PfBlocker

bman212121

Anyone else having problems with lists?

For some reason when PFBlocker is bringing in a list from a text file, it's making up it's own entries. Using the list for qwest ISP

Here is a copy paste of my current text file:


Qwest:67.40.0.0-67.42.255.255
Qwest:155.70.0.0-155.70.255.255
Qwest:205.168.0.0-205.171.255.255
Qwest:204.147.80.0-204.147.95.255
Qwest:71.208.0.0-71.223.255.255
Qwest:208.44.0.0-208.47.255.255
Qwest:66.77.0.0-66.77.255.255
Qwest:216.206.0.0-216.207.255.255
Qwest:71.32.0.0-71.39.255.255
Qwest:206.81.192.0-206.81.223.255
Qwest:206.196.128.0-206.196.159.255
Qwest:63.224.0.0-63.231.255.255
Qwest:65.112.0.0-65.127.255.255
Qwest:63.144.0.0-63.151.255.255
Qwest:63.152.0.0-63.159.255.255
Qwest:63.232.0.0-63.239.255.255
Qwest:209.3.0.0-209.3.255.255
Qwest:209.45.128.0-209.45.255.255
Qwest:209.180.0.0-209.181.255.255
Qwest:209.201.0.0-209.201.127.255
Qwest:209.211.0.0-209.211.255.255
Qwest:216.111.0.0-216.111.255.255
Qwest:216.160.0.0-216.161.255.255
Qwest:207.108.0.0-207.109.255.255
Qwest:207.159.64.0-207.159.127.255
Qwest:207.224.0.0-207.225.255.255
Qwest:206.80.192.0-206.80.223.255
Qwest:205.215.192.0-205.215.223.255
Qwest:204.245.64.0-204.245.127.255
Qwest:204.131.0.0-204.134.255.255
Qwest:204.98.0.0-204.98.255.255
Qwest:204.26.64.0-204.26.127.255
Qwest:199.117.0.0-199.117.255.255
Qwest:198.36.128.0-198.36.255.255
Qwest:198.186.195.0-198.186.198.255
Qwest:198.233.0.0-198.233.255.255
Qwest:198.243.0.0-198.243.255.255
Qwest:192.104.175.0-192.104.180.255
Qwest:192.41.239.0-192.41.243.255
Qwest:168.103.0.0-168.103.255.255
Qwest:151.116.0.0-151.119.255.255
Qwest:150.159.0.0-150.159.255.255
Qwest:148.155.0.0-148.158.255.255
Qwest:144.163.0.0-144.163.255.255
Qwest:137.106.0.0-137.107.255.255
Qwest:130.13.0.0-130.13.255.255
Qwest:75.160.0.0-75.175.255.255
Qwest:72.164.0.0-72.166.255.255
Qwest:70.56.0.0-70.59.255.255
Qwest:68.176.0.0-68.177.255.255
Qwest:69.8.192.0-69.8.255.255
Qwest:67.0.0.0-67.7.255.255
Qwest:67.12.0.0-67.14.159.255
Qwest:67.128.0.0-67.135.255.255
Qwest:67.144.0.0-67.148.255.255
Qwest:66.86.0.0-66.86.255.255
Qwest:65.128.0.0-65.159.255.255
Qwest:65.100.0.0-65.103.255.255
Qwest:97.112.0.0-97.127.255.255
Qwest:174.16.0.0-174.31.255.255

Here is what PFBlocker sets for the table:


130.13.0.0/16	 
130.200.0.0/14	 
130.224.0.0/12	 
131.0.0.0/11	 
132.154.0.0/16	 
132.172.0.0/16	 
134.0.0.0/13	 
134.24.0.0/14	 
134.80.0.0/14	 
135.0.0.0/13	 
135.32.0.0/13	 
137.96.0.0/15	 
137.106.0.0/15	 
138.17.128.0/18	 
140.112.0.0/14	 
142.64.0.0/13	 
143.160.0.0/12	 
144.163.0.0/16	 
145.72.0.0/14	 
148.152.0.0/14	 
150.159.0.0/16	 
151.64.0.0/12	 
151.116.0.0/14	 
155.70.0.0/16	 
162.11.72.96/28	 
168.103.0.0/16	 
174.16.0.0/12	 
192.41.232.0/21	 
192.104.168.0/21	 
194.224.0.0/12	 
198.36.128.0/17	 
198.186.192.0/22	 
198.233.0.0/16	 
198.243.0.0/16	 
199.117.0.0/16	 
204.26.64.0/18	 
204.98.0.0/16	 
204.128.0.0/14	 
204.147.80.0/20	 
204.245.64.0/18	 
205.168.0.0/14	 
205.215.192.0/19	 
206.80.192.0/19	 
206.81.192.0/19	 
206.196.128.0/19	 
207.108.0.0/15	 
207.159.64.0/18	 
207.224.0.0/15	 
208.44.0.0/14	 
209.3.0.0/16	 
209.45.128.0/17	 
209.180.0.0/15	 
209.201.0.0/17	 
209.211.0.0/16	 
216.111.0.0/16	 
216.160.0.0/15	 
216.206.0.0/15	 
254.64.0.0/13	 
254.96.0.0/13	 
255.128.0.0/13	 
255.160.0.0/13

I've looked over the list a few times and can't find any typos. One of the ranges includes dell.com

143.160.0.0/12

No where is that defined in the list, but somehow it ends up in the table.

I took a small chunk of the file and it looks like PFBlocker isn't correctly pulling in any of the addresses with only 2 digits in them.

I'm not running 2.0 release yet… but I'm not sure if that would have anything to do with this.

hankjrfan00

I am getting this in the System Log. Any ideas?


php: : The command '/usr/local/pkg/pf/IP-Blocklist.sh start' returned exit code '2', the output was 'not running root: IP-Blocklist was found not running 0 table 
deleted. 0 table deleted. rm: /tmp/rules.debug.tmp: No such file or directory /usr/local/pkg/pf/IP-Blocklist.sh: cannot create /usr/local/www/packages/ipblocklist
/errorOUT.txt: No such file or directory rm: /tmp/rules.debug.tmp: No such file or directory 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 
26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 
77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 cat: /usr/local/www/packages/ipblocklist/interfaces.txt: No such file or directory 93 94 95 96 97 98 99 100 101 
102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 
139 140 141 142 143 144 145 146 147 rm: /usr/local/www/pac

pfsense1.png_thumb

marcelloc

Bman2121,
When you pass a range, pfBlocker will find a CIDR that matches it.
I saw in your list a realy large range( > /16).
Change this list to a CIDR format and see what happens.

marcelloc

hankjrfan00,

It's related to ip-blocklist package.
If you had removed it, maybe you need to delete this remaining script.

'/usr/local/pkg/pf/IP-Blocklist.sh start'

Also look for ipblocklist scripts in /usr/local/etc/rc.d

hankjrfan00

@marcelloc:

hankjrfan00,

It's related to ip-blocklist package.
If you had removed it, maybe you need to delete this remaining script.

'/usr/local/pkg/pf/IP-Blocklist.sh start'

Also look for ipblocklist scripts in /usr/local/etc/rc.d

Thanks! Removing '/usr/local/pkg/pf/IP-Blocklist.sh' seems to have fixed the problem!

RonpfS

Ran into problems today, rules were not applied correctly … anyhow.
I removed pfblocker for my test, but the tables were still there.
The widget was also complaining
I removed /var/db/aliastables/pfBblocker* but I can still see them in Diagnositic: Table !

How to remove them?

So I reinstalled pfBlocker, create a table with the same name, with no list, nothing happenned.
I added a list, the table was recreated ... fine ;o)
I I renamed it to the second table, table is renamed ok.
Now I delete the table ... nothing happens, table still present
I disabled pfBlocker, all the tables were gone :D
I enabled pfBlocker, the old tables were finaly gone.

So I created another table, I deleted it but the table remain available until your click Save in Firewall: pfBlocker: General
Do we need a Save or Apply changes button under Firewall: pfBlocker: Lists?

RonpfS

How/where could I apply a pfBlocker list to filter inbound traffic on a NAT-PMP port created by miniupnpd?

marcelloc

@RonpfS:

How/where could I apply a pfBlocker list to filter inbound traffic on a NAT-PMP port created by miniupnpd?

Try first on floating rules and go testing access with tcpdump on console.

ipv6kid

Found a few good pfBlocker compatible blocklists:

I am specifically worried about Malware.

formats: txt

Known AD server IPs:
http://pgl.yoyo.org/adservers/iplist.php?ipformat=peerblock&showintro=0&mimetype=plaintext
Main page: http://pgl.yoyo.org/adservers/

Malcode (anti-malware):
http://malc0de.com/bl/IP_Blacklist.txt

AMaDa C&C IP Blocklist:
http://amada.abuse.ch/blocklist.php?download=ipblocklist

abuse.ch ZeuS IP blocklist:
http://www.abuse.ch/zeustracker/blocklist.php?download=ipblocklist

Sucuri Security Malware Scanning IPs:
http://tools.sucuri.net/blacklist/MS-iplist.txt
CI Army Malicious IP List:
http://www.ciarmy.com/list/ci-badguys.txt

Russian Business Network:
http://doc.emergingthreats.net/pub/Main/RussianBusinessNetwork/RussianBusinessNetworkIPs.txt

marcelloc

Thanks for your contribution.

Do you know how often its Updated?

ipv6kid

I don't know how often the advertising blacklist is updated, it doesn't seem to be very effective. I'm the "cup half full" type of person so I block those IP's anyways.

As to the known malware IP's, I believe from looking at the commented-out time stamp within the files they look to be updated daily.

ipv6kid

Can somebody please tell me why PFblocker widget isn't showing all my block lists as being blocked?

Specifically the Russian Business Network Malverisers IP list is working however their CI Army list is not…. but the IP lists are of the same structure.

Working: http://rules.emergingthreats.net/blockrules/rbn-malvertisers-ips.txt

Not working or showing on Pfblocker widget: http://www.ciarmy.com/list/ci-badguys.txt

Please help!

marcelloc

Check first in diagnostics tables if this list was filled up.

Then check rule description for this alias rule.

ipv6kid

@marcelloc:

Check first in diagnostics tables if this list was filled up.

Then check rule description for this alias rule.

Can you please explain this in further detail? I don't see alias rules for these lists, shouldn't they have been automatically made?

Bummer

The pfBlocker is great! It's easy to use and very effective! Thank you!

I have 2 dumb questions.

I have Russia blocked but need to allow for the access to my network from the IP 213.238.8.10. I looked up the CiDR for it. How do I enter the IP to allow it past the Russia block list?

CIDR results for 213.238.8.10
213.238.8.10/32 = 213.238.8.10 through 213.238.8.10 [1 IP - Single IP]
213.238.8.10/31 = 213.238.8.10 through 213.238.8.11 [2 IPs]
213.238.8.8/30 = 213.238.8.8 through 213.238.8.11 [4 IPs]
213.238.8.8/29 = 213.238.8.8 through 213.238.8.15 [8 IPs]
213.238.8.0/28 = 213.238.8.0 through 213.238.8.15 [16 IPs]
213.238.8.0/27 = 213.238.8.0 through 213.238.8.31 [32 IPs]
213.238.8.0/26 = 213.238.8.0 through 213.238.8.63 [64 IPs]
213.238.8.0/25 = 213.238.8.0 through 213.238.8.127 [128 IPs]
213.238.8.0/24 = 213.238.8.0 through 213.238.8.255 [256 IPs - Class C]
213.238.8.0/23 = 213.238.8.0 through 213.238.9.255 [512 IPs]
213.238.8.0/22 = 213.238.8.0 through 213.238.11.255 [1024 IPs]
213.238.8.0/21 = 213.238.8.0 through 213.238.15.255 [2048 IPs]
213.238.0.0/20 = 213.238.0.0 through 213.238.15.255 [4096 IPs]
213.238.0.0/19 = 213.238.0.0 through 213.238.31.255 [8192 IPs]
213.238.0.0/18 = 213.238.0.0 through 213.238.63.255 [16384 IPs]
213.238.0.0/17 = 213.238.0.0 through 213.238.127.255 [32768 IPs]
213.238.0.0/16 = 213.238.0.0 through 213.238.255.255 [65536 IPs - Class B]
213.238.0.0/15 = 213.238.0.0 through 213.239.255.255 [131072 IPs]
213.236.0.0/14 = 213.236.0.0 through 213.239.255.255 [262144 IPs]
213.232.0.0/13 = 213.232.0.0 through 213.239.255.255 [524288 IPs]
213.224.0.0/12 = 213.224.0.0 through 213.239.255.255 [1048576 IPs]
213.224.0.0/11 = 213.224.0.0 through 213.255.255.255 [2097152 IPs]
213.192.0.0/10 = 213.192.0.0 through 213.255.255.255 [4194304 IPs]
213.128.0.0/9 = 213.128.0.0 through 213.255.255.255 [8388608 IPs]
213.0.0.0/8 = 213.0.0.0 through 213.255.255.255 [16777216 IPs - Class A]
212.0.0.0/7 = 212.0.0.0 through 213.255.255.255 [33554432 IPs]
212.0.0.0/6 = 212.0.0.0 through 215.255.255.255 [67108864 IPs]
208.0.0.0/5 = 208.0.0.0 through 215.255.255.255 [134217728 IPs]
208.0.0.0/4 = 208.0.0.0 through 223.255.255.255 [268435456 IPs]
192.0.0.0/3 = 192.0.0.0 through 223.255.255.255 [536870912 IPs]
192.0.0.0/2 = 192.0.0.0 through 255.255.255.255 [1073741824 IPs]
128.0.0.0/1 = 128.0.0.0 through 255.255.255.255 [2147483648 IPs]

I would like to go view the stats of what is blocked by pfBlocker. I saw your screen capture at the beginning of the pfBlocker forum. Where or how do I access this?

Again, great work!

grazman

@hankjrfan00:

I am getting this in the System Log. Any ideas?
php: : The command '/usr/local/pkg/pf/IP-Blocklist.sh start' returned exit code '2', the output was 'not running root: IP-Blocklist was found not running 0 table 
deleted. 0 table deleted. rm: /tmp/rules.debug.tmp: No such file or directory /usr/local/pkg/pf/IP-Blocklist.sh: cannot create /usr/local/www/packages/ipblocklist
/errorOUT.txt: No such file or directory rm: /tmp/rules.debug.tmp: No such file or directory 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 
26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 
77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 cat: /usr/local/www/packages/ipblocklist/interfaces.txt: No such file or directory 93 94 95 96 97 98 99 100 101 
102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 
139 140 141 142 143 144 145 146 147 rm: /usr/local/www/pac
I might make the suggestion that pfblocker uninstall runs a script to clean it out of the packages directory (and any directories it leaves behind there). While one could go to do this manually (especially if you had country block before), it makes more sense to remove the scripts and files it creates there so a reinstall will keep this type of thing from happening.

If not a BIG FAT STICKY that tells people what they need to do would probably keep these types of messages from having to be posted.

Essentially, manually remove:

/usr/local/www/packages/pfblock* and the other two related directories, especially the one with the startup script. It doesn't unintall cleanly or reinstall cleanly.

marcelloc

Grazman,

It's related to ip-blocklist package.
If you had removed it, maybe you need to delete this remaining script.

'/usr/local/pkg/pf/IP-Blocklist.sh'

Also look for ipblocklist scripts in /usr/local/etc/rc.d

marcelloc

The pfBlocker is great! It's easy to use and very effective! Thank you!

I have 2 dumb questions.

I have Russia blocked but need to allow for the access to my network from the IP 213.238.8.10. I looked up the CiDR for it. How do I enter the IP to allow it past the Russia block list?

Create a new list, choose action allow inbound and paste your networks in custom list.

Bummer

So you're saying my new list will over ride the other lists by default?

Also, what format to I put the IPs in? Is it listed as below?

213.238.8.10/32

Sorry to be so stupid on this.

Thanks!

marcelloc

whitelist(allow) rules are applied before blacklists(deny).

the custom list is in CIDR format, so if its only one ip address 213.238.8.10/32 is fine.