Netgate Discussion Forum

    Pfblocker blocks 8.8.8.8

      bolvar

      Hi
      Since a few days ago, I cannot ping 8.8.8.8 from our network. When I listed the fw blocked packages I see that a pfblocker rule blocks the ping.
      Dns_hiba.PNG

      Why could this happen?
      Thanks for the help!
      bolvar

        AKEGEC @bolvar

        @bolvar, this happens when the cron source updated their block IP address lists. What you can do to unblock it: press [+] button next to 8.8.8.8.

          johnpoz LAYER 8 Global Moderator

          @AKEGEC said in Pfblocker blocks 8.8.8.8:

          press [+] button next to 8.8.8.8

          That is not really a good solution.. And also doing so you would also need to make sure it's above your pfblocker rule.

          The correct solution is to remove it from pfblocker block list. Not sure what list would block one of the most popular dns IPs on the planet? That makes no sense.

          Until that list owner fixes their list, which I would assume would be soon - after the massive amounts of complaints prob getting.. Would be to whitelist it in pfblocker.

          If you're going to use an easy rule to allow it, you will need to make sure it's above any automatic rules you have set up in pfblocker adding which default to being on the very top of the rules. So evaluated first.

          An intelligent man is sometimes forced to be drunk to spend time with his fools
          If you get confused: Listen to the Music Play
          Please don't Chat/PM me for help, unless mod related
          SG-4860 24.11 | Lab VMs 2.7.2, 24.11

            MoonKnight

            Hi,
            It's blocked by this list:
            hxxps://isc.sans.edu/api/sources/attacks/1000/30?text

            You will find it under Firewall ---> pfBlockerNG ---> IP ---> IPv4

            --- 24.11 ---
            Intel(R) Xeon(R) CPU D-1518 @ 2.20GHz
            Kingston DDR4 2666MHz 16GB ECC
            2 x HyperX Fury SSD 120GB (ZFS-mirror)
            2 x Intel i210 (ports)
            4 x Intel i350 (ports)

              johnpoz LAYER 8 Global Moderator

              That is a horrible list to use... That is anyone reporting anything up.. It's just people uploading their firewall logs..

                Bob.Dig LAYER 8

                Not long ago 1.1.1.1 was blocked by PRI1, so I couldn't use it for outgoing blocking anymore.

                @CiscoX thanks for clarifying it, so I could just disable this one feed.

                @BBcan177 It really shouldn't be part of PRI1 anymore.

                  Rico LAYER 8 Rebel Alliance

                  There is a thread in the correct section. ;-)
                  https://forum.netgate.com/topic/157037/isc_1000_30-added-google-dns-8-8-8-8

                  -Rico

                    chrcoluk @johnpoz

                    @johnpoz indeed, I guess that list needs demoting from pri1, which is supposed to be the safest set of lists. :)

                    pfSense CE 2.7.2

                      johnpoz LAYER 8 Global Moderator

                      @chrcoluk said in Pfblocker blocks 8.8.8.8:

                      which is supposed to be the safest set of lists. :)

                      Safe in what sense ;) Safe in the sense that you would block possible bad IPs.. You could see pulling in a list of every known IP that has been reported as "bad" could be safe.

                      Or safe in the sense that it won't have false entries ;) If that is how you want to use the word, then no, including every Tom, Dick and Harry IP that anyone reports is bad, is prob not a good idea ;)

                      That is not really a block list provided by isc, that is just a feed of IPs gotten through their API.. Just the top 1000 IPs reported? There is no validation of said IPs.. Just what has been reported.. That is asking for problems.. Only lists that are maintained and validated in some way should be used to be honest.. Even when they are wrong entries can be made.. Using some automated list of IPs that have been reported is going to be full of false entries.

                        chrcoluk

                        Safe from false entries of course, the list itself even says it's not a block list, so not sure what it is doing under the pri1 section of pfblockerng.

                          johnpoz LAYER 8 Global Moderator

                          Is it listed there.. I only see these under the ISC pri1 list

                          list.png

                          I don't see 8.8.8.8 in any of those..

                          What exact default list is it under? I don't use pfblocker to do any sort of auto rules.. What specific "default" that pfblocker list uses.. Happy to look and see.. There have been a few of these posts.. And not exactly which is the feed that contains this.. It's not under the ISC pr1 feed.

                          Should a list of top 1000 reported IPs be under what is termed a "safe" feed to use (pr1) - I would agree that would be a bad idea. But pfblocker doesn't really have control over what the maintainer of some list might add to its feeds.. It can only list feeds you can use if you want.

                          And there is a big warning where you pick which lists you want to use
                          "Disclaimer: Use of the Feed(s) below are at your own risk! "

                            Bob.Dig LAYER 8 @johnpoz

                            @johnpoz It is or was the already mentioned one and pri1 shouldn't include this.

                            Capture.JPG

                              johnpoz LAYER 8 Global Moderator

                              Which pri1 includes this?

                              I do not see any list called ISC_1000_30 on my pri1 lists?

                              lists.png

                                Bob.Dig LAYER 8 @johnpoz

                                @johnpoz Then it was finally removed after weeks of havoc. I noticed an update for pfBlocker this morning. Or in other ways, don't know how pfBlocker is handling the feeds.

                                @BBcan177 Thanks! 👍

                                  johnpoz LAYER 8 Global Moderator

                                  I am curious if once the feed is removed from the possible PR1 feeds, does it auto remove it from your specific selections, or will users have to make sure they remove it from their selection feeds?

                                  I would assume the latter

                                    jdeloach @johnpoz

                                    @johnpoz said in Pfblocker blocks 8.8.8.8:

                                    I am curious if once the feed is removed from the possible PR1 feeds, does it auto remove it from your specific selections,

                                    The answer to that is NO, since pfBlocker downloads/updates from the URL specified for the source website for that list.

                                    or will users have to make sure they remove it from their selection feeds?

                                    YES, since pfBlocker updates from the URL specified for the source website for that list.

                                      Bob.Dig LAYER 8 @jdeloach

                                      @jdeloach @johnpoz True, just tested it myself. I installed a backup from yesterday, then enabled that list and made updates. After that I installed the update of pfBlocker, but it looked to me, that the "faulty" feed was already gone before that update... but sure not in my installation of pfBlocker, so I had to remove it manually.

                                        chrcoluk

                                        John, it is in Internet Storm Centre, but my pfblockerng has an outstanding update so maybe that's why I still see it there, it's good if it got moved off it.

                                        pfblockerpri1.png

                                          johnpoz LAYER 8 Global Moderator

                                          Yeah, must have changed, because that is no longer the case..

                                          I'm running 2.2.5_36 of pfBlockerNG-devel

                                          None of those should really have ever been any sort of feed you could use.. They clearly state they only provide 1 block list.

                                          https://isc.sans.edu/xml.html
                                          Why Should I Not Use the "Top 100" data as blocklist?

                                          Our primary purpose is to collect data for network security research. In order to fulfill this role, we collect data "as is" with little filtering. Filters are applied to the raw data for specific purposes, but we can not delete data from our raw database without compromising the data integrity.

                                          Our data does include false positives, and we will not remove them. It would make it harder to observe long term trends. If a report is a false positive or not depends to a large extent on the question being asked.

                                          We offer one blocklist, and one blocklist only (https://isc.sans.edu/block.txt). Unlike for our other lists, we will remove IPs from this blocklist if asked to.

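Added example, not part of the thread and not pfBlockerNG code: a pre-load check for the failure discussed above, where an unvalidated feed lists a resolver such as 8.8.8.8 or 1.1.1.1, either directly or inside a wider prefix. The feed format (one IP or CIDR per line, `#` or `;` comments), the sample data and all function names are assumptions.

```python
import ipaddress

# Addresses that must never land in a deny alias (the resolvers named in this thread).
# Extend with your own DNS servers, gateways and monitoring targets.
NEVER_BLOCK = ["8.8.8.8", "1.1.1.1"]

# Constructed sample feed, not real feed data.
SAMPLE_FEED = """\
# top reported sources (constructed)
198.51.100.23
203.0.113.0/24
8.8.8.8
1.1.1.0/24   ; trailing note
not-an-ip
192.0.2.77
"""

def parse_feed(text):
    """Return (networks, rejected_lines) from a plain-text IP/CIDR feed."""
    networks, rejected = [], []
    for raw in text.splitlines():
        # Strip '#' and ';' comments, then surrounding whitespace.
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        try:
            # strict=False accepts entries with host bits set, e.g. 10.1.2.3/24.
            networks.append(ipaddress.ip_network(line, strict=False))
        except ValueError:
            rejected.append(raw)
    return networks, rejected

def find_conflicts(networks, never_block=NEVER_BLOCK):
    """Map each protected address to the feed entries that would block it."""
    conflicts = {}
    for addr in map(ipaddress.ip_address, never_block):
        # Membership is False across IP versions, so mixed v4/v6 feeds are fine.
        hits = [str(net) for net in networks if addr in net]
        if hits:
            conflicts[str(addr)] = hits
    return conflicts

def vet_feed(text):
    """Return (ok, conflicts, rejected); ok is False if a protected IP is covered."""
    networks, rejected = parse_feed(text)
    conflicts = find_conflicts(networks)
    return (not conflicts), conflicts, rejected

if __name__ == "__main__":
    print(vet_feed(SAMPLE_FEED))
```

A feed that fails this check points to a list that should be disabled or overridden by a whitelist entry, as the replies above recommend.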
                                            AKEGEC

                                            I think you should not upgrade your pfblockerng before you install the new pfsense version (like 2.5). 👏

                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.