBlockerNG_import_gravity.php.zip

                      Javier Castañón
                      Communications, support and systems technician.

                      My website: https://javcasta.com/

                      Scripting/pfSense support: https://javcasta.com/soporte/

                        tonymorella
                        last edited by Sep 21, 2016, 2:12 PM

                        @n3by:

                        also change this:

                        line 680

                        ```
                                            "header"     => "trustedsec_atif"),
                        ```

                        ->

                        ```
                                            "header"     => "trustedsec_atif")),
                        ```

                        and
                        line 1020

                        ```
                                    "custom_update"      => "disabled")
                        ```

                        ->

                        ```
                                    "custom_update"      => "disabled"),
                        ```

                        Thanks for the review, changes updated on GitHub. This is what happens when you're up 24 hours straight :)

                          iplost
                          last edited by Sep 21, 2016, 2:33 PM

                          OK, thanks for the update on GitHub.

                          One detail: wget is not included by default in pfSense 2.3.2. Another way to download the script:

                          ```
                          curl https://raw.githubusercontent.com/tonymorella/pfsense_scipts/master/pfBlockerNG_import_gravity.php > pfBlockerNG_import_gravity.php
                          ```
                            pfcode
                            last edited by Oct 12, 2016, 8:35 PM

                            Some of the lists blocked other lists, e.g. Malware[ransomware_feed] blocks Spam_Bots_PHP[lashback_ubl], Attacks[gofferje_sip] blocks Attacks[blueliv_crimeserver_online, blueliv_crimeserver_recent]. Total confusion. Also, can't get access from "https://freeapi.blueliv.com"

                            Release: pfSense 2.4.3(amd64)
                            M/B: Supermicro A1SRi-2558F
                            HDD: Intel X25-M 160G
                            RAM: 2x8Gb Kingston ECC ValueRAM
                            AP: Netgear R7000 (XWRT), Unifi AC Pro

                              tonymorella
                              last edited by Oct 13, 2016, 4:30 AM

                              @pfcode:

                              Some of the lists blocked other lists, e.g. Malware[ransomware_feed] blocks Spam_Bots_PHP[lashback_ubl], Attacks[gofferje_sip] blocks Attacks[blueliv_crimeserver_online, blueliv_crimeserver_recent]. Total confusion. Also, can't get access from "https://freeapi.blueliv.com"

                              Good point, by default I added all the URLs to a custom allow list so they cannot block each other :) Also you need to create an account to access the blueliv.com API

                                pfcode
                                last edited by Oct 15, 2016, 2:48 PM

                                @tonymorella:

                                @pfcode:

                                Some of the lists blocked other lists, e.g. Malware[ransomware_feed] blocks Spam_Bots_PHP[lashback_ubl], Attacks[gofferje_sip] blocks Attacks[blueliv_crimeserver_online, blueliv_crimeserver_recent]. Total confusion. Also, can't get access from "https://freeapi.blueliv.com"

                                Good point, by default I added all the URLs to a custom allow list so they cannot block each other :) Also you need to create an account to access the blueliv.com API

                                Added 88.198.202.51 (blueliv.com) into the pfBlockerNG suppress list, but it was still blocked by gofferje. What am I missing?

                                Release: pfSense 2.4.3(amd64)
                                M/B: Supermicro A1SRi-2558F
                                HDD: Intel X25-M 160G
                                RAM: 2x8Gb Kingston ECC ValueRAM
                                AP: Netgear R7000 (XWRT), Unifi AC Pro

                                  BBcan177 Moderator
                                  last edited by Oct 15, 2016, 6:42 PM

                                  @pfcode:

                                  Also, can't get access from "https://freeapi.blueliv.com"

                                  Added 88.198.202.51 (blueliv.com) into the pfBlockerNG suppress list, but it was still blocked by gofferje. What am I missing?

                                  I haven't used blueliv, but you're not checking the correct domain name…

                                  ping freeapi.blueliv.com

                                  PING f01.blueliv.com (88.198.51.46): 56 data bytes

                                  "Experience is something you don't get until just after you need it."

                                  Website: http://pfBlockerNG.com
                                  Twitter: @BBcan177  #pfBlockerNG
                                  Reddit: https://www.reddit.com/r/pfBlockerNG/new/
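
The mismatch pointed out in this reply, worked through as an added example (not code from the thread or from pfBlockerNG): it reports which block-list entries cover the address a feed host actually resolves to, and whether a given allow entry clears it. The list contents, `feeds.example.net` and the function names are constructed for illustration, and the allow check is a simplified model, not pfBlockerNG's own suppression logic.

```python
import ipaddress

# Constructed sample data. The list names come from the thread; the entries
# are illustrative and are NOT the real contents of those feeds.
BLOCK_LISTS = {
    "gofferje_sip": "# constructed sample\n88.198.51.0/24\n203.0.113.7\n",
    "ransomware_feed": "198.51.100.20 ; constructed\nnot-an-ip\n",
}
# Feed download hosts and the address each resolves to. The first pair is the
# ping result quoted in the thread; the second host is hypothetical.
FEED_HOSTS = {
    "freeapi.blueliv.com": "88.198.51.46",
    "feeds.example.net": "198.51.100.20",
}

def parse_entries(text):
    """Parse list text into networks, skipping comments and malformed lines."""
    nets = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        try:
            nets.append(ipaddress.ip_network(line, strict=False))
        except ValueError:
            continue  # blank, comment-only or malformed line: skip it
    return nets

def find_blockers(feed_hosts, block_lists):
    """Map each feed host to the (list, entry) pairs that cover its address."""
    hits = {}
    for host, addr in feed_hosts.items():
        ip = ipaddress.ip_address(addr)
        for name, text in block_lists.items():
            for net in parse_entries(text):
                if ip in net:
                    hits.setdefault(host, []).append((name, str(net)))
    return hits

def still_blocked(feed_hosts, block_lists, allow_entries):
    """Hosts left blocked when only the given addresses are allowed."""
    allow = parse_entries("\n".join(allow_entries))
    blocked = {}
    for host, matches in find_blockers(feed_hosts, block_lists).items():
        ip = ipaddress.ip_address(feed_hosts[host])
        if not any(ip in net for net in allow):
            blocked[host] = matches
    return blocked

if __name__ == "__main__":
    print(still_blocked(FEED_HOSTS, BLOCK_LISTS, ["88.198.202.51"]))
```

In this sample, allowing 88.198.202.51 leaves freeapi.blueliv.com blocked, while allowing 88.198.51.46 clears it.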

                                    pfcode
                                    last edited by Oct 15, 2016, 11:47 PM

                                    @BBcan177:

                                    @pfcode:

                                    Also, can't get access from "https://freeapi.blueliv.com"

                                    Added 88.198.202.51 (blueliv.com) into the pfBlockerNG suppress list, but it was still blocked by gofferje. What am I missing?

                                    I haven't used blueliv, but you're not checking the correct domain name…

                                    ping freeapi.blueliv.com

                                    PING f01.blueliv.com (88.198.51.46): 56 data bytes

                                    Hi,

                                    If I manually add the IP in the suppress list and apply the changes, should I do an update or force reload?

                                    Release: pfSense 2.4.3(amd64)
                                    M/B: Supermicro A1SRi-2558F
                                    HDD: Intel X25-M 160G
                                    RAM: 2x8Gb Kingston ECC ValueRAM
                                    AP: Netgear R7000 (XWRT), Unifi AC Pro

                                      johnabbot
                                      last edited by Oct 16, 2016, 7:17 AM

                                      I think you should put a warning about false positives on the bots and organisations ones. I had to delete them.

                                        tonymorella
                                        last edited by Oct 16, 2016, 6:46 PM

                                        @johnabbot:

                                        I think you should put a warning about false positives on the bots and organisations ones. I had to delete them.

                                        Sure why not :)  I used Organisations for allow rules not block, did you notice issues with this one??

                                          johnabbot
                                          last edited by Oct 18, 2016, 4:25 AM

                                          blocking emails to/from me.com from a local mail server I think it was.

                                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.