Netgate Discussion Forum

    Reputational sources?

    pfBlockerNG
    • justme2

      As these were not seen in the GUI or any of the associated services, thought posing the question to see if something was missed (alternatively, provide something of how to solve the riddle?) - new to PFSense and considering a move from FreeBSD + PF + (a lot of custom code and integration).

      Has anyone looked into a means to incorporate the eThreats data (http://rules.emergingthreats.net/fwrules/emerging-Block-IPs.txt) and/or the SpamHaus data (https://www.spamhaus.org/drop/edrop.txt and drop.txt) for inclusion in a PF table or any of the various other sources?

      Thinking is simple PF table, but perhaps pfBlockerNG may be the better location? (Still not familiar enough with it, to ascertain alignment), "Reputation" seems to be in this same light?

      These two sources would help cut down on useless inbound connection "chatter". Additionally, services such as "denyhosts.py" (http://denyhosts.sourceforge.net/index.html) can be another good source of data.

      Not being familiar with the dev portion of PFSense, but having done some integrations for non-commercial purposes with FreeBSD and PF... The following are simplistic models to enable usage of these data sources via tables with cron as the update mechanism. Would like to hear from someone who knows more about PF and lower level internals, if: bulk/mass change v. strategic additions and strategic removals - which is better? More efficient? reasons to use one method or the other?

      Likely some other good sources as well for helping to increase security posture.

      ==========
      eThreats
      pf.conf:
      table <ethreats> counters persist file "/path/to/ethreats.pf"

      data pull (daily cron):
      wget -q -O /tmp/ethreats.txt 'http://rules.emergingthreats.net/fwrules/emerging-Block-IPs.txt'
      grep '^[a-fA-F0-9]' /tmp/ethreats.txt | awk 'length($1) >= 7' | sort -un > /path/to/ethreats.pf
      pfctl -q -t ethreats -T replace -f /path/to/ethreats.pf

      With little additional code, one could check for increment of the version to determine if pfctl should be run. Basically looking for: grep '^# Rev ' in the downloaded file and comparing to existing. This would minimize updates/changes to the firewall table/rules.

      There is a pre-formatted version specifically for PF table usage, but one may prefer the raw data for re-use in other tools, systems, re-distribution internally.

      ==========
      SpamHaus
      pf.conf:
      table <spamhaus_drop> counters persist file "/path/to/spamhaus_drop.pf"
      table <spamhaus_edrop> counters persist file "/path/to/spamhaus_edrop.pf"

      data pull (cron, every 8 hours):
      wget -q -O /tmp/spamhaus_drop.txt 'https://www.spamhaus.org/drop/drop.txt'
      sed -e's/;.*//' /tmp/spamhaus_drop.txt | grep '^[a-fA-F0-9]' | awk 'length($1) >= 7' | sort -un > /path/to/spamhaus_drop.pf
      pfctl -q -t spamhaus_drop -T replace -f /path/to/spamhaus_drop.pf
      wget -q -O /tmp/spamhaus_edrop.txt 'https://www.spamhaus.org/drop/edrop.txt'
      sed -e's/;.*//' /tmp/spamhaus_edrop.txt | grep '^[a-fA-F0-9]' | awk 'length($1) >= 7' | sort -un > /path/to/spamhaus_edrop.pf
      pfctl -q -t spamhaus_edrop -T replace -f /path/to/spamhaus_edrop.pf

      Same scenario as eThreats, except that there is a datestamp at the beginning of the file (creation and expiration) that could be used to determine "change since prior pull".

      ==========
      denyhosts.py
      pf.conf:
      table <deniedssh> counters persist file "/path/to/deniedssh.pf"

      Data update:
      grep '^sshd:' hosts.deniedssh | sed -e's/^sshd: //' | sed -e's/ :.*//' | grep '^[a-fA-F0-9]' | awk 'length($1) >= 7' | sort -un > /path/to/deniedssh.pf
      pfctl -q -t deniedssh -T replace -f /path/to/deniedssh.pf

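      As an added example (not code from the post above), here is the update step written as POSIX sh functions with the checks a practitioner would want before handing a downloaded feed to pfctl: every entry is validated as an IPv4 address or a.b.c.d/nn prefix (a single malformed line makes `pfctl -T replace` reject the whole file), an empty result never replaces the table, and the reload is skipped when the feed's `# Rev` marker has not changed, which is the version check the post suggests. The `# Rev` line and the `;`-style trailing comments of the Spamhaus files are as described in the post; the `.rev` side file next to the table file is an assumption of this example.

```shell
#!/bin/sh
# Added example: normalise a downloaded threat feed into a PF table file and
# reload the table only when the feed revision changed. Assumes feeds with
# "#" comment lines, optional "addr ; comment" suffixes, one entry per line.

# Print only well-formed IPv4 addresses or a.b.c.d/nn prefixes, deduplicated.
# Comments after ';' or '#' are stripped; anything else is dropped rather than
# passed to pfctl, which refuses the entire file on a single bad entry.
extract_entries() {
    sed -e 's/[;#].*//' -e 's/[[:space:]]*$//' "$1" |
    awk '
        function octet_ok(x) { return (x ~ /^[0-9]+$/ && x + 0 <= 255) }
        NF == 1 {
            n = split($1, p, "/")
            if (n > 2) next
            if (n == 2 && !(p[2] ~ /^[0-9]+$/ && p[2] + 0 <= 32)) next
            if (split(p[1], o, ".") != 4) next
            if (octet_ok(o[1]) && octet_ok(o[2]) && octet_ok(o[3]) && octet_ok(o[4]))
                print $1
        }' | LC_ALL=C sort -u
}

# Extract the revision marker ("# Rev 12345") if the feed carries one.
feed_revision() {
    sed -n 's/^# Rev[[:space:]]*//p' "$1" | head -n 1
}

# Rebuild the table file and reload the PF table only when the feed changed.
# Usage: update_table <table-name> <downloaded-feed> <table-file>
update_table() {
    table=$1 feed=$2 out=$3
    new_rev=$(feed_revision "$feed")
    old_rev=$(cat "$out.rev" 2>/dev/null || :)   # assumed side file
    if [ -n "$new_rev" ] && [ "$new_rev" = "$old_rev" ]; then
        return 0    # same revision: nothing to push into the kernel
    fi
    extract_entries "$feed" > "$out.tmp" || return 1
    # Refuse an empty result: an outage or an HTML error page must not empty the table.
    [ -s "$out.tmp" ] || { rm -f "$out.tmp"; return 1; }
    mv "$out.tmp" "$out"
    pfctl -q -t "$table" -T replace -f "$out" && printf '%s\n' "$new_rev" > "$out.rev"
}
```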
      • BBcan177 Moderator

        pfBlockerNG already has all of this functionality... Check out pfBlockerNG-devel.

        "Experience is something you don't get until just after you need it."

        Website: http://pfBlockerNG.com
        Twitter: @BBcan177  #pfBlockerNG
        Reddit: https://www.reddit.com/r/pfBlockerNG/new/

        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.