Alias Native Logging
-
@ronpfs said in Alias Native Logging:
@morgion said in Alias Native Logging:
doing full reload now
If your Permit rules don't generate alerts, try to restart the pfBlockerNG firewall filter service.
You can also peek at the ip_permit.log file.
Restarted pfBlocker Firewall Filter service, ip_permit.log empty
-
@morgion said in Alias Native Logging:
@ronpfs said in Alias Native Logging:
grep "^77.72.82" /var/db/pfblockerng/permit/*.txt /var/db/pfblockerng/original/*.orig
No output
Looks like you don't need the "
grep ^77.72.82 /var/db/pfblockerng/*/*.txt /var/db/pfblockerng/original/*.orig
-
@ronpfs said in Alias Native Logging:
grep ^77.72.82 /var/db/pfblockerng/*/*.txt /var/db/pfblockerng/original/*.orig
/var/db/pfblockerng/deny/CINS_army_v4.txt:77.72.82.101
/var/db/pfblockerng/deny/CINS_army_v4.txt:77.72.82.14
/var/db/pfblockerng/deny/CINS_army_v4.txt:77.72.82.19
/var/db/pfblockerng/deny/CINS_army_v4.txt:77.72.82.22
/var/db/pfblockerng/deny/CINS_army_v4.txt:77.72.82.31
/var/db/pfblockerng/deny/ET_Block_v4.txt:77.72.82.0/24
/var/db/pfblockerng/original/Alienvault_v4.orig:77.72.82.19 # Malicious Host
/var/db/pfblockerng/original/Alienvault_v4.orig:77.72.82.22 # Malicious Host
/var/db/pfblockerng/original/Alienvault_v4.orig:77.72.82.72 # Malicious Host
/var/db/pfblockerng/original/Alienvault_v4.orig:77.72.82.88 # Malicious Host
/var/db/pfblockerng/original/Alienvault_v4.orig:77.72.82.125 # Malicious Host
/var/db/pfblockerng/original/Alienvault_v4.orig:77.72.82.59 # Malicious Host
/var/db/pfblockerng/original/Alienvault_v4.orig:77.72.82.101 # Malicious Host
/var/db/pfblockerng/original/Alienvault_v4.orig:77.72.82.14 # Malicious Host
/var/db/pfblockerng/original/Alienvault_v4.orig:77.72.82.48 # Malicious Host
/var/db/pfblockerng/original/Alienvault_v4.orig:77.72.82.91 # Malicious Host
/var/db/pfblockerng/original/Alienvault_v4.orig:77.72.82.31 # Malicious Host
/var/db/pfblockerng/original/BDS_Ban_v4.orig:77.72.82.15
/var/db/pfblockerng/original/BDS_Ban_v4.orig:77.72.82.19
/var/db/pfblockerng/original/BlockListDE_All_v4.orig:77.72.82.15
/var/db/pfblockerng/original/BlockListDE_SSH_v4.orig:77.72.82.15
/var/db/pfblockerng/original/CINS_army_v4.orig:77.72.82.101
/var/db/pfblockerng/original/CINS_army_v4.orig:77.72.82.14
/var/db/pfblockerng/original/CINS_army_v4.orig:77.72.82.19
/var/db/pfblockerng/original/CINS_army_v4.orig:77.72.82.22
/var/db/pfblockerng/original/CINS_army_v4.orig:77.72.82.31
/var/db/pfblockerng/original/DangerRulez_v4.orig:77.72.82.15 # 2018-05-27 10:23:33 21 1486391
/var/db/pfblockerng/original/ET_Block_v4.orig:77.72.82.0/24
/var/db/pfblockerng/original/ET_Comp_v4.orig:77.72.82.15
/var/db/pfblockerng/original/GreenSnow_v4.orig:77.72.82.56
/var/db/pfblockerng/original/GreenSnow_v4.orig:77.72.82.14
/var/db/pfblockerng/original/ISC_Block_v4.orig:77.72.82.0 77.72.82.255 24 1342 NETUP-AS , RU aospan@netup.ru
/var/db/pfblockerng/original/SuspectNetworks_v4.orig:77.72.82.0/24
-
-
@ronpfs said in Alias Native Logging:
@morgion said in Alias Native Logging:
ip_permit.log empty
And you see the Permits in the FW Logs?
Yes
-
@morgion said in Alias Native Logging:
@ronpfs said in Alias Native Logging:
grep ^77.72.82 /var/db/pfblockerng/*/*.txt /var/db/pfblockerng/original/*.orig
/var/db/pfblockerng/deny/CINS_army_v4.txt:77.72.82.101
/var/db/pfblockerng/deny/CINS_army_v4.txt:77.72.82.14
/var/db/pfblockerng/deny/CINS_army_v4.txt:77.72.82.19
/var/db/pfblockerng/deny/CINS_army_v4.txt:77.72.82.22
/var/db/pfblockerng/deny/CINS_army_v4.txt:77.72.82.31
/var/db/pfblockerng/deny/ET_Block_v4.txt:77.72.82.0/24
/var/db/pfblockerng/original/Alienvault_v4.orig:77.72.82.19 # Malicious Host
/var/db/pfblockerng/original/Alienvault_v4.orig:77.72.82.22 # Malicious Host
/var/db/pfblockerng/original/Alienvault_v4.orig:77.72.82.72 # Malicious Host
/var/db/pfblockerng/original/Alienvault_v4.orig:77.72.82.88 # Malicious Host
/var/db/pfblockerng/original/Alienvault_v4.orig:77.72.82.125 # Malicious Host
/var/db/pfblockerng/original/Alienvault_v4.orig:77.72.82.59 # Malicious Host
/var/db/pfblockerng/original/Alienvault_v4.orig:77.72.82.101 # Malicious Host
/var/db/pfblockerng/original/Alienvault_v4.orig:77.72.82.14 # Malicious Host
/var/db/pfblockerng/original/Alienvault_v4.orig:77.72.82.48 # Malicious Host
/var/db/pfblockerng/original/Alienvault_v4.orig:77.72.82.91 # Malicious Host
/var/db/pfblockerng/original/Alienvault_v4.orig:77.72.82.31 # Malicious Host
/var/db/pfblockerng/original/BDS_Ban_v4.orig:77.72.82.15
/var/db/pfblockerng/original/BDS_Ban_v4.orig:77.72.82.19
/var/db/pfblockerng/original/BlockListDE_All_v4.orig:77.72.82.15
/var/db/pfblockerng/original/BlockListDE_SSH_v4.orig:77.72.82.15
/var/db/pfblockerng/original/CINS_army_v4.orig:77.72.82.101
/var/db/pfblockerng/original/CINS_army_v4.orig:77.72.82.14
/var/db/pfblockerng/original/CINS_army_v4.orig:77.72.82.19
/var/db/pfblockerng/original/CINS_army_v4.orig:77.72.82.22
/var/db/pfblockerng/original/CINS_army_v4.orig:77.72.82.31
/var/db/pfblockerng/original/DangerRulez_v4.orig:77.72.82.15 # 2018-05-27 10:23:33 21 1486391
/var/db/pfblockerng/original/ET_Block_v4.orig:77.72.82.0/24
/var/db/pfblockerng/original/ET_Comp_v4.orig:77.72.82.15
/var/db/pfblockerng/original/GreenSnow_v4.orig:77.72.82.56
/var/db/pfblockerng/original/GreenSnow_v4.orig:77.72.82.14
/var/db/pfblockerng/original/ISC_Block_v4.orig:77.72.82.0 77.72.82.255 24 1342 NETUP-AS , RU aospan@netup.ru
/var/db/pfblockerng/original/SuspectNetworks_v4.orig:77.72.82.0/24
Strange, as 77.72.82.0/24 includes 77.72.82.1 to 77.72.82.254.
Do you have suppression enabled?
-
@ronpfs Yes but not used (yet)
-
Can you run
pfctl -vvsr | grep "pf"
-
-
@morgion Again a "new" forum quirk, a missing newline:
pfctl -vvsr | grep "pf"
-
@morgion said in Alias Native Logging:
@ronpfs Yes but not used (yet)
It's done when a Reload IP or Cron update runs.
It should have removed the /var/db/pfblockerng/deny/CINS_army_v4.txt entries.
I see the same thing on my box with De-Duplication, CIDR Aggregation and Suppression enabled.
-
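The de-duplication check ronpfs describes above (a /24 in one list should have caused the single hosts inside it in another list to be dropped), as an added example that is not part of this thread and not pfBlockerNG's own code: it parses the per-list files pfBlockerNG writes (one IP or CIDR per line, optional `#` comment) and reports every entry that is already covered by a wider CIDR in any list. The directory path, the function names and the sample file contents (constructed from the grep output posted above) are assumptions.

```python
"""Find pfBlockerNG list entries already covered by a wider CIDR.

Added example for the thread above; not pfBlockerNG's own code. It reads the
final per-list files (one IP or CIDR per line, optional '# comment') and
reports every entry that sits inside a broader network found in any list.
Usage:  python3 pfb_shadow_check.py /var/db/pfblockerng/deny
With no argument it runs on a small constructed sample from the thread.
"""
import ipaddress
import os
import sys
from typing import Dict, Iterator, List, Tuple

# Constructed sample: two of the deny files quoted in the thread.
SAMPLE_LISTS: Dict[str, str] = {
    "CINS_army_v4.txt": "77.72.82.101\n77.72.82.14\n77.72.82.19\n77.72.82.22\n77.72.82.31\n",
    "ET_Block_v4.txt": "77.72.82.0/24\n198.51.100.7\n",
}


def parse_entries(text: str) -> Iterator[ipaddress._BaseNetwork]:
    """Yield ip_network objects from one list file; skip blanks, comments and
    lines that are not a plain IP/CIDR (e.g. ISC-style range lines)."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            yield ipaddress.ip_network(line, strict=False)
        except ValueError:
            continue


def find_shadowed(lists: Dict[str, str]) -> List[Tuple[str, str, str, str]]:
    """Return (file, entry, covering_file, covering_cidr) for every entry that is
    a strict subnet of some aggregate (more than one address) in any list."""
    parsed = {name: list(parse_entries(body)) for name, body in lists.items()}
    aggregates = [(name, net) for name, nets in parsed.items()
                  for net in nets if net.num_addresses > 1]
    shadowed = []
    for name, nets in parsed.items():
        for net in nets:
            for agg_name, agg in aggregates:
                # subnet_of() raises on mixed IPv4/IPv6, so compare versions first.
                if net != agg and net.version == agg.version and net.subnet_of(agg):
                    shadowed.append((name, str(net), agg_name, str(agg)))
                    break
    return shadowed


def load_dir(path: str) -> Dict[str, str]:
    """Read every *.txt list file in a pfBlockerNG directory."""
    out = {}
    for fn in sorted(os.listdir(path)):
        if fn.endswith(".txt"):
            with open(os.path.join(path, fn), encoding="utf-8", errors="replace") as fh:
                out[fn] = fh.read()
    return out


if __name__ == "__main__":
    lists = load_dir(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_LISTS
    for f, entry, cf, cidr in find_shadowed(lists):
        print(f"{f}: {entry} is inside {cidr} ({cf})")
```

On the sample this prints the five CINS_army_v4 hosts as shadowed by ET_Block_v4's 77.72.82.0/24; run against the real deny directory after a Reload, an empty result is what a working De-Duplication/CIDR Aggregation pass should leave.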
Shell Output - pfctl -vvsr | grep "pf"
@127(1770001239) pass quick on igb1 inet proto icmp from any to 10.10.10.1 icmp-type echoreq keep state label "USER_RULE: pfB_DNSBL_Ping"
@128(1770001239) pass quick on igb2 inet proto icmp from any to 10.10.10.1 icmp-type echoreq keep state label "USER_RULE: pfB_DNSBL_Ping"
@129(1770001239) pass quick on igb3 inet proto icmp from any to 10.10.10.1 icmp-type echoreq keep state label "USER_RULE: pfB_DNSBL_Ping"
@130(1770001466) pass quick on igb1 inet proto tcp from any to 10.10.10.1 port = 8081 flags S/SA keep state label "USER_RULE: pfB_DNSBL_Permit"
@131(1770001466) pass quick on igb1 inet proto tcp from any to 10.10.10.1 port = 8443 flags S/SA keep state label "USER_RULE: pfB_DNSBL_Permit"
@132(1770001466) pass quick on igb1 inet proto udp from any to 10.10.10.1 port = 8081 keep state label "USER_RULE: pfB_DNSBL_Permit"
@133(1770001466) pass quick on igb1 inet proto udp from any to 10.10.10.1 port = 8443 keep state label "USER_RULE: pfB_DNSBL_Permit"
@134(1770001466) pass quick on igb2 inet proto tcp from any to 10.10.10.1 port = 8081 flags S/SA keep state label "USER_RULE: pfB_DNSBL_Permit"
@135(1770001466) pass quick on igb2 inet proto tcp from any to 10.10.10.1 port = 8443 flags S/SA keep state label "USER_RULE: pfB_DNSBL_Permit"
@136(1770001466) pass quick on igb2 inet proto udp from any to 10.10.10.1 port = 8081 keep state label "USER_RULE: pfB_DNSBL_Permit"
@137(1770001466) pass quick on igb2 inet proto udp from any to 10.10.10.1 port = 8443 keep state label "USER_RULE: pfB_DNSBL_Permit"
@138(1770001466) pass quick on igb3 inet proto tcp from any to 10.10.10.1 port = 8081 flags S/SA keep state label "USER_RULE: pfB_DNSBL_Permit"
@139(1770001466) pass quick on igb3 inet proto tcp from any to 10.10.10.1 port = 8443 flags S/SA keep state label "USER_RULE: pfB_DNSBL_Permit"
@140(1770001466) pass quick on igb3 inet proto udp from any to 10.10.10.1 port = 8081 keep state label "USER_RULE: pfB_DNSBL_Permit"
@141(1770001466) pass quick on igb3 inet proto udp from any to 10.10.10.1 port = 8443 keep state label "USER_RULE: pfB_DNSBL_Permit"
@142(1770009104) block drop log quick on pppoe0 inet from <pfB_PRI1_v4:17167> to any label "USER_RULE: pfB_PRI1_v4"
@143(1770009128) block drop log quick on pppoe0 inet from <pfB_PRI2_v4:37959> to any label "USER_RULE: pfB_PRI2_v4"
@144(1770009318) block drop log quick on pppoe0 inet from <pfB_PRI3_v4:16803> to any label "USER_RULE: pfB_PRI3_v4"
@145(1770009226) block drop log quick on pppoe0 inet from <pfB_PRI4_v4:14347> to any label "USER_RULE: pfB_PRI4_v4"
@146(1770009208) block drop log quick on pppoe0 inet from <pfB_PRI5_v4:2363> to any label "USER_RULE: pfB_PRI5_v4"
@147(1770008838) block drop log quick on pppoe0 inet from <pfB_MAIL_v4:12149> to any label "USER_RULE: pfB_MAIL_v4"
@148(1770009301) block drop log quick on pppoe0 inet from <pfB_Abuse_PS_v4:2> to any label "USER_RULE: pfB_Abuse_PS_v4"
@149(1770008792) block drop log quick on pppoe0 inet from <pfB_TOR_v4:6703> to any label "USER_RULE: pfB_TOR_v4"
@150(1770009914) block drop log quick on pppoe0 inet from <pfB_Internic_4_v4:13> to any label "USER_RULE: pfB_Internic_4_v4"
@151(1770009587) block drop log quick on pppoe0 inet from <pfB_BlockListDE_v4:155> to any label "USER_RULE: pfB_BlockListDE_v4"
@152(1770009071) block drop log quick on pppoe0 inet from <pfB_DNSBLIP_v4:13203> to any label "USER_RULE: pfB_DNSBLIP_v4"
@153(1770009435) block drop log quick on pppoe0 inet6 from <pfB_PRI1_6_v6:99> to any label "USER_RULE: pfB_PRI1_6_v6"
@154(1770009706) block drop log quick on pppoe0 inet6 from <pfB_Internic_6_v6:13> to any label "USER_RULE: pfB_Internic_6_v6"
@155(1770004209) block return log quick on igb1 inet from any to <pfB_PRI1_v4:17167> label "USER_RULE: pfB_PRI1_v4"
@156(1770004209) block return log quick on igb2 inet from any to <pfB_PRI1_v4:17167> label "USER_RULE: pfB_PRI1_v4"
@157(1770004209) block return log quick on igb3 inet from any to <pfB_PRI1_v4:17167> label "USER_RULE: pfB_PRI1_v4"
@158(1770004233) block return log quick on igb1 inet from any to <pfB_PRI2_v4:37959> label "USER_RULE: pfB_PRI2_v4"
@159(1770004233) block return log quick on igb2 inet from any to <pfB_PRI2_v4:37959> label "USER_RULE: pfB_PRI2_v4"
@160(1770004233) block return log quick on igb3 inet from any to <pfB_PRI2_v4:37959> label "USER_RULE: pfB_PRI2_v4"
@161(1770004423) block return log quick on igb1 inet from any to <pfB_PRI3_v4:16803> label "USER_RULE: pfB_PRI3_v4"
@162(1770004423) block return log quick on igb2 inet from any to <pfB_PRI3_v4:16803> label "USER_RULE: pfB_PRI3_v4"
@163(1770004423) block return log quick on igb3 inet from any to <pfB_PRI3_v4:16803> label "USER_RULE: pfB_PRI3_v4"
@164(1770004331) block return log quick on igb1 inet from any to <pfB_PRI4_v4:14347> label "USER_RULE: pfB_PRI4_v4"
@165(1770004331) block return log quick on igb2 inet from any to <pfB_PRI4_v4:14347> label "USER_RULE: pfB_PRI4_v4"
@166(1770004331) block return log quick on igb3 inet from any to <pfB_PRI4_v4:14347> label "USER_RULE: pfB_PRI4_v4"
@167(1770004313) block return log quick on igb1 inet from any to <pfB_PRI5_v4:2363> label "USER_RULE: pfB_PRI5_v4"
@168(1770004313) block return log quick on igb2 inet from any to <pfB_PRI5_v4:2363> label "USER_RULE: pfB_PRI5_v4"
@169(1770004313) block return log quick on igb3 inet from any to <pfB_PRI5_v4:2363> label "USER_RULE: pfB_PRI5_v4"
@170(1770003943) block return log quick on igb1 inet from any to <pfB_MAIL_v4:12149> label "USER_RULE: pfB_MAIL_v4"
@171(1770003943) block return log quick on igb2 inet from any to <pfB_MAIL_v4:12149> label "USER_RULE: pfB_MAIL_v4"
@172(1770003943) block return log quick on igb3 inet from any to <pfB_MAIL_v4:12149> label "USER_RULE: pfB_MAIL_v4"
@173(1770004406) block return log quick on igb1 inet from any to <pfB_Abuse_PS_v4:2> label "USER_RULE: pfB_Abuse_PS_v4"
@174(1770004406) block return log quick on igb2 inet from any to <pfB_Abuse_PS_v4:2> label "USER_RULE: pfB_Abuse_PS_v4"
@175(1770004406) block return log quick on igb3 inet from any to <pfB_Abuse_PS_v4:2> label "USER_RULE: pfB_Abuse_PS_v4"
@176(1770003897) block return log quick on igb1 inet from any to <pfB_TOR_v4:6703> label "USER_RULE: pfB_TOR_v4"
@177(1770003897) block return log quick on igb2 inet from any to <pfB_TOR_v4:6703> label "USER_RULE: pfB_TOR_v4"
@178(1770003897) block return log quick on igb3 inet from any to <pfB_TOR_v4:6703> label "USER_RULE: pfB_TOR_v4"
@179(1770005019) block return log quick on igb1 inet from any to <pfB_Internic_4_v4:13> label "USER_RULE: pfB_Internic_4_v4"
@180(1770005019) block return log quick on igb2 inet from any to <pfB_Internic_4_v4:13> label "USER_RULE: pfB_Internic_4_v4"
@181(1770005019) block return log quick on igb3 inet from any to <pfB_Internic_4_v4:13> label "USER_RULE: pfB_Internic_4_v4"
@182(1770004692) block return log quick on igb1 inet from any to <pfB_BlockListDE_v4:155> label "USER_RULE: pfB_BlockListDE_v4"
@183(1770004692) block return log quick on igb2 inet from any to <pfB_BlockListDE_v4:155> label "USER_RULE: pfB_BlockListDE_v4"
@184(1770004692) block return log quick on igb3 inet from any to <pfB_BlockListDE_v4:155> label "USER_RULE: pfB_BlockListDE_v4"
@185(1770004176) block return log quick on igb1 inet from any to <pfB_DNSBLIP_v4:13203> label "USER_RULE: pfB_DNSBLIP_v4"
@186(1770004176) block return log quick on igb2 inet from any to <pfB_DNSBLIP_v4:13203> label "USER_RULE: pfB_DNSBLIP_v4"
@187(1770004176) block return log quick on igb3 inet from any to <pfB_DNSBLIP_v4:13203> label "USER_RULE: pfB_DNSBLIP_v4"
@188(1770004540) block return log quick on igb1 inet6 from any to <pfB_PRI1_6_v6:99> label "USER_RULE: pfB_PRI1_6_v6"
@189(1770004540) block return log quick on igb2 inet6 from any to <pfB_PRI1_6_v6:99> label "USER_RULE: pfB_PRI1_6_v6"
@190(1770004540) block return log quick on igb3 inet6 from any to <pfB_PRI1_6_v6:99> label "USER_RULE: pfB_PRI1_6_v6"
@191(1770004811) block return log quick on igb1 inet6 from any to <pfB_Internic_6_v6:13> label "USER_RULE: pfB_Internic_6_v6"
@192(1770004811) block return log quick on igb2 inet6 from any to <pfB_Internic_6_v6:13> label "USER_RULE: pfB_Internic_6_v6"
@193(1770004811) block return log quick on igb3 inet6 from any to <pfB_Internic_6_v6:13> label "USER_RULE: pfB_Internic_6_v6"
@211(1527214027) pass in log quick on pppoe0 reply-to (pppoe0 150.101.32.41) inet proto udp from <pfB_Oceania_v4:6752> to xx.xxx.xxx.xxx port = openvpn keep state label "USER_RULE: pfb_OpenVPN_Remote_Network_Access_wizard"
-
@morgion It may be a bug that BBcan177 will need to address.
The pfBlockerNG firewall filter service looks for TrackerID 1770*, and the pfB_Oceania_v4 rule's is 1527214027.
-
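A way to check for the condition ronpfs diagnoses above (a rule that references a pfB_ alias but carries a tracker ID outside the 1770 range the filter service watches), as an added example that is not the thread's or pfBlockerNG's own code: it parses `pfctl -vvsr` output and lists every such rule. The 1770 prefix is taken from ronpfs's post and is a parameter rather than a documented constant; the sample lines are constructed from the output posted above (with a documentation address in place of the masked one), and the function names are assumptions.

```python
"""Report pf rules that use pfBlockerNG aliases but carry a tracker ID the
pfBlockerNG firewall filter service would not watch.

Added example for the thread above; not pfBlockerNG's own code. The assumed
rule is the one stated in the thread: the filter service follows rules whose
tracker ID starts with 1770, so a hand-written permit rule on a pfB_ alias
(tracker 1527214027 in the thread) never reaches ip_permit.log.
Usage on pfSense:  pfctl -vvsr | python3 pfb_tracker_check.py
Run without piped input it uses the constructed sample below.
"""
import re
import sys
from typing import Iterable, List, NamedTuple, Optional

# One pfctl -vvsr rule line: "@<num>(<tracker>) <rule text ...>"
RULE_RE = re.compile(r"^@(?P<num>\d+)\((?P<tracker>\d+)\)\s+(?P<body>.*)$")
TABLE_RE = re.compile(r"<(?P<table>[^:>]+):\d+>")   # e.g. "<pfB_PRI1_v4:17167>"
LABEL_RE = re.compile(r'label "(?P<label>[^"]*)"')

MANAGED_PREFIX = "1770"   # assumption taken from the thread, not a documented constant


class Finding(NamedTuple):
    rule_num: int
    tracker: str
    tables: tuple
    label: str


def parse_rule(line: str) -> Optional[Finding]:
    """Split one rule line into rule number, tracker ID, referenced tables and label.
    Returns None for the indented statistics lines pfctl -vvsr prints under each rule."""
    m = RULE_RE.match(line.strip())
    if not m:
        return None
    body = m.group("body")
    tables = tuple(TABLE_RE.findall(body))
    lm = LABEL_RE.search(body)
    return Finding(int(m.group("num")), m.group("tracker"), tables,
                   lm.group("label") if lm else "")


def is_pfb_rule(f: Finding) -> bool:
    """True when the rule matches on a pfB_ table or carries a pfB_ label."""
    return any(t.lower().startswith("pfb_") for t in f.tables) \
        or "pfb_" in f.label.lower()


def unmanaged_pfb_rules(lines: Iterable[str], prefix: str = MANAGED_PREFIX) -> List[Finding]:
    """Rules that touch pfBlockerNG aliases but whose tracker ID lacks the prefix."""
    out = []
    for line in lines:
        f = parse_rule(line)
        if f and is_pfb_rule(f) and not f.tracker.startswith(prefix):
            out.append(f)
    return out


# Constructed sample: three lines from the thread plus one ordinary LAN rule.
SAMPLE_PFCTL = """\
@130(1770001466) pass quick on igb1 inet proto tcp from any to 10.10.10.1 port = 8081 flags S/SA keep state label "USER_RULE: pfB_DNSBL_Permit"
  [ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ]
@142(1770009104) block drop log quick on pppoe0 inet from <pfB_PRI1_v4:17167> to any label "USER_RULE: pfB_PRI1_v4"
@200(1600000001) pass in quick on igb1 inet from any to any flags S/SA keep state label "USER_RULE: LAN to any"
@211(1527214027) pass in log quick on pppoe0 reply-to (pppoe0 150.101.32.41) inet proto udp from <pfB_Oceania_v4:6752> to 203.0.113.5 port = openvpn keep state label "USER_RULE: pfb_OpenVPN_Remote_Network_Access_wizard"
"""

if __name__ == "__main__":
    lines = sys.stdin.read().splitlines() if not sys.stdin.isatty() else SAMPLE_PFCTL.splitlines()
    for f in unmanaged_pfb_rules(lines):
        print(f"rule @{f.rule_num} tracker {f.tracker} uses {', '.join(f.tables) or 'no table'} "
              f"label {f.label!r}: not watched by the pfBlockerNG filter service")
```

On the sample only @211 is reported; rules auto-created by pfBlockerNG (Adv. Inbound "Permit Inbound", as suggested below in the thread) get a 1770-prefixed tracker and are not flagged.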
@ronpfs At least we got to the bottom of it. Thank you very much for your assistance. You and @BBcan177 are assets to the pfSense community!
-
@morgion Can you use Adv. Inbound rules and use "Permit Inbound" and let it auto-create the rule which will have the 177 tracker id prefix?
-
@ronpfs said in Alias Native Logging:
@morgion Can you use Adv. Inbound rules and use "Permit Inbound" and let it auto-create the rule which will have the 177 tracker id prefix?
Those rules do work; I have just been trying not to create more aliases, and to have more flexibility.