pfblockerng error: Unknown Not listed!
-
@bbcan17 said in pfblockerng error: Unknown Not listed!:
Not sure which URL you are using for that?
Maybe something like : http://vxvault.net/ViriList.php
-
@BBcan17 @RonpfS
Thanks for your help. I am going to post all the evidence I found to clarify this issue.
First, an example of the log where, for example, this forum is being blocked and they all appear as not listed... but somehow those IPs are part of the blocklist
This is the list of url inside that group
http://vxvault.net/ViriList.php?s=0&m=100
This is the ip_block.log
Jun 16 10:53:15,1770010922,igb0,LAN,block,4,6,TCP-S,192.168.1.110,208.123.73.199,55932,443,out,US,pfB_MalwareAndSites_v4,208.0.0.0/4,VxVault_v4,forum.netgate.com,pc,+
Jun 16 10:53:15,1770010922,igb0,LAN,block,4,6,TCP-S,192.168.1.110,208.123.73.199,55932,443,out,US,pfB_MalwareAndSites_v4,208.0.0.0/4,VxVault_v4,forum.netgate.com,pc,-
Jun 16 10:53:15,1770010922,igb0,LAN,block,4,6,TCP-S,192.168.1.110,208.123.73.199,55932,443,out,US,pfB_MalwareAndSites_v4,208.0.0.0/4,VxVault_v4,forum.netgate.com,pc,-
Masterfile
VxVault origin file
VxVault_v4.orig -> https://pastebin.com/ntsNk03s
So I don't understand why it's blocking 208.0.0.0/4 and 176.0.0.0/5 if these are not in the original list and still remain after reloading the IP lists. I don't know how to get rid of them. Maybe it is a problem with the VxVault format. But still that doesn't explain why those IPs don't disappear and why it is blocking something that is not related to any list, at least I don't understand it.
I can understand that if I update and an IP disappears, in the log the old blocks will appear as "not listed old_list_name", but I don't understand why a non-listed IP is blocking stuff, or that a "non listed not listed" IP, whatever it means (it was not listed and now is either listed), is blocking something. pfblockerng should delete not listed IPs so this doesn't block anything anymore and I think this is what is failing here.
How can I fix it? It's the 3rd or 4th time that I have had this problem with pfblockerng since I started to use it (3 months ago) and the only way to fix it was to start from scratch. The only thing I can think that I did wrong maybe was this "** AVOID ** Running these "Force" options - when CRON is expected to RUN!" so maybe I ran an update while cron was working, I don't know for sure but I can't discard it since when I whitelist something I usually run the Update task. Could this be the root cause of my issue? Maybe I'm that stupid and I made the same mistake 3 times xD
On the other hand the widget packet count doesn't work very well
and then if I click in attackv4
Thanks
-
Run these commands to see where these IPs are listed:
grep "\.0\.0\.0" /var/db/pfblockerng/deny/*
grep "\.0\.0\.0" /var/db/pfblockerng/original/*
grep "\.0\.0\.0" /var/db/aliastables/*
Do you have any entries defined in this Alias "Customlist"?
For the Widget pivot to the Alerts Tab. Run this command to see what entries are in the ip_block.log:
grep "pfB_Attack_v4" /var/log/pfblockerng/ip_block.log
It could be that the ip_block.log is rotating the max. line count and clearing out those entries. You can increase these log line limits in the General Tab.
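As an added example (not part of the original post and not pfBlockerNG code): the grep commands above only find literal text, so an address blocked by a wide CIDR such as the 208.0.0.0/4 in the log needs a containment check. This Python script does that; the log field positions are inferred from the sample lines in this thread, and the table contents are constructed.

```python
import ipaddress

# Field positions inferred from the ip_block.log lines quoted in this thread
# (an assumption, not taken from pfBlockerNG documentation).
DST_IP, ALIAS, MATCHED, FEED = 9, 14, 15, 16

def parse_block_line(line):
    """Pull the triage fields out of one ip_block.log line."""
    f = line.strip().split(",")
    return {"dst": f[DST_IP], "alias": f[ALIAS],
            "matched": f[MATCHED], "feed": f[FEED]}

def covering_entries(ip, tables):
    """Return (file, entry) pairs whose network contains ip.
    tables maps a file name to its lines."""
    addr = ipaddress.ip_address(ip)
    hits = []
    for name, lines in tables.items():
        for raw in lines:
            entry = raw.split("#")[0].strip()
            try:
                net = ipaddress.ip_network(entry, strict=False)
            except ValueError:
                continue  # blank line, URL, hostname or "feed ip" pair
            if addr.version == net.version and addr in net:
                hits.append((name, entry))
    return hits

def load_tables(paths):
    """Read real files, e.g. glob.glob('/var/db/pfblockerng/deny/*')."""
    tables = {}
    for p in paths:
        with open(p, errors="replace") as fh:
            tables[p] = fh.read().splitlines()
    return tables

# Constructed sample: a log line from the thread and two small tables.
SAMPLE_LOG = ("Jun 16 10:53:15,1770010922,igb0,LAN,block,4,6,TCP-S,"
              "192.168.1.110,208.123.73.199,55932,443,out,US,"
              "pfB_MalwareAndSites_v4,208.0.0.0/4,VxVault_v4,"
              "forum.netgate.com,pc,+")
SAMPLE_TABLES = {
    "deny/ET_Block_IP_v4.txt": ["161.0.0.0/19", "223.0.0.0/15"],
    "aliastables/pfB_MalwareAndSites_v4.txt": ["208.0.0.0/4", "176.0.0.0/5"],
}

if __name__ == "__main__":
    rec = parse_block_line(SAMPLE_LOG)
    print(rec["dst"], "matched", rec["matched"], "->",
          covering_entries(rec["dst"], SAMPLE_TABLES))
```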
-
@bbcan17 said in pfblockerng error: Unknown Not listed!:
Run these commands to see where these IPs are listed:
grep "\.0\.0\.0" /var/db/pfblockerng/deny/*
grep "\.0\.0\.0" /var/db/pfblockerng/original/*
grep "\.0\.0\.0" /var/db/aliastables/*
Do you have any entries defined in this Alias "Customlist"?
For the Widget pivot to the Alerts Tab. Run this command to see what entries are in the ip_block.log:
grep "pfB_Attack_v4" /var/log/pfblockerng/ip_block.log
It could be that the ip_block.log is rotating the max. line count and clearing out those entries. You can increase these log line limits in the General Tab.
Shell Output - grep ".0.0.0" /var/db/pfblockerng/deny/*
/var/db/pfblockerng/deny/ET_Block_IP_v4.txt:161.0.0.0/19
/var/db/pfblockerng/deny/ET_Block_IP_v4.txt:223.0.0.0/15
Shell Output - grep ".0.0.0" /var/db/pfblockerng/original/*
/var/db/pfblockerng/original/ET_Block_IP_v4.orig:161.0.0.0/19
/var/db/pfblockerng/original/ET_Block_IP_v4.orig:223.0.0.0/15
Shell Output - grep ".0.0.0" /var/db/aliastables/*
grep: /var/db/aliastables/*: No such file or directory
https://rules.emergingthreats.net/fwrules/emerging-Block-IPs.txt
So it's a problem with this list?
What do you mean with this? Do you have any entries defined in this Alias “Customlist”?
Firewall->Aliases? yes I have defined custom ports that I'm using like this, so pfblockerng only blocks ports inbound that I have open
For the second part
Shell Output - grep "pfB_Attack_v4" /var/log/pfblockerng/ip_block.log
Jun 16 10:38:00,1770010014,igb0,LAN,block,4,6,TCP-S,192.168.1.209,196.196.193.44,48140,45278,out,IE,pfB_Attack_v4,196.196.0.0/14,ET_Block_IP_v4,Unknown,Unknown,+
I have increased the limits to 40k
-
Those IPs must have been in the feed at some point. But the grep commands are telling you that they are no longer in any feed.
I assume that pfBlockerNG is disabled, as this should not return that error if there are files in that folder:
Shell Output - grep “.0.0.0” /var/db/aliastables/*
grep: /var/db/aliastables/*: No such file or directory
What do you mean with this? Do you have any entries defined in this Alias “Customlist”?
At the bottom of each Alias is "IPv4 Custom_list" where you can manually add IPs to an Alias.
-
@bbcan177 said in pfblockerng error: Unknown Not listed!:
Those IPs must have been in the feed at some point. But the grep commands are telling you that they are no longer in any feed.
I assume that pfBlockerNG is disabled, as this should not return that error if there are files in that folder:
Shell Output - grep “.0.0.0” /var/db/aliastables/*
grep: /var/db/aliastables/*: No such file or directory
What do you mean with this? Do you have any entries defined in this Alias “Customlist”?
At the bottom of each Alias is "IPv4 Custom_list" where you can manually add IPs to an Alias.
Right, I enabled it and run the command again
Shell Output - grep ".0.0.0" /var/db/aliastables/*
/var/db/aliastables/pfB_Attack_v4.txt:161.0.0.0/19
/var/db/aliastables/pfB_Attack_v4.txt:223.0.0.0/15
And custom lists are all empty
Is it a misconfiguration on my side or a bug? Can I fix it?
-
@l0rdraiden said in pfblockerng error: Unknown Not listed!:
Is it a misconfiguration on my side or a bug? Can I fix it?
Well in its current state, I can't see any Feed that has those IPs? So I don't see anything to fix either way.
If it happens again, run those commands and we can do some more debugging.
Also note that there is a new feature in the IP Alias settings > Advanced Tuneables > Suppression CIDR Limit. Here you can define a max CIDR to utilize, so that a Feed doesn't try to block a large range of IPs. YMMV
-
@l0rdraiden Why don't you remove the http://vxvault.net/ViriList.php?s=0&m=100 URL, as it's not geared for IPV4?
-
Hi,
Sorry for bumping this topic up, but can somebody explain why I get Unknown Not listed in this case:
# grep 113.1.135.78 /var/db/pfblockerng/* -r
/var/db/pfblockerng/deny/CINS_army_v4.txt:113.1.135.78
/var/db/pfblockerng/mastercat:113.1.135.78
/var/db/pfblockerng/masterfile:CINS_army_v4 113.1.135.78
/var/db/pfblockerng/original/CINS_army_v4.orig:113.1.135.78
Why if this IP is not listed, it's still getting blocked?
Is there a description of what all of those files/folders under /var/db/pfblockerng/ are intended for?
Thanks in advance!
-
@jazzl0ver You might be better off starting a new thread and linking this thread as reference.
-
@NollipfSense not sure it's wise to create different threads for the same topic. It'll be harder to search things if someone faces the same issue.
-
@jazzl0ver said in pfblockerng error: Unknown Not listed!:
same issue
The pfBlockerNG of today (2.2.5_27) is not comparable with what we've been using in 2018.
-
@Gertjan ok, guys. will do