Bug: pfBlockerNG-devel 3.2.0_8 not updating blocklist
-
Context:
IP addresses attacking a honeypot are being gathered into blocklists by a custom syslog server. A short blocklist of new attackers is being updated every 20 minutes based on comparison with a long blocklist generated every 2 hours. pfBlockerNG-devel 3.2.0_8 is configured through a user defined feed to download the shortlist from a website every hourly CRON cycle. The generated alias is being used in firewall rules.
Bug:
pfBlockerNG-devel 3.2.0_8 downloaded a first version of the short blocklist but is not downloading subsequent updates. This has been verified through visual comparison of IP addresses. And, pfSense logs…
[pfBlockerNG] Starting cron process.
[pfBlockerNG] No changes to Firewall rules, skipping Filter Reload.
Details:
Short Blocklist updates overwrite the previous file, updating the file modification date but not the creation date reported by the OS.
Updated contents can resemble the prior list if there is consolidation of IP addresses in CIDR format due to attacks from adjacent IP addresses. For example 1.234.56.78 may become 1.234.56.78/31.
-
@muvaminon Here is an update. It turns out that there are two control points for the update interval of alias network lists from pfBlockerNG. The first is Update Frequency in the pfBlockerNG IP/IPv4 settings for the feed, which can be set as short as hourly. The second is in pfSense Firewall/Aliases for the alias, which is set in “URL Table (IPs)” as “/number” with “number” being days, with the shortest interval being “/1”, meaning 1 day. So, the shortest update interval achievable is 1 day.
This isn’t good enough for my purpose, which is essentially dynamic blacklisting. Next step is to look more closely at Suricata, but so far it also appears to be a “handicapped” product unable to support my use case.
-
The Frequency setting is all that applies to update a feed. The other is a base pfSense setting that is redundant as pfB does the update as needed.
Also keep in mind that the Update checks the URL timestamp and if unchanged will skip the download.
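An illustrative model of the skip-on-unchanged-timestamp behaviour described in the reply above, added here as an example; it is not pfBlockerNG's own code. It assumes the feed host sends a `Last-Modified` header and that the poller remembers the last value it saw; the `poll` helper, the header handling and the sample list contents are constructed for the demonstration. It shows why a list that is regenerated in place but served with an unchanged timestamp is never re-fetched even though its entries changed, which is the condition worth checking on the feed host (the server-reported timestamp, not the local file's dates) when a feed appears stuck.

```python
"""Model of a timestamp-conditional feed poll (added example, not pfBlockerNG code)."""
from datetime import datetime, timedelta, timezone
from email.utils import format_datetime, parsedate_to_datetime
from typing import Dict, Optional, Tuple


def should_download(last_seen: Optional[str], headers: Dict[str, str]) -> bool:
    """Decide whether the feed should be fetched on this cycle.

    Mirrors the behaviour the reply describes: if the server-side timestamp
    has not advanced, the download is skipped. A feed with no Last-Modified
    header is always fetched, because nothing proves it is unchanged.
    """
    lm = headers.get("Last-Modified")
    if lm is None or last_seen is None:
        return True
    return parsedate_to_datetime(lm) > parsedate_to_datetime(last_seen)


def _entries(body: str) -> set:
    """Normalise a blocklist body to its set of non-comment entries."""
    return {ln.strip() for ln in body.splitlines()
            if ln.strip() and not ln.lstrip().startswith("#")}


def content_changed(previous_body: str, new_body: str) -> bool:
    """True when the two list bodies differ as sets of entries (order-insensitive)."""
    return _entries(previous_body) != _entries(new_body)


def poll(last_seen: Optional[str], previous_body: str,
         headers: Dict[str, str], new_body: str) -> Tuple[bool, bool]:
    """Simulate one poll cycle.

    Returns (downloaded, silently_missed): silently_missed is True when the
    timestamp check skipped the fetch although the served contents changed.
    """
    if should_download(last_seen, headers):
        return True, False
    return False, content_changed(previous_body, new_body)


# Constructed sample data for the demonstration.
T0 = datetime(2024, 1, 1, 10, 0, tzinfo=timezone.utc)
FIRST_LIST = "1.234.56.78\n5.6.7.8\n"
# Regenerated list with the adjacent-address consolidation from the first post.
SECOND_LIST = "1.234.56.78/31\n5.6.7.8\n"


def demo_stale_timestamp() -> Tuple[bool, bool]:
    """Server rewrote the file but still reports the original Last-Modified."""
    stamp = format_datetime(T0, usegmt=True)
    return poll(stamp, FIRST_LIST, {"Last-Modified": stamp}, SECOND_LIST)


def demo_fresh_timestamp() -> Tuple[bool, bool]:
    """Server advanced Last-Modified with the regenerated file: fetch happens."""
    old = format_datetime(T0, usegmt=True)
    new = format_datetime(T0 + timedelta(minutes=20), usegmt=True)
    return poll(old, FIRST_LIST, {"Last-Modified": new}, SECOND_LIST)


if __name__ == "__main__":
    print("stale timestamp  ->", demo_stale_timestamp())   # (False, True)
    print("fresh timestamp  ->", demo_fresh_timestamp())   # (True, False)
```

The practical check this models: request the feed URL with `curl -sI` and confirm that `Last-Modified` (or `ETag`, if the server uses one) actually changes after each regeneration; if the generator rewrites the file without the served timestamp advancing, a timestamp-conditional poller will keep the first copy indefinitely.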