Last night pfblocker started blocking my dyndns hosts used for vpn. Where should I start?
-
Around 11pm last night I started getting vpn down messages from my monitoring console. I have a ipsec vpn between home and office both running pfsense, only home FW running pfblockerNG devel 2.1.4.22. I rebooted both sides (which sometimes fixes the probelm) but that didn't do it. I then started poking around and realized then a ping to my dyndns controlled work address from home brought back the redirected virtual ip 10.10.10.1. If I disabled pfblockerNG the pings or nslookups would resolve correctly and the vpn would connect, with pfblocker enabled it would not.
Not wanting to spend the entire night messing around I plugged in an ip address into the vpn settings and called it a night. Now I'm trying to figure out what happened to pfBlockerNG. Any ideas on where to start? I tried whitelisting the domain name, but may have not been doing it correctly. Also, this morning I updated pfBlockerNG to 2.2.5_32. Somehow I got on the devel version after speaking with the author about 100% hit rates displaying (long long ago). I also saw a lot of failed downloads on the lists (last night), so was thinking the upgraded version might have fixed that. So far I'm still getting the blocking, but I'm going to reboot the FW now.
Thanks,
Roveer
-
First thing I would do is look in your reports tab and see which list is blocking it..
-
@johnpoz said in Last night pfblocker started blocking my dyndns hosts used for vpn. Where should I start?:
First thing I would do is look in your reports tab and see which list is blocking it..
First thing I did... Strange thing is, it's not appearing in any of the lists. Right now I only have 2 lists that have blocks and no entries for these domains. I just putty'd into the FW and dropped to a shell and did a "ping domainname.dyndns.org" and it comes back 10.10.10.1 which is the virtual ip I have set in pfBlockerNG If I disable pfBNG and do the same thing it comes back to the public ip of my work host (as it should). Something real funny happening here.
Roveer
-
You want to PM me the domain and I will look to see what list it could be on.
is something dyndns.org or you just using that as placeholder for ddns?
-
Hello!
On Firewall -> pfBlockerNG -> DNSBL do you have TLD enabled?
John
-
I do see what he sent me in PM on a few lists.. mostly dial up spam lists... But there are multiple spam lists in pfblocker that could be blocking it sure..
I don't really know an easy way to query pfblocker for what lists contain what.. Other than looking at the reports and seeing what hit.. @BBcan177 would know the easiest fastest way to track down what is blocking it.. I just paged him, lets see if he is around.
-
Hello!
dyndns.org is listed in Malicious -> BBC_DC2 and maybe others.
You can check with :grep -i dyndns /var/db/pfblockerng/dnsbl/*
at Diagnostics -> Command Prompt. I am not sure how this would cause the OP issue.
dyndns.org is also listed in /usr/local/pkg/pfblockerng/dnsbl_tld, which could be an issue if you have TLD turned on...? This seems more likely to be the problem.
John
-
@serbus said in Last night pfblocker started blocking my dyndns hosts used for vpn. Where should I start?:
Hello!
dyndns.org is listed in Malicious -> BBC_DC2 and maybe others.
You can check with :grep -i dyndns /var/db/pfblockerng/dnsbl/*
at Diagnostics -> Command Prompt. I am not sure how this would cause the OP issue.
dyndns.org is also listed in /usr/local/pkg/pfblockerng/dnsbl_tld, which could be an issue if you have TLD turned on...? This seems more likely to be the problem.
John
I did the grep but it won't let me post the results (says it's a spam message). I got about 10 lines that looked like this
/var/db/pfblockerng/dnsbl/hpHosts_EMD.txt:local-data: "umezawa.dyndns.info 60 IN A 10.10.10.1"
None had my domain name and none has just dyndns.
I added .dyndns.org to both DLSBL whitelist and the TLD whitelist. I had tried the dnsbl whitelist before but I was putting the entire domain name. This time I just put .dyndns.org. Did a reload and it's resolving properly now.
Roveer
-
Hello!
I would recommend reading through all of the dropdown text under the little blue "infoicon" links for the TLD option and all of the whitelist/blacklist options on the pfb -> dnsbl page. There is some great info in there.
John
