Firehol level 1 list blocking LAN resources
-
Yes, thanks to all who are contributing here.
I loaded the list from seanr22a. It took a while to download and compile. It did not "appear" to slow down the pfSense box. My mobo is a Gigabyte GA-J1900N-D3V, so a Celeron quad-core 2 GHz and 8 GB of RAM. What I did notice was a lot of issues loading news sites like cnn, foxnews, drudgereport, etc. Videos were stalling out and certain essential elements of the page would not load. However, I would like to hear from others on their use of the list and if they had any obvious issues. I simply disabled the list until I have more time to test later.
Check the Pfblocker logs for what is blocked related to the sites you visit. You have logs for both DNSBL and IP lists.
As you can see in the info.txt file, the lists are made from publicly available lists maintained by many different people and organizations. Unfortunately there is no list that fits everyone. Simply whitelist those sites that cause you problems; I've done that for many IPs and domains to make it work for me, so start digging into the logs :)
-
-
http://dnsbl.dyndns.org
@seanr22a: i give a "thank you"
and by the way: before importing your banlist, I checked the IP provenance behind your dyndns address (sorry for that).
Interestingly, I did note a Spamhaus ZEN blocklist entry for that IP ;) (just for the record: I imported it and I will thankfully update your list weekly).
-
I ended up taking BBcan's advice (good advice it always is) and simply put the lists that comprise firehol1 into pfblocker (minus the bogons list of course).
Using the Lvl 1 Feed is going to cause grief… Just don't do it ;) ;)
Even with Suppression enabled?
I'm interested to know as well.
Also, when someone refers to whitelisting the LAN_NET (and the other VLANs, I guess), where does one actually whitelist those?
-
In Firewall > Aliases > IP > pfBlockerNGSuppress ?
-
In Firewall > pfBlockerNG > IPv4 > Create a new "Permit Outbound" list and add them there? Ensuring that this new list is on top of every other list (similarly to the firewall rules) so as to ensure that it is applied before any "Deny" lists?
Thanks a lot!
-
This got far more complicated than I thought... Now I've put up a new small web server for external access so I don't have to mess around with our production systems for this.
http://dnsbl.dyndns.org:9080/MyBlocklist.txt
http://dnsbl.dyndns.org:9080/mydnsblfeed.txt
I hope everything is ok now. I modified my previous posts :P
Info about all the publicly available IP and DNSBL lists I'm using:
http://dnsbl.dyndns.org:9080/info.txt
For all of you using this, please see the updated info.txt file. There are a few new IP block lists added and a few DNSBL lists. There are more than 200 downloads every day, so apparently it's not only me finding them useful :)
Info about all the publicly available IP and DNSBL lists I'm using:
http://dnsbl.dyndns.org:9080/info.txt
The resulting lists:
http://dnsbl.dyndns.org:9080/MyBlocklist.txt
http://dnsbl.dyndns.org:9080/mydnsblfeed.txt
-
Hi seanr22a, I've been using your lists for a bit now and they have been just what I've been after. However, I wonder if you could help with a little issue which is causing poor connectivity: it seems one (or more) of the lists you use are blocking certain ranges within the CDNs of Cloudflare, CloudFront and AWS. They seem to vary daily as the lists are updated. Possibly for good reason; however, given that the ranges are generally from anywhere in the entire world, assigned randomly to a site, the blocking is causing connectivity issues to certain websites, which DNSBL whitelisting is having no effect on, as the IPs change all the time.
I wondered if you could process out the ranges? At the moment I'm having to go through the alerts after an update to see if there are any blocked ranges attempting to connect to/from a server or client. Having the ranges in pf suppression doesn't always seem to work for some reason.
The ranges are:
http://d7uri8nf7uskq.cloudfront.net/tools/list-cloudfront-ips
https://www.cloudflare.com/ips-v4
https://ip-ranges.amazonaws.com/ip-ranges.json
Also, (you or a mod) perhaps make a separate thread for your list to save hijacking this one further? :)
-
I've been struggling with level 1 list as well. Unfortunately, this forum was down for maintenance during my struggles so I came up with the following. Please let me know if I took the wrong approach.
At first I was screwing around with the block inbound/outbound settings and with the auto rule order (which kept doing it wrong, by the way). Also, I use separators to keep a good overview of which rules are for what. Obviously pfBlocker doesn't understand which separators are for which set of rules, so it kept reordering in a way that I don't want/like. Another problem was that, probably due to my incompetence, I was unable to override some blocked IPs until I changed the order (or changed a rule from 'any' to 'out', but a reload would change the order and reload the rules back to their default).
So, I simply changed all the IP lists to alias native and created my own LAN rules in the LAN tab with a whitelist rule for false positives above it.
I feel this is actually a better way because it gives more control and doesn't mess with my rule order.
Any tips/comments on this approach?
Thanks.
-
@securvark said in Firehol level 1 list blocking LAN resources:
I’ve been struggling with level 1 list as well.
Using the Level1 Feed will cause issues with any Outbound Blocking as that Feed contains the Team Cymru Bogons and Private IP address lists... You are better off in just using the Feeds that comprise the Level1 Feed without the Cymru Feed.
Alternatively, use the DEVEL pfBlockerNG "PRI1" Feed which contains a better selection of Feeds.
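Added example (not from this thread or from pfBlockerNG): a small Python filter that strips the private/bogon prefixes BBcan mentions, plus your own LAN_NET/VLAN prefixes, out of a level1-style feed before it is loaded, and a lookup that tells you which surviving entry covers an address you see in the alerts. The sample feed, LOCAL_NETS and BOGON_NETS are constructed values; the same filter handles the earlier CDN-range question if you pass those published ranges as the exclusion list instead.

```python
import ipaddress

# Constructed sample of a level1-style feed (not the real FireHOL list):
# external ranges mixed with RFC 1918 / bogon entries that would block
# LAN traffic if pushed into an outbound deny rule.
SAMPLE_BLOCKLIST = """\
# constructed sample, one prefix per line
0.0.0.0/8
10.0.0.0/8
172.16.0.0/12
192.168.0.0/16
224.0.0.0/3
203.0.113.0/24
198.51.100.0/24
"""

# Your own LAN_NET and VLAN prefixes (constructed values).
LOCAL_NETS = ["192.168.1.0/24", "10.10.0.0/16"]

# Special-use space that has no business in an outbound deny list.
BOGON_NETS = ["0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
              "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16",
              "224.0.0.0/3"]


def parse_prefixes(text):
    """Parse a one-prefix-per-line feed, ignoring blanks and # comments."""
    nets = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            nets.append(ipaddress.ip_network(line, strict=False))
    return nets


def clean_blocklist(text, excluded):
    """Drop feed entries overlapping any excluded net; return (kept, dropped)."""
    excl = [ipaddress.ip_network(n, strict=False) for n in excluded]
    kept, dropped = [], []
    for net in parse_prefixes(text):
        (dropped if any(net.overlaps(e) for e in excl) else kept).append(net)
    return kept, dropped


def find_blocking_entry(addr, nets):
    """Return the feed entry containing addr (why an alert fired), or None."""
    ip = ipaddress.ip_address(addr)
    return next((n for n in nets if ip in n), None)
```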
-
@seanr22a I know, very very old thread :) I've supplied these merged and cleaned blocklists since 2018 and there is still a lot of downloads every day. Today I will have to make a change so those still using this please change the download address to: https://dnsbl.akracing.se to get the blocklists. You can read the updated info.txt at https://dnsbl.akracing.se/info.txt
-
@seanr22a Just found this and started using them. THX!