HOW CAN I PREVENT MY IP ADDRESS FROM BEING BLACKLISTED USING PFSENSE


  • LAYER 8 Moderator

    And how about stop shouting in CAPS in your topic title? That's hurting my eyes.


  • LAYER 8 Rebel Alliance

    Blacklisted because of CAPS maybe...? 😂

    -Rico



  • Detail "blacklisted" ?!
    By who ?

    pfSense is a router and a firewall.
    By itself, it will connect to some netgate.com servers to check for updates and so on.
    IMHO : Netgate won't blacklist you if you do this too often.

    Try this :
    Disconnect ALL LAN type interfaces. No exception.
    Connect to the system using the console access (the mini USB or, if you have a keyboard and screen, that's fine also).
    Nothing else.
    Keep it like that for a day, week, or more.
    Then, check if you are "blacklisted" again .... I bet whatever you want that the answer will be : no.
    Because pfSense by itself doesn't send out any traffic if there is no LAN traffic.

    This implies that there is some device on your LAN(s) that is pissing off some service somewhere on the net. Just find that device, shut it down, have a talk with the owner and you'll be good.



  • Here is my scenario. I have a public IP address that is connected to a router that does NAT to the local area network, but the problem is my network users are not able to access YouTube and other sites. I checked the IP online and verified that the IP is blacklisted. I had to ask my ISP to give me another IP address so that my users can open YouTube. Is there any way I can prevent my IP from being blacklisted using the pfSense firewall? I have already installed pfSense; I am only stuck as to which package can help me achieve this...
    Your inputs will be greatly appreciated


  • LAYER 8 Global Moderator

    @rsohaya said in HOW CAN I PREVENT MY IP ADDRESS FROM BEING BLACKLISTED USING PFSENSE:

    Is there any way I can prevent my IP from being blacklisted

    Yeah don't send traffic that would get you blacklisted. What did the blacklist say the reason for your blacklist?



  • Well, I still advise you to do the test.
    Or : take another router/firewall : your problem stays the same.

    Remove your "users" from the equation, and your problem is gone.
    The real issue is : you have some user doing something that pisses off Google.
    Now, normally, Google has the capacity to handle a lot of rubbish, but 'something' on your network is triggering Google's "firewall", and as you might have guessed : Google only sees your WAN IP - not the user's device, so they hit the emergency brake : your IP is blacklisted.
    Btw : I'm really curious what one should do to achieve this, but I'm pretty sure it's not normal surfing on Youtube.

    It could also be a simple device with a wrong gmail mail password hammering Google. Up to the network admin (that is you) to correct this.
    Or, as said above, nail down the user who is making Google mad and have a talk with him.
    You can find him by using firewall rules on the LAN, some network capturing, etc. I hope you do not have thousands of users ;)

    edit : as @johnpoz said : look up to Google, they will detail somewhat the reason. What did they mention ?
    If not, then look down : your users. It's "network admin time" ^^



  • Yes, I have a thousand users on my network, and to identify which one is sending spam is a bigger job than just preventing the bad packet from reaching Google or whatever destination.


  • LAYER 8 Moderator

    And how should the firewall know which is a "bad packet"? Google for example is easily pissed off when you use the search index or maps API from a single IP too much and blacklists you (or throws a captcha at you). Nothing pfSense or any other firewall/router can do about that if you/your users get your IP on a blacklist?!


  • LAYER 8 Global Moderator

    There are many reasons to get on a blacklist.. There are many different types of blacklists... Without some details of one or ones you are on - it's really not possible for us to help you try and track down who might be doing it.

    If it's a spam block, then you could look to see which clients are sending traffic out 25, etc. But spam block wouldn't stop you from viewing youtube ;)

    PM me the IP that is on the blacklist, and I will look to see what it says so maybe can point you in direction to get started tracking down the offender(s)


  • LAYER 8 Global Moderator

    I just looked up the IP you talked to the forum with.. And yeah it's on some blacklists

    black.jpg

    But this system didn't give exact details... But there are many reasons why you might get on it.. Is your IP an open relay?



  • I understand that the 'right' payload can provoke such a situation.
    Upload several times some illegal video on Youtube, and as you can imagine, they won't like that.
    As a matter of fact, when you share your connection with users, there is a need to protect also your LAN(s), far more than your WANs.

    What might help : enforce your user identification : use a portal - and only give out access when you have a copy of the user ID (extreme example) - credit card etc . Apply a common rule : you should know who you invite (to use your stuff) .... Anonymous access can really backfire on you.
    Right now, some jackass is playing tricks on you. He/she who is provoking this does probably know very well what she/he is doing.


  • LAYER 8 Global Moderator

    The 2 lists I see his current IP he used to talk to the forum point to him sending spam... I don't see why those would be blocking him from viewing youtube - but I guess this IP is new one, and already show it on couple of lists..


  • LAYER 8 Global Moderator

    @rsohaya said in HOW CAN I PREVENT MY IP ADDRESS FROM BEING BLACKLISTED USING PFSENSE:

    yes i have a thousand users on my network

    Are these your users, in a private network - or are you running some sort of open network, net cafe or something where one can use if they pay sort of network? Or just get on free?



  • The users are in an open network. They are all connected to the same switch and the router that has the blacklisted IP address. I assume that pfSense has a package you can use to filter out bad traffic going out to the internet. Any ideas how I can achieve this in pfSense?



  • @rsohaya This is not possible. pfSense can protect you from spam but not the other way around I would say.



  • @rsohaya You need to figure out what "bad traffic" means - bit torrent, spam email, other stuff using some uncommon ports, then log your outbound traffic to the internet for these users. Analyze the log data, find the offending machine(s), then work from there.

    However, with a thousand users on an open network, you're in quite a pickle. Do these users come and go, on and off the network?

    Jeff


  • LAYER 8 Global Moderator

    @rsohaya said in HOW CAN I PREVENT MY IP ADDRESS FROM BEING BLACKLISTED USING PFSENSE:

    can use to filter out bad traffic

    So you have a magic package ;) that says this is bad? You have some open network - why and the F would you allow 25 out... Block that shit... Really the only ports you should allow out your "open" network is 80/443 - and say the other common sending email ports 465, 587 - I would block everything else outbound..

    F them for ftp, and ssh, this is some open network... To be honest you could say only 80/443 is open... Do your other business on your own network.

    If you block 25 outbound - you will stop getting on spammer lists that is for sure.
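
A sketch of the log analysis suggested in the two replies above (log outbound traffic to find the offending machines; allow only 80/443/465/587 out), added here as an example and not part of the original thread. It ranks LAN clients by logged connections to ports outside that allow-list; the filterlog field positions, the interface name `igb1` and the sample lines are assumptions constructed for illustration.

```python
from collections import Counter, defaultdict

# Egress allow-list proposed in the thread for an open network.
ALLOWED_OUT = {80, 443, 465, 587}

# Constructed sample log (documentation addresses; "igb1" = LAN is hypothetical).
# ASSUMED layout: pfSense filterlog CSV for IPv4 TCP/UDP, where field 4 is the
# interface, 7 the direction, 8 the IP version, 16 the protocol, 18 the source
# IP and 21 the destination port. Verify against your own firewall log.
PFX = "Jan 10 09:00:01 fw filterlog[123]: 5,,,1000000103,"
SAMPLE_LOG = [
    PFX + "igb1,match,pass,in,4,0x0,,64,1,0,DF,6,tcp,60,192.168.1.50,203.0.113.25,50001,25,0,S",
    PFX + "igb1,match,pass,in,4,0x0,,64,2,0,DF,6,tcp,60,192.168.1.50,203.0.113.26,50002,25,0,S",
    PFX + "igb1,match,block,in,4,0x0,,64,3,0,DF,6,tcp,60,192.168.1.50,203.0.113.27,50003,25,0,S",
    PFX + "igb1,match,pass,in,4,0x0,,64,4,0,DF,6,tcp,60,192.168.1.23,198.51.100.7,50004,443,0,S",
    PFX + "igb1,match,pass,in,4,0x0,,64,5,0,none,17,udp,48,192.168.1.77,198.51.100.9,51413,6881,28",
    PFX + "igb0,match,block,in,4,0x0,,52,6,0,DF,6,tcp,60,198.51.100.200,192.0.2.10,40000,25,0,S",
    "Jan 10 09:00:02 fw sshd[9]: unrelated line",
]

def parse_line(line):
    """Return (interface, direction, src_ip, dst_port), or None if not IPv4 TCP/UDP."""
    _, found, rest = line.partition("filterlog")
    f = rest.split(": ", 1)[-1].strip().split(",")
    if not found or len(f) < 22 or f[8] != "4" or f[16] not in ("tcp", "udp"):
        return None
    if not f[21].isdigit():
        return None
    return f[4], f[7], f[18], int(f[21])

def offenders(lines, lan_if="igb1"):
    """Rank LAN clients by logged connections to ports outside ALLOWED_OUT."""
    per_client = defaultdict(Counter)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        iface, direction, src, dport = rec
        # Client traffic towards the Internet arrives inbound on the LAN interface.
        if iface == lan_if and direction == "in" and dport not in ALLOWED_OUT:
            per_client[src][dport] += 1
    return sorted(per_client.items(), key=lambda kv: -sum(kv[1].values()))

if __name__ == "__main__":
    for src, ports in offenders(SAMPLE_LOG):
        print(src, dict(ports))
```

Lines only appear for rules that have logging enabled, so turn logging on for the LAN pass and block rules while investigating. Blocked attempts are counted too, which keeps the offending client visible after port 25 is closed.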



  • Thanks for your inputs guys. Let me try to block some ports on my network and monitor it for a while to see if the same will happen again.



  • @johnpoz

    simple fix, just implement https://www.ietf.org/rfc/rfc3514.txt :D


  • LAYER 8 Global Moderator

    Haha the evil bit being set - that is a good one... But yeah blocking packets with that bit set would for sure solve all his issues. A feature request should be put in ;)



  • @Mats said in HOW CAN I PREVENT MY IP ADDRESS FROM BEING BLACKLISTED USING PFSENSE:

    @johnpoz

    simple fix, just implement https://www.ietf.org/rfc/rfc3514.txt :D

    Wow! This rates right up there with the invention of the wheel and sliced bread ... 😁. Now thousands of Snort/Suricata rules and millions of IP addresses on pfBlocker IP lists can all be replaced with a single firewall rule looking for and dropping packets with the evil bit set. So simple even a child can do it.

