IP source definition feed excludes RFC1918 IPs, Suppression setting is disabled.
Fairly inexperienced with pfBlockerNG, apologies if this is an obvious user error. Issues are observed on pfBlockerNG (2.1.4_25) and pfBlockerNG-devel (3.0.0_15).
Environment is a reasonably complex cybersecurity lab. All hosts are RFC1918, spread across multiple subnets. On a Linux host behind a 1:1 NAT on the pfSense, I am running a very basic honeypot that logs any IP connecting to a specified port and outputs the IPs (one per line, no formatting) to a web page that is specified as an IPv4 Source Definition for pfBlockerNG.
pfBlockerNG Update tab shows:
[ BLOCK_v4 ] Downloading update .. 200 OK. completed .. [ pfB_BLOCK_v4 ] No IPs found! Ensure only IP based Feeds are used! ]
All of the IPs in the honeypot feed are RFC1918 addresses. If I manually insert a couple of public IP addresses, pfBlockerNG picks those up and filters the rest. E.g.:
Updating: pfB_BLOCK_v4
2 addresses added.2 addresses deleted.
===[ FINAL Processing ]=====================================
[ Original IP count ] [ 288 ]
[ Final IP Count ] [ 2 ]
Autogenerated rule "pfB_BLOCK_v4" shows only the 2 public IPs that were unfiltered from the feed. I've double-checked that IP Configuration-->Suppression is DISABLED and that there are no odd formatting or whitespace issues in the feed file. pfSense console can curl the IP block list without issues.
My objective is to parse/load all IPs (private and public) in the IPv4 Source Definition feed.
Hoping I am missing something obvious; any suggestions are much appreciated!
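
One way to audit a one-IP-per-line feed like the one described above, as an added example that is not part of the original post and not pfBlockerNG's own code: it buckets each line as public, RFC1918, other non-public or malformed and flags stray whitespace, so the public count can be compared with the "Final IP Count" in the update log. The function names and the sample feed are constructed for illustration.

```python
import ipaddress

# The three RFC 1918 private IPv4 ranges.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def classify(entry):
    """Classify one already-stripped feed entry."""
    try:
        addr = ipaddress.IPv4Address(entry)
    except ValueError:
        return "malformed"
    if any(addr in net for net in RFC1918):
        return "rfc1918"
    # Loopback, link-local, CGNAT, documentation ranges and similar.
    return "public" if addr.is_global else "other_non_public"


def audit_feed(text):
    """Bucket every line of a one-IP-per-line feed and flag stray whitespace."""
    report = {"public": [], "rfc1918": [], "other_non_public": [],
              "malformed": [], "untidy_lines": []}
    for lineno, raw in enumerate(text.split("\n"), start=1):
        entry = raw.strip()
        if not entry:
            continue
        if raw != entry:
            # Trailing CR, tabs or spaces are invisible in a browser.
            report["untidy_lines"].append(lineno)
        report[classify(entry)].append(entry)
    return report


# Constructed sample feed (not data from the post): lab addresses, two
# public addresses, one CRLF line ending, a loopback and one bad entry.
SAMPLE_FEED = ("10.1.20.7\n192.168.50.12\r\n172.16.4.9\n"
               "8.8.8.8\n1.1.1.1\n127.0.0.1\n10.1.20.300\n")

if __name__ == "__main__":
    result = audit_feed(SAMPLE_FEED)
    parsed = sum(len(result[k]) for k in
                 ("public", "rfc1918", "other_non_public", "malformed"))
    print(f"entries: {parsed}, public: {len(result['public'])}")
    for bucket, values in result.items():
        print(f"{bucket:17} {values}")
```

Run against the real feed by passing the downloaded text to `audit_feed`; an "Original IP count" that matches the total and a "Final IP Count" that matches only the public bucket indicates the drop is range-based rather than a formatting problem.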