[SOLVED] exception for 192.168.0.0 addresses



  • Hello,

    I have pfBlockerNG installed, and I'm using it to enforce an IPv4 blocklist. Specifically the one from the "firehol" project. One of the IP lists I want to use is here:

    https://raw.githubusercontent.com/ktsaou/blocklist-ipsets/master/firehol_level1.netset

    It contains this line:
    192.168.0.0/16

    which works great for inbound rules, but I also want to use this list to make sure none of the computers on my network are trying to communicate with any of the listed IPs. If I apply that list to the LAN interface, things fail in ways you would expect.

    Is there some kind of trick or setting I can use to get around that 192.168.0.0/16 line, but only for the outgoing/LAN rules?

    Thanks!
    Chris



  • Looks like pfblockerng 2.1.2 has a new "suppress" option that does exactly this!


  • Moderator

    That feed should only be used for inbound as it contains the Bogons feed. I typically recommend downloading feeds from the original source.

    Suppression has always been an option since the first release of the package…. Hope that helps.



  • @BBcan177:

    Suppression has always been an option since the first release of the package…. Hope that helps.

    Could you explain how suppression exactly works, please? I'm asking because I had the same problem using the same blocklist, and after I checked the suppression box, 3 of the 4 IPv4 blocklist aliases just disappeared (maybe after the cron job). Now they are back again, but seem to be empty (see screenshot below) or have just a few IPs instead of thousands before. I've done the reload procedure several times, but it didn't help.

    And one more question: do I need to add my RFC1918 networks to the suppression alias manually or are they already added by default?



  • Moderator

    When suppression is enabled, on an IP Feed download, it will remove all RFC1918 and Loopback addresses. It will also remove any /32 or /24 IPs that you added to the Suppress list (From the Alerts Tab "+" icon)…

    There is no need to add your RFC1918 addresses as they are already part of the above...

    I recommend using the pfSense Block Bogon feature instead of using a feed that contains Bogons.

    There are not many feeds that are in the Lvl 1 feed, so just add the original feeds instead to the IPv4 tab.
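    To make the suppression behaviour described above concrete, here is an added example (not pfBlockerNG's own code) that parses a netset feed in the firehol format and drops RFC1918 and loopback entries plus anything inside a user-supplied /24 or /32 suppress entry. The feed contents are constructed, and the exact matching rules (overlap for RFC1918/loopback, containment for the suppress list) are assumptions about how the package behaves.

```python
import ipaddress

# Constructed sample in firehol .netset format (comment lines start with '#');
# it is NOT the real firehol_level1 feed.
SAMPLE_FEED = """\
# constructed sample feed
0.0.0.0/8
10.0.0.0/8
127.0.0.0/8
172.16.0.0/12
192.168.0.0/16
192.0.2.0/24
198.51.100.7
203.0.113.0/24
"""

# Address space that suppression strips from every IP feed:
# the three RFC1918 private ranges plus IPv4 loopback.
ALWAYS_SUPPRESSED = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")
]


def parse_netset(text):
    """Yield ip_network objects from netset text, skipping comments and blanks."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # also drops trailing comments
        if line:
            yield ipaddress.ip_network(line, strict=False)


def suppress_feed(text, suppress_list=()):
    """Apply suppression to a feed; return (kept, dropped) as CIDR strings.

    An entry is dropped if it overlaps RFC1918/loopback space, or if it lies
    inside one of the /24 or /32 networks on the user's suppress list
    (assumed matching rules, see lead-in).
    """
    user = [ipaddress.ip_network(n, strict=False) for n in suppress_list]
    bad = [n for n in user if n.prefixlen not in (24, 32)]
    if bad:
        raise ValueError(f"suppress list must contain only /24 or /32: {bad}")
    kept, dropped = [], []
    for net in parse_netset(text):
        private = any(net.overlaps(s) for s in ALWAYS_SUPPRESSED)
        listed = any(net.subnet_of(s) for s in user)
        (dropped if private or listed else kept).append(str(net))
    return kept, dropped
```

Note that the bogon entry 0.0.0.0/8 survives suppression, which is the moderator's point: suppression removes private and loopback space, not the bogons a Level 1 style feed carries, so such a feed still should not be applied outbound.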



  • Ok, it seems to be all fine now. Maybe the fact I've added my networks to the suppress alias was the problem? After I removed them and reloaded DNSBL all the IPv4 block lists are working properly. Thanks for your fast reply!



  • @BBcan177:

    There are not many feeds that are in the Lvl 1 feed, so just add the original feeds instead to the IPv4 tab.

    Hi BBcan177,

    Can you elaborate on that statement? I am a bit confused by the 'not many feeds that are in the Lvl1 feed'.
    The list posted by OP is quite long:
    https://raw.githubusercontent.com/ktsaou/blocklist-ipsets/master/firehol_level1.netset

    Am I missing something?


  • Moderator

    The feeds which are included in lvl1 (from the feed's own description):

    A firewall blacklist composed from IP lists, providing maximum protection with minimum false positives. Suitable for basic protection on all internet facing servers, routers and firewalls. (includes: bambenek_c2 dshield feodo fullbogons spamhaus_drop spamhaus_edrop sslbl zeus_badips ransomware_rw)

    So instead of using lvl1, find those original feed urls and add those to a new IPv4 alias. The lvl1 feed includes bogons which should not be used to block outbound traffic.

