uceprotect and pfBlocker
-
Noob here. Whenever I check my logs for unwanted connections, those IPs are listed in dnsbl-1.uceprotect, according to dnslytics.com.
My attempts to add that list with RSYNC failed. How can I use uceprotect with pfBlockerNG?
-
@bob-dig said in uceprotect and pfBlocker:
RSYNC failed.
Can you access the console, or SSH, option 8, and do
ls -al /usr/local/bin/rsync
Mine shows :
ls: /usr/local/bin/rsync: No such file or directory
Which means /usr/local/pkg/pfblockerng/pfblockerng.inc uses rsync, here :
Line 3187 :
....
if ($format == 'rsync') {
    $result = exec("/usr/local/bin/rsync --timeout=5 {$list_url} {$file_dwn}.raw");
    if ($result == 0) {
....
But rsync doesn't exist on your system ....
This solves the issue - for me :
pkg install rsync
Now, things go much better :
(a snip from the forced update log)
[ dnsbl3uceprotectnet_v4 ] Downloading update .. completed ..
Aggregation Stats:
------------------
Original Final
------------------
4177 1600
------------------
A note for @BBcan177 : on a default 2.4.5-p1 pfSense there is no rsync.
-
@gertjan said in uceprotect and pfBlocker:
/usr/local/bin/rsync
on 2.5 too
https://redmine.pfsense.org/issues/11152
-
For me it still fails after adding rsync.
PfB_uceprotect_v4 Table IP Address 127.1.7.7
-
See your list.
When you use
rsync will download multiple (all the !) files.
This confuses pfBlocker. Try it out for yourself.
SSH into your pfSense and :
mkdir test
cd test
rsync -avz rsync-mirrors.uceprotect.net::RBLDNSD-ALL .
ls -al
See your http://www.uceprotect.net/en/index.php?m=6&s=10 - and pick one.
Like rsync-mirrors.uceprotect.net::RBLDNSD-ALL/dnsbl-1.uceprotect.net
That works for me.
-
@gertjan Thank you for actually helping me out. Now I can unblock the world again.
-
These feeds will be a good addition to the Mail Server Feeds. There is a commit to add rsync which will be in the next version.
However, these feeds are not compatible as-is. There are comment lines at the top of the feed which are prefixed with a "#" which are ok, but there are lines like these:
$SOA 3600 dnsbl-mirrors.uceprotect.net sonderlocke.fast9.uceprotect.net 2020121204 3600 3600 86400 120
:127.0.0.2: IP $ is UCEPROTECT-Level 1 listed. See http://www.uceprotect.net/rblcheck.php?ipr=$
127.0.0.2 Test Record. UCEPROTECT.NET LEVEL 1 List is active.
!127.0.0.1
!10.0.0.0/8
!172.16.0.0/12
!192.168.0.0/16
So the IP Regex parser will add these IPs to be blocked. So before these feeds are used, the IP parser needs to be coded to ignore these types of lines, otherwise you will shoot yourself in the foot. Unfortunately, they don't provide a clean txt formatted file.
Will try to get this in the next version.
Note:
They also have these files in the same format (still needs the IP parser fixed) that can be downloaded with cURL without the need for RSYNC:
http://wget-mirrors.uceprotect.net/
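An added example, not part of the original post and not pfBlockerNG's code: a pre-filter for the feed layout quoted above, shown beside a plain IP regex pass that would pick up the test record and the "!" ranges. The function names, the stand-in regex and the last three sample entries are assumptions made for this illustration.

```python
import ipaddress
import re

# Constructed sample in the layout quoted above. The last three entries are
# made-up listings (documentation ranges plus one private address).
SAMPLE_FEED = """\
# constructed sample, not real feed data
$SOA 3600 dnsbl-mirrors.uceprotect.net sonderlocke.fast9.uceprotect.net 2020121204 3600 3600 86400 120
:127.0.0.2: IP $ is UCEPROTECT-Level 1 listed. See http://www.uceprotect.net/rblcheck.php?ipr=$
127.0.0.2 Test Record. UCEPROTECT.NET LEVEL 1 List is active.
!127.0.0.1
!10.0.0.0/8
!172.16.0.0/12
!192.168.0.0/16
192.0.2.15
198.51.100.0/24
10.1.2.3
"""

def naive_extract(text):
    """Stand-in for a plain IP regex pass (assumed, not pfBlockerNG's regex)."""
    return re.findall(r"\d{1,3}(?:\.\d{1,3}){3}(?:/\d{1,2})?", text)

def parse_feed(text):
    """Split feed lines into listed and '!'-excluded networks."""
    listed, excluded = [], []
    for raw in text.splitlines():
        line = raw.strip()
        # '#' comments, '$' directives and ':' default-value lines hold no listings
        if not line or line[0] in "#$:":
            continue
        fields = line.lstrip("!").split()
        try:
            net = ipaddress.ip_network(fields[0], strict=False)
        except (IndexError, ValueError):
            continue  # first field is not an address or CIDR
        (excluded if line.startswith("!") else listed).append(net)
    return listed, excluded

def blockable(text):
    """Listed networks that are safe to load into a block table."""
    listed, excluded = parse_feed(text)
    # Conservative: drop the loopback test record and any entry that touches
    # a range the feed itself excludes with '!'.
    return [str(n) for n in listed
            if not n.is_loopback and not any(n.overlaps(x) for x in excluded)]

if __name__ == "__main__":
    print("naive regex :", naive_extract(SAMPLE_FEED))
    print("filtered    :", blockable(SAMPLE_FEED))
```

Comparing the two outputs before enabling a feed shows whether loopback or RFC 1918 ranges would end up in the block table.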
-
@bbcan177 That is great news, thank you.
Looking at that table on my pfSense, there are none of these private IP-Ranges in there. Maybe I am just lucky.
-
Old topic but I noticed some problems.
If I use rsync I get an error:
rsync-mirrors.uceprotect.net::RBLDNSD-ALL/dnsbl-1.uceprotect.net dnsbl1
[ dnsblOne_v4 ] Downloading update . RSYNC Failed...
[ pfB_UCEPROTECTNetwork_v4 - dnsblOne_v4 ] Download FAIL [ 08/5/23 10:14:49 ]
Cannot Resolve Host: DNSBL, Firewall, and IDS (Legacy mode only) are not blocking download.
The Following List has been REMOVED [ dnsblOne_v4 ]
Something is not working as intended, at least I can resolve rsync-mirrors.uceprotect.net without a problem on pfSense.
If I am switching to the WGET-lists, on my two pfSense boxes I get different sized tables. One has 22,402 records, the other has 12,288 records.
If I download the list with the browser, I get roughly 80,000 records. So my guess is, this format is still not compatible with pfBlocker?
But what is up with the first problem I mentioned with rsync?