pfBlockerNG Not Working?
-
I think my pfBlocker stopped working on the IP blocking side. My last block shows as July 4th. The first thing that tells me is that I need to check this more often. With that said, I'd love to get it working again.
I'm not even sure where to start. I remember watching a YouTube video to set it up and it shows some blocks from when I installed my Netgate 2100, but nothing since about a month after installation.
It looks like DNSBL is working as I show blocks from the GeoIP blocking I have turned on, but the IP appears blank. I'm not even sure where to start troubleshooting.
I found a log named error.log which has a few of these messages, which may or may not have anything to do with the issue. The most recent is from 9/7/22. The other thing I noticed is that my Netgate shows an IPV6 address from Comcast, but I don't know if that has any effect on pfBlockerNG.
Thanks for the help. I feel naked now that I know this especially since I have a few ports open to get to my Emby server.
[ pfB_PRI1_v4 - Abuse_Feodo_C2_v4 ] Download FAIL [ 09/7/22 02:02:17 ]
Firewall and/or IDS (Legacy mode only) are not blocking download.
-
@spyderturbo007 DNSBL and GeoIP are not related. DNSBL blocks based on domain name.
If you go to the pfB/Feeds tab you can click on the feed name to try to download it (Abuse_Feodo_C2). Since you mention GeoIP are you allowing .ch/Switzerland for the list?
Does pfblockerng.log show any errors updating?
How did you set up blocking? Did you add block rules on WAN? Usually I want finer control so I set it up to use Alias Native and then use those aliases in whatever rules I want.
-
@steveits said in pfBlockerNG Not Working?:
@spyderturbo007 DNSBL and GeoIP are not related. DNSBL blocks based on domain name.
If you go to the pfB/Feeds tab you can click on the feed name to try to download it (Abuse_Feodo_C2). Since you mention GeoIP are you allowing .ch/Switzerland for the list?
Does pfblockerng.log show any errors updating?
How did you set up blocking? Did you add block rules on WAN? Usually I want finer control so I set it up to use Alias Native and then use those aliases in whatever rules I want.
I am able to download the .txt files if I click on the feed name. I tested a few and can download the lists.
I didn't set up the WAN rules, they were created automatically. I have one named pfB_PRI1_v4 auto rule that sits above my allow rules.
I searched for the word Error in the log since it's almost 14,000 lines long and it came up 3 times. They were all related to trying to download a list. For example:
[ Talos_BL_v4 ]
( md5 feed ) . 500 Internal Server Error
Failed to download Feed for md5 comparison! Update skipped
There just aren't any blocks since July, which doesn't make any sense to me.
-
@spyderturbo007 Are you expecting GeoIP blocks (i.e. regular firewall rule) or DNSBL blocks (logged in pfBlocker)?
What version of pfSense? There was a bug due to a logging change in pfSense with 22.05. https://redmine.pfsense.org/issues/13156
-
@steveits Thanks for your help!
To be honest, I'm not sure what I'm expecting. I just remember seeing blocks in the log previously, but I have to admit, I haven't looked in months. I was just assuming that with all the people scanning for open ports, something would have hit my WAN address since July.
When I opened ip_block.log previously, I would see entries like these rather frequently.
Jul 4 20:02:46,1770009616,mvneta0,WAN,block,4,6,TCP-S,194.26.29.86,xx.xxx.xxx.xxx,57299,6804,in,RU,pfB_Top_v4,194.26.29.0/24,RU_v4,Unknown,wan,null,+
Jul 4 20:02:54,1770009933,mvneta0,WAN,block,4,6,TCP-S,81.17.22.117,xx.xxx.xxx.xxx,40127,7000,in,CH,pfB_Europe_v4,81.17.16.0/20,CH_v4,hostedby.privatelayer.com,wan,null,+
Jul 4 20:03:11,1770009616,mvneta0,WAN,block,4,6,TCP-S,193.201.8.21,xx.xxx.xxx.xxx,57235,1070,in,RU,pfB_Top_v4,193.201.8.0/23,RU_v4,Unknown,wan,null,+
It is 22.05-RELEASE. So maybe it's working but just not logging?
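The thread's underlying problem is that nobody looked at ip_block.log for two months. Below is an added example (not from the thread or from pfBlockerNG) of a small Python check that parses lines in the format quoted above, reports the most recent block per alias and flags the log as stale when nothing has been written for a configurable period, so it can be run from cron as a "is blocking still being logged?" alarm. The field names are my own reading of the comma-separated layout shown in the post, the sample lines are constructed from that excerpt (destination masked as in the post), and the log path /var/log/pfblockerng/ip_block.log is an assumption to adjust for your install.

```python
"""Staleness check for a pfBlockerNG ip_block.log.

Added example, not part of the forum thread or of pfBlockerNG itself.
The column layout is inferred from the sample lines quoted in the
thread and is treated as an assumption; adjust FIELDS if yours differs.
"""
import sys
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample lines modelled on the thread's excerpt.
SAMPLE_LOG = """\
Jul 4 20:02:46,1770009616,mvneta0,WAN,block,4,6,TCP-S,194.26.29.86,xx.xxx.xxx.xxx,57299,6804,in,RU,pfB_Top_v4,194.26.29.0/24,RU_v4,Unknown,wan,null,+
Jul 4 20:02:54,1770009933,mvneta0,WAN,block,4,6,TCP-S,81.17.22.117,xx.xxx.xxx.xxx,40127,7000,in,CH,pfB_Europe_v4,81.17.16.0/20,CH_v4,hostedby.privatelayer.com,wan,null,+
Jul 4 20:03:11,1770009616,mvneta0,WAN,block,4,6,TCP-S,193.201.8.21,xx.xxx.xxx.xxx,57235,1070,in,RU,pfB_Top_v4,193.201.8.0/23,RU_v4,Unknown,wan,null,+
"""

# Assumed names for the 21 comma-separated columns seen above.
FIELDS = ["timestamp", "rule_id", "iface", "iface_name", "action", "ip_ver",
          "proto_num", "proto", "src_ip", "dst_ip", "src_port", "dst_port",
          "direction", "geoip", "alias", "feed_subnet", "feed", "hostname",
          "real_iface", "duplicate", "flags"]

# Assumed location of the log on a pfSense box.
DEFAULT_LOG = "/var/log/pfblockerng/ip_block.log"


def parse_line(line, year):
    """Return a dict for one log line, or None if it does not fit the layout.

    The log stores no year in its timestamp, so the caller supplies one.
    """
    parts = line.rstrip("\n").split(",")
    if len(parts) != len(FIELDS):
        return None
    rec = dict(zip(FIELDS, parts))
    try:
        rec["when"] = datetime.strptime(f"{year} {rec['timestamp']}",
                                        "%Y %b %d %H:%M:%S")
    except ValueError:
        return None
    return rec


def summarize(text, year):
    """Parse every line; return (records, blocks per alias, newest block time)."""
    records = [r for r in (parse_line(l, year) for l in text.splitlines()) if r]
    per_alias = Counter(r["alias"] for r in records)
    last = max((r["when"] for r in records), default=None)
    return records, per_alias, last


def is_stale(last, now, max_age=timedelta(days=7)):
    """True when no block has been logged within max_age (or ever)."""
    return last is None or now - last > max_age


def main(path=DEFAULT_LOG):
    now = datetime.now()
    try:
        with open(path, encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    except OSError as exc:
        print(f"cannot read {path}: {exc}")
        return 2
    _, per_alias, last = summarize(text, now.year)
    for alias, n in per_alias.most_common():
        print(f"{alias}: {n} blocks")
    if is_stale(last, now):
        print(f"WARNING: last logged block was {last}; check pfBlockerNG logging")
        return 1
    print(f"ok: last block {last}")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1] if len(sys.argv) > 1 else DEFAULT_LOG))
```

Because the timestamp carries no year, the check assumes the current year; a log that has not rotated since the previous December would therefore look newer than it is, which is a second reason to keep the staleness window short.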
-
@spyderturbo007 said in pfBlockerNG Not Working?:
It is 22.05-RELEASE. So maybe it's working but just not logging?
Sounds like that bug yes. The change/fix in that redmine should fix it.
There’s a _5 version of pfBlocker for 2.6 so one might assume that’s coming shortly for 22.05…