disable reverse lookups (PTR) and some odd dns
-
I have pfblockerNG installed (and DNSBL disabled). I send all DNS to another host. The pfblocker is doing a fine job getting hourly threat lists and I can see various hosts in the reports.
I would like to eliminate the reverse lookups. I think all of these are hosts sending me packets and I get hundreds of them for each address. Many of them have no PTR record (making it a pointless lookup) and in case the other end is coorrelating, I don't want them to use my reverse lookup for any sort of recon or statistics.
I have not found a way to turn this off. So, I could use some direction if this is possible.
Additionally, pfsense is making a lot of repeat lookups when doing something ordinarly like looking up threat feeds. For instance...
2023-04-14 16:15:01 AAAA www.spamhaus.org (cache)
2023-04-14 16:15:01 A www.spamhaus.org (cache)
2023-04-14 16:15:01 [CNAME] www.spamhaus.org (cache)
2023-04-14 16:15:01 AAAA www.spamhaus.org (cache)
2023-04-14 16:15:01 A www.spamhaus.org (cache)
2023-04-14 16:15:01 [CNAME] www.spamhaus.org (cache)
2023-04-14 16:15:01 AAAA www.spamhaus.org (cache)
2023-04-14 16:15:01 A www.spamhaus.org (cache)
2023-04-14 16:15:01 AAAA www.spamhaus.org (cache)
2023-04-14 16:15:01 A www.spamhaus.org (cache)
2023-04-14 16:15:01 [CNAME] www.spamhaus.org (cache)
2023-04-14 16:15:01 AAAA www.spamhaus.org (cache)
2023-04-14 16:15:01 A www.spamhaus.org (answered)
2023-04-14 16:15:01 [CNAME] www.spamhaus.org (answered)
2023-04-14 16:15:01 AAAA www.spamhaus.org (answered)
2023-04-14 16:15:01 A www.spamhaus.org (answered)It looks like it is requesting the same thing 4x without waiting for a reply.
In this particular case it looked up www.spamhaus.org 470 times in 24 hours when it sure seems like 48 (or 72) would be appropriate. And each threat feed has 100s of lookups (most are in the 400s) with snort being the only outlier at 124.
I was just wondering if someone could explain these numbers to me (and possibly help me tune them down).
Thank you.
pfsense version 2.6.0
pfBlockerNG version 3.2.0_4 -
I hoped there was a configuration setting in pfblocker to disable reverse lookups and repeat lookups, but it has been a while since I posted to the forums and there have been no replies, so I assume there is not.
I created a workaround because I enjoy tinkering, but, unless you have my same use case, there is no reason to take this route. Please just stick with PFBlocker.
That said, I uninstalled pfblocker and did the following...
[1] get the priority 1 threat lists
[2] normalize the output and put it on a webserver
[3] use a pfsense firewall alias and fetch it as a URL table [gui]
[4] update this to hourly on pfsense cron [cli]
[5] change the file time hourly [cli]
[6] create firewall rules to block using this alias [gui]NOTE: I used a debian linux machine for steps 1-2 (because I already had it generating other URL lists and it was just easier to do it there). Steps 3-6 are done on the pfsense.
I had fun doing it and I learned a few things about how pfsense works in the process. If you want the details of how I did it in case you need to do something similar, then read on. Otherwise, this forum post is probably done.
Cheers
[STEP 1] script 1 (feedlist-fetch.sh)
#!/bin/bash # start in the right place cd /home/donutjustice/PFSENSE-scripts/quietblocker/ # get the lists curl -s https://feodotracker.abuse.ch/downloads/ipblocklist_recommended.txt > ips-feodo.txt curl -s https://sslbl.abuse.ch/blacklist/sslipblacklist.txt > ips-sslbl.txt curl -s https://cinsarmy.com/list/ci-badguys.txt > ips-cinsarmy.txt curl -s https://rules.emergingthreats.net/fwrules/emerging-Block-IPs.txt > ips-ET-emerging.txt curl -s https://rules.emergingthreats.net/blockrules/compromised-ips.txt > ips-ET-compromised.txt curl -s https://isc.sans.edu/block.txt > ips-isc-block.txt curl -s https://www.spamhaus.org/drop/drop.txt > ips-spamhaus-drop.txt curl -s https://www.spamhaus.org/drop/edrop.txt > ips-spamhaus-edrop.txt curl -L -s https://talosintelligence.com/documents/ip-blacklist > ips-talos.txt[STEP 2] script 2 (quietblocker.sh)
#!/bin/bash # # threat feed data cleanup # copy to web server # # grab data from all the lists cd /home/donutjustice/PFSENSE-scripts/quietblocker/ `/home/donutjustice/PFSENSE-scripts/quietblocker/feedlist-fetch.sh` sleep 35 # cleanup the output cat ips-cinsarmy.txt > BUILD.txt cat ips-ET-compromised.txt >> BUILD.txt cat ips-talos.txt >> BUILD.txt grep -v \# ips-ET-emerging.txt >> BUILD.txt grep -v \# ips-feodo.txt >> BUILD.txt grep -v \# ips-sslbl.txt >> BUILD.txt grep -v '^;' ips-spamhaus-drop.txt | cut -d\; -f1 >> BUILD.txt grep -v '^;' ips-spamhaus-edrop.txt| cut -d\; -f1 >> BUILD.txt grep -v \# ips-isc-block.txt | awk -F '\t' '{ print $1 "/24" }' >> BUILD.txt # move it to the local webserver cat BUILD.txt | sort -u > /var/www/html/quietblocker/quietblocker.htmlThis script is run hourly on the debian box. It runs 5 minutes before pfsense grabs the URL to ensure the threatlist is fresh.
The local crontab looks like this:
25 * * * * /home/donutjustice/PFSENSE-scripts/quietblocker/quietblocker.sh[STEP 3] In the gui set pfsense firewall alias to fetch the URL. I named mine "quietblocker" (relevant in step 5 where this becomes quietblocker.txt. If you name yours something different, just make sure it matches in step 5.) and the URL looks like this
http://10.1.1.100/quietblocker/quietblocker.html /1[STEP 4] ssh to pfsense and edit /etc/crontab
EDIT the "urltables" line from a 12 to a *. It should look like this
30 * * * * root /usr/bin/nice -n20 /etc/rc.update_urltables[STEP 5] keep editing /etc/crontab (just like step 4)
ADD a new crontab line (I suggest below the urltables). It should look like this.
35 * * * * root /usr/bin/touch -t 1001011230 /var/db/aliastables/quietblocker.txtThis step is necessary because the urltables script checks the timestamp on the file and won't update anything less than 1 day old. This just changes the date, so it is always old enough. I preferred this method to monkeying with the urltables script.
[STEP 6] Now create firewall rules to meet your needs using this firewall alias.