Netgate Discussion Forum

    pfBlockerNG suppression list, where to find?

      HeMaN
      last edited by HeMaN

      I noticed a lot of errors for the DNS requests in my network. Did some digging and finally found out that someone managed to get 1.1.1.1 on the ICS_1000_30 list 😠

      From the "reports - alerts" I added the IP to the whitelisting (black plus sign, option 1 "suppress the ip"). Now 1.1.1.1 is working again. In the "reports - alerts" there is now a trash bin next to the 1.1.1.1 log rule. It states the IP is in the IP suppression list.

      I was curious where this suppression list was kept, so I looked around and the closest I could find is the alias "pfBlockerNGSuppress" (firewall / aliases / ip). However, that list is completely empty.

      Is there another list or place I can find the IPs I have suppressed?
      I want to add a few IPs there myself so that even in case they get blacklisted, at least my DNS keeps working (like 1.0.0.1, 8.8.8.8, and my provider's DNS servers).

        HeMaN
        last edited by HeMaN

        Getting stranger, they are blocked again. According to the rule it should be suppressed but clearly it was blocked.

        I now manually added the IPs to the alias and did an "update - reload - all" and now it is working again.

        ===[ Suppression Stats ]===================================
        
        List                 Pre        Suppress   Master    
        -----------------------------------------------------------
        BinaryDefence_IPs_v4 1445       1445       67583     
         Suppression ET_Block_IP_Ranges_v4: 1.1.1.0/24 (Excluding: 1.1.1.1/32)
        ET_Block_IP_Ranges_v4 995        994        67837     
        ET_Compromised_IPs_v4 450        450        67837     
        ISC_1000_30_v4       451        450        67836     
        

        So the alias "pfBlockerNGSuppress" was apparently the right place to add them, only when I added it from the reports it did not show up there and was not working again a little later.

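The log in the second post shows a /24 feed entry being kept with a single /32 carved out of it. As an added example (not part of the original posts and not pfBlockerNG's own code), this Python script reproduces that carve-out with the standard `ipaddress` module and then checks that none of the resolver addresses named in the thread are still covered. The feed entries are constructed sample data and the function names are hypothetical.

```python
import ipaddress

# Constructed sample data: feed entries and the resolver IPs to keep reachable.
FEED = ["1.1.1.0/24", "203.0.113.7", "198.51.100.0/25"]
SUPPRESS = ["1.1.1.1", "1.0.0.1", "8.8.8.8"]

def apply_suppression(feed_entries, suppress_ips):
    """Carve each suppressed host out of any feed network that contains it.

    Returns (kept_networks, report); report lists (feed_entry, excluded_host).
    """
    hosts = [ipaddress.ip_network(ip) for ip in suppress_ips]
    kept, report = [], []
    for entry in feed_entries:
        pending = [ipaddress.ip_network(entry, strict=False)]
        for host in hosts:
            remaining = []
            for net in pending:
                if host.version == net.version and host.subnet_of(net):
                    report.append((entry, str(host)))
                    # address_exclude yields the subnets of net that omit host
                    # (nothing at all when net is exactly the host).
                    remaining.extend(net.address_exclude(host))
                else:
                    remaining.append(net)
            pending = remaining
        kept.extend(pending)
    kept.sort(key=lambda n: (n.version, int(n.network_address), n.prefixlen))
    return kept, report

def is_blocked(networks, ip):
    """True if ip falls inside any network of the post-suppression block list."""
    addr = ipaddress.ip_address(ip)
    return any(addr.version == n.version and addr in n for n in networks)

if __name__ == "__main__":
    kept, report = apply_suppression(FEED, SUPPRESS)
    for entry, host in report:
        print(f"Suppression {entry} (Excluding: {host})")
    for ip in SUPPRESS:
        print(ip, "BLOCKED" if is_blocked(kept, ip) else "ok")
```

Running `is_blocked` against the deployed list after each feed update is a quick way to confirm that a suppression entry is actually in effect.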
        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.