pfBlockerNG blocking Google DNS even though it wasn't in a list…



  • I had some… odd results from one of my lists in pfblockerng

    I was using this list:
    https://isc.sans.edu/api/sources/attacks/10000

    It contains 1 month of information
    <lastseen>2017-04-04</lastseen> is the oldest last seen date, so it's not like the information just fell off.

    pfblockerng was blocking googledns, from this list, except 8.8.8.8, which is blocked, wasn't in the list at all!

    I have it on an hourly cron update for both the list, and general cron.

    See attached image:

    ![googledns pfblocker.png](/public/imported_attachments/1/googledns pfblocker.png)


  • Moderator

    Run the following command to see which feed contains that IP:

    grep -Fw "8.8.8.8" /var/db/pfblockerng/deny/*
    

    If you enable the suppression feature, it will add a "+" icon in the Alerts tab which can be used to suppress this IP. This IP shouldn't be listed in any feed, so once you find out which feed listed that IP, you may want to report it to the feed maintainer.
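
A text search like the grep above only finds the address as written, so a feed that lists a covering range (for example a /24) would not show up. The script below is an added example, not part of the thread or of pfBlockerNG, that compares each entry numerically; it assumes the files under /var/db/pfblockerng/deny/ hold one IPv4 address or CIDR range per line, and its sample feeds are constructed.

```sh
#!/bin/sh
# Added example (not from the thread). Assumption: each feed file holds one
# IPv4 address or CIDR range per line; anything else is skipped.

# find_covering IP FILE...  prints "file: entry" for each entry covering IP.
find_covering() {
    ip=$1; shift
    awk -v target="$ip" '
        # Dotted quad to integer, or -1 if malformed. Leading zeros read as decimal.
        function ip2int(s,    p, n, i, v) {
            n = split(s, p, ".")
            if (n != 4) return -1
            v = 0
            for (i = 1; i <= 4; i++) {
                if (p[i] !~ /^[0-9]+$/ || p[i] + 0 > 255) return -1
                v = v * 256 + p[i]
            }
            return v
        }
        BEGIN { t = ip2int(target); if (t < 0) exit 2 }
        {
            entry = $1
            sub(/\r$/, "", entry)            # tolerate CRLF line endings
            n = split(entry, part, "/")
            base = ip2int(part[1])
            if (base < 0) next               # comment, blank or non-IPv4 line
            bits = 32
            if (n == 2) {
                if (part[2] !~ /^[0-9]+$/ || part[2] + 0 > 32) next
                bits = part[2] + 0
            } else if (n > 2) next
            size = 2 ^ (32 - bits)           # number of addresses in the range
            if (int(t / size) == int(base / size))
                print FILENAME ": " entry
        }
    ' "$@"
}

# Demo on constructed sample feeds (not real feed data).
demo() {
    d=$(mktemp -d)
    printf '1.2.3.4\n8.8.8.0/24\n' > "$d/feedA.txt"
    printf '8.8.8.80\n18.8.8.8\n' > "$d/feedB.txt"
    find_covering 8.8.8.8 "$d"/*.txt
    rm -rf "$d"
}

# Usage: sh find_covering.sh 8.8.8.8 /var/db/pfblockerng/deny/*
if [ "$#" -ge 2 ]; then find_covering "$@"; else demo; fi
```

The exit status is 2 when the address given on the command line is not a valid IPv4 address.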

