Netgate Discussion Forum

    Pfblocker blocks 8.8.8.8

    • MoonKnight

      Hi,
      It's blocked by this list:
      hxxps://isc.sans.edu/api/sources/attacks/1000/30?text

      You will find it under Firewall ---> pfBlockerNG ---> IP ---> IPv4

      --- 25.07.1 ---
      Intel(R) Xeon(R) CPU D-1518 @ 2.20GHz
      Kingston DDR4 2666MHz 16GB ECC
      2 x HyperX Fury SSD 120GB (ZFS-mirror)
      2 x Intel i210 (ports)
      4 x Intel i350 (ports)

      • johnpoz LAYER 8 Global Moderator

        that is a horrible list to use... That is anyone reporting anything up.. It's just people uploading their firewall logs..

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 25.07.1 | Lab VMs 2.8.1, 25.07.1

        • Bob.Dig LAYER 8

          Not long ago 1.1.1.1 was blocked by PRI1, so I couldn't use it for outgoing blocking anymore.

          @CiscoX thanks for clarifying it, so I could just disable this one feed.

          @BBcan177 It really shouldn't be part of PRI1 anymore.

          • Rico LAYER 8 Rebel Alliance

            There is a thread in the correct section. ;-)
            https://forum.netgate.com/topic/157037/isc_1000_30-added-google-dns-8-8-8-8

            -Rico

            • chrcoluk @johnpoz

              @johnpoz indeed, I guess that list needs demoting from pri1, which is supposed to be the safest set of lists. :)

              pfSense CE 2.8.1

              • johnpoz LAYER 8 Global Moderator

                @chrcoluk said in Pfblocker blocks 8.8.8.8:

                which is supposed to be the safest set of lists. :)

                Safe in what sense ;) Safe in the sense that you would block possible bad IPs.. You could see pulling in a list of every known IP that has been reported as "bad" could be safe.

                Or safe in the sense that it won't have false entries ;) If that is how you want to use the word, then no, including every Tom, Dick and Harry IP that anyone reports is bad is prob not a good idea ;)

                That is not really a block list provided by isc, that is just a feed of IPs gotten through their API.. Just the top 1000 IPs reported? There is no validation of said IPs.. Just what has been reported.. That is asking for problems.. Only lists that are maintained and validated in some way should be used to be honest.. Even when they are wrong entries can be made.. Using some automated list of IPs that have been reported is going to be full of false entries.

                • chrcoluk

                  Safe from false entries of course, the list itself even says it's not a block list, so not sure what it is doing under the pri1 section of pfblockerng.

                  • johnpoz LAYER 8 Global Moderator

                    Is it listed there.. I only see these under the ISC pri1 list

                    list.png

                    I don't see 8.8.8.8 in any of those..

                    What exact default list is it under? I don't use pfblocker to do any sort of auto rules.. What specific "default" that pfblocker list uses.. Happy to look and see.. There have been a few of these posts.. And not exactly which is the feed that contains this.. It's not under the ISC pr1 feed.

                    Should a list of top 1000 reported IPs be under what is termed a "safe" feed to use (pr1) - I would agree that would be a bad idea. But pfblocker doesn't really have control over what the maintainer of some list might add to its feeds.. It can only list feeds you can use if you want.

                    And there is a big warning where you pick which lists you want to use
                    "Disclaimer: Use of the Feed(s) below are at your own risk! "

                    • Bob.Dig LAYER 8 @johnpoz

                      @johnpoz It is or was the already mentioned one and pri1 shouldn't include this.

                      Capture.JPG

                      • johnpoz LAYER 8 Global Moderator

                        Which pri1 includes this?

                        I do not see any list called ISC_1000_30 on my pri1 lists?

                        lists.png

                        • Bob.Dig LAYER 8 @johnpoz

                          @johnpoz Then it was finally removed after weeks of havoc. I noticed an update for pfBlocker this morning. Or in other ways, don't know how pfBlocker is handling the feeds.

                          @BBcan177 Thanks! 👍

                          • johnpoz LAYER 8 Global Moderator

                            I am curious if once the feed is removed from the possible PR1 feeds, does it auto remove it from your specific selections, or will users have to make sure they remove it from their selection feeds?

                            I would assume the latter

                            • jdeloach @johnpoz

                              @johnpoz said in Pfblocker blocks 8.8.8.8:

                              I am curious if once the feed is removed from the possible PR1 feeds, does it auto remove it from your specific selections,

                              The answer to that is NO, since pfBlocker downloads/updates from the URL specified for the source website for that list.

                              or will users have to make sure they remove it from their selection feeds?

                              YES, since pfBlocker updates from the URL specified for the source website for that list.

                              • Bob.Dig LAYER 8 @jdeloach

                                @jdeloach @johnpoz True, just tested it myself. I installed a backup from yesterday, then enabled that list and made updates. After that I installed the update of pfBlocker, but it looked to me, that the "faulty" feed was already gone before that update... but sure not in my installation of pfBlocker, so I had to remove it manually.

                                • chrcoluk

                                  John, it is in internet storm centre, but my pfblockerng has an outstanding update so maybe that's why I still see it there, it's good if it got moved off it.

                                  pfblockerpri1.png

                                  • johnpoz LAYER 8 Global Moderator

                                    yeah must have changed, because that is no longer the case..

                                    I'm running 2.2.5_36 of pfBlockerNG-devel

                                    None of those should really have ever been any sort of feed you could use.. They clearly state they only provide 1 block list.

                                    https://isc.sans.edu/xml.html
                                    Why Should I Not Use the "Top 100" data as blocklist?

                                    Our primary purpose is to collect data for network security research. In order to fulfill this role, we collect data "as is" with little filtering. Filters are applied to the raw data for specific purposes, but we cannot delete data from our raw database without compromising the data integrity.

                                    Our data does include false positives, and we will not remove them. It would make it harder to observe long term trends. If a report is a false positive or not depends to a large extent on the question being asked.

                                    We offer one blocklist, and one blocklist only (https://isc.sans.edu/block.txt). Unlike for our other lists, we will remove IPs from this blocklist if asked to.

                                    • AKEGEC

                                      I think you should not upgrade your pfblockerng before you install the new pfsense version (like 2.5). 👏

                                      • bolvar @AKEGEC

                                        @AKEGEC

                                        Hi
                                        I have not upgraded my pfsense, my pfblocker was not the latest, but now I have upgraded it, and the problem still exists. 2.2.5_36.
                                        The problem still exists, if I unlock the IP, it works for the next cron update... I don't get it why the google dns block is now okay.

                                        • johnpoz LAYER 8 Global Moderator

                                          You need to look in your actual aliases.. Once you add a feed to your list, it's in your list.. Even if it was removed from possible choices of feeds.

                                          While I am not a pfblocker expert by any means..

                                          I would check say here, and validate that 1000 feed is not being pulled

                                          lists.png

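The check discussed in this thread (confirming that none of the feeds you actually pull contain an address you depend on, such as 8.8.8.8 or 1.1.1.1) can be automated before a feed is loaded into a deny alias. The following is an added example, not part of the thread and not pfBlockerNG code; the function names, the `PROTECTED` list and the sample feed contents are constructed for illustration, and zero-padded octets are handled on the assumption that some feeds format addresses that way.

```python
import ipaddress

# Assumption: addresses this network must always be able to reach.
PROTECTED = ["8.8.8.8", "8.8.4.4", "1.1.1.1"]

# Constructed sample feeds (documentation ranges plus the thread's false positives).
SAMPLE_FEEDS = {
    "reported_sources": "# constructed sample\n203.0.113.7\n008.008.008.008\n198.51.100.0/24\n",
    "curated_blocklist": "192.0.2.0/24\t# constructed sample\n2001:db8::/32\n",
    "wide_range": "1.1.0.0/16\n",
}

def normalize(token):
    """Strip zero-padding from IPv4 octets, which recent Python versions reject."""
    addr, _, prefix = token.partition("/")
    if ":" not in addr and addr.count(".") == 3:
        addr = ".".join(str(int(o)) if o.isdigit() else o for o in addr.split("."))
    return addr + ("/" + prefix if prefix else "")

def parse_feed(text):
    """Yield (line_no, network) for every address or CIDR entry in a feed."""
    for line_no, raw in enumerate(text.splitlines(), 1):
        entry = raw.split("#", 1)[0].strip()
        if not entry:
            continue  # blank line or comment
        try:
            yield line_no, ipaddress.ip_network(normalize(entry.split()[0]), strict=False)
        except ValueError:
            continue  # header or other non-address text

def audit_feeds(feeds, protected=PROTECTED):
    """Return (feed, line_no, entry, protected_ip) for each entry covering a protected IP."""
    targets = [ipaddress.ip_address(p) for p in protected]
    hits = []
    for name, text in feeds.items():
        for line_no, net in parse_feed(text):
            for ip in targets:
                if ip.version == net.version and ip in net:
                    hits.append((name, line_no, str(net), str(ip)))
    return hits

if __name__ == "__main__":
    for feed, line_no, entry, ip in audit_feeds(SAMPLE_FEEDS):
        print(f"{feed}:{line_no}: {entry} would block {ip}")
```

Because the check works on CIDR containment rather than string matching, it also flags a broad range that swallows a protected address, not only an exact listing.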