IP Blocking - Is this a bug?



  • Can someone please tell me if this is a bug? Shouldn't any blocked IP be part of a list?

    [screenshot attachment]


  • Moderator

    @guardian said in IP Blocking - Is this a bug?:

    Can someone please tell me if this is a bug? Shouldn't any blocked IP be part of a list?

    It could be that those IPs are no longer in your blocklists?

    You can confirm with a grep cmd for those IPs:

    grep "198.49.23.144" /var/db/pfblockerng/deny/*
    grep "^198\.49\.23" /var/db/pfblockerng/deny/*
    grep "^198\.49" /var/db/pfblockerng/deny/*
    grep "^198" /var/db/pfblockerng/deny/*
    


  • @BBcan177 said in IP Blocking - Is this a bug?:

    @guardian said in IP Blocking - Is this a bug?:

    Can someone please tell me if this is a bug? Shouldn't any blocked IP be part of a list?

    It could be that those IPs are no longer in your blocklists?

    You can confirm with a grep cmd for those IPs:

    grep "198.49.23.144" /var/db/pfblockerng/deny/*
    grep "^198\.49\.23" /var/db/pfblockerng/deny/*
    grep "^198\.49" /var/db/pfblockerng/deny/*
    grep "^198" /var/db/pfblockerng/deny/*
    

    Thanks for the response. It appears as if they are no longer in the lists... Does that mean that the IP was in a list at the time that it was blocked and then an update removed the item from the list? If that is the case, then the list is dynamically recreated every time the page is displayed?


  • Moderator

    @guardian said in IP Blocking - Is this a bug?:

    Thanks for the response. It appears as if they are no longer in the lists... Does that mean that the IP was in a list at the time that it was blocked and then an update removed the item from the list? If that is the case, then the list is dynamically recreated every time the page is displayed?

    Yes it seems like the IP is no longer listed if you can't grep for it.
    I have no idea where this list comes from. If you are using a remote source (URL) for this feed, then it's managed by that maintainer. If this is your own Feed, then IPs would be added/removed by you.



  • @BBcan177 said in IP Blocking - Is this a bug?:

    @guardian said in IP Blocking - Is this a bug?:

    Thanks for the response. It appears as if they are no longer in the lists... Does that mean that the IP was in a list at the time that it was blocked and then an update removed the item from the list? If that is the case, then the list is dynamically recreated every time the page is displayed?

    Yes it seems like the IP is no longer listed if you can't grep for it.
    I have no idea where this list comes from. If you are using a remote source (URL) for this feed, then it's managed by that maintainer. If this is your own Feed, then IPs would be added/removed by you.

    Thanks for the reply @BBcan177. So is this a bug? I can understand a list changing, and that's no problem -- am I correct that the list name is not logged when the event occurs?

    Am I correct then that it's just a matter of the report not being able to show which list the IP address is in because the list has changed?

    If that is the case then I guess there is no issue. I rebooted the firewall just in case as I saw something in the daily log report that I didn't like - every interface on em1 did:

    May 1 05:35:01 pfsense kernel: em1.X: promiscuous mode disabled
    followed by
    May 1 05:35:01 pfsense kernel: em1.X: promiscuous mode enabled


  • Moderator

    @guardian said in IP Blocking - Is this a bug?:

    Thanks for the reply @BBcan177. So is this a bug? I can understand a list changing, and that's no problem -- am I correct that the list name is not logged when the event occurs?
    Am I correct then that it's just a matter of the report not being able to show which list the IP address is in because the list has changed?

    When you refresh the Alerts tab in pfBlockerNG, it checks to see if the IP is still listed in the /var/db/pfblockerng/deny/ folder. If it doesn't find the IP, it will report as "No Match".
    What gets added/removed in the Feed (URL) is not managed by the package. IPs are being added/removed all the time by the Feed Maintainers.
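
An added example, not part of the thread and not pfBlockerNG's own code: a CIDR-aware version of the lookup discussed above, which reports every file and entry that covers an address, so a range such as a /16 is found without guessing prefixes. It assumes each file holds one IPv4 address or CIDR range per line; `find_in_lists` is a name made up for this example.

```shell
#!/bin/sh
# Added example: CIDR-aware lookup of one IPv4 address across blocklist files.
# Assumption: each file holds one IPv4 address or CIDR range per line.
# Usage: find_in_lists 198.49.23.144 /var/db/pfblockerng/deny/*
# Prints "file: entry" per match. Exit 0 = listed, 1 = not listed, 2 = bad IP.
find_in_lists() {
    ip=$1; shift
    awk -v ip="$ip" '
        # Convert a dotted quad to an integer; return -1 if malformed.
        function to_int(a,   o, n, i, v) {
            n = split(a, o, ".")
            if (n != 4) return -1
            v = 0
            for (i = 1; i <= 4; i++) {
                if (o[i] !~ /^[0-9]+$/ || o[i] + 0 > 255) return -1
                v = v * 256 + o[i]
            }
            return v
        }
        BEGIN { target = to_int(ip); if (target < 0) { bad = 1; exit 2 } }
        {
            sub(/[ \t]*#.*/, "")        # drop trailing comments
            gsub(/[ \t\r]/, "")         # drop whitespace and CRs
            if ($0 == "") next
            n = split($0, p, "/")
            len = (n == 2) ? p[2] : 32  # bare address counts as a /32
            if (len !~ /^[0-9]+$/ || len + 0 > 32) next
            net = to_int(p[1]); if (net < 0) next
            # Same network if both share the top "len" bits.
            size = 2 ^ (32 - len)
            if (int(net / size) == int(target / size)) {
                print FILENAME ": " $0; found = 1
            }
        }
        END { if (bad) exit 2; exit(found ? 0 : 1) }
    ' "$@"
}
```

Exit status 1 corresponds to the "No Match" case described above: the address is not covered by any entry currently in the files.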

