Bug report: PfblockerNG add 1.1.1.1 when threat source input is empty



  • At Firewall / pfBlockerNG / Edit / IPv4
    When you add "IPv4 Lists", if the threat source, like http://abc.com/def.txt, is an empty file, pfBlockerNG will add the IP 1.1.1.1 to prevent empty input, and then it will block Cloudflare's public DNS 1.1.1.1, which is very popular nowadays. It shouldn't work like this.



  • @securli What is your pfBlockerNG version?
    Unable to reproduce



  • pfBlockerNG 2.1.4_22

    pfsense 2.4.5-RELEASE-p1 (amd64)
    built on Tue Jun 02 17:51:17 EDT 2020
    FreeBSD 11.3-STABLE

    The most interesting thing is that pfBlockerNG showed a message telling me that it added 1.1.1.1 to prevent an empty list, so this function must exist inside pfBlockerNG.


  • LAYER 8 Moderator

    That is the old stable version of pfBNG? Please install the dev version, which really isn't that "dev" anymore and is a big upgrade over that version. It already has those hardcoded things fixed with a configurable IP that defaults to 127.1.1.7 now, so as not to cause problems with real IPs. I think there's some older thread about how to (manually) fix that in the old stable.



  • @JeGr Thank you very much. This bug is so stupid; it should check whether the downloaded file is zero-length or not instead of randomly blocking an IP address.


  • LAYER 8 Moderator

    @securli said in Bug report: PfblockerNG add 1.1.1.1 when threat source input is empty:

    @JeGr Thank you very much. This bug is so stupid; it should check whether the downloaded file is zero-length or not instead of randomly blocking an IP address.

    That's what it does. But pf can't handle empty files/lists, so there has to be at least one entry in it; that's why in the old version there was a default value, 1.1.1.1, long before that IP was made a DNS service by Cloudflare and APNIC. That's why it was changed to 127.1.1.7 as the (new) default.
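To make the behaviour discussed in this thread concrete, here is an added example (not pfBlockerNG's own code, and the function names are invented for illustration): it parses a downloaded IPv4 list, skipping comments and junk lines, and if nothing valid remains it substitutes a placeholder so the resulting pf table is never empty. It also shows the check that the thread implies was missing in the old version: the placeholder must not be a globally routable address, so 127.1.1.7 (a loopback address, as used by the newer default) passes and 1.1.1.1 is refused. The sample list text at the bottom is constructed for the demo.

```python
import ipaddress

# Hypothetical helper, not pfBlockerNG code. The default matches the value the
# thread says the dev version uses; it is a loopback address, so a pf table
# containing only this entry never blocks real traffic.
DEFAULT_PLACEHOLDER = "127.1.1.7"


def parse_ip_list(text):
    """Return the valid IPv4 addresses/CIDRs in a downloaded list, in order.
    Blank lines, '#' or ';' comments, IPv6 entries and unparsable lines are
    skipped, which is how an empty-but-nonzero-length file still yields nothing."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        try:
            net = ipaddress.ip_network(line, strict=False)
        except ValueError:
            continue
        if net.version != 4:
            continue
        entries.append(str(net))  # normalised, e.g. "203.0.113.5/32"
    return entries


def placeholder_is_safe(placeholder):
    """A placeholder must never be globally routable; otherwise a legitimate
    host (the 1.1.1.1 case in this thread) ends up in the block table."""
    return not ipaddress.ip_address(placeholder).is_global


def build_table(text, placeholder=DEFAULT_PLACEHOLDER):
    """Parse a list and return (entries, used_placeholder).

    If the list is empty after parsing, the placeholder is inserted so that pf
    still gets a non-empty table. An unsafe placeholder is refused outright."""
    if not placeholder_is_safe(placeholder):
        raise ValueError(f"placeholder {placeholder} is globally routable")
    entries = parse_ip_list(text)
    if entries:
        return entries, False
    return [placeholder], True


# Constructed sample feeds for the demo (documentation ranges, not real threat data).
SAMPLE_FEED = """# constructed sample list
203.0.113.5
198.51.100.0/24 ; trailing comment
2001:db8::1
not-an-ip
"""
EMPTY_FEED = "# nothing but a comment\n\n"

if __name__ == "__main__":
    print(build_table(SAMPLE_FEED))   # (['203.0.113.5/32', '198.51.100.0/24'], False)
    print(build_table(EMPTY_FEED))    # (['127.1.1.7'], True)
    try:
        build_table(EMPTY_FEED, placeholder="1.1.1.1")
    except ValueError as exc:
        print("refused:", exc)
```

The point of `placeholder_is_safe` is that "the table must not be empty" and "the filler must not be a real host" are separate requirements; the old 1.1.1.1 default satisfied the first and silently violated the second once that address went into production use.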

