Site being blocked by pfB_Top_v4 rule; whitelists not working.



  • nslookup for handbrake.fr comes back with a valid IP. ping of the IP addr doesn't respond.

    I've added .handbrake.fr to DNSBL -> Custom Domain Whitelist and 46.0.0.0-46.255.255.255 to IPv4 -> Whitelist -> Custom Address(es).

    I'm also seeing nothing in pfblockerng.log.

    Please let me know what else I can try to troubleshoot this issue.



  • Site being blocked by pfB_Top_v4 rule;

    Did you have a look at the "pfB_Top_v4" file ?
    I could find :

    ...
    pfB_Top_v4 46.0.0.0/16
    pfB_Top_v4 46.102.107.0/24
    pfB_Top_v4 46.102.251.0/25
    ...
    

    None of these networks can make "46.105.55.28" fit.

    Is the IP (network) listed in another feed ?
    If not, it will be hard to whitelist something that isn't listed in the first place : the blocking reason is elsewhere.

    Btw :
    [2.4.5-RELEASE][admin@pfsense.brit-hotel-fumel.net]/root: ping 46.105.55.28
    PING 46.105.55.28 (46.105.55.28): 56 data bytes
    64 bytes from 46.105.55.28: icmp_seq=0 ttl=50 time=23.091 ms
    64 bytes from 46.105.55.28: icmp_seq=1 ttl=50 time=23.262 ms
    64 bytes from 46.105.55.28: icmp_seq=2 ttl=50 time=22.838 ms

    I guess 46.105.55.28 blocked your IP, at least for ping requests ...



  • How do I go about viewing the entire file? Sorry if this is a Kindergarten-level question. I'm new to all this.

    Might there be some other reason pfSense is reporting that as the reason the site is being blocked?

    Also, if I don't go through the firewall, I'm able to get to the site.

    But even after disabling THE pfB_Top_v4 rule, I'm still unable to get to that site.



  • As said, nothing is blocked on your side.
    It's 'their' side - or the way from you to there.

    Try another connection like your phone data - and you will be able to connect.
    True ?

    edit :

    @November said in Site being blocked by pfB_Top_v4 rule; whitelists not working.:

    Also, if I don't go through the firewall, I'm able to get to the site.

    Then the easy one is : remove pfBlockerNG, - do a reboot to be sure, and you'll be fine.
    pfSense does not block.

    Btw : if you

    ping 46.105.55.2
    

    then the DNS isn't even used.

    I can ping just fine to them. I'm using pfBlocker-NG with the same feed as you.



  • Yes, if I use my phone data connection, I can get through. And if I turn off the pfB_Top_v4 rule, I can also get through.

    If they're blocking me or something on the way from me to them is blocking me, why is it if I disable the rule I'm able to get through? And if the rule isn't involved in this, why is pfSense reporting the following:

    Jul 9 15:10:11	LAN	pfB_Top_v4
    (1770011752)	TCP-S		192.168.1.100:41138
    46.105.55.28:443
    vm4.handbrake.fr
    FR	Country
    

    Please, these aren't rhetorical questions. I would really like to gain better and deeper understanding of what's going on here.

    What tools might I use to shed more light on what's happening?



  • @November said in Site being blocked by pfB_Top_v4 rule; whitelists not working.:

    Yes, if I use my phone data connection, I can get through. And if I turn off the pfB_Top_v4 rule, I can also get through.

    If they're blocking me or something on the way from me to them is blocking me, why is it if I disable the rule I'm able to get through? And if the rule isn't involved in this, why is pfSense reporting the following:

    Jul 9 15:10:11	LAN	pfB_Top_v4
    (1770011752)	TCP-S		192.168.1.100:41138
    46.105.55.28:443
    vm4.handbrake.fr
    FR	Country
    

    Please, these aren't rhetorical questions. I would really like to gain better and deeper understanding of what's going on here.

    What tools might I use to shed more light on what's happening?

    Your testing with your phone's data connection, and then disabling the pfB_Top_v4 list, indicates to me that the pfB_Top_v4 list most definitely contains that IP address. Most likely it is contained within a defined netblock in that list. You will need to open up that list and search all the 46.x.x.x addresses in it, either using command-line tools such as grep or by opening the file directly in an editor. I'm not a pfBlocker user, but if I recall correctly from posts by other users, the IP lists are not necessarily in numerical order. So search the entire file thoroughly.



  • Hello!

    I think that pfB_Top_v4 is part of the GeoIP (not DNSBL) system in pfb. Check in Firewall -> pfBlockerNG -> IP -> GeoIP -> Top Spammers and make sure that France is not selected as one of the top spammers.
    Under Firewall -> pfBlockerNG -> IP is an IPv4_Suppression section that might whitelist IPs.

    John



  • While tools like pfBlockerNG can be very useful, some of the IP lists folks choose to use with it can be rather broad in what they block. Couple that with the fact some of the lists are poorly maintained, and you have a set of conditions that can frequently lead to unintended blocking of legitimate sites.

    So users need to carefully review the lists they choose to use. Personally I am not a fan of large-scale blocking of netblocks, but others have a different view and to each his own. It is a rather frequent occurrence of users breaking their Internet in some fashion with the use of either large numbers of "bad IP" lists they find on the web or using a VPN for privacy and running into the automatic blocks of a number of VPN provider netblocks by major sites (especially streaming services).



  • <aha-moment/> Yes, of course! That's one thing that I was missing! That must be why the whitelists I've been trying have been having no effect.

    I had set up this rule to block both incoming and outgoing traffic. Since the list is for top spammers, I've allowed outgoing traffic to go through.

    Thanks so much for the info that got things to click for me!



  • Hello!

    Commands I have found helpful. Assumes you have a maxmind key, feeds selected/updated, etc...
    Run from shell or DiagCommandPrompt...

    Check to see what country an IP is listed in :

    grep "^46.105.*" /usr/local/share/GeoIP/cc/*
    

    Check to see which installed lists an IP is in :

    grep "^46.105.*" /var/db/pfblockerng/deny/*
    grep "^46.105.*" /var/db/aliastables/*
    

    Check to see if a domain is listed in an installed dnsbl feed :

    grep "handbrake" /var/db/pfblockerng/dnsbl/*
    

    I am sure there are others...

    John
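
    An added example (not part of the posts above, nor pfBlockerNG's own code): a POSIX sh helper that tests CIDR containment rather than a text prefix, so it reports any listed netblock that covers an address, whatever the netblock's leading octets look like. The function names and the one-address-or-CIDR-per-line file layout are assumptions.

```shell
#!/bin/sh
# Added example: CIDR-aware search of IP list files.
# Assumes one address or CIDR per line; '#' lines and blank lines are skipped.
# Usage (paths as used in this thread): sh thisfile 46.105.55.28 /var/db/pfblockerng/deny/*

# Print the 32-bit integer for dotted-quad $1; fail on malformed input.
ip_to_int() {
    case $1 in ''|*[!0-9.]*) return 1 ;; esac
    oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case $o in ''|0?*|????*) return 1 ;; esac   # empty, leading zero, too long
        [ "$o" -le 255 ] || return 1
    done
    echo $(( ($1 << 24) + ($2 << 16) + ($3 << 8) + $4 ))
}

# Succeed if address $2 lies inside network $1 (a bare address counts as /32).
cidr_contains() {
    net=${1%/*}
    case $1 in */*) bits=${1#*/} ;; *) bits=32 ;; esac
    case $bits in ''|*[!0-9]*|0?*|???*) return 1 ;; esac
    [ "$bits" -le 32 ] || return 1
    n=$(ip_to_int "$net") || return 1
    a=$(ip_to_int "$2") || return 1
    if [ "$bits" -eq 0 ]; then
        mask=0
    else
        mask=$(( (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
    fi
    [ $(( n & mask )) -eq $(( a & mask )) ]
}

# Print "file:entry" for every list entry that covers address $1.
find_blocks() {
    target=$1; shift
    for f in "$@"; do
        [ -f "$f" ] || continue
        while read -r entry _rest || [ -n "$entry" ]; do
            case $entry in ''|'#'*) continue ;; esac
            cidr_contains "$entry" "$target" && echo "$f:$entry"
        done < "$f"
    done
    return 0
}

if [ $# -ge 2 ]; then find_blocks "$@"; fi
```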



  • @bmeeks said in Site being blocked by pfB_Top_v4 rule; whitelists not working.:

    by opening the file directly in an editor.

    As I said above, open the file and check.
    pfBlocker has a Firewall > pfBlockerNG > Log Browser option where you can see every (any !) file used by pfBlockerNG.
    Hitting Ctrl-F (poor man's grep) for "46.1" did give two results for me, but not the network I was looking for.


    This :

    @serbus said in Site being blocked by pfB_Top_v4 rule; whitelists not working.:

    I think that pfB_Top_v4 is part of the GeoIP (not DNSBL) system in pfb. Check in Firewall -> pfBlockerNG -> IP -> GeoIP -> Top Spammers and make sure that France is not selected as one of the top spammers.

    answers one of my own questions : where does "pfB_Top_v4" come from - as I started to think that this list isn't identical for us all.
    Of course : it's built from GeoIP data !

    This :
    grep "^46.105." /usr/local/share/GeoIP/cc/*
    returns, among others

    /usr/local/share/GeoIP/cc/FR_v4.txt:46.105.0.0/18
    

    right away - and a lot more.
    I still could find a network match for 46.105.55..... - but, because I'm living in France, I do not (not) have FR checked in the GeoIP selection - didn't know they could spam over here, as we have laws that say that that isn't allowed ... ( ;) )

    edit : I'm getting too old for this ?
    I actually "own" (rent for life) a 46.105.x.y IP ( 46.105.79.38 to be exact) it's my own family name domain name IP ...... (me banging my head early in the morning). Back then, it wasn't really known to be in "France" - Google said it was based in the ... US. That changed.
    I'm off selecting FR in the GeoIP lists .. see if I'm about to blacklist myself ....

