Forcing pfBlocker DNSBL to Reject the Connection



  • Does pfBlocker have a way of forcing blocked connections to be rejected?

    DNSBL contains the following entry.

    local-data: "a.admob.com 60 IN A 192.168.111.1"

    I entered the following into a browser several times,

    http://a.admob.com/
    https://a.admob.com/

    and did a pcap. (Attached if anybody wants to see it.)

    Since there is no reply, the browser hangs until the connection times out.

    If this was a part of a web page, (I believe) that page could block, and the browser may become unresponsive (especially if there were a lot of blocked entries).

    Am I missing a setting somewhere?  Is this the way pfBlocker is supposed to work?

    pfBlockerNG_DNSBL.pcap


  • Moderator

    The DNSBL Web Server is used to send a 1x1 pixel to the browser to stop the DNS request.

    Check your desktop DNS settings, and make sure they are only pointing to the pfSense Resolver IP address. If you have a multi-segmented LAN network, make sure to use the "DNSBL allow firewall rule" option in the DNSBL Tab, to allow those other subnets access to the VIP address.

    Make sure you can ping and browse to the DNSBL VIP (should get the 1x1 pixel); without that connectivity working properly, you will see those timeouts.

    Also ensure that the DNSBL VIP address is in a different subnet than your LAN networks….



  • The DNS server is resolving properly, I can ping it:

    $ dig a.admob.com

    ; <<>> DiG 9.10.3-P4-Ubuntu <<>> a.admob.com
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 50781
    ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 4096
    ;; QUESTION SECTION:
    ;a.admob.com.                  IN      A

    ;; ANSWER SECTION:
    a.admob.com.            60      IN      A      192.168.111.1

    ;; Query time: 0 msec
    ;; SERVER: 192.168.1.1#53(192.168.1.1)
    ;; WHEN: Fri Jan 20 04:33:45 EST 2017
    ;; MSG SIZE  rcvd: 56

    $ ping 192.168.111.1
    PING 192.168.111.1 (192.168.111.1) 56(84) bytes of data.
    64 bytes from 192.168.111.1: icmp_seq=1 ttl=64 time=0.246 ms
    64 bytes from 192.168.111.1: icmp_seq=2 ttl=64 time=0.267 ms
    64 bytes from 192.168.111.1: icmp_seq=3 ttl=64 time=0.279 ms

    but:

    http://a.admob.com/

    and

    https://a.admob.com/

    and

    $ wget http://192.168.111.1
    --2017-01-20 04:45:51--  http://192.168.111.1/
    Connecting to 192.168.111.1:80...

    All hang.

    Port Forward contains the following rules:
    LAN TCP * * 192.168.111.1 80 (HTTP) 127.0.0.1 8081 pfB DNSBL - DO NOT EDIT
    LAN TCP * * 192.168.111.1 443 (HTTPS) 127.0.0.1 8443 pfB DNSBL - DO NOT EDIT

    Any suggestions on how to get the DNSBL web server working?


  • Moderator

    In the Services menu, is the DNSBL server listed as "running"?

    You can check to see if Lighttpd is running:

    ps aux | grep pfb_dnsbl_lighty
    root    69946   0.0  0.1  40260   5664  -  S    12:13PM     0:01.63 /usr/local/sbin/lighttpd_pfb -f /var/unbound/pfb_dnsbl_lighty.conf
    

    Check to see if the webserver ports are listening on (8081 and 8443):

    sockstat -4
    

    and try to manually restart the DNSBL service, and see if it reports any errors:

    /usr/local/etc/rc.d/dnsbl.sh restart
    

    Otherwise, check your other Firewall rules and NAT entries to see if something else is colliding…



  • Thanks for the update, the problem is a firewall issue… I'll put the TL;DR at the top, and all the background below in case it's needed for some reason.  (might help someone like me who is new to this stuff)

    From the shell Filter Logs output... both ports are being blocked:
    Rule: 1000000103,em1,match,block Port: 8081 - mss;sackOK;TS;nop;wscale
    Rule: 1000000103,em1,match,block Port: 8443 - mss;sackOK;TS;nop;wscale

    Here's the offending rule... but I don't know what to do since this rule is high up in the chain above where the GUI can have influence.
    @5(1000000103) block drop in log inet all label "Default deny rule IPv4"
      [ Evaluations: 813      Packets: 81        Bytes: 7740        States: 0    ]
      [ Inserted: pid 55703 State Creations: 0    ]

    How can I work around this issue since this rule isn't one that I put in?

    Initial Checks - Server running / Restarted / Ports listening

    
    Diagnostics / Status / Services
    Shows: dnsbl 	pfBlockerNG DNSBL Web Server as Running
    
    # ps aux | grep pfb_dnsbl_lighty
    root    36686   0.0  0.1  40260   5600  -  S     5:02AM     0:00.52 /usr/local/sbin/lighttpd_pfb -f /var/unbound/pfb_dnsbl_lighty.conf
    
    # sockstat -4
    USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS      
    root     lighttpd_p 36686 5  tcp4   *:8081                *:*
    root     lighttpd_p 36686 6  tcp4   *:8443                *:*
    
    After service stopped and restarted
    
    # sockstat -4
    USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS      
    root     lighttpd_p 22249 5  tcp4   *:8081                *:*
    root     lighttpd_p 22249 6  tcp4   *:8443                *:*
    
    

    Raw output from Shell Menu 10) Filter Logs:

    Jan 20 13:17:14 guardian filterlog: 5,16777216,,1000000103,em1,match,block,in,4,0x0,,64,58770,0,DF,6,tcp,60,192.168.1.10,127.0.0.1,45948,8081,0,S,3847975149,,29200,,mss;sackOK;TS;nop;wscale
    Jan 20 13:17:14 guardian filterlog: 5,16777216,,1000000103,em1,match,block,in,4,0x0,,64,53302,0,DF,6,tcp,60,192.168.1.10,127.0.0.1,45950,8081,0,S,1577797007,,29200,,mss;sackOK;TS;nop;wscale
    Jan 20 13:17:18 guardian filterlog: 5,16777216,,1000000103,em1,match,block,in,4,0x0,,64,58771,0,DF,6,tcp,60,192.168.1.10,127.0.0.1,45948,8081,0,S,3847975149,,29200,,mss;sackOK;TS;nop;wscale
    Jan 20 13:17:18 guardian filterlog: 5,16777216,,1000000103,em1,match,block,in,4,0x0,,64,53303,0,DF,6,tcp,60,192.168.1.10,127.0.0.1,45950,8081,0,S,1577797007,,29200,,mss;sackOK;TS;nop;wscale

    Jan 20 13:22:19 guardian filterlog: 5,16777216,,1000000103,em1,match,block,in,4,0x0,,64,12996,0,DF,6,tcp,60,192.168.1.10,127.0.0.1,50754,8443,0,S,704351713,,29200,,mss;sackOK;TS;nop;wscale
    Jan 20 13:22:19 guardian filterlog: 5,16777216,,1000000103,em1,match,block,in,4,0x0,,64,27119,0,DF,6,tcp,60,192.168.1.10,127.0.0.1,50758,8443,0,S,2252854924,,29200,,mss;sackOK;TS;nop;wscale
    Jan 20 13:22:23 guardian filterlog: 5,16777216,,1000000103,em1,match,block,in,4,0x0,,64,12997,0,DF,6,tcp,60,192.168.1.10,127.0.0.1,50754,8443,0,S,704351713,,29200,,mss;sackOK;TS;nop;wscale
    Jan 20 13:22:23 guardian filterlog: 5,16777216,,1000000103,em1,match,block,in,4,0x0,,64,27120,0,DF,6,tcp,60,192.168.1.10,127.0.0.1,50758,8443,0,S,2252854924,,29200,,mss;sackOK;TS;nop;wscale

    
    **Output from: pfctl -vvsr (Edited to remove some of the noise/confidential info)**
    
    @@0(0) scrub on em0 all fragment reassemble
      [ Evaluations: 154347    Packets: 14254     Bytes: 1197540     States: 0     ]
      [ Inserted: pid 55703 State Creations: 0     ]
    @1(0) scrub on em1 all fragment reassemble
      [ Evaluations: 140097    Packets: 14476     Bytes: 2440715     States: 0     ]
      [ Inserted: pid 55703 State Creations: 0     ]
    @0(0) anchor "relayd/*" all
      [ Evaluations: 1617      Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: pid 55703 State Creations: 0     ]
    @1(0) anchor "openvpn/*" all
      [ Evaluations: 1616      Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: pid 55703 State Creations: 0     ]
    @2(0) anchor "ipsec/*" all
      [ Evaluations: 1617      Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: pid 55703 State Creations: 0     ]
    @3(1000000101) block drop in log quick inet from 169.254.0.0/16 to any label "Block IPv4 link-local"
      [ Evaluations: 1678      Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: pid 55703 State Creations: 0     ]
    @4(1000000102) block drop in log quick inet from any to 169.254.0.0/16 label "Block IPv4 link-local"
      [ Evaluations: 813       Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: pid 55703 State Creations: 0     ]
    @5(1000000103) block drop in log inet all label "Default deny rule IPv4"
      [ Evaluations: 813       Packets: 81        Bytes: 7740        States: 0     ]
      [ Inserted: pid 55703 State Creations: 0     ]
    @6(1000000104) block drop out log inet all label "Default deny rule IPv4"
      [ Evaluations: 1653      Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: pid 55703 State Creations: 0     ]
    @7(1000000105) block drop in log inet6 all label "Default deny rule IPv6"
      [ Evaluations: 1678      Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: pid 55703 State Creations: 0     ]
    @8(1000000106) block drop out log inet6 all label "Default deny rule IPv6"
      [ Evaluations: 867       Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: pid 55703 State Creations: 0     ]
    ----------------------------------------
    @50(1000000301) block drop in log quick proto tcp from <sshlockout:0> to (self:8) port = ssh label "sshlockout"
      [ Evaluations: 1677      Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: pid 55703 State Creations: 0     ]
    @51(1000000351) block drop in log quick proto tcp from <webconfiguratorlockout:0> to (self:8) port = http label "webConfiguratorlockout"
      [ Evaluations: 57        Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: pid 55703 State Creations: 0     ]
    @52(1000000400) block drop in log quick from <virusprot:0> to any label "virusprot overload table"
      [ Evaluations: 858       Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: pid 55703 State Creations: 0     ]
    @53(11000) block drop in quick on em0 from <bogons:3757> to any label "block bogon IPv4 networks from WAN"
      [ Evaluations: 858       Packets: 3         Bytes: 924         States: 0     ]
      [ Inserted: pid 55703 State Creations: 0     ]
    @54(11000) block drop in quick on em0 from <bogonsv6:79548> to any label "block bogon IPv6 networks from WAN"
      [ Evaluations: 91        Packets: 16        Bytes: 1216        States: 0     ]
      [ Inserted: pid 55703 State Creations: 0     ]
    @55(1000001570) block drop in log on ! em0 inet from 192.168.0.0/24 to any
      [ Evaluations: 818       Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: pid 55703 State Creations: 0     ]
    @56(1000001570) block drop in log inet from 192.168.0.15 to any
      [ Evaluations: 810       Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: pid 55703 State Creations: 0     ]
    @57(1000001570) block drop in log on em0 inet6 from fe80::228:1aff:fee0:1004 to any
      [ Evaluations: 818       Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: pid 55703 State Creations: 0     ]
    @58(1000001591) pass in log on em0 proto udp from any port = bootps to any port = bootpc keep state label "allow dhcp client out WAN"
      [ Evaluations: 44        Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: pid 55703 State Creations: 0     ]
    @59(1000001592) pass out log on em0 proto udp from any port = bootpc to any port = bootps keep state label "allow dhcp client out WAN"
      [ Evaluations: 851       Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: pid 55703 State Creations: 0     ]
    @60(1000002620) block drop in log on ! em1 inet from 192.168.1.0/24 to any
      [ Evaluations: 1657      Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: pid 55703 State Creations: 0     ]
    ----------------------------------------
    @61(1000002620) block drop in log on ! em1 inet from 192.168.111.1 to any
      [ Evaluations: 264       Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: pid 55703 State Creations: 0     ]
    ----------------------------------------
    @62(1000002620) block drop in log inet from 192.168.1.1 to any
      [ Evaluations: 868       Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: pid 55703 State Creations: 0     ]
    ----------------------------------------
    @63(1000002620) block drop in log inet from 192.168.111.1 to any
      [ Evaluations: 860       Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: pid 55703 State Creations: 0     ]
    ----------------------------------------
    @68(1000002661) pass in log on lo0 inet all flags S/SA keep state label "pass IPv4 loopback"
      [ Evaluations: 1649      Packets: 2113      Bytes: 323093      States: 16    ]
      [ Inserted: pid 55703 State Creations: 160   ]
    @69(1000002662) pass out log on lo0 inet all flags S/SA keep state label "pass IPv4 loopback"
      [ Evaluations: 338       Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: pid 55703 State Creations: 0     ]
    @70(1000002663) pass in log on lo0 inet6 all flags S/SA keep state label "pass IPv6 loopback"
      [ Evaluations: 346       Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: pid 55703 State Creations: 0     ]
    @71(1000002664) pass out log on lo0 inet6 all flags S/SA keep state label "pass IPv6 loopback"
      [ Evaluations: 168       Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: pid 55703 State Creations: 0     ]
    @72(1000002665) pass out log inet all flags S/SA keep state allow-opts label "let out anything IPv4 from firewall host itself"
      [ Evaluations: 1657      Packets: 2113      Bytes: 323093      States: 16    ]
      [ Inserted: pid 55703 State Creations: 160   ]
    @73(1000002666) pass out log inet6 all flags S/SA keep state allow-opts label "let out anything IPv6 from firewall host itself"
      [ Evaluations: 839       Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: pid 55703 State Creations: 0     ]
    @74(1000002761) pass out log route-to (em0 192.168.0.1) inet from 192.168.0.15 to ! 192.168.0.0/24 flags S/SA keep state allow-opts label "let out anything from firewall host itself"
      [ Evaluations: 839       Packets: 3418      Bytes: 1432738     States: 73    ]
      [ Inserted: pid 55703 State Creations: 634   ]
    @75(10000) pass in log quick on em1 proto tcp from any to (em1:3) port = http flags S/SA keep state label "anti-lockout rule"
      [ Evaluations: 1709      Packets: 2275      Bytes: 770250      States: 10    ]
      [ Inserted: pid 55703 State Creations: 13    ]
    @76(10000) pass in log quick on em1 proto tcp from any to (em1:3) port = ssh flags S/SA keep state label "anti-lockout rule"
      [ Evaluations: 117       Packets: 4107      Bytes: 1578034     States: 2     ]
      [ Inserted: pid 55703 State Creations: 5     ]
    @77(0) anchor "userrules/*" all
      [ Evaluations: 1580      Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: pid 55703 State Creations: 0     ]
    ----------------------------------------
    @78(1770002729) pass quick on em1 inet from any to 192.168.111.1 flags S/SA keep state label "USER_RULE: pfB_DNSBL_Allow_access_to_VIP"
      [ Evaluations: 1691      Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: pid 55703 State Creations: 0     ]
    ----------------------------------------
    @79(1770008293) block return log quick on em1 inet from any to <pfb_dnsblip:46> label "USER_RULE: pfB_DNSBLIP AR"
      [ Evaluations: 581       Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: pid 55703 State Creations: 0     ]
    @80(1770008377) block return log quick on em1 inet from any to <pfb_ethreats:3223> label "USER_RULE: pfB_ETHREATS AR"
      [ Evaluations: 581       Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: pid 55703 State Creations: 0     ]
    @81(1770008328) block return log quick on em1 inet from any to <pfb_rw_ipbl:10627> label "USER_RULE: pfB_RW_IPBL AR"
      [ Evaluations: 581       Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: pid 55703 State Creations: 0     ]
    @82(1770008734) block return log quick on em1 inet from any to <pfb_sh_ipv4:60> label "USER_RULE: pfB_SH_IPv4 AR"
      [ Evaluations: 581       Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: pid 55703 State Creations: 0     ]
    @83(1770008690) block return log quick on em1 inet from any to <pfb_level_1:167115> label "USER_RULE: pfB_Level_1 AR"
      [ Evaluations: 581       Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: pid 55703 State Creations: 0     ]
    @84(1770008714) block return log quick on em1 inet from any to <pfb_level_2:137> label "USER_RULE: pfB_Level_2 AR"
      [ Evaluations: 581       Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: pid 55703 State Creations: 0     ]
    @85(1469301982) block drop quick on em0 inet6 all label "USER_RULE: Keep IPv6 Noise Out of The Logs"
      [ Evaluations: 1691      Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: pid 55703 State Creations: 0     ]
    @86(1469301982) block drop quick on em1 inet6 all label "USER_RULE: Keep IPv6 Noise Out of The Logs"
      [ Evaluations: 1015      Packets: 8         Bytes: 512         States: 0     ]
      [ Inserted: pid 55703 State Creations: 0     ]
    @87(1469300765) block drop in quick on em0 inet6 all label "USER_RULE: Noise Block IPv6_WAN-Keeps Log Clean"
      [ Evaluations: 356       Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: pid 55703 State Creations: 0     ]
    @88(0) block drop in quick on em0 inet6 from <easyruleblockhostswan:2> to any label "USER_RULE: Easy Rule: Blocked from Firewall Log View"
      [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: pid 55703 State Creations: 0     ]
    @89(1483770230) block drop in quick on em1 inet6 all label "USER_RULE: Noise Block IPv6_LAN-Keeps Log Clean"
      [ Evaluations: 356       Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: pid 55703 State Creations: 0     ]
    ----------------------------------------
    @98(1469733859) pass in quick on em1 inet proto tcp from 192.168.111.1 to 192.168.1.1 port = 3000 flags S/SA keep state label "USER_RULE: Allow NTOPNG"
      [ Evaluations: 3         Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: pid 55703 State Creations: 0     ]
    ----------------------------------------
    @99(1468341693) pass in log quick on em1 inet proto tcp from any to 192.168.1.1 port = domain flags S/SA keep state label "USER_RULE: Allow pfSense to handle DNS requests"
      [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: pid 55703 State Creations: 0     ]
    @100(1468341693) pass in log quick on em1 inet proto udp from any to 192.168.1.1 port = domain keep state label "USER_RULE: Allow pfSense to handle DNS requests"
      [ Evaluations: 544       Packets: 1062      Bytes: 72729       States: 124   ]
      [ Inserted: pid 55703 State Creations: 532   ]
    @101(1468981713) pass in log quick on em1 inet proto tcp from 192.168.1.0/24 to any port = http flags S/SA keep state label "USER_RULE: Web Traffic"
      [ Evaluations: 47        Packets: 27        Bytes: 21493       States: 1     ]
      [ Inserted: pid 55703 State Creations: 1     ]
    @102(1468981713) pass in log quick on em1 inet proto tcp from 192.168.1.0/24 to any port = https flags S/SA keep state label "USER_RULE: Web Traffic"
      [ Evaluations: 34        Packets: 375       Bytes: 94278       States: 2     ]
      [ Inserted: pid 55703 State Creations: 8     ]
    ----------------------------------------
    @103(1468981713) pass in log quick on em1 inet proto tcp from 192.168.111.1 to any port = http flags S/SA keep state label "USER_RULE: Web Traffic"
      [ Evaluations: 26        Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: pid 55703 State Creations: 0     ]
    @104(1468981713) pass in log quick on em1 inet proto tcp from 192.168.111.1 to any port = https flags S/SA keep state label "USER_RULE: Web Traffic"
      [ Evaluations: 1         Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: pid 55703 State Creations: 0     ]
    ----------------------------------------
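The diagnosis in the last post comes from reading two outputs by hand: the filterlog lines (which carry the rule number, tracker id, action, and the post-redirect destination 127.0.0.1:8081/8443) and the `pfctl -vvsr` rule list (which carries the label and packet counters for each rule number). The script below is an added example, not part of this thread and not pfBlockerNG or pfSense code; it automates that cross-reference. It assumes the pfSense filterlog CSV layout for IPv4 TCP/UDP entries (IPv6 lines are skipped), and the sample log lines and rule stats embedded in it are constructed from the output quoted above, not live captures.

```python
"""Cross-reference pfSense filterlog lines with `pfctl -vvsr` rule stats.

Added example (not from the thread). Field layout assumed: the pfSense
filterlog CSV format for IPv4 TCP/UDP; IPv6 entries are skipped.
"""
import re
from collections import Counter

# Constructed sample modelled on the thread's output: two blocked SYNs to the
# DNSBL web server ports (pf sees the redirected 127.0.0.1:8081/8443), one
# passed SYN to a TEST-NET address, and one IPv6 line the parser skips.
FILTERLOG_SAMPLE = """\
Jan 20 13:17:14 guardian filterlog: 5,16777216,,1000000103,em1,match,block,in,4,0x0,,64,58770,0,DF,6,tcp,60,192.168.1.10,127.0.0.1,45948,8081,0,S,3847975149,,29200,,mss;sackOK;TS;nop;wscale
Jan 20 13:22:19 guardian filterlog: 5,16777216,,1000000103,em1,match,block,in,4,0x0,,64,12996,0,DF,6,tcp,60,192.168.1.10,127.0.0.1,50754,8443,0,S,704351713,,29200,,mss;sackOK;TS;nop;wscale
Jan 20 13:25:01 guardian filterlog: 101,1468981713,,1468981713,em1,match,pass,in,4,0x0,,64,4242,0,DF,6,tcp,60,192.168.1.10,198.51.100.7,51000,80,0,S,1,,29200,,mss
Jan 20 13:26:30 guardian filterlog: 86,1469301982,,1469301982,em1,match,block,in,6,0x00,0x00000,255,udp,17,56,fe80::1,ff02::1,5353,5353,36
"""

# Constructed excerpt of `pfctl -vvsr`, copied from the rules quoted above.
PFCTL_SAMPLE = """\
@5(1000000103) block drop in log inet all label "Default deny rule IPv4"
  [ Evaluations: 813       Packets: 81        Bytes: 7740        States: 0     ]
  [ Inserted: pid 55703 State Creations: 0     ]
@78(1770002729) pass quick on em1 inet from any to 192.168.111.1 flags S/SA keep state label "USER_RULE: pfB_DNSBL_Allow_access_to_VIP"
  [ Evaluations: 1691      Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: pid 55703 State Creations: 0     ]
@101(1468981713) pass in log quick on em1 inet proto tcp from 192.168.1.0/24 to any port = http flags S/SA keep state label "USER_RULE: Web Traffic"
  [ Evaluations: 47        Packets: 27        Bytes: 21493       States: 1     ]
  [ Inserted: pid 55703 State Creations: 1     ]
"""

_LOG_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) filterlog: (?P<csv>.*)$")
_COMMON = ["rulenum", "subrulenum", "anchor", "tracker", "iface", "reason",
           "action", "direction", "ipversion"]
_IPV4 = ["tos", "ecn", "ttl", "id", "offset", "flags", "proto", "protoname",
         "length", "src", "dst"]
_L4 = {"tcp": ["srcport", "dstport", "datalen", "tcpflags", "seq", "ack",
               "window", "urg", "options"],
       "udp": ["srcport", "dstport", "datalen"]}


def parse_filterlog_line(line):
    """Return a dict of named fields for one IPv4 filterlog line, else None."""
    m = _LOG_RE.match(line.strip())
    if not m:
        return None
    fields = m.group("csv").split(",")
    if len(fields) < len(_COMMON) + len(_IPV4) or fields[8] != "4":
        return None  # IPv6 header layout differs; not handled in this example
    protoname = fields[len(_COMMON) + _IPV4.index("protoname")]
    names = _COMMON + _IPV4 + _L4.get(protoname, [])
    rec = dict(zip(names, fields))
    rec["timestamp"], rec["host"] = m.group("ts"), m.group("host")
    return rec


_RULE_RE = re.compile(r'^@(?P<num>\d+)\((?P<tracker>\d+)\) (?P<rule>.+)$')
_STATS_RE = re.compile(r'Evaluations:\s*(\d+)\s+Packets:\s*(\d+)\s+Bytes:\s*(\d+)\s+States:\s*(\d+)')
_LABEL_RE = re.compile(r'label "([^"]*)"')


def parse_pfctl_rules(text):
    """Map pf rule number (the @N index) to its text, label and hit counters."""
    rules, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = _RULE_RE.match(line)
        if m:
            lm = _LABEL_RE.search(m.group("rule"))
            current = {"tracker": m.group("tracker"), "rule": m.group("rule"),
                       "label": lm.group(1) if lm else "",
                       "evaluations": 0, "packets": 0}
            rules[int(m.group("num"))] = current
            continue
        sm = _STATS_RE.search(line)
        if sm and current is not None:
            current["evaluations"], current["packets"] = int(sm.group(1)), int(sm.group(2))
    return rules


def hot_block_rules(rules):
    """Rule numbers of block rules that have matched packets: the first place
    to look when a connection hangs without a reset."""
    return sorted(n for n, r in rules.items()
                  if r["rule"].startswith("block") and r["packets"] > 0)


def blocked_to_ports(filterlog_text, rules, ports):
    """Blocked filterlog entries whose destination port is in `ports`,
    annotated with the label of the matching rule (looked up by rule number)."""
    wanted = {str(p) for p in ports}
    hits = []
    for line in filterlog_text.splitlines():
        rec = parse_filterlog_line(line)
        if rec is None or rec["action"] != "block" or rec.get("dstport") not in wanted:
            continue
        rule = rules.get(int(rec["rulenum"]), {})
        hits.append({"time": rec["timestamp"], "iface": rec["iface"], "src": rec["src"],
                     "dst": f'{rec["dst"]}:{rec["dstport"]}',
                     "rulenum": int(rec["rulenum"]), "tracker": rec["tracker"],
                     "label": rule.get("label", "?")})
    return hits


def summarize(hits):
    """Count blocked attempts per (rule label, destination address:port)."""
    return Counter((h["label"], h["dst"]) for h in hits)


if __name__ == "__main__":
    rules = parse_pfctl_rules(PFCTL_SAMPLE)
    print("block rules with hits:",
          [(n, rules[n]["label"], rules[n]["packets"]) for n in hot_block_rules(rules)])
    for (label, dst), n in summarize(blocked_to_ports(FILTERLOG_SAMPLE, rules, {8081, 8443})).items():
        print(f"{n} blocked SYN(s) to {dst} by rule {label!r}")
```

Run against real data by piping the output of Shell Menu 10) Filter Logs and `pfctl -vvsr` into the two sample variables; the rule number in field 1 of each filterlog line is the `@N` index in the pfctl listing, which is how the "Default deny rule IPv4" label is recovered for the blocked 8081/8443 SYNs.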
    
