IP-Blocklist
-
TommyBoy180: How much trouble would it be to make an IP-Allow list? Doesn't pfSense automatically block all but default anyways? Seems like using an allow list would be less intensive if it was possible.
-
It blocks by rule, not by IP address.
-
Some of you are having issues because of a mistake that was committed. The error has been corrected but you still have the old package running.
Uninstall your package
Reboot your box
Re-install your package.PM me with any errors that you encounter and any specific settings that you have.
I have tested the current package release on a fresh install of 1.2.3 and 1.2.2 and it is working correctly. I also tested unique settings such as Jideels's 'Disable all auto-added VPN rules' setting and the package works fine.Thank you all for your support with this package.
Hopefully version 2 will include scheduled updates and a white-list feature. Keep the suggestions coming!
-
ip blocker don't work with traffic shaper
turn off traffic shaper and enable ip blocker
sorry for my english
-
I tested with traffic shaper enable and the package worked fine. You may have other firewall settings that could be disabling the package. Its really hard to say what is happening without looking at your unique setup. If you want you could send me your pfsense config to my email for further investigation.
-
Mule All I mean is why can't we have the package work the other way around. Would it not be more beneficial than blocking hundreds of thousands of ips? I am just asking a question of logic. I am not asking anyone to make a new package or anything.
-
Version 2 will include a white list feature.
Just remember outbound is usually open/unfiltered on almost all home setups. This is what this package addresses. Its the PeerGuardian2 or PeerBlock alternative for pfsense.
-
Yay….but I dont understand why Tom. To make it more secure, it is better to have the opportunity to block inbound IP's...
Normally it is not an issue with outbound traffic, but more what comes from the outside... I would really muck like to eliminate everything from selected countries.
-
The package stops inbound and outbound traffic in all protocols for the added IP lists.
You can block entire countries with this package. That is one of the main benefits of this package. So if you want to run p2p applications safely or block spam for your email servers, or even block entire countries this is the package for you.
Take a look at some of the public available lists you can use: http://iblocklist.com/lists.php
Remember this package blocks all inbound and outbound traffic on all protocols for the IPs in each list.
-
Thanks Mate!! :) That was exactly what I was looking for….
Looking forward to see if you find the reason for me having trouble getting it to work :)
The package stops inbound and outbound traffic in all protocols for the added IP lists.
You can block entire countries with this package. That is one of the main benefits of this package. So if you want to run p2p applications safely or block spam for your email servers, or even block entire countries this is the package for you.
Take a look at some of the public available lists you can use: http://iblocklist.com/lists.php
Remember this package blocks all inbound and outbound traffic on all protocols for the IPs in each list.
-
Version 2.0 is out!
Version 2.0 fixes several bugs. Some of you that could not get the package working may find that the package will work perfectly on your system.
New features:
White lists are now supported.Changes:
Removed manual IP blocking and replaced with White lists
Fixed a bug where the package would error out due to a large amount of firewall rules (Thank you Supermule!)
Fixed a bug where the package would not start on system boot during rare occasions. -
You are very welcome :) Glad I could help!!
-
Just a note: Package does not work with IE. Then again who uses IE anyway :P.
-
:( I do…...Firefox has problems showing layers on webpages....If I have a transparent webpage with a .jpg background, it doesnt show the background at all.....
IE is also more secure. Therefore I use IE....
-
Opps we don't want to start a FF vs. IE flame war here on this topic.
Just my two cents:
FF: http://secunia.com/advisories/product/28698/
IE:http://secunia.com/advisories/product/21625/Looks like IE has more unpatched bugs and a bigger threat score than FF does. Looks like FF is more secure to me.
-
Sorry…Havent seen the latest bulletins from Secunia :)
I rest my case. ;)
But pls make the package work under IE as well....Just for user friendlyness :D
Opps we don't want to start a FF vs. IE flame war here on this topic.
Just my two cents:
FF: http://secunia.com/advisories/product/28698/
IE:http://secunia.com/advisories/product/21625/Looks like IE has more unpatched bugs and a bigger threat score than FF does. Looks like FF is more secure to me.
-
Nice job! subscribing… ;)
-
The compress lists work well but I tried using this URL http://www.countryipblocks.net/e_country_data/Asia_cidr.txt and could not get it to work. Do they have to be a compressed tarball? I want to block the countries I get the most attacks from.
Wish I could just use this list http://www.countryipblocks.net/e_country_data/North_America_cidr.txt and an allow list but I will take what I can get. Want to block South America, Asia, Russia, and well a lot of others. It just seems like all those IPs would kill my box.
-
The lists can be any format such as .txt, .list, .IPs, and even no extention as long as they are plain text lists. If they are compressed then .gz is the only supported compression.
You list (http://www.countryipblocks.net/e_country_data/Asia_cidr.txt) is not in the correct format. Lists have to be in the PG2 format (Asia:58.16.15.56-58.100.0.100)
For country IPs you can either find countries at http://iblocklist.com/lists.php or make you own list.
I make my own lists at http://gskinner.com/RegExr/
For example I want to convert a .csv of IPs from www.stopforumspam.com to the PG2 format.-
Paste all the IPs in http://gskinner.com/RegExr/
-
Click find a replace, do a find for "\b\d{1,3}.\d{1,3}.\d{1,3}.\d{1,3}\b" and a replace for "\nIP:$&-$&"
Now that only works for single IP addresses
Since your list (http://www.countryipblocks.net/e_country_data/Asia_cidr.txt) is in CIDR format then you will have to find a script or online application to convert CIDR to IP range.
Here is a link that can help you convert CIDR to IP range: http://www.unix.com/shell-programming-scripting/34301-get-ip-list-cidr-2.html
Once you convert your list to IP range then you have to convert to PG2 format with http://gskinner.com/RegExr/If you are going to use www.countryipblocks.net then download the "IP range" list and convert to PG2 Format
-
-
speaking of iblocklist.com, it's as simple as copying the "http://list.iblocklist.com/?list=bt_level1" to add list url and that's it? or do I have to do it some other way?
-
It is that simple. :)
Just make sure you get the true url. Since the link you posted is a pointer to several mirrors that host that file you need to click that link and then copy the url to paste into the package.
Example: http://list.iblocklist.com/?list=bt_level1 points to http://iblocklist.dbnservers.net/files/bt_level1.gz
So you would paste http://iblocklist.dbnservers.net/files/bt_level1.gz into the package. -
got it! thanks mate ;) This package is very nice.
-
Since your list (http://www.countryipblocks.net/e_country_data/Asia_cidr.txt) is in CIDR format then you will have to find a script or online application to convert CIDR to IP range.
That is a large step backward. CIDR lists are much faster since pf supports them natively, and your app has to translate them back into CIDR lists anyhow. Converting them away from CIDR format will only slow things down.
It should be fairly easy to add support for CIDR lists to your app, or the person who wants to use CIDR lists can just use the URL Table Alias package instead, which currently only does CIDR or IP lists, since that's pf's desired format.
-
I still get this when hitting save/update
Warning: file_get_contents(wlists.txt): failed to open stream: No such file or directory in /usr/local/www/packages/ipblocklist/ipblocklist.php on line 30
-
Since your list (http://www.countryipblocks.net/e_country_data/Asia_cidr.txt) is in CIDR format then you will have to find a script or online application to convert CIDR to IP range.
That is a large step backward. CIDR lists are much faster since pf supports them natively, and your app has to translate them back into CIDR lists anyhow. Converting them away from CIDR format will only slow things down.
It should be fairly easy to add support for CIDR lists to your app, or the person who wants to use CIDR lists can just use the URL Table Alias package instead, which currently only does CIDR or IP lists, since that's pf's desired format.
Jimp,
I completely agree with you. In fact CIDR is supported in pf (edit-I see you pointed that out above). The reason is because my package is specifically written for a specific format, the PG2 format. This PG2 format requires IP address ranges. The package then converts the ranges to CIDR format to import into a pf table.With this being said I know it seems completely backwards to begin with but for those who have wanted PeerGuardian2 or Peer Block at the router level can defiantly appreciate this package and the list format it requires.
My suggestion for those who want to block countries is to first look at iblocklist.com for that country, if they don’t have your country then download the IP range list and convert.
I still get this when hitting save/update
Warning: file_get_contents(wlists.txt): failed to open stream: No such file or directory in /usr/local/www/packages/ipblocklist/ipblocklist.php on line 30
Browse to the Whitelist page, the error will go away.
EDIT2:
If there are enough people out there that would like to see a Country block package, I can make that in a couple hours. Just keep in mind that iblocklist.com has several countries already in the PG2 format and I am sure you can find every country in this format somewhere in the intertubes. -
YES PLEEEEASE!! ;)
-
Haha.
Well I think that's enough for me. Look for the Country Block package here soon.
-
Will this allow me to block all countries except the US?
-
-
I got most of the PG2 packages installed from iblocklist.com except the country ones which didn't come up in .gz format. Reading the previous posts, I went to www.countryipblocks.net and made the "IP Range" for the countries desired and then attempted the gskinner.com which got me all confused. I didn't understand the "find a replace, do a find for… and a replace for..." in reply #53.
This leads me to my question - is there a simple PG2 file that has all the countries in one and then if I were to add individual countries on the whitelist would that override the manual list?
I ask this so that everything is blocked by default unless I were to specifiy otherwise without having to reparse a new list (or add every single country individually) everytime I need to give access to a certain country.
Otherwise this is a really cool package and thank you!
-
Good morning
I just want to block the ip of at least 4 websites ip.. How to do that? What if they will use https?
jigp
1.2.2 pfsense -
Good morning
I just want to block the ip of at least 4 websites ip.. How to do that? What if they will use https?
jigp
1.2.2 pfsenseYou will need to create a small list
Website1:192.168.1.100-192.168.1.100 website2:192.168.1.101-192.168.1.101 website3:192.168.1.102-192.168.1.102 website4:192.168.1.103-192.168.1.103
That list will work perfect. Now just upload the list to a site where you can download and add to the package.
-
Anothe thing: I use my pfsense box to establish adsl connection with isp. Whenever it reconnects, ip-blocklist is disabled because pfsense reloads stuff. Can this be corrected?
-
thanks for the reply, but its about exceptions tom..i have two users.user1 is allowed to access https site2 and https site1 but is not allowed to access https site3..user2 is not allowed to access https site2 and https site3 but allowed to access https site1..i can block http sites but i cannot block https :(..i need to open 443 because i use gmail and other email that uses 443..the sites that im going to block is facebook.com, youtube.com,friendster.com and multiply.com. i already block http using squid..but user will use https, i cannot block https :( please share your knowledge…thanks
jigp
1.2.2 -
Here's a question. I have taken this as straight forward but apparently I'm doing something wrong. I installed the package, added the URLs (with .gz), rebooted, and then "Save/Update" however the status continues to say "NOT running" and even after rebooting.
I did find a post mentiong a possible uninstall/reboot/reinstall/reboot/add .gz URLs/reboot/enable would work but alas it has not. Please verify what I may be doing wrong. Thank you.
-
Use Firefox as a browser….. I did an it worked...
Here's a question. I have taken this as straight forward but apparently I'm doing something wrong. I installed the package, added the URLs (with .gz), rebooted, and then "Save/Update" however the status continues to say "NOT running" and even after rebooting.
I did find a post mentiong a possible uninstall/reboot/reinstall/reboot/add .gz URLs/reboot/enable would work but alas it has not. Please verify what I may be doing wrong. Thank you.
-
Use Firefox as a browser….. I did an it worked...
Hey good idea lol…I normally use Opera and when things don't work I try out IE which seems to be the "overall default" of web designers. Here is what I receive when I used Firefox:
(after a minute and by itself)
Fatal error: Allowed memory size of 134217728 bytes exhausted (tried to allocate 81 bytes) in /etc/inc/util.inc on line 380(right below "Current Status = NOT running")
/tmp/rules.debug:90: syntax errorI did upgrade my system from 256MB to 768MB even though the above bytes considered 128MB...some allocation somewhere that needs to be set?
-
Use Firefox as a browser….. I did an it worked...
Hey good idea lol…I normally use Opera and when things don't work I try out IE which seems to be the "overall default" of web designers. Here is what I receive when I used Firefox:
(after a minute and by itself)
Fatal error: Allowed memory size of 134217728 bytes exhausted (tried to allocate 81 bytes) in /etc/inc/util.inc on line 380(right below "Current Status = NOT running")
/tmp/rules.debug:90: syntax errorI did upgrade my system from 256MB to 768MB even though the above bytes considered 128MB...some allocation somewhere that needs to be set?
The Allowed memory error is the webserver hitting a limit set in php.ini. You can increase this limit if you like, however the package will still work properly just let it finish before you refresh the page. In FF you can still see the loading animation in the tab even with that error, wait for that to finish.
Take a look at Cino's post on page 2 http://forum.pfsense.org/index.php/topic,24769.msg130002.html#msg130002
EDIT: You only get this error when you use large lists or a huge collection of lists.
-
The Allowed memory error is the webserver hitting a limit set in php.ini. You can increase this limit if you like, however the package will still work properly just let it finish before you refresh the page. In FF you can still see the loading animation in the tab even with that error, wait for that to finish.
Take a look at Cino's post on page 2 http://forum.pfsense.org/index.php/topic,24769.msg130002.html#msg130002
EDIT: You only get this error when you use large lists or a huge collection of lists.
Gee good point - and the same list. It does say "Fatal error…" and no other text but I'll let it sit for a while and see what happens. How would I go about editing php.ini manually and is it line 380? With 768M of RAM would it be wise to set it to 256M (268435456 bytes)?
-
Edit the memory_limit cvar to 256
ie. memory_limit = 256