Netgate Discussion Forum
    Suppressing IP block in CIDRs other than /24 and /32

    pfBlockerNG
    • Andrew453

      pfBlockerNG is currently blocking an IP that's in a CIDR /14 entry in one of the blocklists:

      Note: The following IPv4 was blocked:

      Blocked IP:  [ 50.17.92.55 ]
      Evaluated IP:  [ 50.16.0.0/14 ]

      IP Aliasname: [ pfB_iBlockList_v4 ]
      IP Feedname:  [ BadPeers_v4 ]

      I need to whitelist it.

      I understand that pfBlockerNG has a limitation that the suppress lists only work on /24 and /32 (I assume because of the complexity of having to rewrite the lists if, say, you wanted to whitelist an individual IP in that range).

      But I can't see why I couldn't suppress the entire 50.16.0.0/14 entry. In other words, if 50.16.0.0/14 was specified in the suppress list, pfBlockerNG would just remove the entire line when it saw it when parsing the incoming feeds. Is this not possible at the moment?

      I understand I can add a permit alias and an associated firewall rule, but this isn't going to work for me. Positively allowing outbound access to an IP is not the same as removing it from the blocklist. This is because, in my setup, I have half a dozen or so rules (that sit underneath the pfBlocker rules) that determine whether or not an IP address can access the internet (including time-based rules etc.).

      If I put the whitelist alias rule above the pfBlockerNG rules, it's going to gazump all those other rules.

      • johnpoz (LAYER 8 Global Moderator) @Andrew453
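The two suppression behaviours discussed in this post, dropping a whole feed entry that matches a suppression entry and carving a single host out of a larger block, as an added Python example that is not pfBlockerNG's own code. The feed lines are constructed around the 50.16.0.0/14 entry quoted above, and the single-host case shows why rewriting a list that way is costly: removing one /32 from a /14 leaves 18 subnets behind.

```python
import ipaddress

# Constructed sample feed, modelled on the BadPeers_v4 entry quoted in the thread;
# the two small networks are RFC 5737 documentation ranges, not real list entries.
FEED_TEXT = """\
# comment lines and blank lines are skipped, as in a typical feed
50.16.0.0/14
198.51.100.0/24
203.0.113.7
"""

def parse_feed(text):
    """Parse one network per line; a bare address becomes a /32 host network."""
    return [ipaddress.ip_network(line.strip(), strict=False)
            for line in text.splitlines()
            if line.strip() and not line.lstrip().startswith("#")]

def apply_suppression(feed, suppress):
    """Return the feed with every suppressed network removed.

    A feed entry that equals, or lies entirely inside, a suppression entry is
    dropped whole (the /14 case asked for above). A feed entry that merely
    contains a suppression entry is split into the subnets around it, so only
    the suppressed part disappears (the list rewriting the post alludes to).
    """
    suppress = [ipaddress.ip_network(s, strict=False) for s in suppress]
    out = []
    for net in feed:
        pieces = [net]
        for s in suppress:
            nxt = []
            for p in pieces:
                if p.version != s.version or not p.overlaps(s):
                    nxt.append(p)                      # unrelated: keep as is
                elif p.subnet_of(s):
                    continue                           # fully covered: drop
                else:
                    nxt.extend(p.address_exclude(s))   # carve s out of p
            pieces = nxt
        out.extend(pieces)
    return sorted(out, key=lambda n: (n.version, int(n.network_address), n.prefixlen))

def is_blocked(nets, ip):
    """True if any network in nets contains the address string ip."""
    addr = ipaddress.ip_address(ip)
    return any(addr in n for n in nets)

if __name__ == "__main__":
    feed = parse_feed(FEED_TEXT)
    for label, sup in (("whole /14", ["50.16.0.0/14"]), ("single host", ["50.17.92.55"])):
        result = apply_suppression(feed, sup)
        print(f"suppress {label}: {len(result)} entries left, "
              f"50.17.92.55 still blocked = {is_blocked(result, '50.17.92.55')}")
```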

        @andrew453 said in Suppressing IP block in CIDRs other than /24 and /32:

        50.17.92.55

        I am just curious - I don't have an answer to your question, sorry. But I am really curious why an Amazon netblock would be listed on badpeers. That is quite possibly going to break shit users want to go to ;)

        Organization: Amazon Data Services NoVa (ADSN-1)

        That /14 is
        NetName: AMAZON-EC2-8

        I don't see using such a list that blocks such huge swaths of the internet that could be used by a huge amount of legit users.

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.8, 24.11

        • Andrew453 @johnpoz

          @johnpoz Yes quite! That's the reason I want to get rid of it. Amazon could be hosting anything. Some of it could be malicious I suppose, but then a lot of legitimate cloud based services are on there too. In my case, it's blocking some of those so I need to suppress it.

          • johnpoz (LAYER 8 Global Moderator) @Andrew453

            @andrew453 It's not clicking for me why you cannot whitelist what you need to allow above the list, if you cannot remove a specific item from the list with a suppression.

            Are you saying that you don't want this list to block it, but you might have others that would? That is really the only thing I can think of off the top of my head why a whitelist wouldn't work.


            • Andrew453 @johnpoz

              @johnpoz In my firewall rules, I have the dozen or so pfBlockerNG auto rules corresponding to the feeds (i.e. don't want anything on my network speaking to a blocked IP), followed by half a dozen or so rules that determine what local LAN addresses can reach the internet and when.

              So there'll be some circumstances where local LAN addresses shouldn't be able to access the Internet. So, making up an example, the kids' LAN IPs might only be allowed to access the internet before 7pm.

              If I put a whitelist rule above the pfBlockerNG rules, it will take precedence over those rules. So the kids' IP addresses would be able to access the whitelisted IPs at any time.

              Similarly, if I move the existing half dozen rules governing access of the LAN IPs to the internet before the pfBlockerNG rules, then they wouldn't benefit from the protections against malicious IPs.

              Ideally, I just want to get rid of the overzealous Amazon IP range block by suppressing/removing it completely from the pfBlockerNG feed.

              The only other way to deal with it is basically to create a duplicate set of the half dozen firewall rules again (but applicable only to the whitelisted IPs) and put them above the pfBlockerNG rules. That is a pain to maintain though, as I basically then have each rule twice (the original rule below the pfBlockerNG auto rules, plus the copy specific to the pfBlockerNG whitelist, above the auto rules).

              • RonpfS @Andrew453

                @andrew453 said in Suppressing IP block in CIDRs other than /24 and /32:

                IP Feedname:  [ BadPeers_v4 ]

                What is the source of this feed? Is it maintained?

                2.4.5-RELEASE-p1 (amd64)
                Intel Core2 Quad CPU Q8400 @ 2.66GHz 8GB
                Backup 0.5_5, Bandwidthd 0.7.4_4, Cron 0.3.7_5, pfBlockerNG-devel 3.0.0_16, Status_Traffic_Totals 2.3.1_1, System_Patches 1.2_5

                • Andrew453 @RonpfS

                  @ronpfs Looks like it's from here: https://www.iblocklist.com/list?list=cwworuawihqvocglcoss

                  I could just remove this list of course, but it would be useful to know the answer to my question.

                  • RonpfS @Andrew453

                    @andrew453 said in Suppressing IP block in CIDRs other than /24 and /32:

                    https://www.iblocklist.com/list?list=cwworuawihqvocglcoss

                    List of people who have been reported for bad deeds in p2p.

                    This list is for protecting BitTorrent clients. IMHO it could be used on the local BitTorrent host machines instead of on the firewall.

                    When Auto-Rules don't fit your setup, you can use the Alias type with your own FW rule order.

                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.