pfBlockerNG 2.1x - fix for Talos feed and Cloudflare 1.1.1.1 DNS
-
A while back I found an issue with the curl User-Agent vs. Cloudflare, which protects the Talos feed. https://forum.netgate.com/topic/143035/feed-update-issue-talos/9
This causes the Talos feed (aka Snort blocklist / blacklist) to fail to download with a cryptic "Firewall and/or IDS are not blocking download." error.
[ snort_bl2 ] Downloading update [ 03/06/21 15:39:07 ] .. 403 Forbidden
[ pfB_snort_bl - snort_bl2 ] Download FAIL
Firewall and/or IDS are not blocking download.
The Following list has been REMOVED [ snort_bl2 ]
The recent pfBlockerNG releases from the 2.1 series (2.1.4_23 for pfSense 2.4.5 & 2.1.4_25 for pfSense 2.5.0) have a regression that brought back the circa 2015 Chrome version 43 User-Agent string, which causes Cloudflare to block the request due to an outdated web browser.
Additionally, I detailed that the "empty list" function's use of 1.1.1.1 as a placeholder breaks the use of Cloudflare DNS if you've got the empty list set to block both ways.
Curiously, 1.1.1.1 is still used in empty lists to this day despite Cloudflare DNS' widespread adoption, especially in this community, as they're a premier DoH / DoT provider.
My suggestion is to use the RFC 5737 compliant 192.0.2.0 instead of 1.1.1.1. 192.0.2.0 is an unroutable address reserved for documentation, and seems ideal for this use as it's outside the normal RFC 1918 private ranges.
The attached diff file fixes both issues, and applies cleanly to both _23 and _25. This patch changes the 1.1.1.1 instances to 192.0.2.0. Additionally, it simply updates the User-Agent from Chrome 43 to Chrome 89; in my personal use I set the User-Agent to plain 'curl', which also works.
To apply this diff,
- scp/sftp this file to your pfSense box, I place it in /root (root's home directory).
- ssh to your pfSense box, and select option 8 for Shell
- at the shell type the following command:
patch -p0 < pfblockerng_2.1.4_23.diff
- type exit to leave the shell, this will return you to the menu
- from the menu select option 16 for Restart PHP-FPM
- from the menu select option 0 to disconnect from ssh
Note: Restart PHP-FPM doesn't seem necessary anymore, but I still do it just-in-case.
The output should look like this:
Hmm...  Looks like a new-style context diff to me...
The text leading up to this was:
--------------------------
|*** /usr/local/pkg/pfblockerng/pfblockerng.sh.orig	Mon Mar 30 21:19:43 2020
|--- /usr/local/pkg/pfblockerng/pfblockerng.sh	Mon Mar 30 21:21:50 2020
--------------------------
Patching file /usr/local/pkg/pfblockerng/pfblockerng.sh using Plan A...
Hunk #1 succeeded at 115.
Hunk #2 succeeded at 989.
Hmm...  The next patch looks like a new-style context diff to me...
The text leading up to this was:
--------------------------
|*** /usr/local/pkg/pfblockerng/pfblockerng.inc.orig	Mon Mar 30 21:19:35 2020
|--- /usr/local/pkg/pfblockerng/pfblockerng.inc	Mon Mar 30 21:20:44 2020
--------------------------
Patching file /usr/local/pkg/pfblockerng/pfblockerng.inc using Plan A...
Hunk #1 succeeded at 733.
Hunk #2 succeeded at 3792.
Hunk #3 succeeded at 4071.
Hunk #4 succeeded at 4482.
Hmm...  The next patch looks like a new-style context diff to me...
The text leading up to this was:
--------------------------
|*** /usr/local/pkg/pfblockerng/pfblockerng.inc.orig	Sat Mar  6 09:53:00 2021
|--- /usr/local/pkg/pfblockerng/pfblockerng.inc	Sat Mar  6 09:49:45 2021
--------------------------
Patching file /usr/local/pkg/pfblockerng/pfblockerng.inc using Plan A...
Hunk #1 succeeded at 115.
done
edit: renamed file to _23
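As an added example (not code from the post above, from the attached diff, or from pfBlockerNG itself), here is a small POSIX shell audit that does the placeholder half of what the diff does in a checkable way: it counts the lines of a file that carry 1.1.1.1 as a whole address, rewrites them to an RFC 5737 documentation address while refusing any other target, and pulls the Chrome major version out of a User-Agent string so a stale one can be spotted. The sample file it operates on is constructed for the demo; how the real pfblockerng.inc stores the placeholder is an assumption here, so on a real box run the count before and after and diff against the .orig copy.

```shell
#!/bin/sh
# Added example; this is not code from the forum post, the attached diff, or
# pfBlockerNG itself. It audits a pfBlockerNG-style file for the hardcoded
# 1.1.1.1 "empty list" placeholder and rewrites it to an RFC 5737
# documentation address, refusing any other target. The sample file built at
# the bottom is constructed for the demo and does not mirror the real
# pfblockerng.inc.

# Matches 1.1.1.1 as a whole address only: 1.1.1.10, 11.1.1.1 and 1.1.1.1.1
# are left alone. Written for grep -E / sed -E (POSIX ERE).
PH_RE='(^|[^0-9.])1\.1\.1\.1([^0-9.]|$)'

# Succeeds when $1 is inside one of the three RFC 5737 documentation ranges
# (192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24) and is a well-formed
# dotted quad.
is_rfc5737() {
    case "$1" in
        *.*.*.*.*) return 1 ;;
        192.0.2.*|198.51.100.*|203.0.113.*) ;;
        *) return 1 ;;
    esac
    last="${1##*.}"
    case "$last" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$last" -le 255 ]
}

# Prints how many lines of file $1 still carry the 1.1.1.1 placeholder.
count_placeholder() {
    grep -cE "$PH_RE" "$1" || true
}

# Rewrites every 1.1.1.1 placeholder in file $1 to address $2, keeping the
# untouched original as $1.orig. The substitution runs twice because two
# placeholders separated by a single character share the boundary the first
# match consumes (e.g. "1.1.1.1 1.1.1.1"); the second pass catches the one
# the first pass had to skip.
rewrite_placeholder() {
    file="$1"
    new="$2"
    if ! is_rfc5737 "$new"; then
        echo "refusing: $new is not an RFC 5737 documentation address" >&2
        return 1
    fi
    sed -E -i.orig "s/$PH_RE/\\1$new\\2/g; s/$PH_RE/\\1$new\\2/g" "$file"
}

# Extracts the Chrome major version from a User-Agent string; prints nothing
# if the string has no Chrome/NN token. Useful for spotting a stale string
# such as the Chrome 43 one the post describes.
chrome_major() {
    printf '%s\n' "$1" | sed -nE 's#.*Chrome/([0-9]+)\..*#\1#p'
}

# --- demo on a constructed sample file (not a real pfblockerng.inc) ---
sample=$(mktemp)
printf '%s\n' \
    "\$empty_list = '1.1.1.1';" \
    "1.1.1.1 1.1.1.1" \
    "1.1.1.10 and 11.1.1.1 are different addresses" > "$sample"
echo "before: $(count_placeholder "$sample") line(s) with 1.1.1.1"
rewrite_placeholder "$sample" 192.0.2.0
echo "after:  $(count_placeholder "$sample") line(s) with 1.1.1.1"
cat "$sample"
rm -f "$sample" "$sample.orig"
```

The `sed -i.orig` form (suffix attached to the option) is accepted by both GNU sed and the FreeBSD sed on pfSense, so the same function works on a Linux test box and on the firewall. The refusal in `rewrite_placeholder` is the point of the exercise: a blackhole placeholder should never be something a user might actually want to reach, and RFC 5737 space is the one class of addresses guaranteed not to be.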
-
@neoaeon said in pfBlockerNG 2.1x - fix for Talos feed and Cloudflare 1.1.1.1 DNS:
My suggestion is to use the RFC 5737 compliant 192.0.2.0 instead of 1.1.1.1.
Hi,
we start this at the beginning
one.one.one.one + DoT - same thing like that
BTW:
yes, the suggested version is according to the package maintainer @BBcan177
pfBlockerNG-devel
https://www.patreon.com/pfBlockerNG
+++edit:
this is not your version -
Upgrade to pfBlockerNG-devel where these are both addressed already.
-
@bbcan177 said in pfBlockerNG 2.1x - fix for Talos feed and Cloudflare 1.1.1.1 DNS:
Upgrade to pfBlockerNG-devel where these are both addressed already.
Understood.
However, please understand the 2.1x series is still alive and being maintained and, due to its lack of a -devel tag, is recognized as the stable production version.
Additionally, any site still on 2.4.5-p1 waiting for the release after major (e.g. 2.5.0-p1/2.5.1) isn't going to run -devel anything.
-
@neoaeon said in pfBlockerNG 2.1x - fix for Talos feed and Cloudflare 1.1.1.1 DNS:
Understood.
However, please understand the 2.1x series is still alive and being maintained
Hey Bro,
this is not relevant
the non-DEVEL version is not actively maintained
please switch to DEVEL
Hey @BBcan177 , why don't you run out older versions?
I read some stupid explanation about this (old version pfBlocker) somewhere, but is it?
-
@daddygo said in pfBlockerNG 2.1x - fix for Talos feed and Cloudflare 1.1.1.1 DNS:
Hey Bro,
this is not relevant
the non-DEVEL version is not actively maintained
please switch to DEVEL
Hey @BBcan177 , why don't you run out older versions?
I read some stupid explanation about this (old version pfBlocker) somewhere, but is it?
There are so many moving parts that it's hard to find the right window to push devel -> stable.... Let's see how it goes over the next few months.
-
@bbcan177 said in pfBlockerNG 2.1x - fix for Talos feed and Cloudflare 1.1.1.1 DNS:
There are so many moving parts that it's hard to find the right window to push devel -> stable.... Let's see how it goes over the next few months.
Hey....
.... so you're saying what you haven't so far?
I think and in my experience the DEVEL is fit, but is that not clear?
so what do you recommend to write here, pls
BTW:
many get lost in the jungle
-
@daddygo said in pfBlockerNG 2.1x - fix for Talos feed and Cloudflare 1.1.1.1 DNS:
Hey Bro,
this is not relevant
Despite my desire to not feed trolls, I'll bite
I disagree.
the non-DEVEL version is not actively maintained
Wrong.
https://github.com/pfsense/FreeBSD-ports/commits/devel/net/pfSense-pkg-pfBlockerNG
please switch to DEVEL
Nah, I'll keep providing support to anyone who wants to use the current production version.
Hey @BBcan177 , why don't you run out older versions?
I read some stupid explanation about this (old version pfBlocker) somewhere, but is it?
In spite of your lack of tact, you may have a point there.
@BBcan177, we emailed offline almost 3 years ago, while you were private beta-ing the 3 series. Apologies I never got around to providing feedback.
I provided a similar patch back then that was rejected.
I still maintain IMHO the use of 1.1.1.1 is and was inappropriate, in defiance of established practice and RFC, and unjustifiable to continue. Most especially in the face of the current landscape where 1.1.1.1 went from obscurity and common example language to top destination in the time between then and now. https://en.wikipedia.org/wiki/1.1.1.1#Prior_usage_of_the_IP_address
It's been quite awhile since you've been pushing folks away from the 2 series, why isn't 2.1x -legacy or something so 3.0 can drop the -devel tag?
I see your post below; Even absent dropping the -devel tag, -legacy could help in your endeavors to distance from the 2 series. Or even switching the 3 series to -current or something.
FYI, in nearly any regulated environment the presence of development code / developer tools on a production box is a finding. That -devel tag is begging to get anyone in Industrial, Energy, Healthcare, Finance, Government, etc smacked on their next vulnerability assessment.
-
@neoaeon said in pfBlockerNG 2.1x - fix for Talos feed and Cloudflare 1.1.1.1 DNS:
I see your post below; Even absent dropping the -devel tag, -legacy could help in your endeavors to distance from the 2 series. Or even switching the 3 series to -current or something.
FYI, in nearly any regulated environment the presence of development code / developer tools on a production box is a finding. That -devel tag is begging to get anyone in Industrial, Energy, Healthcare, Finance, Government, etc smacked on their next vulnerability assessment.
I hear you, and this is just one of many items that have changed in devel which should be committed to Release.
But understand that I do this all on my own free time. Developing and supporting the package is like a full time job.
Devel will become the next Release. It's just a timing issue with all the other flux that has taken place in its development. I try my best to support and develop this package on my own. It's a lot of work and I have carved out more time for my family as time is not limitless.
Pull Requests are always welcome.
Let's see how it goes over the next few months.
-
@bbcan177 said in pfBlockerNG 2.1x - fix for Talos feed and Cloudflare 1.1.1.1 DNS:
It's a lot of work and I have carved out more time for my family as time is not limitless.
I feel ya man, that's one of the only silver linings to this pandemic, more telework leading to increasing work/life balance. I wish you the best of luck on that front!
Pull Requests are always welcome.
I'm firmly on the Ops side these days, been a minute since I did anything more than play with git. But I'll take a look.
-
@bbcan177 said in pfBlockerNG 2.1x - fix for Talos feed and Cloudflare 1.1.1.1 DNS:
> I hear you
Man, I'm with you, you communicate poorly, these people believe in you, so in nothing else. OPEN SOURCE