PfBlocker
-
@ Tommyboy - Thanks for that I did not know to look at the widget.
I am getting the following error with PFblocker now. It reports "out of memory" but RAM usage is only about 53%:
: The command '/sbin/pfctl -o basic -f /tmp/rules.debug' returned exit code '1', the output was '/tmp/rules.debug:20: cannot define table pfBlockerLevel1Inbound: Cannot allocate memory /tmp/rules.debug:22: cannot define table pfBlockerLevel1Outbound: Cannot allocate memory pfctl: Syntax error in config file: pf rules not loaded'
Does anybody know how to remedy this?
-
Getting more errors:
There were error(s) loading the rules: /tmp/rules.debug:20: cannot define table pfBlockerLevel1Inbound: Cannot allocate memory
/tmp/rules.debug:22: cannot define table pfBlockerLevel1Outbound: Cannot allocate memory
/tmp/rules.debug:36: cannot define table pfBlockerPrimaryThreats: Cannot allocate memory
pfctl: Syntax error in config file: pf rules not loaded The line in question reads [20]: table <pfblockerlevel1inbound>persist file "/var/db/aliastables/pfBlockerLevel1Inbound.txt"My router is a laptop router and is not out of memory.</pfblockerlevel1inbound>
-
ipv6kid,
-
Increase even more Firewall Maximum Table Entries
-
clear ipblocklist table in diagnostics-> table
-
check if the value of table-entries in /tmp/rules.debug is the same in Firewall Maximum Table Entries
-
check also if table-entries is declared twice in /tmp/rules.debug
This should correct your errors. Basically what is happening is system variable has set a ceiling on the tables. You can manually override this by changing that value to allow larger tables.
-
-
ipv6kid,
Also check lists description. Level1 ipblocklist includes only 'good' networks.
Blocking a grey list may not be a good choice.
-
First, thanks for the reply. I have set the maximum Firewall tables to 550,000 just to be safe but under Diagnostics > Tables there is no PFblocker drop down selection.
I am still getting memory allocation errors even though I've done all of this and reset the states. Could it be anything else?
-
You said to make sure I didn't have double "table-entries", what if I used the same list to deny inbound and outbound? Would that cause this error?
-
If you need to inbound and outbound rules on same table, choose alias on list action and then create a manual rule in wan and other in lan.
If you still want list1, you may need 1.000.000 or more.
You can't see pfBlocker table because you got erros during apply.
-
Yeah I just noticed some of these lists run into the hundreds of thousands of tables. I am running an old clunky dell laptop from 2003-ish. With only 768 MB of RAM, and when I enabled more states into the 2 million range, RAM usage shot up and it started swapping.
I'm also running SNORT on top of this, so I'm going to need a gateway with more RAM.
It seems to be working without errors now, I've disabled and re-enabled PFblocker… after deleting all the large block lists.
I can now see the pFblocker "tables" under Diagnostics > Tables.
I also think some of these "debug" errors were due to logging being enabled, so if anybody else is still having issues, try disabling that. Where does this even log to anyways? I couldn't find where it was logging to in the console unless it was going directly to system logs.
Thank you very much!
-
FYI,
I'm running Level1, Level2, and Level3 on a system with only 256MB RAM. You don't need more RAM, just increase your Firewall Maximum Table Entries.
marcelloc,
Level1, Level2, and Level3 lists do have 'good' guys in the list but it's an Anti-P2P list. All the IPs have been involved in anti-P2P behavior. That's why I always run Level1 lists at a min. It's actually one of the main reasons why I made IP-Blocklist. -
I use dshield, drop, hijacked etc on Pfsense Box.
I use the level 1, badpeers, etc on Seed Box with PeerBlock.
-
I know it's quite off topic but 'Companies which anti-p2p activity has been seen from' for me means:
Companies that try to detect p2p users, so if you block it, they cant' find your p2p activity.Isn't better using this list to block torrent search like pirate bay?
-
I know it's quite off topic but 'Companies which anti-p2p activity has been seen from' for me means:
Companies that try to detect p2p users, so if you block it, they cant' find your p2p activity.Isn't better using this list to block torrent search like pirate bay?
We're talking about two different things here. This is a bit off topic so I won't go into much detail but basically…
-
If you don't want to get sued for downloading copyrighted material then you block Anti-P2P groups using Level1 among using many other protection techniques
-
If you want to prevent network users from using P2P then you implement Layer7 filtering
Blocking sites like TPB do nothing to prevent P2P traffic from using TPB's trackers. It's moot. That's why Level1 lists has all bad IPs.
I hope this clears it up. -
-
Is it possible to currently use host name block lists with PFblocker?
I'd like to include some known malware URL's. Can that be a feature in an upcoming version?
-
Is it possible to currently use host name block lists with PFblocker?
I'd like to include some known malware URL's. Can that be a feature in an upcoming version?
Host names resolve to IP addresses. You can create your own custom list to be used with pfblocker or try to find a list that meets your needs. There are literally hundreds of lists available for free so I would bet your list is already made for you. Start looking at iblocklist.com
-
I have a problem where the inbound block rule does not get created for the included country lists. I have been installing and testing packages so i have installed havp and snort and uninstalled them and then reinstalled them again, due to trying to identify a problem. Outbound rules can still be created and the alias for both inbound and outbound are fine. But when i select inbound rule deny on the country lists pages it does not create the rule. Even if i stop pfblocker and remove all the lists and readd and then enable pfblocker, it creates the alias and the outbound block but not the rules on wan.
edit: Ok I added a random rule with port 123 on wan and then readded then the lists appeared in the rules and when i changed another country list to inbound deny it showed up. So maybe it is just my rules are not refreshing right and is not related to pfblocker.
-
You need at least one rule created to pfBlocker work on selected interface.
-
Running 2.0-RELEASE (i386) built on Tue Sep 13 17:00:00 EDT 2011 Intel(R) Xeon(TM) CPU 3.06GHz w/ 3gb RAM.
Just loaded and reloaded pfBlocker and I'm finding that if I set outbound to be blocked to spamlist I can still get to India or Russia located sites. Any idea what I might need to do. I have my firewall maximum table entries at 500000.
Thanks.
-
Running 2.0-RELEASE (i386) built on Tue Sep 13 17:00:00 EDT 2011 Intel(R) Xeon(TM) CPU 3.06GHz w/ 3gb RAM.
Just loaded and reloaded pfBlocker and I'm finding that if I set outbound to be blocked to spamlist I can still get to India or Russia located sites. Any idea what I might need to do. I have my firewall maximum table entries at 500000.
Thanks.
What are the sites?
-
194.226.127.34 - http://eng.kremlin.ru
203.199.104.241 - http://www.airindia.inand http://www.prodisney.ru/index.php?page=clones.php
-
Running 2.0-RELEASE (i386) built on Tue Sep 13 17:00:00 EDT 2011 Intel(R) Xeon(TM) CPU 3.06GHz w/ 3gb RAM.
Just loaded and reloaded pfBlocker and I'm finding that if I set outbound to be blocked to spamlist I can still get to India or Russia located sites. Any idea what I might need to do. I have my firewall maximum table entries at 500000.
Thanks.
Are you blocking countries India and Russia or applying a spamlist from ipblocklist?
Enable pfblocker widget. there you can see alias package count hit.
-
I have the spamlist all selected; I was assuming that if the country is in there the entire country would be blocked. Am I wrong?
I will take a look at the widget today.
Thanks!
-
The default way to block spam is inbound as you do not want them to send email to you.
You can also change action to alias only and create a block rule only on inbound smtp connections.
-
If i enable the top spammers alias included in pfblocker on outbound those hostnames you specified are not accessible.
-
If i enable the top spammers alias included in pfblocker on outbound those hostnames you specified are not accessible.
Top spammers is just a shortcut for countries that send many spams.
The best way to block this is changing action to alias only and create an inbound rule denying smtp connections.
-
I chose alias only and set outbound and inbound block; I'm still getting to the sites. The one interesting thing is that before I chose the option block outbound this morning I had it set to block inbound yesterday before I went home and when I loaded the widget this morning it had some packets listed. It doesn't have anything listed right now… I may need to reboot the server; I'll try that later on today.
-
There is no need to reboot, all rules are applied when you save config.
try this:
-
select only one country
-
apply
-
got to diagnostics -> table
-
select alias you applied country
-
check if the websites ip is in any of network CIDRS listed
Just to be sure you understand how rules work.
inbound rules -> applied on source side of wan rules
outbound rules -> applied on destination side of lan rules
Floating rules -> apply rules to block pfsense to reach something -
-
I don't know what is happening, but I just put a specific rule in place of the pfBlocker and the Indian site is still not getting blocked; could it be due to squid?
Thanks!
-
I don't know what is happening, but I just put a specific rule in place of the pfBlocker and the Indian site is still not getting blocked; could it be due to squid?
Thanks!Finally an answer. It's squid. :)
Create the same rule on floating rules.
Squid goes to internet using localhost, so lan rules will not match any squid access.
-
Okay, so question… do I need to have both WAN and LAN selected in the floating rule? I had just one and things seemed to still go through; with both the sites were blocked. I guess it could be that it's cached on my pc here, but I am getting things blocked on another pc with just LAN selected.
Thanks for your help marcelloc!
-
Well, it's time for first release.
pfblocker 1.0 is out. No changes from last beta version.
-
Congratulations! Excellent work marcelloc!
-
Another question… am I supposed to see numbers in the packets column? Mine are blank... Thanks.
-
Another question… am I supposed to see numbers in the packets column? Mine are blank... Thanks.
Numbers will appear only when you have applied rules to aliases pfBlocker creates.
Also post pfsense version and hardware used.
-
Numbers will appear only when you have applied rules to aliases pfBlocker creates.
Also post pfsense version and hardware used.
I have the status showing up and running ver 1.0 pfBlocker on pfSense 2.0 x86; I don't know what else to tell you.
-
I guess the PfBlocker Widget counters are built by scanning the Firewall rule descriptions.
When you use pfBlocker Aliasname in Firewall rules, you have to start the description with pfBlocker Aliasname for the widget to keep track.
in your case "pfBlockerAsia bla bla lba'
however, if you description end with 'rule' it would be recognized as auto generated and removed by pfblocker on save.
I've changed important note for better understanding.
Aliasname something rule will be removed by package.
-
@RonpfS - Thanks for the tip… I would have never figured that out! I at least have 0's showing up now; I'll see if they populate with numbers.
-
Sorry for that. I forgot to include this info in field description.
It will be there in next release.
-
Hey all!
I'm currently am running pfSense RC1 2.0 and Country Block. County Block works perfectly and is very easy to use for a novice like me.
Is pfBlocker as easy to use as County Block to block IPs from specific countries? Are there any documents on-line I can read to learn how to use pfBlocker? I'm upgrading to the latest version of pfSense 2.0 next week and don't want to have any problems.
Unlike everyone else here, I'm not a programming guru. I'm learning, but I have a long way to go!
Thanks! :D
-
Wow - I looked at the screen shots and this is easy to for anyone to use. I'm impressed.
A dumb question - are social networks like Facebook, Twitter, etc? Or is it something else?
-
take a look on ipblocklist website or any other that distribute lists.
If you now socialnetworks ip ranges, you have an option to include in custom list.