Netgate Discussion Forum
IPv4 Custom_List entries wrong

pfBlockerNG
jrey @manilx

@manilx

IF
the IP is included in another list/range and
you have de-duplication turned on
it will get removed from the list. (Already included somewhere else)
at the end of the process if it is the only IP left on this list, it has to point somewhere. So this address you are seeing is it.

if you have that option set and you look at the pfblockerng.log for the latest run, in the summary under the Deny List IP Counts, this list is likely listed at the end with 1 IP

if you add another IP to this list (and it is not already included elsewhere) the summary will still show 1 (even though you had 2 in the list), but this time it will have the IP of the one that is not included on another list.
manilx @jrey

@jrey

====================[ Empty Lists w/127.1.7.7 ]==================

Manual_blocked_IPs_custom_v4.txt
NVT_BL_v4.txt

OK! Thx.

Netgate 8200max
jrey @manilx

@manilx

That seems different.

What version are you running?

Do you have de-duplication enabled?

I have created a duplicate and in the log I don't have anything for "Empty Lists"
but in this section of the log
[ Deny List IP Counts
. . .
25 /var/db/pfblockerng/deny/file1.txt
21 /var/db/pfblockerng/deny/file2.txt
2 /var/db/pfblockerng/deny/file3.txt
1 /var/db/pfblockerng/deny/file4.txt

the last one contains a duplicate of an IP that is already included above pointing at the 127.x.x.x address (so not "empty") but "changed"

Try and remove the /32 from the IP (just leaving the IP) and see if that changes anything (it shouldn't really)
also make sure there are no spaces at the end of the line,
and the entry is on a line by itself (ie you hit return/enter at the end)

you could enter it like
#
IP here
#
jrey @jrey

@jrey

I can recreate what you are seeing with the address you provided because this address 89.248.160.0/20 is already in another list I already have from a downloaded list.

Because it is the only address in your list, I do in fact see this for this case

====================[ Empty Lists w/127.1.7.7 ]==================

testempty_custom_v4.txt

Then I added another address that I knew would not be included elsewhere to the custom list and now the list is no longer considered "empty" but only has the 1 address

Nothing wrong.
manilx @jrey

@jrey Great. Thank you for confirming!
SteveITS Galactic Empire @jrey

@jrey

Nothing wrong

Actually I would suggest there is something wrong… As someone pointed out a while back, if a person has ports on their deny entries the dedupe will still pull IPs out of them… even though they would then allow the IPs on some ports. Alias Native will not dedupe, just create aliases to be used in rules.

Pre-2.7.2/23.09: Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
When upgrading, allow 10-15 minutes to restart, or more depending on packages and device speed.
Upvote 👍 helpful posts!
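The two behaviours discussed in this thread, jrey's explanation of de-duplication (an entry already covered by an earlier list is dropped, and a list left empty gets the 127.1.7.7 placeholder) and SteveITS's caveat (dropping an entry from an all-port deny list when the only remaining covering list feeds a port-restricted rule leaves the host reachable on the other ports), modelled in Python. This is an added example written for this thread, not pfBlockerNG's own code; the list names, the rule port sets, and the 198.51.100.0/24 and 203.0.113.9 entries are constructed, while 89.248.160.0/20 and 127.1.7.7 are taken from the posts above.

```python
"""Model of the pfBlockerNG de-duplication behaviour discussed in this thread.

Illustrative code written for this thread, not pfBlockerNG's implementation.
List names, rule port sets and the 198.51.100.0/24 and 203.0.113.9 entries are
constructed; 89.248.160.0/20 and the 127.1.7.7 placeholder come from the thread.
"""
import ipaddress
from typing import Dict, List, Optional, Set, Tuple

# Address written into a list that de-duplication emptied
# (the "Empty Lists w/127.1.7.7" section of the log quoted in the thread).
EMPTY_PLACEHOLDER = "127.1.7.7"


def parse_entry(line: str):
    """Return one list line as a network, or None for blank lines and '#' comments.
    A bare address is a single host, so '1.2.3.4' and '1.2.3.4/32' are the same entry."""
    line = line.strip()          # trailing spaces would otherwise make the entry unparsable
    if not line or line.startswith("#"):
        return None
    return ipaddress.ip_network(line, strict=False)


def _covered_by(net, entries) -> bool:
    """True when net equals or lies inside any network in entries (same IP version only)."""
    return any(net.version == e.version and net.subnet_of(e) for e in entries)


def dedup(lists: Dict[str, List[str]]) -> Tuple[Dict[str, List[str]], Set[str]]:
    """Drop an entry when an earlier list already covers it.

    Lists are processed in dict order, so an entry survives only in the first list
    that contains it; a list left with nothing gets the placeholder address.
    Returns (deduplicated lists, names of lists that ended up empty)."""
    seen: list = []
    result: Dict[str, List[str]] = {}
    emptied: Set[str] = set()
    for name, lines in lists.items():
        kept: List[str] = []
        for line in lines:
            net = parse_entry(line)
            if net is None:
                continue
            if _covered_by(net, seen):
                continue                 # already included somewhere else: removed from this list
            kept.append(str(net))
            seen.append(net)
        if not kept:
            emptied.add(name)
            kept = [EMPTY_PLACEHOLDER]   # the list still has to point somewhere
        result[name] = kept
    return result, emptied


def risky_removals(lists: Dict[str, List[str]],
                   rule_ports: Dict[str, Optional[Set[int]]]) -> List[Tuple[str, str, List[str]]]:
    """Flag entries removed from an all-port deny list when every list still covering
    them is used by a port-restricted rule, i.e. the host is now allowed on the other
    ports. rule_ports maps list name -> set of ports its rule matches, or None for a
    rule that matches all ports (the "deny both" case in the thread)."""
    deduped, _ = dedup(lists)
    flagged = []
    for name, lines in lists.items():
        if rule_ports.get(name) is not None:
            continue                     # this list's own rule is port-limited; dedup cannot widen exposure
        for line in lines:
            net = parse_entry(line)
            if net is None or str(net) in deduped[name]:
                continue                 # comment line, or the entry survived in this list
            covering = [
                other for other, kept in deduped.items()
                if other != name
                and _covered_by(net, [ipaddress.ip_network(k) for k in kept if k != EMPTY_PLACEHOLDER])
            ]
            if covering and all(rule_ports.get(c) is not None for c in covering):
                flagged.append((name, str(net), covering))
    return flagged


# Constructed sample, in processing order: a downloaded feed first, then the custom list.
SAMPLE_LISTS = {
    "downloaded_feed_v4.txt": ["89.248.160.0/20", "198.51.100.0/24"],
    "Manual_blocked_IPs_custom_v4.txt": ["#", "89.248.160.0/20", "#"],
}
# Constructed rules: the feed is used by a rule limited to port 443, the custom list
# by an all-port "deny both" rule (None = all ports).
SAMPLE_RULE_PORTS = {"downloaded_feed_v4.txt": {443}, "Manual_blocked_IPs_custom_v4.txt": None}


def with_extra_entry(lists: Dict[str, List[str]], name: str, entry: str) -> Dict[str, List[str]]:
    """Copy of lists with one more line appended to the named list (jrey's second experiment)."""
    copy = {k: list(v) for k, v in lists.items()}
    copy[name].append(entry)
    return copy


if __name__ == "__main__":
    deduped, emptied = dedup(SAMPLE_LISTS)
    print("emptied:", sorted(emptied), "->", deduped["Manual_blocked_IPs_custom_v4.txt"])
    extended = with_extra_entry(SAMPLE_LISTS, "Manual_blocked_IPs_custom_v4.txt", "203.0.113.9")
    print("after adding a unique IP:", dedup(extended)[0]["Manual_blocked_IPs_custom_v4.txt"])
    for list_name, entry, covered_by in risky_removals(SAMPLE_LISTS, SAMPLE_RULE_PORTS):
        print(f"{entry} removed from {list_name}; now only blocked by port-limited {covered_by}")
```

Running it reproduces the thread: with only 89.248.160.0/20 in the custom list it is reported as emptied and holds just 127.1.7.7; after appending an address no other list covers, the list keeps exactly that one entry. `risky_removals` is the check SteveITS's remark calls for: it reports 89.248.160.0/20 because its only remaining coverage is the feed tied to a port-443 rule, and reports nothing when both rules match all ports.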
manilx @SteveITS

@steveits no ports on any deny rule. Just on the one allow IP one.
jrey @SteveITS

@steveits said in IPv4 Custom_List entries wrong:

As someone pointed out a while back

Actually that may have been me.

And correct, if the OP needs them to remain in that specific list, to keep that IP tied to a specific Rule, then yes you need to use the Alias type and create the rule. But also as the OP indicated it is a "deny both", so in the case as presented it is working as expected.

Thanks for pointing out the additional required step, depending on the actual use case. I didn't get the impression from the OP that it needed to remain on that specific list only, but rather that it just needed to be blocked with the deny both

All good.
JR
manilx @jrey

@jrey from all said I think that having all Alias Native and making my own rules is the best way forward…
Just more work 😊
jrey @manilx

@manilx

I actually use a combination, and mostly because I needed to "tweak" the order in the floating rules section for a specific use case requiring some IPs to remain in a specific rule.

It's not that much extra work to set up, and it does give you more control.
SteveITS Galactic Empire @jrey

@jrey well then, hello again :)

Yeah, to be clear it's not always a problem. One also has to have the dedupe option checked. However it's not intuitive and potentially dangerous, so I try to call it out.

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.