traffic getting through pfblocker



  • Hi Everyone,

    I have a weird problem that's got me stumped...

    I'm using pfBlockerNG to block IP addresses I know are hostile. This generally works without issue, but I have an attack underway that isn't being blocked.

    I've added the source network 74.118.138.0/24 to my pfBlocker list and reloaded the rules. That's normally all I need to do. But in this case, traffic is still sneaking by.

    When I look at the pfBlocker IPv4 Custom List, I see the address that I entered, but in the rule display if I hover over the rule that references the list, the pop-up doesn't show the address.

    If I manually add a block rule, traffic is blocked, but for some reason, adding it to the pfblocker list isn't working.

    Other addresses in the same pfblocker list are being blocked.

    Any ideas as to what the cause might be, or steps I could take to troubleshoot/debug the pfblocker component?

    Thanks to you all in advance,
    -Michael


  • Moderator

    When you run a reload its just using the previously downloaded file and will be updated on the next scheduled cron run if this alias falls within that cron time frame.
    With pfBlockerNG-devel, when you add an IP to the customlist, it will be added when you run a Force Update, but that is not the case with the pfBlockerNG version.
    You can alternatively goto the Log Browser tab and delete the file for this alias in the /Deny folder, and then Force Update for it to be added... But would hightly recommend to goto pfBlockerNG-devel which is overall stable and much improved.



  • Thanks for the reply. I found a way to get it to work...

    At the bottom of the Custom Address List, there is a drop-down menu with the option "Update Custom List" -- selecting that item and then forcing an update fixed the issue and the address was correctly blocked.

    What's odd is that I've never had to select that before. I've always just added the address, forced an update and literally watched as no more targeted traffic made it through the firewall.

    I'm not sure what changed, but at least I was able to get it working.

    Thanks again!
    -Michael


Log in to reply