Netgate Discussion Forum

Bug: pfBlockerNG-devel 3.2.0_8 not updating blocklist

  • M
    muvaminon
    last edited by Aug 14, 2024, 12:17 AM

    Context:
    IP addresses attacking a honeypot are being gathered into blocklists by a custom syslog server. A short blocklist of new attackers is being updated every 20 minutes based on comparison with a long blocklist generated every 2 hours. pfBlockerNG-devel 3.2.0_8 is configured through a user defined feed to download the shortlist from a website every hourly CRON cycle. The generated alias is being used in firewall rules.

    Bug: pfBlockerNG-devel 3.2.0_8 downloaded a first version of the short blocklist but is not downloading subsequent updates. This has been verified through visual comparison of IP addresses. And, pfSense logs…
    [pfBlockerNG] Starting cron process.
    [pfBlockerNG] No changes to Firewall rules, skipping Filter Reload.

    Details:
    Short Blocklist updates overwrite the previous file, updating the file modification date but not the creation date reported by the OS.
    Updated contents can resemble the prior list if there is consolidation of IP addresses in CIDR format due to attacks from adjacent IP addresses. For example, 1.234.56.78 may become 1.234.56.78/31.

    • M
      muvaminon @muvaminon
      last edited by Aug 14, 2024, 12:50 PM

      @muvaminon Here is an update. It turns out that there are two control points for the update interval of alias network lists from pfBlockerNG. The first is Update Frequency in the pfBlockerNG IP/IPv4 settings for the feed, which can be set as short as hourly. The second is in pfSense Firewall/Aliases for the alias, which is set in “URL Table (IPs)” as “/number” with “number” being days with the shortest interval being “/1” meaning 1 day. So, the shortest update interval achievable is 1 day.
      This isn’t good enough for my purpose, which is essentially dynamic blacklisting. Next step is to look more closely at Suricata but so far it also appears to be a “handicapped” product unable to support my use case.

      • B
        BBcan177 Moderator @muvaminon
        last edited by Aug 14, 2024, 9:21 PM

        @muvaminon

        The Frequency setting is all that applies to update a feed. The other is a base pfSense setting that is redundant as pfB does the update as needed.

        Also keep in mind that the Update checks the URL timestamp and if unchanged will skip the download.

        "Experience is something you don't get until just after you need it."

        Website: http://pfBlockerNG.com
        Twitter: @BBcan177  #pfBlockerNG
        Reddit: https://www.reddit.com/r/pfBlockerNG/new/
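
The first post notes that an updated list can look like the previous one once adjacent addresses are consolidated into CIDR form, which makes visual comparison unreliable. The following is an added example, not part of the original posts and not pfBlockerNG code: it compares two versions of a blocklist by the address space they cover. The function names, the one-entry-per-line format with `#` comments, and the sample lists (built from the address quoted in the thread plus documentation ranges) are assumptions made for illustration.

```python
import ipaddress

def parse_blocklist(text):
    """Parse one entry per line (bare IP or CIDR); skip blanks and # comments."""
    nets = []
    for line in text.splitlines():
        entry = line.split("#", 1)[0].strip()
        if entry:
            # strict=False tolerates entries with host bits set (e.g. x.x.x.79/31)
            nets.append(ipaddress.ip_network(entry, strict=False))
    return nets

def normalize(nets):
    """Collapse to minimal non-overlapping networks, separately per IP version."""
    out = []
    for version in (4, 6):
        out.extend(ipaddress.collapse_addresses(n for n in nets if n.version == version))
    return out

def subtract(a, b):
    """Address space covered by normalized list a but not by normalized list b."""
    remaining = []
    for net in a:
        pieces = [net]
        for other in (o for o in b if o.version == net.version):
            kept = []
            for p in pieces:
                if p.subnet_of(other):
                    continue                      # fully covered by b
                if other.subnet_of(p):
                    kept.extend(p.address_exclude(other))  # carve b out of p
                else:
                    kept.append(p)                # CIDR blocks are disjoint here
            pieces = kept
        remaining.extend(pieces)
    return sorted(remaining, key=lambda n: (n.version, n))

def diff_blocklists(old_text, new_text):
    """Return the networks added to and removed from coverage between versions."""
    old = normalize(parse_blocklist(old_text))
    new = normalize(parse_blocklist(new_text))
    return {"added": [str(n) for n in subtract(new, old)],
            "removed": [str(n) for n in subtract(old, new)]}

# Constructed sample lists (not data from the thread's honeypot).
OLD_LIST = "1.234.56.78\n203.0.113.5\n"
NEW_LIST = "# refreshed shortlist\n1.234.56.78/31\n203.0.113.5\n198.51.100.7\n"

if __name__ == "__main__":
    print(diff_blocklists(OLD_LIST, NEW_LIST))
```

Run against the file the syslog server publishes and the table pfSense currently holds for the alias, an empty result on both sides means the two cover the same addresses even if the text differs.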

        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.