Netgate Discussion Forum

    Site being blocked by pfB_Top_v4 rule; whitelists not working.

    Firewalling
    11 Posts 4 Posters 3.1k Views
    • N
      November
      last edited by

      nslookup for handbrake.fr comes back with a valid IP. ping of the IP addr doesn't respond.

      I've added .handbrake.fr to DNSBL -> Custom Domain Whitelist and 46.0.0.0-46.255.255.255 to IPv4 -> Whitelist -> Custom Address(es).

      I'm also seeing nothing in pfblockerng.log.

      Please let me know what else I can try to troubleshoot this issue.

      1 Reply Last reply Reply Quote 0
      • GertjanG
        Gertjan
        last edited by

        Site being blocked by pfB_Top_v4 rule;

        Did you have a look at the "pfB_Top_v4" file ?
        I could find :

        ...
        pfB_Top_v4 46.0.0.0/16
        pfB_Top_v4 46.102.107.0/24
        pfB_Top_v4 46.102.251.0/25
        ...
        

        None of these networks can make "46.105.55.28" fit.

        Is the IP (network) listed in another feed ?
        If not, it will be hard to whitelist something that isn't listed in the first place : the blocking reason is elsewhere.

        Btw :
        [2.4.5-RELEASE][admin@pfsense.brit-hotel-fumel.net]/root: ping 46.105.55.28
        PING 46.105.55.28 (46.105.55.28): 56 data bytes
        64 bytes from 46.105.55.28: icmp_seq=0 ttl=50 time=23.091 ms
        64 bytes from 46.105.55.28: icmp_seq=1 ttl=50 time=23.262 ms
        64 bytes from 46.105.55.28: icmp_seq=2 ttl=50 time=22.838 ms

        I guess 46.105.55.28 blocked your IP, at least for ping requests ...

        No "help me" PM's please. Use the forum, the community will thank you.
        Edit : and where are the logs ??

        1 Reply Last reply Reply Quote 0
        • N
          November
          last edited by

          How do I go about viewing the entire file? Sorry if this is a Kindergarten-level question. I'm new to all this.

          Might there be some other reason pfSense is reporting that as the reason the site is being blocked?

          Also, if I don't go through the firewall, I'm able to get to the site.

          But even after disabling THE pfB_Top_v4 rule, I'm still unable to get to that site.

          1 Reply Last reply Reply Quote 0
          • GertjanG
            Gertjan
            last edited by Gertjan

            As said, nothing is blocked on your side.
            It's 'their' side - or the way from you to there.

            Try another connection like your phone data - and you will be able to connect.
            True ?

            edit :

            @November said in Site being blocked by pfB_Top_v4 rule; whitelists not working.:

            Also, if I don't go through the firewall, I'm able to get to the site.

            Then the easy one is : remove pfBlockerNG, - do a reboot to be sure, and you'll be fine.
            pfSense does not block.

            Btw : if you

            ping 46.105.55.2
            

            then the DNS isn't even used.

            I can ping just fine to them. I'm using pfBlocker-NG with the same feed as you.

            No "help me" PM's please. Use the forum, the community will thank you.
            Edit : and where are the logs ??

            1 Reply Last reply Reply Quote 0
            • N
              November
              last edited by

              Yes, if I use my phone data connection, I can get through. And if I turn off the pfB_Top_v4 rule, I can also get through.

              If they're blocking me or something on the way from me to them is blocking me, why is it if I disable the rule I'm able to get through? And if the rule isn't involved in this, why is pfSense reporting the following:

              Jul 9 15:10:11	LAN	pfB_Top_v4
              (1770011752)	TCP-S		192.168.1.100:41138
              46.105.55.28:443
              vm4.handbrake.fr
              FR	Country
              

              Please, these aren't rhetorical questions. I would really like to gain better and deeper understanding of what's going on here.

              What tools might I use to shed more light on what's happening?

              bmeeksB 1 Reply Last reply Reply Quote 0
              • bmeeksB
                bmeeks @November
                last edited by bmeeks

                @November said in Site being blocked by pfB_Top_v4 rule; whitelists not working.:

                Yes, if I use my phone data connection, I can get through. And if I turn off the pfB_Top_v4 rule, I can also get through.

                If they're blocking me or something on the way from me to them is blocking me, why is it if I disable the rule I'm able to get through? And if the rule isn't involved in this, why is pfSense reporting the following:

                Jul 9 15:10:11	LAN	pfB_Top_v4
                (1770011752)	TCP-S		192.168.1.100:41138
                46.105.55.28:443
                vm4.handbrake.fr
                FR	Country
                

                Please, these aren't rhetorical questions. I would really like to gain better and deeper understanding of what's going on here.

                What tools might I use to shed more light on what's happening?

                Your testing with your phone's data connection, and then disabling the pfB_Top_v4 list, indicates to me that the pfB_Top_v4 list most definitely contains that IP address. Most likely it is contained within a defined netblock in that list. You will need to open up that list and search all the 46.x.x.x addresses in it either using command-line tools such as grep or by opening the file directly in an editor. I'm not a pfBlocker user, but if I recall correctly from posts by other users, the IP lists are not necessarily in numerical order. So search the entire file thoroughly.

                GertjanG 1 Reply Last reply Reply Quote 1
                • S
                  serbus
                  last edited by

                  Hello!

                  I think that pfB_Top_v4 is part of the GeoIP (not DNSBL) system in pfb. Check in Firewall -> pfBlockerNG -> IP -> GeoIP -> Top Spammers and make sure that France is not selected as one of the top spammers.
                  Under Firewall -> pfBlockerNG -> IP is an IPv4_Suppression section that might whitelist IPs.

                  John

                  Lex parsimoniae

                  1 Reply Last reply Reply Quote 0
                  • bmeeksB
                    bmeeks
                    last edited by bmeeks

                    While tools like pfBlockerNG can be very useful, some of the IP lists folks choose to use with it can be rather broad in what they block. Couple that with the fact some of the lists are poorly maintained, and you have a set of conditions that can frequently lead to unintended blocking of legitimate sites.

                    So users need to carefully review the lists they choose to use. Personally I am not a fan of large-scale blocking of netblocks, but others have a different view and to each his own. It is a rather frequent occurrence of users breaking their Internet in some fashion with the use of either large numbers of "bad IP" lists they find on the web or using a VPN for privacy and running into the automatic blocks of a number of VPN provider netblocks by major sites (especially streaming services).

                    1 Reply Last reply Reply Quote 1
                    • N
                      November
                      last edited by

                      <aha-moment/> Yes, of course! That's one thing that I was missing! That must be why the whitelists I've been trying have been having no effect.

                      I had set up this rule to block both incoming and outgoing traffic. Since the list is for top spammers, I've allowed outgoing traffic to go through.

                      Thanks so much for the info that got things to click for me!

                      1 Reply Last reply Reply Quote 0
                      • S
                        serbus
                        last edited by

                        Hello!

                        Commands I have found helpful. Assumes you have a maxmind key, feeds selected/updated, etc...
                        Run from shell or DiagCommandPrompt...

                        Check to see what country an IP is listed in :

                        grep "^46.105.*" /usr/local/share/GeoIP/cc/*
                        

                        Check to see which installed lists an IP is in :

                        grep "^46.105.*" /var/db/pfblockerng/deny/*
                        grep "^46.105.*" /var/db/aliastables/*
                        

                        Check to see if a domain is listed in an installed dnsbl feed :

                        grep "handbrake" /var/db/pfblockerng/dnsbl/*
                        

                        I am sure there are others...

                        John

                        Lex parsimoniae

                        1 Reply Last reply Reply Quote 1
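A text search such as `grep "^46.105"` only finds entries that are written with the same leading octets as the address; a wider block that starts at a different octet still covers it. The following is an added example, not code from any poster or from pfBlockerNG, that tests real CIDR containment instead. It assumes each list line ends with an IP or CIDR token; the sample reuses entries quoted in this thread plus one constructed line.

```python
#!/usr/bin/env python3
"""Report which list entries (single IPs or CIDR blocks) cover a given address."""
import ipaddress
import sys

# Constructed sample. Lines 1-4 reuse entries quoted in the thread; line 5 is
# invented to show a covering block that a text search for "46.105" misses.
SAMPLE = """\
pfB_Top_v4 46.0.0.0/16
pfB_Top_v4 46.102.107.0/24
pfB_Top_v4 46.102.251.0/25
46.105.0.0/18
46.104.0.0/15
"""

def parse_entries(lines):
    """Yield (line_number, network) for lines whose last token is an IP or CIDR."""
    for number, line in enumerate(lines, 1):
        tokens = line.split("#", 1)[0].split()
        if not tokens:
            continue
        try:
            # strict=False also accepts entries written with host bits set
            yield number, ipaddress.ip_network(tokens[-1], strict=False)
        except ValueError:
            continue  # header, comment, or anything that is not an address

def covering_entries(ip, lines):
    """Return [(line_number, 'a.b.c.d/len'), ...] for every entry containing ip."""
    addr = ipaddress.ip_address(ip)
    return [(n, str(net)) for n, net in parse_entries(lines)
            if net.version == addr.version and addr in net]

def main(argv):
    if len(argv) < 2:  # no arguments: run against the constructed sample
        print(covering_entries("46.105.55.28", SAMPLE.splitlines()))
        return 0
    ip, paths = argv[1], argv[2:]
    for path in paths:
        with open(path, errors="replace") as handle:
            for number, net in covering_entries(ip, handle):
                print(f"{path}:{number}: {net} contains {ip}")
    return 0

if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Saved under a hypothetical name such as `covers.py`, it takes the address followed by the list files to check, for instance the files under `/var/db/pfblockerng/deny/` and `/usr/local/share/GeoIP/cc/` mentioned above.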
                        • GertjanG
                          Gertjan @bmeeks
                          last edited by

                          @bmeeks said in Site being blocked by pfB_Top_v4 rule; whitelists not working.:

                          by opening the file directly in an editor.

                          As I said above, open the file and check.
                          pfBlocker has a Firewall > pfBlockerNG > Log Browser option where you can see every (any !) file used by pfBlockerNG.
                          Hitting Ctrl-F (poor man's grep) for "46.1" did give two results for me, but not the network I was looking for.


                          This :

                          @serbus said in Site being blocked by pfB_Top_v4 rule; whitelists not working.:

                          I think that pfB_Top_v4 is part of the GeoIP (not DNSBL) system in pfb. Check in Firewall -> pfBlockerNG -> IP -> GeoIP -> Top Spammers and make sure that France is not selected as one of the top spammers.

                          answers one of my own questions : where does "pfB_Top_v4" come from - as I started to think that this list isn't identical for us all.
                          Of course : it's built from GeoIP data !

                          This :

                          grep "^46.105.*" /usr/local/share/GeoIP/cc/*

                          returns, among others

                          /usr/local/share/GeoIP/cc/FR_v4.txt:46.105.0.0/18
                          

                          right away - and a lot more.
                          I still could find a network match for 46.105.55..... - but, because I'm living in France, I do not (not) have FR checked in the GeoIP selection - didn't know they could spam over here, as we have laws that say that that isn't allowed ... ( ;) )

                          edit : I'm getting too old for this ?
                          I actually "own" (rent for life) a 46.105.x.y IP ( 46.105.79.38 to be exact) it's my own family name domain name IP ...... (me banging my head early in the morning). Back then, it wasn't really known to be in "France" - Google said it was based in the ... US. That changed.
                          I'm off selecting FR in the GeoIP lists .. see if I'm about to blacklist myself ....

                          No "help me" PM's please. Use the forum, the community will thank you.
                          Edit : and where are the logs ??

                          1 Reply Last reply Reply Quote 0
                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.