No IP block list using pfblockerng

asadz · Dec 13, 2022, 5:53 PM

I'm on pf sense version 22.05-RELEASE (amd64) and pfblockerng according to system->packet-manger->available packages as 3.1.0_8

I'm getting logs under the report as "unified" or "alerts" or "dnsbl" but there are no ip_block entries.

Also, note I had to create up_block file since none was present.

Under Firewall->rules-

I tested by manually entering the IP addresses seen on hover on event. See screenshot.

I see the message as I open to "unable to upload", then when I goto Firewall-Pfblockerng->Reports->Alerts

I see no alerts against the browsed IP. I also check the patch
using these steps

ssh into your pfSense

run vi /usr/local/pkg/pfblockerng/pfblockerng.inc

Search for $r = explode(')', $result, 2); and replace it with $r = explode(' ', $result, 2);

Open Status → Services

Hit restart on the pfb_filter service

Theexplode code is no present in the .inc file, so I don't think the patch is valid to me.

The output of pfblockerng shows as
[ pfB_PRI1_v4 - Talos_BL_v4 ] Download FAIL

Firewall and/or IDS (Legacy mode only) are not blocking download.

===[ Deny List IP Count=============

16799 total

13802 /var/db/pfblockerng/deny/CINS_army_v4.txt

1481 /var/db/pfblockerng/deny/ET_Block_v4.txt

649 /var/db/pfblockerng/deny/Talos_BL_v4.txt

580 /var/db/pfblockerng/deny/ET_Comp_v4.txt

153 /var/db/pfblockerng/deny/Abuse_Feodo_C2_v4.txt

59 /var/db/pfblockerng/deny/Spamhaus_eDrop_v4.txt

40 /var/db/pfblockerng/deny/Abuse_SSLBL_v4.txt

19 /var/db/pfblockerng/deny/ISC_Block_v4.txt

14 /var/db/pfblockerng/deny/FireHOLLevel1_v4.txt

1 /var/db/pfblockerng/deny/Spamhaus_Drop_v4.txt

1 /var/db/pfblockerng/deny/FireHOLLevel2_v4.txt

Further,under firewall->pfblockerng->alerts under block I get

"Found 0 Alert Entries - Insufficient Alerts found."

NollipfSense · Dec 14, 2022, 4:06 AM

@asadz You will need to go to: Status > System Logs > Firewall to see the blocked IP...that's where pfBlockerNg tells the firewall to log it.

asadz · Dec 14, 2022, 4:40 AM

@nollipfsense Thanks, but no i don't see no block event under that firewall logs, I always thought that ip_block is your file for pfblockerng block events. I can see blocks events under "unfied logs", as color red yet which is strange

asadz · Dec 14, 2022, 4:55 AM

@nollipfsense
I'm looking at
Log/File Path: /var/log/pfblockerng/ip_block.log

asadz · Dec 14, 2022, 5:22 AM

@asadz

As you can see i can see under "unified logs" the blocks of DNS but on highlighted IP Block set there is no IP?

asadz · Dec 14, 2022, 6:35 AM

@asadz also I can see the IP present under
/var/db/pfblockerng/deny/* but why not shown in IP block set?

NollipfSense · Dec 14, 2022, 7:27 PM

@asadz If you click on the Info button, see arrow, it should show the IP you were trying to go to. You don't need to mask you LAN address as no one can get to it.