Reputational sources?



  • As these were not seen in the GUI or any of the associated services, I thought I would pose the question to see if something was missed (alternatively, provide something of how to solve the riddle?) - new to pfSense and considering a move from FreeBSD + PF + (a lot of custom code and integration).

    Has anyone looked into a means to incorporate the eThreats data (http://rules.emergingthreats.net/fwrules/emerging-Block-IPs.txt) and/or the SpamHaus data (https://www.spamhaus.org/drop/edrop.txt and drop.txt) for inclusion in a PF table or any of the various other sources?

    Thinking is simple PF table, but perhaps pfBlockerNG may be the better location? (Still not familiar enough with it, to ascertain alignment), "Reputation" seems to be in this same light?

    These two sources to help cut down on useless inbound connection "chatter". Additionally, services such as "denyhosts.py" (http://denyhosts.sourceforge.net/index.html) can be another good source of data.

    Not being familiar with the dev portion of pfSense, but having done some integrations for non-commercial purposes with FreeBSD and PF... The following are simplistic models to enable usage of these data sources via tables with cron as the update mechanism. Would like to hear from someone who knows more about PF and lower level internals, if: bulk/mass change v. strategic additions and strategic removals - which is better? More efficient? Reasons to use one method or the other?

    Likely some other good sources as well for helping to increase security posture.

    ==========
    eThreats
    pf.conf:
    table <ethreats> counters persist file "/path/to/ethreats.pf"

    data pull (daily cron):
    wget -q -O /tmp/ethreats.txt 'http://rules.emergingthreats.net/fwrules/emerging-Block-IPs.txt'
    grep '^[a-fA-F0-9]' /tmp/ethreats.txt | awk 'length($1) >= 7' | sort -u > /path/to/ethreats.pf
    pfctl -q -t ethreats -T replace -f /path/to/ethreats.pf

    With little additional code, one could check for increment of the version to determine if pfctl should be run. Basically looking for: grep '^# Rev ' in the downloaded file and comparing to existing. This would minimize updates/changes to the firewall table/rules.

    There is a pre-formatted version specifically for PF table usage, but one may prefer the raw data for re-use in other tools, systems, re-distribution internally.

    ==========
    SpamHaus
    pf.conf:
    table <spamhaus_drop> counters persist file "/path/to/spamhaus_drop.pf"
    table <spamhaus_edrop> counters persist file "/path/to/spamhaus_edrop.pf"

    data pull (cron, every 8 hours):
    wget -q -O /tmp/spamhaus_drop.txt 'https://www.spamhaus.org/drop/drop.txt'
    sed -e 's/;.*//' /tmp/spamhaus_drop.txt | grep '^[a-fA-F0-9]' | awk 'length($1) >= 7' | sort -u > /path/to/spamhaus_drop.pf
    pfctl -q -t spamhaus_drop -T replace -f /path/to/spamhaus_drop.pf
    wget -q -O /tmp/spamhaus_edrop.txt 'https://www.spamhaus.org/drop/edrop.txt'
    sed -e 's/;.*//' /tmp/spamhaus_edrop.txt | grep '^[a-fA-F0-9]' | awk 'length($1) >= 7' | sort -u > /path/to/spamhaus_edrop.pf
    pfctl -q -t spamhaus_edrop -T replace -f /path/to/spamhaus_edrop.pf

    Same scenario as eThreats, except that there is a datestamp at the beginning of the file (creation and expiration) that could be used to determine "change since prior pull".

    ==========
    denyhosts.py
    pf.conf:
    table <deniedssh> counters persist file "/path/to/deniedssh.pf"

    Data update:
    grep '^sshd:' hosts.deniedssh | sed -e 's/^sshd: //' | sed -e 's/ :.*//' | grep '^[a-fA-F0-9]' | awk 'length($1) >= 7' | sort -u > /path/to/deniedssh.pf
    pfctl -q -t deniedssh -T replace -f /path/to/deniedssh.pf
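
The "# Rev" check and the bulk-versus-incremental question raised in the post above, sketched as an added example that is not part of the original post. The function names are hypothetical, and the current table file is assumed to have been written by `normalize_feed` (sorted in the C locale) so that `comm` can compare it.

```sh
#!/bin/sh
# Added example, not the poster's code. Function names are hypothetical.
LC_ALL=C; export LC_ALL   # comm needs both files sorted in the same collation

# Drop '#' and ';' comments, keep only IPv4 addresses/CIDRs, deduplicated.
normalize_feed() {
    sed -e 's/[;#].*//' -e 's/[[:space:]]*$//' "$1" |
        grep -E '^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$' | sort -u
}

# Print the number from the feed's "# Rev NNNN" header (empty if there is none).
feed_rev() {
    sed -n 's/^# Rev \([0-9][0-9]*\).*/\1/p' "$1" | head -n 1
}

# table_delta OLD NEW: list what a table update would change, one action per line.
table_delta() {
    comm -13 "$1" "$2" | sed 's/^/add /'
    comm -23 "$1" "$2" | sed 's/^/delete /'
}

# plan_update RAW_FEED CURRENT_TABLE_FILE LAST_REV
# Prints "skip: ..." or the delta; returns 1 when the feed must not be loaded.
plan_update() {
    new=$(mktemp) || return 1
    normalize_feed "$1" > "$new"
    # A failed download or an HTML error page parses to nothing; loading it
    # with "-T replace" would silently empty the block list.
    if [ ! -s "$new" ]; then
        echo "skip: feed parsed to zero entries, keeping current table"
        rm -f "$new"; return 1
    fi
    if [ -n "$3" ] && [ "$(feed_rev "$1")" = "$3" ]; then
        echo "skip: revision $3 already loaded"
        rm -f "$new"; return 0
    fi
    table_delta "$2" "$new"
    rm -f "$new"
}
# When plan_update prints a delta, the cron job would go on to run the post's
# own command: pfctl -q -t ethreats -T replace -f /path/to/ethreats.pf
```
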


  • Moderator

    pfBlockerNG already has all of this functionality... Check out pfBlockerNG-devel.