pfBlockerNG: understanding the log and how it works



    1. I have many entries in the pfBlockerNG log (IP sets) of incoming connections from external IPs to other IPs that are not my public IP address, and in the log the "list" column says "no match". So I don't understand 2 things:
    • Why pfBlockerNG is blocking something that doesn't go to my public IP address (or any internal IP)
    • Why the log says that this block has "no match" with any list; what does it mean? I have reloaded and it still happens. I have checked that the blocked IPs don't appear in any list or in the master list, but I still get in the log that the connection was blocked by the rule that pfBlockerNG created for a list.
    2. On the other hand, I have thousands of entries in the log of an external IP port scanning my public IP; I have a few ports open.
      I guess that even without pfBlockerNG, pfSense would drop all the incoming calls to closed ports except for the open ones. Then does it make sense to enable the pfBlockerNG WAN rules only for the open ports? I have seen it is possible with the option "Advanced Inbound Firewall Rule Settings", but how do I add several aliases of ports? Separated by a comma? It doesn't seem to work. On the other hand, I guess I have to activate the "invert" option, right?


    1. “no match” only refers to the address given to the pfBlocker web instance. A common situation occurs when the domain being requested resolves to a CNAME and the name it points to is blacklisted. There is a new version of pfBlocker in the works and this should be much less of an issue.

    2. Is up to you, I like being able to show all the probes and attempts to attack my network that are being stopped, but you could instruct pfSense to drop traffic for closed privileged ports (under 1024) before they get to pfBlocker to keep to more relevant attempts to access your network.
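    One way to see the CNAME effect described in point 1, as an added illustration that is not pfBlockerNG's own code: the requested name is checked on its own and shows "no match", while walking the CNAME chain reveals the listed name that actually triggered the block. The CNAME map and the blocklist below are constructed stand-ins for what the resolver and a DNSBL feed would return.

```python
"""Added example (not from the forum thread or pfBlockerNG): why a DNSBL
log can show "no match" for a requested name whose CNAME target is listed.

Everything here is constructed: CNAME_MAP stands in for resolver answers
and BLOCKLIST is a toy set of blocked domains."""

# Constructed CNAME chain: the requested name points at a tracker's edge host.
CNAME_MAP = {
    "cdn.example.test": "edge.tracker-example.net",
    "edge.tracker-example.net": "tracker-example.net",
}

# Constructed blocklist: only the final CNAME target's domain is listed.
BLOCKLIST = {"tracker-example.net", "ads.example.org"}


def resolve_chain(name, cname_map=CNAME_MAP, max_hops=8):
    """Return the names visited while following CNAMEs, requested name first.
    max_hops and the loop check guard against circular CNAME records."""
    chain = [name]
    while chain[-1] in cname_map and len(chain) <= max_hops:
        nxt = cname_map[chain[-1]]
        if nxt in chain:  # circular CNAME; stop here
            break
        chain.append(nxt)
    return chain


def match_list(name, blocklist=BLOCKLIST):
    """Suffix match like a domain blocklist: 'a.b.c' matches entries
    'a.b.c', 'b.c' or 'c'. Returns the matching entry or None."""
    labels = name.rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in blocklist:
            return candidate
    return None


def classify(requested, cname_map=CNAME_MAP, blocklist=BLOCKLIST):
    """Return (blocked, list_entry, matched_name).
    Checking only `requested` reproduces the "no match" symptom; walking
    the chain shows which hop actually hit the list."""
    for hop in resolve_chain(requested, cname_map):
        entry = match_list(hop, blocklist)
        if entry is not None:
            return True, entry, hop
    return False, "no match", requested
```

    Comparing `match_list("cdn.example.test")` (None) with `classify("cdn.example.test")` shows why a log keyed on the requested name alone reports "no match" even though the block was legitimate.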



  • @motific:

    1. “no match” only refers to the address given to the pfBlocker web instance. A common situation occurs when the domain being requested resolves to a CNAME and the name it points to is blacklisted. There is a new version of pfBlocker in the works and this should be much less of an issue.

    2. Is up to you, I like being able to show all the probes and attempts to attack my network that are being stopped, but you could instruct pfSense to drop traffic for closed privileged ports (under 1024) before they get to pfBlocker to keep to more relevant attempts to access your network.

    Thanks for the answers.

    Any idea on when the new version will be ready? I haven't seen recent news on Patreon.


  • Moderator

    It's been submitted here for review by the pfSense devs:

    https://github.com/pfsense/FreeBSD-ports/pull/515

    It will be released as DEVEL and following a short review period will be the next Release.



  • Thanks for the info, I will wait for the new version to see if it solves the issue. I guess I could uninstall the package and start over again, but I prefer to wait a bit for the new version. From the screenshots on Twitter all I can say is that you have been doing a great job.
    I think there is no tool like this on the market; OPNsense (a pity not to have a migration), Sophos XG, FortiGate, etc. can't do all this.



  • For it to address the CNAME issue you will need to remember to whitelist sites via the reporting UI, and using that won’t be any different to you listing them yourself, as both the server and the servers they refer to will end up in the whitelist. So don’t feel a need to wipe & redeploy.