pfBlockerNG ipv4 not blocking ebay but is blocking twitter
-
I am using pfBlocker 2.1.4_16 on pfSense to block users going to social websites, via the IPv4 alias list/firewall rules. I do this with ASN definitions.
This works great for Twitter and Facebook but for some reason doesn't block Ebay, LinkedIn ( or Paypal for that matter). For example here is my IPv4 setup:
In each alias I have the ASNs published on Hurricane https://bgp.he.net/search?search%5Bsearch%5D=ebay&commit=Search
The ebay one looks like this:
So from the list above, 4 floating firewall rules are generated, and each shows traffic:
Twitter and Facebook can't be accessed which is as expected, but Ebay (both .com and .co.uk) and Linkedin are working ok.
Any ideas what I can look at? I've already tried blocking via the published list of IPs on Hurricane and this also is ineffective.
-
I'd try updating pfBlocker to pfBlockerNG-devel 2.2.5_22.
-
Just tried it myself and got the same results.
If you do a host or nslookup, I bet the IP address that's being returned isn't in the Ebay AS and as a result it's not being blocked.
Last login: Fri Apr 26 08:20:10 on console
mac-pro:~ andy$ host www.ebay.co.uk
www.ebay.co.uk is an alias for slot11847.ebay.com.edgekey.net.
slot11847.ebay.com.edgekey.net is an alias for e11847.g.akamaiedge.net.
e11847.g.akamaiedge.net has address 2.20.92.239
mac-pro:~ andy$

AS details for 2.20.92.239 :-
route: 2.20.92.0/22
descr: Akamai Technologies
origin: AS16625
mnt-by: AKAM1-RIPE-MNT
created: 2017-04-26T09:45:19Z
last-modified: 2017-04-26T09:45:19Z
source: RIPE
remarks: ****************************
remarks: * THIS OBJECT IS MODIFIED
remarks: * Please note that all data that is generally regarded as personal
remarks: * data has been removed from this object.
remarks: * To view the original object, please query the RIPE Database at:
remarks: * http://www.ripe.net/whois
remarks: ****************************

route: 2.20.92.0/22
descr: Akamai Technologies
origin: AS20940
mnt-by: AKAM1-RIPE-MNT
created: 2017-04-26T09:45:19Z
last-modified: 2017-04-26T09:45:19Z
source: RIPE
remarks: ****************************
remarks: * THIS OBJECT IS MODIFIED
remarks: * Please note that all data that is generally regarded as personal
remarks: * data has been removed from this object.
remarks: * To view the original object, please query the RIPE Database at:
remarks: * http://www.ripe.net/whois
remarks: ****************************

route: 2.16.0.0/13
descr: REACH (Customer Route)
tech-c: RRNOC1-REACH
origin: AS34164
notify: irr@team.telstra.com
mnt-by: MAINT-REACH-NOC
remarks: This auto-generated route object was created
remarks: for a REACH customer route
remarks:
remarks: This route object was created because
remarks: some REACH peers filter based on these objects
remarks: and this route may be rejected
remarks: if this object is not created.
remarks:
remarks: Please contact irr@team.telstra.com if you have any
remarks: questions regarding this object.
source: REACH
changed: irr@team.telstra.com 20170411

Friday, 26 April 2019 at 10:42:58 British Summer Time
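The check suggested in this reply, automated as an added example (not code from the thread or from pfBlockerNG): resolve the hostnames, then test each returned address against the prefixes actually loaded into the IPv4 alias, and report the ones no rule would match. The alias prefix below is a constructed stand-in, not a claim about eBay's real allocations; the addresses are the ones pasted in this thread.

```python
import ipaddress
import socket

# Constructed stand-in for the prefixes a pfBlockerNG ASN alias expanded to.
# Replace with the contents of your own alias (Firewall > pfBlockerNG > IPv4).
ALIAS_PREFIXES = ["66.211.160.0/19"]   # hypothetical, for illustration only

# Offline sample built from the host/nslookup output quoted in this thread.
SAMPLE_RESOLUTIONS = {
    "www.ebay.co.uk": ["2.20.92.239"],   # Akamai edge (route 2.20.92.0/22, AS16625/AS20940)
    "www.ebay.com": ["66.135.209.52", "66.211.181.123", "66.211.160.86",
                     "66.135.216.190", "66.211.185.25", "66.211.162.12"],
}


def uncovered_addresses(addresses, prefixes):
    """Return the addresses that fall outside every prefix in the alias.

    These are the answers a client will actually connect to, and that the
    ASN-based floating rules will never see as a match."""
    nets = [ipaddress.ip_network(p, strict=False) for p in prefixes]
    return [a for a in addresses
            if not any(ipaddress.ip_address(a) in n for n in nets)]


def audit(resolutions, prefixes):
    """Map hostname -> list of resolved addresses the alias would not block."""
    return {host: uncovered_addresses(addrs, prefixes)
            for host, addrs in resolutions.items()}


def resolve_ipv4(hostname):
    """Live equivalent of `host <name>`: the A records a client gets right now.
    CDN-fronted names can return different answers per query and per resolver."""
    return sorted({info[4][0]
                   for info in socket.getaddrinfo(hostname, None, socket.AF_INET)})


if __name__ == "__main__":
    for host, leaks in audit(SAMPLE_RESOLUTIONS, ALIAS_PREFIXES).items():
        status = "not covered by alias" if leaks else "fully covered"
        print(f"{host}: {status} {leaks if leaks else ''}")
```

Run `audit({h: resolve_ipv4(h) for h in hosts}, your_prefixes)` to repeat the check against live DNS; an empty list for a hostname means the alias covers every address that name currently resolves to.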
-
Thanks NBtB.
My nslookup shows 6 results
66.135.209.52
66.211.181.123
66.211.160.86
66.135.216.190
66.211.185.25
66.211.162.12
The first one for starters isn't on the ASN lists.
Short of trial & error putting IPs into another blocking list, I'm not sure what I can do about this - are the companies themselves responsible for keeping the ASN up to date?
-
They are hosting their services with another provider that's the issue.
You could try using the DNSBL TLD blacklist, that might work.
Last login: Fri Apr 26 10:49:18 on ttys000
mac-pro:~ andy$ host www.ebay.co.uk
www.ebay.co.uk has address 172.16.255.2
mac-pro:~ andy$ host www.ebay.com
www.ebay.com has address 172.16.255.2
mac-pro:~ andy$
-
Hi,
If I understand it correctly, the DNSBL just redirects all DNS requests to the pfsense box - this just has DNS Forwarder (not DNS resolver) enabled for reasons nothing to do with this issue. And anything defined in the DNSBL goes to /dev/null? So it's not firewalling it at all, just preventing a DNS lookup.
Is that how it works?
(I did try this earlier and got nowhere, am running DNS and a domain internally on windows servers so thought this may not work anyway)
-
@NogBadTheBad said in pfBlockerNG ipv4 not blocking ebay but is blocking twitter:
Yup it relies on DNS pointing to your pfSense box and returns a local IP address :(