[SOLVED] exception for 192.168.0.0 addresses
-
Hello,
I have pfblocker ng installed, and I'm using it to enforce an IPv4 Blocklist. Specifically the one from the "firehol" project. One of the ip lists I want to use is here:
https://raw.githubusercontent.com/ktsaou/blocklist-ipsets/master/firehol_level1.netset
It contains this line:
192.168.0.0/16
which works great for inbound rules, but I also want to use this list to make sure none of the computers on my network are trying to communicate with any of the listed IPs. If I apply that list to the LAN interface, things fail in ways you would expect.
Is there some kind of trick or setting I can use to get around that 192.168.0.0/16 line, but only for the outgoing/LAN rules?
Thanks!
Chris
-
Looks like pfblockerng 2.1.2 has a new "suppress" option that does exactly this!
-
That Feed should only be used for Inbound as it contains the Bogons feed. I typically recommend downloading feeds from the original source.
Suppression has always been an option since the first release of the package…. Hope that helps.
-
Suppression has always been an option since the first release of the package…. Hope that helps.
Could you explain how suppression exactly works, please? I'm asking because I had the same problem using the same blocklist, and after I checked the suppression box, 3 of the 4 IPv4 blocklist aliases just disappeared (maybe after the cron job). Now they are back again, but they seem to be empty (see screenshot below) or have just a few IPs instead of the thousands before. I've done the reload procedure several times, but it didn't help.
And one more question: do I need to add my RFC1918 networks to the suppression alias manually or are they already added by default?
-
When suppression is enabled, on an IP Feed download, it will remove all RFC1918 and Loopback addresses. It will also remove any /32 or /24 IPs that you added to the Suppress list (From the Alerts Tab "+" icon)…
There is no need to add your RFC1918 addresses as they are already part of the above...
I recommend using the pfSense Block Bogon feature instead of a Feed that contains Bogons.
There are not many feeds that are in the Lvl 1 feed, so just add the original feeds instead to the IPv4 tab.
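As an added illustration (not pfBlockerNG's own code), here is a small Python model of what the suppression step described above does to an IP feed such as firehol_level1: RFC1918 and loopback entries are stripped on download, and so is any /32 or /24 that sits in the Suppress alias. The feed excerpt is constructed, and the exact matching rule (any entry overlapping those ranges is dropped) is an assumption.

```python
import ipaddress

# Constructed excerpt of a firehol-style .netset feed (comment lines start with '#').
# The 192.168.0.0/16 line is the one that breaks outbound/LAN use of the list.
SAMPLE_FEED = """\
#
# firehol_level1 (constructed excerpt for illustration)
#
1.10.16.0/20
192.168.0.0/16
127.0.0.0/8
203.0.113.7
198.51.100.0/24
"""

# RFC1918 and loopback ranges that suppression always removes on download.
ALWAYS_SUPPRESSED = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")
]


def parse_netset(text):
    """Yield ip_network objects from .netset text, skipping comments and blanks."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            # strict=False tolerates host bits set; a bare IP becomes a /32.
            yield ipaddress.ip_network(line, strict=False)


def suppress(feed_text, suppress_list=()):
    """Return (kept, dropped) as CIDR strings.

    An entry is dropped when it overlaps an RFC1918/loopback range (assumed
    matching rule) or exactly equals a /32 or /24 on the user Suppress list;
    other prefix lengths on that list are ignored, as the thread describes.
    """
    user = [ipaddress.ip_network(n, strict=False) for n in suppress_list]
    user = [n for n in user if n.prefixlen in (24, 32)]
    kept, dropped = [], []
    for net in parse_netset(feed_text):
        if any(net.overlaps(r) for r in ALWAYS_SUPPRESSED) or net in user:
            dropped.append(str(net))
        else:
            kept.append(str(net))
    return kept, dropped
```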
-
Ok, it seems to be all fine now. Maybe the fact that I'd added my networks to the suppress alias was the problem? After I removed them and reloaded DNSBL, all the IPv4 block lists are working properly. Thanks for your fast reply!
-
There are not many feeds that are in the Lvl 1 feed, so just add the original feeds instead to the IPv4 tab.
Hi BBcan177,
Can you elaborate on that statement? I am a bit confused by the 'not many feeds that are in the Lvl1 feed'.
The list posted by OP is quite long:
https://raw.githubusercontent.com/ktsaou/blocklist-ipsets/master/firehol_level1.netset
Am I missing something?
-
The feeds which are included in lvl1:
A firewall blacklist composed from IP lists, providing
maximum protection with minimum false positives. Suitable
for basic protection on all internet facing servers,
routers and firewalls. (includes: bambenek_c2 dshield feodo
fullbogons spamhaus_drop spamhaus_edrop sslbl zeus_badips
ransomware_rw)
So instead of using lvl1, find those original feed urls and add those to a new IPv4 alias. The lvl1 feed includes bogons which should not be used to block outbound traffic.