Pfsense blocking api.particle.io

no1089 · Jan 20, 2020, 8:50 PM

Hi,

I am a developer support engineer with particle.io.
Over the last week, we have received multiple reports of users using pfsense as their firewall that then blocks our API - api.particle.io.
According to https://twitter.com/NetgateUSA/status/1219356751658651650 pfsense does not implement blocking natively.
We have traced another source of blocking (pi-hole.net) to an aggregate list (https://github.com/StevenBlack/hosts) that uses adaway (https://github.com/AdAway/AdAway) as the source. We are in the process of trying to get them to unblock us.

Could pfsense be referencing this same list on an extension to block ads? Any ideas?

Kind regards,
Chris

NogBadTheBad · Jan 20, 2020, 9:20 PM

PfBlocker:-

no1089 · Jan 20, 2020, 9:00 PM

Hi Andy!

Thank you! That is exactly what I need. I am glad that Adaway is the only source - we were worried that more lists might be involved.

I appreciate you looking this up.

We have no idea why our api was targeted

NogBadTheBad · Jan 20, 2020, 9:13 PM

Short term your users could add api.particle.io to the DNSBL whitelist via

Firewall -> pfBlockerNG -> DNSBL -> DNSBL Whitelist

jdeloach · Jan 20, 2020, 9:18 PM

@no1089

If the folks running pfblockerng package on their pfsense firewall machines have the "TLD" function enabled in DNSBL, the ".io" in your domain name could also trigger a block on the users machines. Also there is a TLD block list that could also cause your domain to be blocked.

no1089 · Jan 20, 2020, 9:22 PM

@NogBadTheBad Thank you - we are advising users to do just that.
@jdeloach why would .io trigger a block? Is this TLD considered a nuisance?

It seems Adaway is the only source of our block - currently trying to get them to remove it.

NogBadTheBad · Jan 20, 2020, 9:32 PM

@no1089

You can register blahblahblah.io quite cheaply $90, blahblahblah.tk is even worse it's free.

https://en.wikipedia.org/wiki/.io

https://en.wikipedia.org/wiki/.tk

Some of the IDS rules go as far as blocking .tk DNS lookups, not that this would cause you issues.

alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DNS Query to a .tk domain - Likely Hostile"; content:"|01|"; offset:2; depth:1; content:"|00 01 00 00 00 00 00|"; distance:1; within:7; content:"|02|tk|00|"; fast_pattern; nocase; distance:0; content:!"|03|www|06|google|02|tk"; metadata: former_category DNS; classtype:bad-unknown; sid:2012811; rev:4; metadata:created_at 2011_05_15, updated_at 2019_09_28;)

no1089 · Jan 21, 2020, 8:45 AM

@NogBadTheBad $90 is a lot more expensive than most TLDs, so I don't understand why that would be a reason to block an entire TLD.

Ouch, glad I don't have any .tk domains then!