Netgate Discussion Forum

    External Logging / Export of Blocked Ip addresses

    whiz_kid_uk (last edited by whiz_kid_uk)

      Hey Guys,

      I'm fairly new to pfSense, and liking what I see.

      I am using 22.05-RELEASE (amd64) of pfSense+.

      I have almost everything set up as I want; however, I'm looking at a way of exporting any blocked IP addresses. Ideally I want to run it as a cron job so that I can either send it via FTP or SSH to another system for checking.

      Currently using Snort -- should I be using Suricata instead?

      Anyone done this yet? Is there a better way of doing what I want (which is basically exporting any blocked IP / details for further analysis)?

      Thanks in advance, and thanks for all the FAQs that are posted here!!

      bmeeks (last edited by bmeeks)

        There is no method for exporting the blocked IP list within the GUI package, but that is something you can do externally using a simple shell script. It would be up to you to write the script and then schedule it via cron.

        Caveat: the method described below is how Legacy Blocking Mode operates. If you are using Inline IPS Mode, then nothing stated below is applicable as that mode uses a completely different process. For Inline IPS Mode, you would have to manually parse the alert log file looking for DROP actions.

        Snort blocks by making a pfSense system call and adding the IP addresses to be blocked to an internal pf (packet filter firewall engine) table called snort2c. There is a built-in hidden firewall rule created by pfSense that blocks all traffic for IP addresses in that table.

        You can use the pfctl utility to dump the contents of the snort2c table. That will be a list of the IP addresses currently being blocked. The documentation for this utility can be found here.

        This is the command you would need in your script:

        /sbin/pfctl -t snort2c -T show
        

        That command will return a list of IP addresses contained in the table, and those IPs are being blocked by the hidden firewall rule I mentioned previously.

          whiz_kid_uk @bmeeks
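        The export script described in the reply above, written out as an added example (it is not code from the original thread or from the Snort package). It assumes Legacy Blocking Mode, so the pf table is `snort2c` as stated; the spool directory, the remote host `collector@192.0.2.10`, its destination path and the SSH key path are placeholders you would replace. `pfctl -T show` prints one address per line indented by three spaces, and the converter below turns that into CSV rows tagged with a UTC timestamp and the firewall's hostname so that several exports can be concatenated on the collector.

```shell
#!/bin/sh
# Added example: export the pf "snort2c" table (Snort Legacy Blocking Mode
# block list on pfSense) as CSV and copy it to a remote host over SSH.
# Not from the forum thread. The remote host, key and directories are
# assumptions; edit them before scheduling with cron.

PF_TABLE="snort2c"
OUT_DIR="${OUT_DIR:-/var/tmp/snort-export}"              # assumed local spool dir
REMOTE="${REMOTE:-collector@192.0.2.10:/srv/blocks}"    # assumed destination (placeholder)
SSH_KEY="${SSH_KEY:-/root/.ssh/snort_export}"           # assumed dedicated key

# Convert `pfctl -t snort2c -T show` output (read on stdin) into CSV rows:
#   timestamp,hostname,table,address
# Each address is printed by pfctl on its own line with leading whitespace;
# blank lines are skipped. Arguments: $1 = timestamp, $2 = hostname.
snort2c_to_csv() {
    ts="$1"
    host="$2"
    while IFS= read -r line; do
        addr=$(printf '%s' "$line" | tr -d ' \t')
        [ -n "$addr" ] || continue
        printf '%s,%s,%s,%s\n' "$ts" "$host" "$PF_TABLE" "$addr"
    done
}

# Dump the live table. This is the command from the reply above; it only
# works on the firewall itself (pfctl needs root).
dump_table() {
    /sbin/pfctl -t "$PF_TABLE" -T show
}

# Take one snapshot, write it locally, then push it to the collector.
export_blocks() {
    ts=$(date -u +%Y%m%dT%H%M%SZ)
    host=$(hostname)
    mkdir -p "$OUT_DIR"
    out="$OUT_DIR/${PF_TABLE}-${ts}.csv"
    dump_table | snort2c_to_csv "$ts" "$host" > "$out"
    # -q keeps cron mail quiet; a non-zero exit from scp is reported by cron.
    scp -q -i "$SSH_KEY" "$out" "$REMOTE/"
}

# Only run the export when invoked with "run", e.g. from cron:
#   */15 * * * * /root/snort_export.sh run
if [ "${1:-}" = "run" ]; then
    export_blocks
fi
```

        Because `pfctl -T show` is a point-in-time snapshot, an address that was added and later removed by the package's block-removal schedule between two runs never appears in any export, so choose a cron interval shorter than that removal interval. Keep the SSH key unprivileged on the collector side (a dedicated account with write access to the drop directory only), since it lives on the firewall.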

          @bmeeks
          Thank you very much for the detailed response! Perfect, exactly what I needed.

          Thank you again! Brilliant help!

          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.