Netgate Discussion Forum

Troublesome IP getting through pfBlocker

pfBlockerNG | 16 Posts, 3 Posters, 512 Views
FrankZappa:

This is an interesting dilemma: I'm currently on 24.11-RELEASE (amd64) and I use pfBlockerNG. I set up a custom IP list to block bots from hammering a Minecraft server I run. For over a year now, all the troublesome IPs were effectively blocked from reaching the Minecraft server using a custom IP list in pfBlocker. Recently, however, according to my server logs, IP 154.213.192.15 successfully hits the Minecraft server's front door (they can't log in as they are not whitelisted on the server). I have added this IP to the custom IP list in pfBlocker and I even tried adding the IP as a firewall rule. Still, somehow, it gets through. Any idea how that IP can bypass pfBlocker and a firewall rule?

      netgate 1.jpg
      Netgate 2.jpg

Bob.Dig @FrankZappa:

@FrankZappa I would use a regular alias for that, not pfBlocker. I think I have seen similar before.

FrankZappa @Bob.Dig:

          @Bob-Dig Thanks Bob-Dig. How do I set up an alias for this IP?

johnpoz (Global Moderator) @Bob.Dig:

@Bob-Dig While regular aliases can be used for IPs, sure, there is no reason a pfBlocker alias cannot be used as an alias - I use a few of them and they work just fine.

@FrankZappa Can we see your rule and pfBlocker setup for this alias? Have you validated that the IP is in the table created? Under Diagnostics you can view the table of the alias.

            alias.jpg

            An intelligent man is sometimes forced to be drunk to spend time with his fools
            If you get confused: Listen to the Music Play
            Please don't Chat/PM me for help, unless mod related
            SG-4860 24.11 | Lab VMs 2.7.2, 24.11

Bob.Dig @FrankZappa:

@FrankZappa said in Troublesome IP getting through pfBlocker:

              How do I set up an alias for this IP?

              You make the alias and the rule yourself. For that alias I would use bulk import.

              Screenshot 2024-12-28 124156.png

Bob.Dig @johnpoz:

@johnpoz said in Troublesome IP getting through pfBlocker:

                I use a few of them and they work just fine.

I think I have seen problems with that custom list before in pfBlocker. So I wouldn't use it for lists I source 100% manually anyway.

FrankZappa @johnpoz:

@johnpoz Johnpoz, you seem to have found the issue. Here's my pfBlocker setup below. I checked the IP table under Diagnostics, and the troublesome IP is NOT there (although it's in my custom IP list). It should be where the red arrow is pointing. I wonder why that's happening?

                  Netgate4.jpg
                  Netgate3.jpg

johnpoz (Global Moderator) @FrankZappa:

@FrankZappa That is not how I would do aliases - those are rules, not aliases. See my example above where they are set as just native aliases. Then you create your own rules using those.

But yeah, if the IP is not in the table - then no, it wouldn't be blocked.

But as mentioned by @Bob-Dig, if you're just doing a list of IPs - you can just use the built-in alias feature of pfSense. I use pfBlocker for aliases because mine pull IPs from other sources, etc. Or use country IPs, etc.


FrankZappa @johnpoz:

@johnpoz Thanks. Why do you suppose all the other IPs from the custom list show up in the table, but not that one IP?

johnpoz (Global Moderator) @FrankZappa:

@FrankZappa That is a very good question. Maybe a space before or after, maybe it just hasn't been updated - what do you have it set to, weekly?

                        You could try forcing an update and see if that populates the table.

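The two suspicions raised in the thread (a stray space around the entry, or the list never making it into the table) are both checkable before the list is pasted back into pfBlockerNG. The following is an added example, not code from the thread or from pfBlockerNG itself: it parses a custom IP list in the one-entry-per-line format pfBlockerNG accepts, reports entries with leading/trailing or non-breaking whitespace and entries that are not valid addresses or CIDR blocks, and answers "would this IP be matched by the cleaned list?" the same way a firewall table would. The sample list and the `parse_ip_list`, `list_contains` and `normalize_list` names are constructed for this example.

```python
import ipaddress

# Constructed sample of a custom IP list in pfBlockerNG's one-entry-per-line
# format (not the list from the thread's screenshots). The entry with a
# trailing non-breaking space and the entry with an out-of-range octet are
# included deliberately so the checks below have something to report.
SAMPLE_LIST = """\
# bots hammering the Minecraft port
203.0.113.10
198.51.100.0/24
154.213.192.15\u00a0
192.0.2.300
2001:db8::/32
"""


def parse_ip_list(text):
    """Return (networks, problems) for a pfBlockerNG-style list.

    networks: the entries that parse as IPv4/IPv6 addresses or CIDR blocks,
              after stripping ordinary and non-breaking whitespace.
    problems: (line_number, reason, raw_line) for every line that needed
              cleanup or could not be parsed, so a bad entry is surfaced
              instead of silently dropped during a table load.
    """
    networks, problems = [], []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0]            # drop trailing comments
        cleaned = line.replace("\u00a0", " ").strip()
        if not cleaned:
            continue                           # blank or comment-only line
        if cleaned != line:
            problems.append((lineno, "leading/trailing whitespace", raw))
        try:
            # strict=False accepts host bits set in a CIDR (e.g. 10.0.0.5/24)
            networks.append(ipaddress.ip_network(cleaned, strict=False))
        except ValueError:
            problems.append((lineno, "not an IP address or CIDR block", raw))
    return networks, problems


def list_contains(networks, ip):
    """Return the networks from the parsed list that cover `ip`
    (empty list if the address would not be matched by the table)."""
    addr = ipaddress.ip_address(ip)
    return [n for n in networks if n.version == addr.version and addr in n]


def normalize_list(networks):
    """Render the parsed entries back out, one per line, with host entries
    written as plain addresses, ready to paste into the custom list box."""
    lines = []
    for n in networks:
        if n.prefixlen == n.max_prefixlen:
            lines.append(str(n.network_address))
        else:
            lines.append(str(n))
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    nets, probs = parse_ip_list(SAMPLE_LIST)
    for lineno, reason, raw in probs:
        print(f"line {lineno}: {reason}: {raw!r}")
    for ip in ("154.213.192.15", "198.51.100.77", "154.213.192.16"):
        hits = list_contains(nets, ip)
        print(ip, "MATCHED by" if hits else "NOT matched;", [str(h) for h in hits])
    print("cleaned list:\n" + normalize_list(nets), end="")
```

Run the script over the actual list text to find the offending line, paste the output of `normalize_list` back into the custom list, then force an update as johnpoz suggests. On the firewall itself the live table can then be queried directly with `pfctl -t <tablename> -T test <ip>`, which reports whether the address matches the loaded table, and `pfctl -t <tablename> -T show` lists its contents (the table name is the one shown under Diagnostics > Tables).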

FrankZappa @johnpoz:

@johnpoz I've done the force update many times, to no avail. So I took a look at changing my list to Alias Native (vice Deny Inbound). To be clear: I only need to change it to Alias Native and that IP list will be blocked?

FrankZappa @johnpoz:

@johnpoz Ok, I fixed it (thanks johnpoz and Bob.Dig). I deleted the custom IP list, saved it empty, reloaded the list of IPs into the custom list, saved it, updated it, and now the IP shows up in the Diagnostics table. Fixed! Not sure why it wouldn't take before, but as johnpoz stated it may have been a space or some kind of glitch with that IP.
So now you guys have me wondering what the difference is between an Alias Native list and just leaving the setting as Deny Inbound on my list for pfBlocker? I don't understand what the "Alias Native" option does. Thanks.

johnpoz (Global Moderator) @FrankZappa:

@FrankZappa Alias Native doesn't create a firewall rule - the way you have it set, pfBlocker would actually create the rule for you. I personally am not a fan of that - I will create my rules, thank you very much ;)

When you use Alias Native it's just that, an alias - you would have to create the rule and decide how you want to use the alias in the rule or port forward, etc.

Both are valid ways to get the task done. But I don't like things auto-messing with my rules - maybe the order gets changed, maybe I want to move the order around myself and don't want something altering that on its own, etc.


FrankZappa @johnpoz:

@johnpoz Thanks johnpoz. Forgive my ignorance, but I don't see where I can create a rule to block the IPs on the custom list. How does a block rule reference the list?

johnpoz (Global Moderator) @FrankZappa:

@FrankZappa When you set it to Alias Native there will be an alias created.

                                  rules.jpg


FrankZappa @johnpoz:

                                    @johnpoz Got it. Many thanks.

                                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.