Did I find a bug or did I make a configuration mistake?
-
I experienced some very slow page loads, so I looked at the firewall and found blocked traffic that I had to unblock (samples below):
Feb 27 04:40:10 DATA DATA: Allow pfBlocker to Access it's web server (1488139862) 172.16.30.10:35204 127.0.0.1:8443 TCP:S
Feb 27 04:40:10 DATA DATA: Allow pfBlocker to Access it's web server (1488139862) 172.16.30.10:58728 127.0.0.1:8081 TCP:S
Feb 27 04:40:10 DATA DATA: Allow pfBlocker to Access it's web server (1488139862) 172.16.30.10:58726 127.0.0.1:8081 TCP:S
Feb 27 04:40:10 DATA DATA: Allow pfBlocker to Access it's web server (1488139862) 172.16.30.10:35192 127.0.0.1:8443 TCP:S
My configuration doesn't really use the LAN 172.16.0.1/24; all traffic is on VLANs, and the 172.16.30.1/24 network contains the PCs that browse the web.
DNSBL Listening Interface: LAN
DNSBL Firewall Rule: DATA
Should pfBlocker be generating rules to pass traffic to 127.0.0.1? I found a workaround that seems to be doing the job, but if I've found a bug I want to make sure the devs know about it.
Can someone please advise me.
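To make the symptom in the samples above easy to spot in a larger log export, here is an added example (not code from the thread or from pfBlockerNG) that parses the GUI-rendered log lines and flags DNSBL web-server traffic (loopback 8081/8443) logged on an interface other than the DNSBL listening interface. It assumes the listening interface is LAN as stated in the post, that the two tokens after the timestamp are the interface and a rule tag, and constructs two extra sample lines.

```python
import re
from ipaddress import ip_address

# Matches the firewall-log lines as rendered in the post (GUI export, not raw filterlog).
# Assumption: the two tokens after the timestamp are the interface and the rule's
# interface tag; only the first is used for the check.
LOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) (?P<iface>\S+) (?P<tag>\S+): "
    r"(?P<rule>.*?) \((?P<tracker>\d+)\) "
    r"(?P<src>[0-9.]+):(?P<sport>\d+) (?P<dst>[0-9.]+):(?P<dport>\d+) (?P<proto>\S+)$"
)

DNSBL_LISTEN_IFACE = "LAN"      # from the thread: DNSBL Listening Interface = LAN
DNSBL_WEB_PORTS = {8081, 8443}  # NAT targets of the "pfB DNSBL" rules shown in the thread

def parse_line(line):
    """Return the parsed fields as a dict, or None if the line is not in this format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    for key in ("sport", "dport", "tracker"):
        entry[key] = int(entry[key])
    return entry

def off_interface_dnsbl_hits(lines):
    """Return (iface, src, dport, tracker) for DNSBL web-server traffic (loopback:8081/8443)
    seen on an interface other than the DNSBL listening interface, the case the post describes."""
    hits = []
    for line in lines:
        e = parse_line(line)
        if e is None:
            continue
        if (ip_address(e["dst"]).is_loopback and e["dport"] in DNSBL_WEB_PORTS
                and e["iface"] != DNSBL_LISTEN_IFACE):
            hits.append((e["iface"], e["src"], e["dport"], e["tracker"]))
    return hits

# First four lines are the samples from the post; the last two are constructed here
# (tracker 1400000000 is a placeholder; the deny line reuses the tracker quoted in the thread).
SAMPLE_LOG = [
    "Feb 27 04:40:10 DATA DATA: Allow pfBlocker to Access it's web server (1488139862) 172.16.30.10:35204 127.0.0.1:8443 TCP:S",
    "Feb 27 04:40:10 DATA DATA: Allow pfBlocker to Access it's web server (1488139862) 172.16.30.10:58728 127.0.0.1:8081 TCP:S",
    "Feb 27 04:40:10 DATA DATA: Allow pfBlocker to Access it's web server (1488139862) 172.16.30.10:58726 127.0.0.1:8081 TCP:S",
    "Feb 27 04:40:10 DATA DATA: Allow pfBlocker to Access it's web server (1488139862) 172.16.30.10:35192 127.0.0.1:8443 TCP:S",
    "Feb 27 04:41:00 LAN LAN: pfB DNSBL - DO NOT EDIT (1400000000) 172.16.0.50:40000 127.0.0.1:8081 TCP:S",
    "Feb 27 04:41:05 DATA DATA: Default deny rule IPv4 (1000000103) 172.16.30.10:51234 172.17.0.1:80 TCP:S",
]
```

Running `off_interface_dnsbl_hits(SAMPLE_LOG)` reports only the four DATA-interface entries; the LAN entry and the VIP entry are left alone.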
-
DNSBL - DNSBL Firewall Rule
-
DNSBL - DNSBL Firewall Rule
Can you please be more specific… I do have the DNSBL firewall rule enabled.
The help says:
This will create a 'Floating' Firewall rule to allow traffic from the Selected Interface(s) below to access the DNSBL VIP on the LAN interface. This is only required for multiple LAN Segments.
This is a multi-LAN use case:
DNSBL Listening Interface is LAN
So I have selected DATA, the name of the VLAN that I want to use for web browsing. Is that correct?
-
Do you have suppression enabled? It removes 127.0.0.1 from the tables.
grep "127.0.0.1" /var/db/pfblockerng/deny/* /var/db/aliastables/*
Then check the NAT rules for DNSBL and the Floating FW rule for DNSBL IP.
-
Do you have suppression enabled? It removes 127.0.0.1 from the tables.
No I didn't, but I added it now and still have the same problem.
Note to devs:
Just as an aside, why would the default for that setting not be on rather than off?
I imported a list which had local addresses and got really screwed… I didn't realise that it was important to have that checked. I would think, based on what I know about most block lists, that if someone doesn't turn it on they are asking for real trouble.
Also the text "This will prevent Selected IPs from being blocked. Only for IPv4 lists (/32 and /24)." could be better. My thinking was that, because I wasn't using any suppression lists that I created, I didn't need this checked. I missed "This will also remove any RFC1918 addresses from all lists."
How about:
Leave this checked to prevent RFC1918 addresses in lists from breaking the firewall
and then whatever you want under the (i) bubble.
grep "127.0.0.1" /var/db/pfblockerng/deny/* /var/db/aliastables/*
Done… Nothing found. I even looked manually just to be doubly sure.
Then check the NAT rules for DNSBL and the Floating FW rule for DNSBL IP.
The rules seem to be there. They were at the bottom, and I moved them to the top.
I wonder if the problem is that I keep DNS (and NTP) captive to prevent a program from using its own DNS server and going around the firewall.
Here's what I'm doing:
Interface  Protocol  Source Address  Source Ports  Dest. Address  Dest. Ports  NAT IP     NAT Ports  Description
LAN        TCP       *               *             172.17.0.1     443 (HTTPS)  127.0.0.1  8443       pfB DNSBL - DO NOT EDIT
LAN        TCP       *               *             172.17.0.1     80 (HTTP)    127.0.0.1  8081       pfB DNSBL - DO NOT EDIT
LAN        TCP/UDP   *               *             !LAN address   53 (DNS)     127.0.0.1  53 (DNS)   Redirect DNS Requests
LAN        TCP/UDP   *               *             !LAN address   123 (NTP)    127.0.0.1  123 (NTP)  Redirect NTP Requests
DATA       TCP/UDP   *               *             !DATA address  53 (DNS)     127.0.0.1  53 (DNS)   Redirect DNS Requests
DATA       TCP/UDP   *               *             !DATA address  123 (NTP)    127.0.0.1  123 (NTP)  Redirect NTP Requests
VLAN1      TCP/UDP   *               *             !VLAN1 address 53 (DNS)     127.0.0.1  53 (DNS)   Redirect DNS Requests
VLAN1      TCP/UDP   *               *             !VLAN1 address 123 (NTP)    127.0.0.1  123 (NTP)  Redirect NTP Requests
Any suggestions?
Do I have a use case that pfBlocker isn't supposed to handle automatically, or did my non-standard setup discover a bug?
With pass rules for 127.0.0.1:8081 / 127.0.0.1:8443 on the DATA interface, things work fine. If there is a better way, or if I've found a bug, please let me know.
I could just let this go, but I want to provide the devs as good quality feedback as I can.
-
I don't know if this is the same on 2.1.1_6, but do you have a multiple-interface choice in Permit Firewall Rules?
The DNSBL IP Floating FW rule is on LAN & TEST interfaces
-
The rules are autogenerated by pfBlockerNG, so they will be reordered when at next Update.
Thanks…
I don't know if this is the same on 2.1.1_6, but do you have a multiple-interface choice in Permit Firewall Rules?
The DNSBL IP Floating FW rule is on LAN & TEST interfaces
I have a drop-down that lets me pick a single interface for the listening interface: set to LAN.
I can make multiple selections on the firewall rule: single selection DATA (the VLAN I'm using to browse with).
-
The VIP is 172.17.0.1 ?
And did you try adding LAN to the Permit Firewall Rules?
-
Not sure, but I remember seeing some changes about the rules in the DEV version.
Wait until BBcan177 gets back to read the forum.
-
I experienced some very slow page loads, so I looked at the firewall and found blocked traffic that I had to unblock (samples below):
My configuration doesn't really use the LAN 172.16.0.1/24; all traffic is on VLANs, and the 172.16.30.1/24 network contains the PCs that browse the web.
DNSBL Listening Interface: LAN
DNSBL Firewall Rule: DATA
You need to ensure that the VLAN devices can ping and browse to the DNSBL IP. The default Permit rule is an optional rule to allow multiple LAN segments to access the DNSBL VIP address. So you can skip this option and create your own rule if that's easier.
For the optional rule, you should be able to select all of the VLANs in the select options (ctrl-click) and allow traffic to the DNSBL web server on the DNSBL listening interface.
-
You need to ensure that the VLAN devices can ping and browse to the DNSBL IP. The default Permit rule is an optional rule to allow multiple LAN segments to access the DNSBL VIP address. So you can skip this option and create your own rule if that's easier.
For the optional rule, you should be able to select all of the VLANs in the select options (ctrl-click) and allow traffic to the DNSBL web server on the DNSBL listening interface.
In my case I am hitting the default deny rule IPv4 (1000000103) on 127.0.0.1:8081 / :8443 NOT the VIP. Any thoughts on that?
At least I've learned enough to unblock them, but I'm wondering if I screwed something up, or if there is an issue that pfBlockerNG is overlooking.
I posted my rules above, but in my case I'm keeping DNS/NTP caged with port-forwarding rules so that programs can go around the firewall with their own server settings.