pfBlockerNG ipv4 not blocking ebay but is blocking twitter



  • I am using pfBlocker 2.1.4_16 on pfSense to block users going to social websites, via the IPv4 alias list/firewall rules. I do this with ASN definitions.

    This works great for Twitter and Facebook but for some reason doesn't block eBay, LinkedIn (or PayPal for that matter). For example, here is my IPv4 setup:
    1.png

    In each alias I have the ASNs published on Hurricane https://bgp.he.net/search?search[search]=ebay&commit=Search

    The ebay one looks like this:
    2.png

    So from the list above, 4 floating firewall rules are generated, and each shows traffic:

    3.png

    Twitter and Facebook can't be accessed, which is as expected, but eBay (both .com and .co.uk) and LinkedIn are working OK.

    Any ideas what I can look at? I've already tried blocking via the published list of IPs on Hurricane and this is also ineffective.


  • Galactic Empire

    I'd try updating pfBlocker to pfBlockerNG-devel 2.2.5_22.


  • Galactic Empire

    Just tried it myself and got the same results.

    If you do a host or nslookup, I bet the IP address that's being returned isn't in the eBay AS and as a result it's not being blocked.

    Last login: Fri Apr 26 08:20:10 on console
    mac-pro:~ andy$ host www.ebay.co.uk
    www.ebay.co.uk is an alias for slot11847.ebay.com.edgekey.net.
    slot11847.ebay.com.edgekey.net is an alias for e11847.g.akamaiedge.net.
    e11847.g.akamaiedge.net has address 2.20.92.239
    mac-pro:~ andy$
    
    AS details for 2.20.92.239 :-
    
    route:          2.20.92.0/22
    descr:          Akamai Technologies
    origin:         AS16625
    mnt-by:         AKAM1-RIPE-MNT
    created:        2017-04-26T09:45:19Z
    last-modified:  2017-04-26T09:45:19Z
    source:         RIPE
    remarks:        ****************************
    remarks:        * THIS OBJECT IS MODIFIED
    remarks:        * Please note that all data that is generally regarded as personal
    remarks:        * data has been removed from this object.
    remarks:        * To view the original object, please query the RIPE Database at:
    remarks:        * http://www.ripe.net/whois
    remarks:        ****************************
    
    route:          2.20.92.0/22
    descr:          Akamai Technologies
    origin:         AS20940
    mnt-by:         AKAM1-RIPE-MNT
    created:        2017-04-26T09:45:19Z
    last-modified:  2017-04-26T09:45:19Z
    source:         RIPE
    remarks:        ****************************
    remarks:        * THIS OBJECT IS MODIFIED
    remarks:        * Please note that all data that is generally regarded as personal
    remarks:        * data has been removed from this object.
    remarks:        * To view the original object, please query the RIPE Database at:
    remarks:        * http://www.ripe.net/whois
    remarks:        ****************************
    
    route:      2.16.0.0/13
    descr:      REACH (Customer Route)
    tech-c:     RRNOC1-REACH
    origin:     AS34164
    notify:     irr@team.telstra.com
    mnt-by:     MAINT-REACH-NOC
    remarks:    This auto-generated route object was created
    remarks:    for a REACH customer route
    remarks:    
    remarks:    This route object was created because
    remarks:    some REACH peers filter based on these objects
    remarks:    and this route may be rejected
    remarks:    if this object is not created.
    remarks:    
    remarks:    Please contact irr@team.telstra.com if you have any
    remarks:    questions regarding this object.
    source:     REACH
    changed:    irr@team.telstra.com 20170411
    
    
    Friday, 26 April 2019 at 10:42:58 British Summer Time
    


  • Thanks NBtB.

    My nslookup shows 6 results
    66.135.209.52
    66.211.181.123
    66.211.160.86
    66.135.216.190
    66.211.185.25
    66.211.162.12

    The first one for starters isn't on the ASN lists.
    Short of trial & error putting IPs into another blocking list, I'm not sure what I can do about this - are the companies themselves responsible for keeping the ASN up to date?


  • Galactic Empire

    They are hosting their services with another provider; that's the issue.

    You could try using the DNSBL TLD blacklist, that might work.

    Last login: Fri Apr 26 10:49:18 on ttys000
    mac-pro:~ andy$ host www.ebay.co.uk
    www.ebay.co.uk has address 172.16.255.2
    mac-pro:~ andy$ host www.ebay.com
    www.ebay.com has address 172.16.255.2
    mac-pro:~ andy$
    

    Screenshot 2019-04-26 at 13.10.30.png

    Screenshot 2019-04-26 at 13.11.04.png



  • Hi,
    If I understand it correctly, the DNSBL just redirects all DNS requests to the pfSense box (this just has DNS Forwarder, not DNS Resolver, enabled for reasons nothing to do with this issue), and anything defined in the DNSBL goes to /dev/null?

    So it's not firewalling it at all, just preventing a DNS lookup.

    Is that how it works?

    (I did try this earlier and got nowhere, am running DNS and a domain internally on windows servers so thought this may not work anyway)


  • Galactic Empire

    @NogBadTheBad said in pfBlockerNG ipv4 not blocking ebay but is blocking twitter:

    Yup it relies on DNS pointing to your pfSense box and returns a local IP address :(

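An added example (not code from this thread or from pfBlockerNG) that turns NogBadTheBad's lookup check and the DNSBL sinkhole behaviour above into a coverage test: given the prefixes an IPv4 alias covers and the addresses a lookup returned, it reports which answers the floating rules would catch, which came back as the DNSBL sinkhole VIP, and which are uncovered (the CDN case). The Akamai prefix, the sinkhole address and the resolved addresses are the ones quoted in the thread; the eBay alias prefixes are constructed sample data, not real ASN output.

```python
import ipaddress
import socket
from typing import Dict, List, Optional, Tuple

# Constructed sample data modelled on the thread.  The Akamai prefix is the
# RIPE route object quoted above; the "ebay_alias" prefixes are hypothetical
# stand-ins for whatever the pfBlockerNG IPv4 alias actually contains.
ALIASES: Dict[str, List[str]] = {
    "akamai_AS16625": ["2.20.92.0/22"],
    "ebay_alias": ["66.211.160.0/19", "66.135.216.0/22"],
}
DNSBL_SINKHOLE = "172.16.255.2"   # VIP the DNSBL handed back in the thread
# Answers the poster got from nslookup for eBay (quoted in the thread).
EBAY_NSLOOKUP = ["66.135.209.52", "66.211.181.123", "66.211.160.86",
                 "66.135.216.190", "66.211.185.25", "66.211.162.12"]


def build_networks(aliases: Dict[str, List[str]]) -> Dict[str, list]:
    """Parse each alias's prefix strings into ip_network objects once."""
    return {name: [ipaddress.ip_network(p, strict=False) for p in prefixes]
            for name, prefixes in aliases.items()}


NETWORKS = build_networks(ALIASES)


def classify(addr: str, networks: Dict[str, list],
             sinkhole: Optional[str] = None) -> Tuple[str, Optional[str]]:
    """Say what would happen to traffic towards one resolved address:
    'sinkholed' (DNSBL answered with its VIP, so no packet ever leaves),
    'blocked' (an alias prefix matches, so a floating rule fires) or
    'uncovered' (the host is served from an AS not in any alias, e.g. a CDN)."""
    ip = ipaddress.ip_address(addr)
    if sinkhole is not None and ip == ipaddress.ip_address(sinkhole):
        return ("sinkholed", None)
    for name, nets in networks.items():
        if any(ip in net for net in nets):
            return ("blocked", name)
    return ("uncovered", None)


def uncovered(answers: List[str], networks: Dict[str, list],
              sinkhole: Optional[str] = None) -> List[str]:
    """Addresses a client could still reach despite the ASN-based rules."""
    return [a for a in answers if classify(a, networks, sinkhole)[0] == "uncovered"]


def resolve(hostname: str) -> List[str]:
    """Live IPv4 lookup (needs network; the sample data above is used offline)."""
    return sorted({ai[4][0] for ai in socket.getaddrinfo(hostname, 443, socket.AF_INET)})
```

Note that 2.20.92.239 is only "blocked" here because the Akamai route object was added as an alias; blocking that /22 would also cut off every other Akamai customer behind it, which is why the thread moves on to DNSBL.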
