Netgate Discussion Forum

    uceprotect and pfBlocker

    • Bob.DigB
      Bob.Dig LAYER 8
      last edited by Bob.Dig

      Noob here. Whenever I check my logs for unwanted connections, those IPs are listed in dnsbl-1.uceprotect, according to dnslytics.com.
      My attempts to add that list with RSYNC failed.

      How can I use uceprotect with pfBlockerNG?

      • GertjanG
        Gertjan @Bob.Dig
        last edited by Gertjan

        @bob-dig said in uceprotect and pfBlocker:

        RSYNC failed.

        Can you access the console, or SSH, option 8, and do

        ls -al /usr/local/bin/rsync
        

        Mine shows :

        ls: /usr/local/bin/rsync: No such file or directory
        

        Which means /usr/local/pkg/pfblockerng/pfblockerng.inc uses rsync, here :

        Line 3187 :

        ....
        	if ($format == 'rsync') {
        		$result = exec("/usr/local/bin/rsync --timeout=5 {$list_url} {$file_dwn}.raw");
        		if ($result == 0) {
        ....
        

        But rsync doesn't exist on your system ....

        This solves the issue - for me :

        pkg install rsync
        

        Now, things go much better :
        (a snip from the forced update log)

        [ dnsbl3uceprotectnet_v4 ]	 Downloading update .. completed ..
        
          Aggregation Stats:
          ------------------
          Original Final      
          ------------------
          4177     1600       
          ------------------
        

        A note for @BBcan177 : on a default 2.4.5-p1 pfSense there is no rsync.

        No "help me" PM's please. Use the forum, the community will thank you.
        Edit : and where are the logs ??

        • viktor_gV
          viktor_g Netgate @Gertjan
          last edited by

          @gertjan said in uceprotect and pfBlocker:

          /usr/local/bin/rsync

          on 2.5 too

          https://redmine.pfsense.org/issues/11152

          • Bob.DigB
            Bob.Dig LAYER 8
            last edited by Bob.Dig

            For me it still fails after adding rsync.

            PfB_uceprotect_v4 Table
            IP Address 	
            127.1.7.7 
            

            • GertjanG
              Gertjan
              last edited by

              See your list.
              When you use
              f9ffd8b4-bd97-4f5f-bb17-1c79d8ebc791-image.png

              rsync will download multiple (all the !) files.
              This confuses pfBlocker.

              Try it out for yourself
              SSH into your pfSense and :

              mkdir test
              cd test
              rsync -avz rsync-mirrors.uceprotect.net::RBLDNSD-ALL .
              ls -al
              

              See your http://www.uceprotect.net/en/index.php?m=6&s=10 - and pick one.
              Like rsync-mirrors.uceprotect.net::RBLDNSD-ALL/dnsbl-1.uceprotect.net

              That works for me.

              • Bob.DigB
                Bob.Dig LAYER 8 @Gertjan
                last edited by

                @gertjan Thank you for actually helping me out. Now I can unblock the world again. 🙂

                • BBcan177B
                  BBcan177 Moderator @Bob.Dig
                  last edited by

                  @bob-dig

                  These feeds will be a good addition to the Mail Server Feeds. There is a commit to add rsync which will be in the next version.

                  However, these feeds are not compatible as-is. There are comment lines at the top of the feed which are prefixed with a "#" which are ok, but there are lines like these:

                  $SOA 3600 dnsbl-mirrors.uceprotect.net sonderlocke.fast9.uceprotect.net 2020121204 3600 3600 86400 120
                  :127.0.0.2: IP $ is UCEPROTECT-Level 1 listed. See http://www.uceprotect.net/rblcheck.php?ipr=$
                  127.0.0.2  Test Record. UCEPROTECT.NET LEVEL 1 List is active.
                  !127.0.0.1
                  !10.0.0.0/8
                  !172.16.0.0/12
                  !192.168.0.0/16
                  

                  So the IP Regex parser will add these IPs to be blocked. So before these feeds are used, the IP parser needs to be coded to ignore these types of lines, otherwise you will shoot yourself in the foot. Unfortunately, they don't provide a clean txt formatted file.

                  Will try to get this in the next version.

                  Note:

                  They also have these files in the same format (still needs the IP parser fixed) that can be downloaded with cURL without the need for RSYNC:

                  http://wget-mirrors.uceprotect.net/

                  "Experience is something you don't get until just after you need it."

                  Website: http://pfBlockerNG.com
                  Twitter: @BBcan177  #pfBlockerNG
                  Reddit: https://www.reddit.com/r/pfBlockerNG/new/
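
Added example, not part of the original post and not pfBlockerNG's own code: a Python sketch of the parsing problem described above, run over the quoted header lines plus two constructed listings from documentation ranges. `naive_extract` is a hypothetical stand-in for a regex-only extractor (not the actual pfBlockerNG regex); `parse_feed` assumes that lines starting with `#`, `$`, `:` or `!` are never listings and keeps a hard-coded never-block list as a second check.

```python
import ipaddress
import re

# Constructed sample: the header lines quoted in the post above, plus two
# made-up listings taken from documentation ranges (RFC 5737).
SAMPLE_FEED = """\
# constructed comment line
$SOA 3600 dnsbl-mirrors.uceprotect.net sonderlocke.fast9.uceprotect.net 2020121204 3600 3600 86400 120
:127.0.0.2: IP $ is UCEPROTECT-Level 1 listed. See http://www.uceprotect.net/rblcheck.php?ipr=$
127.0.0.2  Test Record. UCEPROTECT.NET LEVEL 1 List is active.
!127.0.0.1
!10.0.0.0/8
!172.16.0.0/12
!192.168.0.0/16
192.0.2.15
198.51.100.0/24
"""

# Ranges that must never reach a block table, whatever the feed says.
NEVER_BLOCK = [ipaddress.ip_network(n) for n in
               ("127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

IP_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}(?:/\d{1,2})?")


def naive_extract(text):
    """Illustrative regex-only extraction: first IP-looking token per line."""
    return [m.group(0) for m in map(IP_RE.search, text.splitlines()) if m]


def parse_feed(text):
    """Return (block, skipped) for an rbldnsd-style feed."""
    block, skipped = [], []
    for line in filter(None, map(str.strip, text.splitlines())):
        # '#' comment, '$' directive, ':' default-value line, '!' exclusion:
        # none of these is a listing.
        if line[0] in "#$:!":
            skipped.append((line, "not a listing"))
            continue
        try:
            net = ipaddress.ip_network(line.split()[0], strict=False)
        except ValueError:
            skipped.append((line, "unparseable"))
            continue
        if any(net.overlaps(n) for n in NEVER_BLOCK):
            skipped.append((line, "reserved range"))  # e.g. the test record
            continue
        block.append(net)
    return block, skipped
```

On the sample, `naive_extract` returns the loopback and RFC 1918 entries alongside the real listings, while `parse_feed` returns only the two listings and records why each other line was dropped.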

                  • Bob.DigB
                    Bob.Dig LAYER 8 @BBcan177
                    last edited by Bob.Dig

                    @bbcan177 That is great news, thank you.

                    Looking at that table on my pfSense, there are none of these private IP-Ranges in there. Maybe I am just lucky.

                    • Bob.DigB
                      Bob.Dig LAYER 8
                      last edited by Bob.Dig

                      Old topic but I noticed some problems.

                      If I use rsync I get an error:

                      rsync-mirrors.uceprotect.net::RBLDNSD-ALL/dnsbl-1.uceprotect.net
                      dnsbl1
                      [ dnsblOne_v4 ]			 Downloading update .
                       RSYNC Failed...
                      [ pfB_UCEPROTECTNetwork_v4 - dnsblOne_v4 ] Download FAIL [ 08/5/23 10:14:49 ]
                      Cannot Resolve Host:  DNSBL, Firewall, and IDS (Legacy mode only) are not blocking download.
                      The Following List has been REMOVED [ dnsblOne_v4 ]
                      

                      Something is not working as intended, at least I can resolve rsync-mirrors.uceprotect.net without a problem on pfSense.

                      If I am switching to the WGET-lists, on my two pfSense boxes I get different sized tables. One has 22,402 records, the other has 12,288 records.
                      If I download the list with the browser, I get roughly 80,000 records.

                      So my guess is, this format is still not compatible with pfBlocker?

                      But what is up with the first problem I mentioned with rsync?

                      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.