
    pfBlockerNG ipv4 not blocking ebay but is blocking twitter

    Category: pfBlockerNG
    7 Posts 2 Posters 1.6k Views 2 Watching
    robatwork wrote:

      I am using pfBlocker 2.1.4_16 on pfSense to block users from going to social websites, via the IPv4 alias list/firewall rules. I do this with ASN definitions.

      This works great for Twitter and Facebook but for some reason doesn't block eBay, LinkedIn (or PayPal for that matter). For example, here is my IPv4 setup:
      1.png

      In each alias I have the ASNs published on Hurricane https://bgp.he.net/search?search%5Bsearch%5D=ebay&commit=Search

      The eBay one looks like this:
      2.png

      So from the list above, 4 floating firewall rules are generated, and each shows traffic:

      3.png

      Twitter and Facebook can't be accessed, which is as expected, but eBay (both .com and .co.uk) and LinkedIn are working OK.

      Any ideas what I can look at? I've already tried blocking via the published list of IPs on Hurricane and this is also ineffective.

      NogBadTheBad wrote:

        I'd try updating pfBlocker to pfBlockerNG-devel 2.2.5_22.

        Andy

        1 x Netgate SG-4860 - 3 x Linksys LGS308P - 1 x Aruba InstantOn AP22

        NogBadTheBad wrote:

          Just tried it myself and got the same results.

          If you do a host or nslookup, I bet the IP address that's being returned isn't in the eBay AS and as a result it's not being blocked.

          Last login: Fri Apr 26 08:20:10 on console
          mac-pro:~ andy$ host www.ebay.co.uk
          www.ebay.co.uk is an alias for slot11847.ebay.com.edgekey.net.
          slot11847.ebay.com.edgekey.net is an alias for e11847.g.akamaiedge.net.
          e11847.g.akamaiedge.net has address 2.20.92.239
          mac-pro:~ andy$
          
          AS details for 2.20.92.239 :-
          
          route:          2.20.92.0/22
          descr:          Akamai Technologies
          origin:         AS16625
          mnt-by:         AKAM1-RIPE-MNT
          created:        2017-04-26T09:45:19Z
          last-modified:  2017-04-26T09:45:19Z
          source:         RIPE
          remarks:        ****************************
          remarks:        * THIS OBJECT IS MODIFIED
          remarks:        * Please note that all data that is generally regarded as personal
          remarks:        * data has been removed from this object.
          remarks:        * To view the original object, please query the RIPE Database at:
          remarks:        * http://www.ripe.net/whois
          remarks:        ****************************
          
          route:          2.20.92.0/22
          descr:          Akamai Technologies
          origin:         AS20940
          mnt-by:         AKAM1-RIPE-MNT
          created:        2017-04-26T09:45:19Z
          last-modified:  2017-04-26T09:45:19Z
          source:         RIPE
          remarks:        ****************************
          remarks:        * THIS OBJECT IS MODIFIED
          remarks:        * Please note that all data that is generally regarded as personal
          remarks:        * data has been removed from this object.
          remarks:        * To view the original object, please query the RIPE Database at:
          remarks:        * http://www.ripe.net/whois
          remarks:        ****************************
          
          route:      2.16.0.0/13
          descr:      REACH (Customer Route)
          tech-c:     RRNOC1-REACH
          origin:     AS34164
          notify:     irr@team.telstra.com
          mnt-by:     MAINT-REACH-NOC
          remarks:    This auto-generated route object was created
          remarks:    for a REACH customer route
          remarks:    
          remarks:    This route object was created because
          remarks:    some REACH peers filter based on these objects
          remarks:    and this route may be rejected
          remarks:    if this object is not created.
          remarks:    
          remarks:    Please contact irr@team.telstra.com if you have any
          remarks:    questions regarding this object.
          source:     REACH
          changed:    irr@team.telstra.com 20170411
          
          
          Friday, 26 April 2019 at 10:42:58 British Summer Time
          

          Andy

          robatwork wrote:

            Thanks NBtB.

            My nslookup shows 6 results
            66.135.209.52
            66.211.181.123
            66.211.160.86
            66.135.216.190
            66.211.185.25
            66.211.162.12

            The first one for starters isn't on the ASN lists.
            Short of trial & error putting IPs into another blocking list, I'm not sure what I can do about this - are the companies themselves responsible for keeping the ASN up to date?

            NogBadTheBad wrote:
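            The two diagnoses above (NogBadTheBad's host/whois trace showing www.ebay.co.uk resolving to an Akamai address in 2.20.92.0/22, and robatwork's six nslookup answers of which the first is not on the ASN lists) can be checked mechanically. The script below is an added example, not code from the thread or from pfBlockerNG: it expands a set of prefixes standing in for what an ASN-based IPv4 alias would contain, reports which resolved addresses fall outside it (those are the ones a floating block rule never matches), and looks up the origin ASNs of the most specific route object covering an address so you can see whether it belongs to an ASN you actually entered. The eBay alias prefixes and the configured ASN set (AS64496, from the documentation range) are constructed placeholders; the route objects and the 2.20.92.239 answer are taken from the thread, and www.ebay.com is assumed as the hostname behind the six-address nslookup.

```python
"""Added example: audit resolved addresses against an ASN-derived IPv4 alias.

Shows why an ASN-based pfBlockerNG block misses CDN-fronted sites: the
address the client actually gets is announced by the CDN's ASN, not the
site owner's, so it is outside every prefix in the alias.
"""
import ipaddress
from typing import Dict, Iterable, List, Optional, Set

# Constructed stand-in for the prefixes pfBlockerNG would place in the eBay
# alias after expanding the ASNs on the list. Illustrative only; real eBay
# announcements differ.
EBAY_ALIAS_PREFIXES = [
    "66.211.160.0/19",   # hypothetical eBay-originated block
    "66.135.216.0/22",   # hypothetical eBay-originated block
]

# Constructed stand-in for the ASNs typed into the alias (documentation range).
EBAY_ALIAS_ASNS: Set[str] = {"AS64496"}

# Route objects quoted in the thread for 2.20.92.239 (RIPE and REACH).
ROUTE_OBJECTS: Dict[str, Set[str]] = {
    "2.20.92.0/22": {"AS16625", "AS20940"},   # Akamai Technologies
    "2.16.0.0/13": {"AS34164"},               # REACH customer route
}

# Resolved answers from the thread. The six www.ebay.com addresses are
# robatwork's nslookup results (hostname assumed); the .co.uk one is
# NogBadTheBad's host output.
RESOLVED: Dict[str, List[str]] = {
    "www.ebay.com": ["66.135.209.52", "66.211.181.123", "66.211.160.86",
                     "66.135.216.190", "66.211.185.25", "66.211.162.12"],
    "www.ebay.co.uk": ["2.20.92.239"],
}


def expand_alias(prefixes: Iterable[str]) -> List[ipaddress.IPv4Network]:
    """Parse prefix strings and collapse overlaps, as pf does when loading a table."""
    nets = [ipaddress.ip_network(p, strict=False) for p in prefixes]
    return list(ipaddress.collapse_addresses(nets))


def covering_prefix(addr: str,
                    alias: Iterable[ipaddress.IPv4Network]) -> Optional[ipaddress.IPv4Network]:
    """Return the most specific alias prefix containing addr, or None if the
    address would pass an alias-based block rule untouched."""
    ip = ipaddress.ip_address(addr)
    best = None
    for net in alias:
        if ip in net and (best is None or net.prefixlen > best.prefixlen):
            best = net
    return best


def audit(resolved: Dict[str, List[str]],
          alias: Iterable[ipaddress.IPv4Network]) -> Dict[str, List[str]]:
    """Map each hostname to the resolved addresses the alias does NOT cover."""
    alias = list(alias)
    leaks: Dict[str, List[str]] = {}
    for host, addrs in resolved.items():
        uncovered = [a for a in addrs if covering_prefix(a, alias) is None]
        if uncovered:
            leaks[host] = uncovered
    return leaks


def origin_asns(addr: str, route_objects: Dict[str, Set[str]]) -> Set[str]:
    """Origin ASNs of the most specific route object covering addr (empty if none)."""
    ip = ipaddress.ip_address(addr)
    best = None
    for prefix, asns in route_objects.items():
        net = ipaddress.ip_network(prefix, strict=False)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, asns)
    return set(best[1]) if best else set()


def blocked_by_asn(addr: str, configured: Set[str],
                   route_objects: Dict[str, Set[str]]) -> bool:
    """True only if the address is originated by an ASN that was entered in the alias."""
    return bool(origin_asns(addr, route_objects) & configured)


if __name__ == "__main__":
    alias = expand_alias(EBAY_ALIAS_PREFIXES)
    for host, addrs in audit(RESOLVED, alias).items():
        for a in addrs:
            print(f"{host}: {a} not in alias; origin {sorted(origin_asns(a, ROUTE_OBJECTS)) or 'unknown'}")
```

            Run as-is it prints the two leaking answers; the www.ebay.co.uk one resolves to AS16625/AS20940, neither of which is in the configured set, which is exactly the situation the thread describes. To use it against live data, replace RESOLVED with the output of host or nslookup from a client behind the firewall and the alias prefixes with the contents of the pfBlockerNG alias file under /var/db/pfblockerng/.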

              They are hosting their services with another provider; that's the issue.

              You could try using the DNSBL TLD blacklist, that might work.

              Last login: Fri Apr 26 10:49:18 on ttys000
              mac-pro:~ andy$ host www.ebay.co.uk
              www.ebay.co.uk has address 172.16.255.2
              mac-pro:~ andy$ host www.ebay.com
              www.ebay.com has address 172.16.255.2
              mac-pro:~ andy$
              

              Screenshot 2019-04-26 at 13.10.30.png

              Screenshot 2019-04-26 at 13.11.04.png

              Andy

                robatwork wrote:

                Hi,
                If I understand it correctly, the DNSBL just redirects all DNS requests to the pfSense box - this just has DNS Forwarder (not DNS Resolver) enabled for reasons nothing to do with this issue. And anything defined in the DNSBL goes to /dev/null?

                So it's not firewalling it at all, just preventing a DNS lookup.

                Is that how it works?

                (I did try this earlier and got nowhere, am running DNS and a domain internally on windows servers so thought this may not work anyway)

                  NogBadTheBad wrote:

                  @NogBadTheBad said in pfBlockerNG ipv4 not blocking ebay but is blocking twitter:

                  Yup it relies on DNS pointing to your pfSense box and returns a local IP address :(

                  Andy

                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.