Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Creating My Own IP4 Deny List Within PFB

    Scheduled Pinned Locked Moved General pfSense Questions
    24 Posts 4 Posters 2.3k Views 4 Watching
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • LPD7L Offline
      LPD7 @johnpoz
      last edited by

      @johnpoz
      Thanks for that John. Just by way of education, how would I find all the numbers associated with a domain? I found https://ipinfo.io which had the AS# you mentioned and seems if I input an IP it will provide the AS# is there a way (hoping) where I can input the domain name and get a complete list?

      Intelligence is not a substitute for common sense.
      Intel i5-3427 * 1.80GHz * 8GB Memory * 100GB HDD
      Putting legacy equipment into service and out of landfills.

      johnpozJ 1 Reply Last reply Reply Quote 0
      • LPD7L Offline
        LPD7 @stephenw10
        last edited by

        @stephenw10
        So if I filter one or two AS's it should be enough to break it to the point where it becomes unusable?

        Intelligence is not a substitute for common sense.
        Intel i5-3427 * 1.80GHz * 8GB Memory * 100GB HDD
        Putting legacy equipment into service and out of landfills.

        1 Reply Last reply Reply Quote 0
        • stephenw10S Online
          stephenw10 Netgate Administrator
          last edited by

          Yup, that has been my experience with other sites like Netflix and Facebook.

          1 Reply Last reply Reply Quote 0
          • johnpozJ Online
            johnpoz LAYER 8 Global Moderator @LPD7
            last edited by johnpoz

            @lpd7 said in Creating My Own IP4 Deny List Within PFB:

            find all the numbers associated with a domain?

            Can entail some detective work to be sure. For example you have www.domain.com, while easy enough to look up that IP.. And from that IP get the ASN that IP is part of, so any other IPs in that ASN.

            But what if this company using domain.com also hosts their backend stuff for their services of CDNnetwork, or OtherCompany, etc. etc..

            So while you might be able to block some of their front end stuff they host on ASN1, but they could providing their whole software or system using ASN2, and ASNX, etc.

            The more global and complex a system might be, the harder it can be to block or find all the possible IPblocks being used to host that system on a global scale. Don't forget IPv6 as well - that would be completely different ASNs

            And don't forget if you start blocking CDNnetworkX ASN, you could end up blocking other stuff hosted there that you didn't want to block.

            If it was me, I would just block on dns - don't allow clients to use external dns. Blocking doh can come with its own headaches, but easier than trying to block a huge list of IPs service might use, and some of these ip ranges these days quite often shared with other services you might not want to block.. Most everything these days is hosted of very large CDNs (content delivery network)..

            Blocking those can be very problematic when comes to stuff you want to work, now not working.

            Prob easier to just find the fqdn client is trying to access to get it to said service, and block those via dns.

            An intelligent man is sometimes forced to be drunk to spend time with his fools
            If you get confused: Listen to the Music Play
            Please don't Chat/PM me for help, unless mod related
            SG-4860 25.07 | Lab VMs 2.8, 25.07

            1 Reply Last reply Reply Quote 0
            • First post
              Last post
            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.