How to troubleshoot false positive from feed?



  • I am getting a false positive from a PRI4 feed. One of the feeds is blocking access to Arstechnica. It is showing up in the firewall log as shown. How can I determine exactly which feed in the PRI4 group contains the 3.20.147.38 address? I'd rather just disable the feed than whitelist. Does the number (1770009754) have any significance?
    Screen Shot 2020-04-07 at 11.31.44 AM.jpg



  • Go to Firewall/pfBlockerNG/IP, scroll a bit down and check the IPV4 Suppression functionality. Another way to handle false positives is within the Reports Dashboard (Firewall/pfBlockerNG/Reports/Alerts). Here you can filter for source / destination IP-Addresses and whitelist them by adding an Address either to a permit rule (which must be before the deny rule) or by adding IPs to the suppression list.

    Read the context help on the pfBlockerNG Menus and look for mouse-over information. The how-to use documentation is pretty well build in.



  • @Artes Thank you. I solved it by "brute force" I downloaded the lists and did a grep on them to identify the list causing the issue. Thank you for the "suppression list" pointer. Didn't realize that was the way to whitelist ips. Probably should be called IPv4 Whitelist?? Thanks again.



  • It's because the term "whitelist" is used for anther way to make exceptions:

    24f44bb2-1083-4b3c-be02-560a37615795-grafik.png

    As I wrote, take a look at the report tab of pfb - it makes life easy when it's necessary to handle false positives.



  • @Artes Yup just checked that out. Thanks again.


Log in to reply