pfblockerng-devel error: Unknown Not listed!
Can somebody explain, pls, why I get Unknown Not listed in this case:
# grep 22.214.171.124 /var/db/pfblockerng/* -r
/var/db/pfblockerng/deny/CINS_army_v4.txt:126.96.36.199
/var/db/pfblockerng/mastercat:188.8.131.52
/var/db/pfblockerng/masterfile:CINS_army_v4 184.108.40.206
/var/db/pfblockerng/original/CINS_army_v4.orig:220.127.116.11
Why, if this IP is not listed, is it still getting blocked?
Is there a description of what all of those files/folders under /var/db/pfblockerng/ are intended for?
Thanks in advance!
PS The old thread was https://forum.netgate.com/topic/131939/pfblockerng-error-unknown-not-listed
PPS pfBlockerng-devel 2.2.5_27
Are you saying you wanted to go to that address and it was blocked? To me intuitively, it seems that the IP address belongs to a GeoIP list of known bad actors but not to a DNSBL feed... so the IP address will never resolve to a domain name. It seems that you'll need to wait for BBcan177 to explain further!
RonpfS
grep 18.104.22.168 /var/db/pfblockerng/*
Unknown Not Listed normally occurs when an IP has been removed and is no longer present in /var/db/pfblockerng/deny/*.txt. It can also happen when an Update is running and the file is being rebuilt.
Example: my cron starts at 14:15:00, the IP table was being built around 14:20:24:
Line 10238: Dec 8 14:19:38,1770009444,xl0,WAN,block,4,6,TCP-S,22.214.171.124,AAA.BBB.CCC.DDD,40887,56027,in,RO,pfB_PRI2_v4,126.96.36.199/24,PRI2_Alienvault_v4,Unknown,wan,| 35606 | IPDONNEROLEG | Donner Oleg Alexeevich |,+
Line 10244: Dec 8 14:20:24,1770009444,xl0,WAN,block,4,6,TCP-S,188.8.131.52,AAA.BBB.CCC.DDD,40887,47202,in,RO,pfB_PRI2_v4,Unknown,Unknown,Unknown,wan,| 35606 | IPDONNEROLEG | Donner Oleg Alexeevich |,+
Line 10248: Dec 8 14:21:32,1770009444,xl0,WAN,block,4,6,TCP-S,184.108.40.206,AAA.BBB.CCC.DDD,40887,59847,in,RO,pfB_PRI2_v4,220.127.116.11/24,PRI2_Alienvault_v4,Unknown,wan,| 35606 | IPDONNEROLEG | Donner Oleg Alexeevich |,+
Also, when searching for an IP in /var/db/pfblockerng, you should maybe search for networks instead of hosts:
grep 113.1.135. /var/db/pfblockerng/*
Oh, so, somehow, somewhere, pfBlockerNG has a list of IPs that don't belong to any list and is active and blocking them... in your case 18.104.22.168!
RonpfS
During the update process, the FW continues blocking as per the FW rules and Aliases.
Update fetches the URLs, gathers IP data, does De-Duplication, CIDR Aggregation, Suppression etc.; it re-creates the /var/db/pfblockerng/deny/*.txt and some other files.
At the end of the IP phase, it updates the Aliases for the IP tables in /var/db/aliastables/ and reloads, as per the log:
===[ Aliastables / Rules ]==========================================
No changes to Firewall rules, skipping Filter Reload
Updating: pfB_PRI1_v4 444 addresses added.1073 addresses deleted.
Updating: pfB_PRI2_v4 79 addresses added.23 addresses deleted.
Updating: pfB_PRI3_v4 494 addresses added.455 addresses deleted.
Updating: pfB_PRI4_v4 388 addresses added.31 addresses deleted.
Updating: pfB_PRI5_v4 no changes.
Updating: pfB_Abuse_PS_v4 no changes.
Updating: pfB_PFB_Whitelist_v4 no changes.
Updating: pfB_DNSBLIP_v4 413 addresses added.76 addresses deleted.
So during the Update process, if a pfBlockerNG FW rule is triggered (still using the Alias present before the Update started), the pfBlockerNG firewall filter service tries to find the feed and updates /var/log/pfblockerng/ip_block.log.
So there is always a window of time when some files go missing from /var/db/pfblockerng/deny/*.txt; the service will then report the feed as Not listed.
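The following is an added example, not part of the thread and not pfBlockerNG's own code: it reads ip_block.log lines in the layout quoted above, finds blocks logged with feed "Unknown", and back-fills the feed from a nearby entry for the same alias whose matched network contains the source IP. The column positions are inferred from the quoted lines, and the sample log, the function names and the 5-minute window are assumptions made for illustration.

```python
import ipaddress
from datetime import datetime, timedelta

# Constructed sample in the ip_block.log layout quoted in the thread
# (documentation-range addresses, made-up ASN text).
SAMPLE_LOG = """\
Dec 8 14:19:38,1770009444,xl0,WAN,block,4,6,TCP-S,203.0.113.77,198.51.100.10,40887,56027,in,RO,pfB_PRI2_v4,203.0.113.0/24,PRI2_Alienvault_v4,Unknown,wan,| 64500 | EXAMPLE | Example Org |,+
Dec 8 14:20:24,1770009444,xl0,WAN,block,4,6,TCP-S,203.0.113.77,198.51.100.10,40887,47202,in,RO,pfB_PRI2_v4,Unknown,Unknown,Unknown,wan,| 64500 | EXAMPLE | Example Org |,+
Dec 8 14:21:32,1770009444,xl0,WAN,block,4,6,TCP-S,203.0.113.77,198.51.100.10,40887,59847,in,RO,pfB_PRI2_v4,203.0.113.0/24,PRI2_Alienvault_v4,Unknown,wan,| 64500 | EXAMPLE | Example Org |,+
Dec 8 14:20:40,1770009444,xl0,WAN,block,4,6,TCP-S,192.0.2.9,198.51.100.10,51515,22,in,RO,pfB_PRI2_v4,Unknown,Unknown,Unknown,wan,| 64501 | EXAMPLE2 | Example Two |,+
"""

# Assumption: column positions inferred from the log lines quoted in the thread.
TS, SRC, ALIAS, MATCH, FEED = 0, 8, 14, 15, 16

def parse(text, year=2000):
    """Parse log lines; the log carries no year, so `year` is a placeholder."""
    rows = []
    for line in text.splitlines():
        f = line.split(",")
        if len(f) <= FEED:
            continue
        try:
            net = ipaddress.ip_network(f[MATCH], strict=False)
        except ValueError:  # "Unknown" instead of a matched list entry
            net = None
        rows.append({"ts": datetime.strptime(f"{year} {f[TS]}", "%Y %b %d %H:%M:%S"),
                     "src": ipaddress.ip_address(f[SRC]), "alias": f[ALIAS],
                     "net": net, "feed": f[FEED]})
    return rows

def backfill_unknown(rows, window=timedelta(minutes=5)):
    """Return (time, source IP, probable feed or None) for each 'Unknown' row."""
    listed = [r for r in rows if r["feed"] != "Unknown" and r["net"] is not None]
    out = []
    for r in rows:
        if r["feed"] != "Unknown":
            continue
        # Same alias, close in time, and the logged network covers this source IP.
        near = [l for l in listed if l["alias"] == r["alias"]
                and abs(l["ts"] - r["ts"]) <= window and r["src"] in l["net"]]
        near.sort(key=lambda l: abs(l["ts"] - r["ts"]))
        out.append((r["ts"].strftime("%H:%M:%S"), str(r["src"]),
                    near[0]["feed"] if near else None))
    return out

if __name__ == "__main__":
    for hit in backfill_unknown(parse(SAMPLE_LOG)):
        print(hit)
```

A `None` result means no nearby listed entry covers the address, which fits the other case described in the thread: the IP has been removed from the feed while the old alias table was still loaded.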
Thank you very much, @RonpfS !
Can you pls shed some light on the purpose of other files/folders under /var/db/pfblockerng?