Netgate Discussion Forum
    [SOLVED] exception for 192.168.0.0 addresses

    pfBlockerNG | 8 Posts, 4 Posters, 1.4k Views
    charvey:

      Hello,

      I have pfblocker ng installed, and I'm using it to enforce an IPv4 Blocklist. Specifically the one from the "firehol" project. One of the ip lists I want to use is here:

      https://raw.githubusercontent.com/ktsaou/blocklist-ipsets/master/firehol_level1.netset

      It contains this line:
      192.168.0.0/16

      which works great for inbound rules, but I also want to use this list to make sure none of the computers on my network are trying to communicate with any of the listed IPs. If I apply that list to the LAN interface, things fail in ways you would expect.

      Is there some kind of trick or setting I can use to get around that 192.168.0.0/16 line, but only for the outgoing/LAN rules?

      Thanks!
      Chris

      charvey:

        Looks like pfblockerng 2.1.2 has a new "suppress" option that does exactly this!

        BBcan177 (Moderator):

          That Feed should only be used for Inbound as it contains the Bogons feed. I typically recommend downloading feeds from the original source.

          Suppression has always been an option since the first release of the package… Hope that helps.

          "Experience is something you don't get until just after you need it."

          Website: http://pfBlockerNG.com
          Twitter: @BBcan177  #pfBlockerNG
          Reddit: https://www.reddit.com/r/pfBlockerNG/new/

          un1que:

            @BBcan177:

            Suppression has always been an option since the first release of the package… Hope that helps.

            Could you explain how exactly suppression works, please? I'm asking because I had the same problem using the same blocklist, and after I checked the suppression box, 3 of the 4 IPv4 blocklist aliases just disappeared (maybe after the cron job). Now they are back again, but seem to be empty (see screenshot below) or have just a few IPs instead of thousands before. I've done the reload procedure several times, but it didn't help.

            And one more question: do I need to add my RFC1918 networks to the suppression alias manually or are they already added by default?

            [screenshot: pfb.png]

            BBcan177 (Moderator):

              When suppression is enabled, on an IP Feed download, it will remove all RFC1918 and Loopback addresses. It will also remove any /32 or /24 IPs that you added to the Suppress list (From the Alerts Tab "+" icon)…

              There is no need to add your RFC1918 addresses as they are already part of the above...

              I recommend using the pfSense Block Bogon feature instead of using a Feed that contains Bogons.

              There are not many feeds that are in the Lvl 1 feed, so just add the original feeds instead to the IPv4 tab.


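As an added illustration of the Suppression behaviour described in the post above (this is example code written for this page, not pfBlockerNG's own implementation), the script below filters a constructed feed in firehol .netset format the way the post outlines: RFC1918 and loopback entries are dropped, /32 and /24 entries covered by a Suppress list are dropped, and bogons such as 0.0.0.0/8 are left in place, which is why the Level 1 feed still should not be used on the LAN side. The sample feed, the Suppress list and the function names are assumptions.

```python
import ipaddress

# Space the post says Suppression strips from every IP feed on download:
# the three RFC1918 blocks plus IPv4 loopback (assumed; not pfBlockerNG's code).
RFC1918_AND_LOOPBACK = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")
]

# Constructed feed in firehol .netset format (not the real firehol_level1 list).
SAMPLE_FEED = """\
0.0.0.0/8         # bogon: Suppression leaves it alone
10.0.0.0/8        # RFC1918: dropped
127.0.0.0/8       # loopback: dropped
172.16.0.0/12     # RFC1918: dropped
192.168.0.0/16    # RFC1918: dropped (the line the OP asked about)
192.168.50.0/24   # inside RFC1918: dropped
198.51.100.0/24   # a /24 that is on the Suppress list: dropped
203.0.113.5       # a host (/32) that is on the Suppress list: dropped
203.0.113.0/24    # a /24 not on the Suppress list: kept
224.0.0.0/3       # bogon (multicast/reserved): kept
"""
# Constructed Suppress-list entries, the /32 and /24 kind the post mentions.
SUPPRESS_LIST = ["198.51.100.0/24", "203.0.113.5"]


def parse_netset(text: str) -> list:
    """One IPv4 address or CIDR per line; '#' starts a comment; a bare IP becomes /32."""
    nets = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            nets.append(ipaddress.ip_network(line, strict=False))
    return nets


def suppress(nets, suppress_entries) -> list:
    """Drop RFC1918/loopback entries and /32 or /24 entries covered by the Suppress list."""
    sup = [ipaddress.ip_network(s, strict=False) for s in suppress_entries]
    kept = []
    for n in nets:
        if any(n.subnet_of(p) for p in RFC1918_AND_LOOPBACK):
            continue  # private or loopback space never reaches the alias
        if n.prefixlen in (24, 32) and any(n.subnet_of(s) for s in sup):
            continue  # user-suppressed host or /24
        kept.append(n)  # everything else, bogons included, stays
    return kept
```

Running `suppress(parse_netset(SAMPLE_FEED), SUPPRESS_LIST)` keeps only 0.0.0.0/8, 203.0.113.0/24 and 224.0.0.0/3: the private ranges are gone, but the bogons that break outbound filtering are still there.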
              un1que:

                Ok, it seems to be all fine now. Maybe the fact I've added my networks to the suppress alias was the problem? After I removed them and reloaded DNSBL all the IPv4 block lists are working properly. Thanks for your fast reply!

                borisnet:

                  @BBcan177:

                  There are not many feeds that are in the Lvl 1 feed, so just add the original feeds instead to the IPv4 tab.

                  Hi BBcan177,

                  Can you elaborate on that statement? I am a bit confused by the 'not many feeds that are in the Lvl1 feed'.
                  The list posted by OP is quite long:
                  https://raw.githubusercontent.com/ktsaou/blocklist-ipsets/master/firehol_level1.netset

                  Am I missing something ?

                  BBcan177 (Moderator):

                    The feeds which are included in lvl1:

                    "A firewall blacklist composed from IP lists, providing maximum protection with minimum false positives. Suitable for basic protection on all internet facing servers, routers and firewalls. (includes: bambenek_c2 dshield feodo fullbogons spamhaus_drop spamhaus_edrop sslbl zeus_badips ransomware_rw)"

                    So instead of using lvl1, find those original feed urls and add those to a new IPv4 alias. The lvl1 feed includes bogons which should not be used to block outbound traffic.


                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.