Forcing pfBlocker DNSBL to Reject the Connection
-
Does pfBlocker have a way of forcing blocked connections to be rejected?
DNSBL contains the following entry.

```
local-data: "a.admob.com 60 IN A 192.168.111.1"
```
I entered the following into a browser several times,
http://a.admob.com/
https://a.admob.com/
and did a pcap. (Attached if anybody wants to see it.)
Since there is no reply, the browser hangs until the connection times out.
If this was a part of a web page, (I believe) that page could block, and the browser may become unresponsive (especially if there were a lot of blocked entries).
Am I missing a setting somewhere? Is this the way pfBlocker is supposed to work?
-
The DNSBL Web Server is used to send a 1x1 pixel to the browser to stop the DNS request.
Check your desktop DNS settings, and make sure they are only pointing to the pfSense Resolver IP address. If you have a multi-segmented LAN network, make sure to use the "DNSBL allow firewall rule" option in the DNSBL Tab, to allow those other subnets access to the VIP address.
Make sure you can ping and browse to the DNSBL VIP (should get the 1x1 pixel), without that connectivity working properly, you will see those timeouts.
Also ensure that the DNSBL VIP address is in a different subnet than your LAN networks….
-
The DNS server is resolving properly, I can ping it:

```
$ dig a.admob.com

; <<>> DiG 9.10.3-P4-Ubuntu <<>> a.admob.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 50781
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;a.admob.com.			IN	A

;; ANSWER SECTION:
a.admob.com.		60	IN	A	192.168.111.1

;; Query time: 0 msec
;; SERVER: 192.168.1.1#53(192.168.1.1)
;; WHEN: Fri Jan 20 04:33:45 EST 2017
;; MSG SIZE  rcvd: 56

$ ping 192.168.111.1
PING 192.168.111.1 (192.168.111.1) 56(84) bytes of data.
64 bytes from 192.168.111.1: icmp_seq=1 ttl=64 time=0.246 ms
64 bytes from 192.168.111.1: icmp_seq=2 ttl=64 time=0.267 ms
64 bytes from 192.168.111.1: icmp_seq=3 ttl=64 time=0.279 ms
```

but:
http://a.admob.com/
and
https://a.admob.com/
and

```
$ wget http://192.168.111.1
--2017-01-20 04:45:51--  http://192.168.111.1/
Connecting to 192.168.111.1:80...
```

All hang.

Port Forward contains the following rules:

```
LAN TCP * * 192.168.111.1 80 (HTTP) 127.0.0.1 8081 pfB DNSBL - DO NOT EDIT
LAN TCP * * 192.168.111.1 443 (HTTPS) 127.0.0.1 8443 pfB DNSBL - DO NOT EDIT
```

Any suggestions on how to get the DNSBL web server working?
-
In the Services menu, is the DNSBL server listed as "running"?
You can check to see if Lighttpd is running:

```
ps aux | grep pfb_dnsbl_lighty
root 69946 0.0 0.1 40260 5664 - S 12:13PM 0:01.63 /usr/local/sbin/lighttpd_pfb -f /var/unbound/pfb_dnsbl_lighty.conf
```

Check to see if the webserver ports are listening (8081 and 8443):

```
sockstat -4
```

and try to manually restart the DNSBL service, and see if it reports any errors:

```
/usr/local/etc/rc.d/dnsbl.sh restart
```
Otherwise, check your other Firewall rules and NAT entries to see if something else is colliding…
-
Thanks for the update; the problem is a firewall issue… I'll put the TL;DR at the top, and all the background below in case it's needed for some reason. (It might help someone like me who is new to this stuff.)
From the shell Filter Logs output... both ports are being blocked:

```
Rule: 1000000103,em1,match,block Port: 8081 - mss;sackOK;TS;nop;wscale
Rule: 1000000103,em1,match,block Port: 8443 - mss;sackOK;TS;nop;wscale
```

Here's the offending rule... but I don't know what to do since this rule is high up in the chain above where the GUI can have influence.

```
@5(1000000103) block drop in log inet all label "Default deny rule IPv4"
  [ Evaluations: 813 Packets: 81 Bytes: 7740 States: 0 ]
  [ Inserted: pid 55703 State Creations: 0 ]
```

How can I work around this issue since this rule isn't one that I put in?

Initial Checks - Server running / Restarted / Ports listening

Diagnostics / Status / Services shows: dnsbl pfBlockerNG DNSBL Web Server as Running

```
# ps aux | grep pfb_dnsbl_lighty
root 36686 0.0 0.1 40260 5600 - S 5:02AM 0:00.52 /usr/local/sbin/lighttpd_pfb -f /var/unbound/pfb_dnsbl_lighty.conf
# sockstat -4
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS   FOREIGN ADDRESS
root     lighttpd_p 36686 5  tcp4   *:8081          *:*
root     lighttpd_p 36686 6  tcp4   *:8443          *:*
```

After service stopped and restarted:

```
# sockstat -4
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS   FOREIGN ADDRESS
root     lighttpd_p 22249 5  tcp4   *:8081          *:*
root     lighttpd_p 22249 6  tcp4   *:8443          *:*
```
Raw output from Shell Menu 10) Filter Logs

```
Jan 20 13:17:14 guardian filterlog: 5,16777216,,1000000103,em1,match,block,in,4,0x0,,64,58770,0,DF,6,tcp,60,192.168.1.10,127.0.0.1,45948,8081,0,S,3847975149,,29200,,mss;sackOK;TS;nop;wscale
Jan 20 13:17:14 guardian filterlog: 5,16777216,,1000000103,em1,match,block,in,4,0x0,,64,53302,0,DF,6,tcp,60,192.168.1.10,127.0.0.1,45950,8081,0,S,1577797007,,29200,,mss;sackOK;TS;nop;wscale
Jan 20 13:17:18 guardian filterlog: 5,16777216,,1000000103,em1,match,block,in,4,0x0,,64,58771,0,DF,6,tcp,60,192.168.1.10,127.0.0.1,45948,8081,0,S,3847975149,,29200,,mss;sackOK;TS;nop;wscale
Jan 20 13:17:18 guardian filterlog: 5,16777216,,1000000103,em1,match,block,in,4,0x0,,64,53303,0,DF,6,tcp,60,192.168.1.10,127.0.0.1,45950,8081,0,S,1577797007,,29200,,mss;sackOK;TS;nop;wscale
Jan 20 13:22:19 guardian filterlog: 5,16777216,,1000000103,em1,match,block,in,4,0x0,,64,12996,0,DF,6,tcp,60,192.168.1.10,127.0.0.1,50754,8443,0,S,704351713,,29200,,mss;sackOK;TS;nop;wscale
Jan 20 13:22:19 guardian filterlog: 5,16777216,,1000000103,em1,match,block,in,4,0x0,,64,27119,0,DF,6,tcp,60,192.168.1.10,127.0.0.1,50758,8443,0,S,2252854924,,29200,,mss;sackOK;TS;nop;wscale
Jan 20 13:22:23 guardian filterlog: 5,16777216,,1000000103,em1,match,block,in,4,0x0,,64,12997,0,DF,6,tcp,60,192.168.1.10,127.0.0.1,50754,8443,0,S,704351713,,29200,,mss;sackOK;TS;nop;wscale
Jan 20 13:22:23 guardian filterlog: 5,16777216,,1000000103,em1,match,block,in,4,0x0,,64,27120,0,DF,6,tcp,60,192.168.1.10,127.0.0.1,50758,8443,0,S,2252854924,,29200,,mss;sackOK;TS;nop;wscale
```

**Output from: pfctl -vvsr (Edited to remove some of the noise/confidential info)**

```
@0(0) scrub on em0 all fragment reassemble
  [ Evaluations: 154347 Packets: 14254 Bytes: 1197540 States: 0 ]
  [ Inserted: pid 55703 State Creations: 0 ]
@1(0) scrub on em1 all fragment reassemble
  [ Evaluations: 140097 Packets: 14476 Bytes: 2440715 States: 0 ]
  [ Inserted: pid 55703 State Creations: 0 ]
@0(0) anchor "relayd/*" all
  [ Evaluations: 1617 Packets: 0 Bytes: 0 States: 0 ]
  [ Inserted: pid 55703 State Creations: 0 ]
@1(0) anchor "openvpn/*" all
  [ Evaluations: 1616 Packets: 0 Bytes: 0 States: 0 ]
  [ Inserted: pid 55703 State Creations: 0 ]
@2(0) anchor "ipsec/*" all
  [ Evaluations: 1617 Packets: 0 Bytes: 0 States: 0 ]
  [ Inserted: pid 55703 State Creations: 0 ]
@3(1000000101) block drop in log quick inet from 169.254.0.0/16 to any label "Block IPv4 link-local"
  [ Evaluations: 1678 Packets: 0 Bytes: 0 States: 0 ]
  [ Inserted: pid 55703 State Creations: 0 ]
@4(1000000102) block drop in log quick inet from any to 169.254.0.0/16 label "Block IPv4 link-local"
  [ Evaluations: 813 Packets: 0 Bytes: 0 States: 0 ]
  [ Inserted: pid 55703 State Creations: 0 ]
@5(1000000103) block drop in log inet all label "Default deny rule IPv4"
  [ Evaluations: 813 Packets: 81 Bytes: 7740 States: 0 ]
  [ Inserted: pid 55703 State Creations: 0 ]
@6(1000000104) block drop out log inet all label "Default deny rule IPv4"
  [ Evaluations: 1653 Packets: 0 Bytes: 0 States: 0 ]
  [ Inserted: pid 55703 State Creations: 0 ]
@7(1000000105) block drop in log inet6 all label "Default deny rule IPv6"
  [ Evaluations: 1678 Packets: 0 Bytes: 0 States: 0 ]
  [ Inserted: pid 55703 State Creations: 0 ]
@8(1000000106) block drop out log inet6 all label "Default deny rule IPv6"
  [ Evaluations: 867 Packets: 0 Bytes: 0 States: 0 ]
  [ Inserted: pid 55703 State Creations: 0 ]
----------------------------------------
@50(1000000301) block drop in log quick proto tcp from <sshlockout:0> to (self:8) port = ssh label "sshlockout"
  [ Evaluations: 1677 Packets: 0 Bytes: 0 States: 0 ]
  [ Inserted: pid 55703 State Creations: 0 ]
@51(1000000351) block drop in log quick proto tcp from <webconfiguratorlockout:0> to (self:8) port = http label "webConfiguratorlockout"
  [ Evaluations: 57 Packets: 0 Bytes: 0 States: 0 ]
  [ Inserted: pid 55703 State Creations: 0 ]
@52(1000000400) block drop in log quick from <virusprot:0> to any label "virusprot overload table"
  [ Evaluations: 858 Packets: 0 Bytes: 0 States: 0 ]
  [ Inserted: pid 55703 State Creations: 0 ]
@53(11000) block drop in quick on em0 from <bogons:3757> to any label "block bogon IPv4 networks from WAN"
  [ Evaluations: 858 Packets: 3 Bytes: 924 States: 0 ]
  [ Inserted: pid 55703 State Creations: 0 ]
@54(11000) block drop in quick on em0 from <bogonsv6:79548> to any label "block bogon IPv6 networks from WAN"
  [ Evaluations: 91 Packets: 16 Bytes: 1216 States: 0 ]
  [ Inserted: pid 55703 State Creations: 0 ]
@55(1000001570) block drop in log on ! em0 inet from 192.168.0.0/24 to any
  [ Evaluations: 818 Packets: 0 Bytes: 0 States: 0 ]
  [ Inserted: pid 55703 State Creations: 0 ]
@56(1000001570) block drop in log inet from 192.168.0.15 to any
  [ Evaluations: 810 Packets: 0 Bytes: 0 States: 0 ]
  [ Inserted: pid 55703 State Creations: 0 ]
@57(1000001570) block drop in log on em0 inet6 from fe80::228:1aff:fee0:1004 to any
  [ Evaluations: 818 Packets: 0 Bytes: 0 States: 0 ]
  [ Inserted: pid 55703 State Creations: 0 ]
@58(1000001591) pass in log on em0 proto udp from any port = bootps to any port = bootpc keep state label "allow dhcp client out WAN"
  [ Evaluations: 44 Packets: 0 Bytes: 0 States: 0 ]
  [ Inserted: pid 55703 State Creations: 0 ]
@59(1000001592) pass out log on em0 proto udp from any port = bootpc to any port = bootps keep state label "allow dhcp client out WAN"
  [ Evaluations: 851 Packets: 0 Bytes: 0 States: 0 ]
  [ Inserted: pid 55703 State Creations: 0 ]
@60(1000002620) block drop in log on ! em1 inet from 192.168.1.0/24 to any
  [ Evaluations: 1657 Packets: 0 Bytes: 0 States: 0 ]
  [ Inserted: pid 55703 State Creations: 0 ]
----------------------------------------
@61(1000002620) block drop in log on ! em1 inet from 192.168.111.1 to any
  [ Evaluations: 264 Packets: 0 Bytes: 0 States: 0 ]
  [ Inserted: pid 55703 State Creations: 0 ]
----------------------------------------
@62(1000002620) block drop in log inet from 192.168.1.1 to any
  [ Evaluations: 868 Packets: 0 Bytes: 0 States: 0 ]
  [ Inserted: pid 55703 State Creations: 0 ]
----------------------------------------
@63(1000002620) block drop in log inet from 192.168.111.1 to any
  [ Evaluations: 860 Packets: 0 Bytes: 0 States: 0 ]
  [ Inserted: pid 55703 State Creations: 0 ]
----------------------------------------
@68(1000002661) pass in log on lo0 inet all flags S/SA keep state label "pass IPv4 loopback"
  [ Evaluations: 1649 Packets: 2113 Bytes: 323093 States: 16 ]
  [ Inserted: pid 55703 State Creations: 160 ]
@69(1000002662) pass out log on lo0 inet all flags S/SA keep state label "pass IPv4 loopback"
  [ Evaluations: 338 Packets: 0 Bytes: 0 States: 0 ]
  [ Inserted: pid 55703 State Creations: 0 ]
@70(1000002663) pass in log on lo0 inet6 all flags S/SA keep state label "pass IPv6 loopback"
  [ Evaluations: 346 Packets: 0 Bytes: 0 States: 0 ]
  [ Inserted: pid 55703 State Creations: 0 ]
@71(1000002664) pass out log on lo0 inet6 all flags S/SA keep state label "pass IPv6 loopback"
  [ Evaluations: 168 Packets: 0 Bytes: 0 States: 0 ]
  [ Inserted: pid 55703 State Creations: 0 ]
@72(1000002665) pass out log inet all flags S/SA keep state allow-opts label "let out anything IPv4 from firewall host itself"
  [ Evaluations: 1657 Packets: 2113 Bytes: 323093 States: 16 ]
  [ Inserted: pid 55703 State Creations: 160 ]
@73(1000002666) pass out log inet6 all flags S/SA keep state allow-opts label "let out anything IPv6 from firewall host itself"
  [ Evaluations: 839 Packets: 0 Bytes: 0 States: 0 ]
  [ Inserted: pid 55703 State Creations: 0 ]
@74(1000002761) pass out log route-to (em0 192.168.0.1) inet from 192.168.0.15 to ! 192.168.0.0/24 flags S/SA keep state allow-opts label "let out anything from firewall host itself"
  [ Evaluations: 839 Packets: 3418 Bytes: 1432738 States: 73 ]
  [ Inserted: pid 55703 State Creations: 634 ]
@75(10000) pass in log quick on em1 proto tcp from any to (em1:3) port = http flags S/SA keep state label "anti-lockout rule"
  [ Evaluations: 1709 Packets: 2275 Bytes: 770250 States: 10 ]
  [ Inserted: pid 55703 State Creations: 13 ]
@76(10000) pass in log quick on em1 proto tcp from any to (em1:3) port = ssh flags S/SA keep state label "anti-lockout rule"
  [ Evaluations: 117 Packets: 4107 Bytes: 1578034 States: 2 ]
  [ Inserted: pid 55703 State Creations: 5 ]
@77(0) anchor "userrules/*" all
  [ Evaluations: 1580 Packets: 0 Bytes: 0 States: 0 ]
  [ Inserted: pid 55703 State Creations: 0 ]
----------------------------------------
@78(1770002729) pass quick on em1 inet from any to 192.168.111.1 flags S/SA keep state label "USER_RULE: pfB_DNSBL_Allow_access_to_VIP"
  [ Evaluations: 1691 Packets: 0 Bytes: 0 States: 0 ]
  [ Inserted: pid 55703 State Creations: 0 ]
----------------------------------------
@79(1770008293) block return log quick on em1 inet from any to <pfb_dnsblip:46> label "USER_RULE: pfB_DNSBLIP AR"
  [ Evaluations: 581 Packets: 0 Bytes: 0 States: 0 ]
  [ Inserted: pid 55703 State Creations: 0 ]
@80(1770008377) block return log quick on em1 inet from any to <pfb_ethreats:3223> label "USER_RULE: pfB_ETHREATS AR"
  [ Evaluations: 581 Packets: 0 Bytes: 0 States: 0 ]
  [ Inserted: pid 55703 State Creations: 0 ]
@81(1770008328) block return log quick on em1 inet from any to <pfb_rw_ipbl:10627> label "USER_RULE: pfB_RW_IPBL AR"
  [ Evaluations: 581 Packets: 0 Bytes: 0 States: 0 ]
  [ Inserted: pid 55703 State Creations: 0 ]
@82(1770008734) block return log quick on em1 inet from any to <pfb_sh_ipv4:60> label "USER_RULE: pfB_SH_IPv4 AR"
  [ Evaluations: 581 Packets: 0 Bytes: 0 States: 0 ]
  [ Inserted: pid 55703 State Creations: 0 ]
@83(1770008690) block return log quick on em1 inet from any to <pfb_level_1:167115> label "USER_RULE: pfB_Level_1 AR"
  [ Evaluations: 581 Packets: 0 Bytes: 0 States: 0 ]
  [ Inserted: pid 55703 State Creations: 0 ]
@84(1770008714) block return log quick on em1 inet from any to <pfb_level_2:137> label "USER_RULE: pfB_Level_2 AR"
  [ Evaluations: 581 Packets: 0 Bytes: 0 States: 0 ]
  [ Inserted: pid 55703 State Creations: 0 ]
@85(1469301982) block drop quick on em0 inet6 all label "USER_RULE: Keep IPv6 Noise Out of The Logs"
  [ Evaluations: 1691 Packets: 0 Bytes: 0 States: 0 ]
  [ Inserted: pid 55703 State Creations: 0 ]
@86(1469301982) block drop quick on em1 inet6 all label "USER_RULE: Keep IPv6 Noise Out of The Logs"
  [ Evaluations: 1015 Packets: 8 Bytes: 512 States: 0 ]
  [ Inserted: pid 55703 State Creations: 0 ]
@87(1469300765) block drop in quick on em0 inet6 all label "USER_RULE: Noise Block IPv6_WAN-Keeps Log Clean"
  [ Evaluations: 356 Packets: 0 Bytes: 0 States: 0 ]
  [ Inserted: pid 55703 State Creations: 0 ]
@88(0) block drop in quick on em0 inet6 from <easyruleblockhostswan:2> to any label "USER_RULE: Easy Rule: Blocked from Firewall Log View"
  [ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ]
  [ Inserted: pid 55703 State Creations: 0 ]
@89(1483770230) block drop in quick on em1 inet6 all label "USER_RULE: Noise Block IPv6_LAN-Keeps Log Clean"
  [ Evaluations: 356 Packets: 0 Bytes: 0 States: 0 ]
  [ Inserted: pid 55703 State Creations: 0 ]
----------------------------------------
@98(1469733859) pass in quick on em1 inet proto tcp from 192.168.111.1 to 192.168.1.1 port = 3000 flags S/SA keep state label "USER_RULE: Allow NTOPNG"
  [ Evaluations: 3 Packets: 0 Bytes: 0 States: 0 ]
  [ Inserted: pid 55703 State Creations: 0 ]
----------------------------------------
@99(1468341693) pass in log quick on em1 inet proto tcp from any to 192.168.1.1 port = domain flags S/SA keep state label "USER_RULE: Allow pfSense to handle DNS requests"
  [ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ]
  [ Inserted: pid 55703 State Creations: 0 ]
@100(1468341693) pass in log quick on em1 inet proto udp from any to 192.168.1.1 port = domain keep state label "USER_RULE: Allow pfSense to handle DNS requests"
  [ Evaluations: 544 Packets: 1062 Bytes: 72729 States: 124 ]
  [ Inserted: pid 55703 State Creations: 532 ]
@101(1468981713) pass in log quick on em1 inet proto tcp from 192.168.1.0/24 to any port = http flags S/SA keep state label "USER_RULE: Web Traffic"
  [ Evaluations: 47 Packets: 27 Bytes: 21493 States: 1 ]
  [ Inserted: pid 55703 State Creations: 1 ]
@102(1468981713) pass in log quick on em1 inet proto tcp from 192.168.1.0/24 to any port = https flags S/SA keep state label "USER_RULE: Web Traffic"
  [ Evaluations: 34 Packets: 375 Bytes: 94278 States: 2 ]
  [ Inserted: pid 55703 State Creations: 8 ]
----------------------------------------
@103(1468981713) pass in log quick on em1 inet proto tcp from 192.168.111.1 to any port = http flags S/SA keep state label "USER_RULE: Web Traffic"
  [ Evaluations: 26 Packets: 0 Bytes: 0 States: 0 ]
  [ Inserted: pid 55703 State Creations: 0 ]
@104(1468981713) pass in log quick on em1 inet proto tcp from 192.168.111.1 to any port = https flags S/SA keep state label "USER_RULE: Web Traffic"
  [ Evaluations: 1 Packets: 0 Bytes: 0 States: 0 ]
  [ Inserted: pid 55703 State Creations: 0 ]
----------------------------------------
```
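As an added example (not code from the thread or from pfBlockerNG), the Python below correlates pfSense filterlog lines like the ones in this post with the tracker ids printed by `pfctl -vvsr`, so that a blocked SYN to the lighttpd backend ports (8081/8443 behind the DNSBL port forward) is reported together with the label of the rule that dropped it. The sample log lines and the two-rule pfctl excerpt are constructed from values quoted in the post; the field layout follows pfSense's documented raw filterlog format for IPv4 TCP entries.

```python
import re
from collections import Counter

# pfSense filterlog layout for an IPv4 entry: 9 common fields, then 11 IPv4
# fields; a TCP entry appends 9 more (sport, dport, ...). Comma separated.
FIELDS = ("rulenr subrulenr anchor tracker iface reason action direction ipver "
          "tos ecn ttl id offset flags proto_id proto length src dst").split()
TCP_FIELDS = "sport dport datalen tcpflags seq ack window urg options".split()
SYSLOG_PREFIX = re.compile(r"^\w{3}\s+\d+\s+[\d:]+\s+\S+\s+filterlog:\s*")
PFCTL_RULE = re.compile(r'^@\d+\((\d+)\)\s.*\slabel\s+"([^"]*)"')

# Constructed sample input: values copied from the lines quoted in the thread.
SAMPLE_LOG = [
    "Jan 20 13:17:14 guardian filterlog: 5,16777216,,1000000103,em1,match,block,in,4,0x0,,64,58770,0,DF,6,tcp,60,192.168.1.10,127.0.0.1,45948,8081,0,S,3847975149,,29200,,mss;sackOK;TS;nop;wscale",
    "Jan 20 13:17:18 guardian filterlog: 5,16777216,,1000000103,em1,match,block,in,4,0x0,,64,58771,0,DF,6,tcp,60,192.168.1.10,127.0.0.1,45948,8081,0,S,3847975149,,29200,,mss;sackOK;TS;nop;wscale",
    "Jan 20 13:22:19 guardian filterlog: 5,16777216,,1000000103,em1,match,block,in,4,0x0,,64,12996,0,DF,6,tcp,60,192.168.1.10,127.0.0.1,50754,8443,0,S,704351713,,29200,,mss;sackOK;TS;nop;wscale",
    # a permitted UDP DNS query (constructed) that the filter below must ignore
    "Jan 20 13:22:20 guardian filterlog: 100,,,1468341693,em1,match,pass,in,4,0x0,,64,1,0,DF,17,udp,61,192.168.1.10,192.168.1.1,51000,53,41",
]
SAMPLE_PFCTL = """\
@5(1000000103) block drop in log inet all label "Default deny rule IPv4"
@78(1770002729) pass quick on em1 inet from any to 192.168.111.1 flags S/SA keep state label "USER_RULE: pfB_DNSBL_Allow_access_to_VIP"
"""

def parse_filterlog(line):
    """Parse one filterlog line into a dict; returns None for non-IPv4 entries."""
    fields = SYSLOG_PREFIX.sub("", line.strip()).split(",")
    if len(fields) < len(FIELDS) or fields[8] != "4":
        return None
    rec = dict(zip(FIELDS, fields))
    if rec["proto"] == "tcp" and len(fields) >= len(FIELDS) + len(TCP_FIELDS):
        rec.update(zip(TCP_FIELDS, fields[len(FIELDS):]))
    return rec

def pfctl_labels(text):
    """Map pf tracker id -> rule label, read from 'pfctl -vvsr' output."""
    return {m.group(1): m.group(2)
            for m in map(PFCTL_RULE.match, text.splitlines()) if m}

def blocked_backend_syns(lines, labels, ports=("8081", "8443")):
    """Count blocked TCP SYNs to the DNSBL lighttpd ports, keyed by
    (tracker id, rule label, destination, port)."""
    counts = Counter()
    for line in lines:
        rec = parse_filterlog(line)
        if rec is None or rec["action"] != "block":
            continue
        if rec.get("dport") not in ports or "S" not in rec.get("tcpflags", ""):
            continue
        key = (rec["tracker"], labels.get(rec["tracker"], "?"), rec["dst"], rec["dport"])
        counts[key] += 1
    return counts
```

Feed it the full `clog /var/log/filter.log` output and the real `pfctl -vvsr` dump and the counter keys show at a glance whether the redirected backend traffic is being eaten by the default deny or by some other rule.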