    How to troubleshoot false positive from feed?

      cipherwar

      I am getting a false positive from a PRI4 feed. One of the feeds is blocking access to Arstechnica. It is showing up in the firewall log as shown. How can I determine exactly which feed in the PRI4 group contains the 3.20.147.38 address? I'd rather just disable the feed than whitelist. Does the number (1770009754) have any significance?
      Screen Shot 2020-04-07 at 11.31.44 AM.jpg

        A Former User

        Go to Firewall/pfBlockerNG/IP, scroll a bit down and check the IPv4 Suppression functionality. Another way to handle false positives is within the Reports Dashboard (Firewall/pfBlockerNG/Reports/Alerts). Here you can filter for source / destination IP addresses and whitelist them by adding an address either to a permit rule (which must be before the deny rule) or by adding IPs to the suppression list.

        Read the context help on the pfBlockerNG menus and look for mouse-over information. The how-to-use documentation is pretty well built in.

          cipherwar @A Former User

          @Artes Thank you. I solved it by "brute force": I downloaded the lists and did a grep on them to identify the list causing the issue. Thank you for the "suppression list" pointer. Didn't realize that was the way to whitelist IPs. Probably should be called IPv4 Whitelist?? Thanks again.

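The "download the lists and search them" approach from the post above, as an added example that is not part of the original thread or of pfBlockerNG. A plain grep for 3.20.147.38 misses a feed that lists the address only inside a CIDR range and also matches longer strings such as 3.20.147.380, so this sketch parses each entry as a network and tests membership; the feed names and contents are constructed sample data.

```python
import ipaddress

def parse_entries(text):
    """Yield (line_no, network) for each IP or CIDR entry in a feed's text."""
    for line_no, raw in enumerate(text.splitlines(), 1):
        # Drop trailing comments ('#' or ';') and surrounding whitespace.
        entry = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not entry:
            continue
        token = entry.split()[0]
        try:
            # strict=False accepts entries whose host bits are set.
            yield line_no, ipaddress.ip_network(token, strict=False)
        except ValueError:
            continue  # header text, hostname, or malformed address

def feeds_containing(ip, feeds):
    """Return [(feed_name, line_no, entry)] for every entry that covers ip."""
    addr = ipaddress.ip_address(ip)
    hits = []
    for name, text in feeds.items():
        for line_no, net in parse_entries(text):
            if net.version == addr.version and addr in net:
                hits.append((name, line_no, str(net)))
    return hits

# Constructed sample feeds (hypothetical names, not real list contents).
SAMPLE_FEEDS = {
    "feed_a.txt": "# constructed sample\n198.51.100.7\n203.0.113.0/24 ; test range\n",
    "feed_b.txt": "# constructed sample\n3.20.144.0/21\n192.0.2.15\n",
    "feed_c.txt": "3.20.147.3\n3.20.147.380\n3.20.147.38 # exact entry\n",
}

if __name__ == "__main__":
    # The blocked address from the question at the top of the thread.
    for name, line_no, entry in feeds_containing("3.20.147.38", SAMPLE_FEEDS):
        print(f"{name}:{line_no}: {entry}")
```

To run it on downloaded lists, build the `feeds` dict from the files' names and text instead of `SAMPLE_FEEDS`.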
            A Former User

            It's because the term "whitelist" is used for another way to make exceptions:

            24f44bb2-1083-4b3c-be02-560a37615795-grafik.png

            As I wrote, take a look at the report tab of pfb - it makes life easy when it's necessary to handle false positives.

              cipherwar @A Former User

              @Artes Yup just checked that out. Thanks again.
