PfBlocker
-
I'm looking forward to trying the new package, when you'll add configurable update frequency.
Maybe today.
I'll also check ips without netmask to be able to include dshield.org lists compatibility.
-
Did you tried to reaply pfBlocker config, after increasing Firewall Maximum Table Entries to 1000000?
It seems that your change in "Firewall Maximum Table Entries" value did not take effect.
Cannot allocate memory pfctl: Syntax error in config file error is exactly what happens when "Firewall Maximum Table Entries" is lower then applied table size.
EDIT
Last package update was about 08 hours ago without version changing, so try to reinstall package to be sure you are on latest version.Double checked Maximum Table Entries in /System/Advanced/Firewall-NAT, uninstalled and reinstalled package, even rebooted box, still same error. Only other packages running are Snort, Unbound and Cron.
-
I'm looking forward to trying the new package, when you'll add configurable update frequency.
I'm currently using a couple of shell scripts, to add pf tables of unwanted IPs to pfsense, e.g.
http://www.spamhaus.org/drop/drop.lasso
DROP (Don't Route Or Peer) is an advisory "drop all traffic" list, consisting of stolen 'hijacked' netblocks and netblocks controlled entirely by professional spammers. DROP is a tiny subset of the SBL designed for use by firewalls and routing equipment.http://feeds.dshield.org/top10-2.txt
DShield's current Most Active Attacking IPs
(Same data as is used on DShield.org Top 10 Most Wanted.)
0 = IP Address, 1 = Resolved domain of IP Addresswhich are both updated on a daily basis.
iblocklist.com has a the DROP list from spamhaus.org URL: http://list.iblocklist.com/?list=sh_drop&fileformat=p2p&archiveformat=gz
iblocklist.com also has the dshield list from Bluetack URL: http://list.iblocklist.com/?list=bt_dshield&fileformat=p2p&archiveformat=gz
iblocklist.com has many lists in p2p format.
-
@onhel:
Double checked Maximum Table Entries in /System/Advanced/Firewall-NAT, uninstalled and reinstalled package, even rebooted box, still same error. Only other packages running are Snort, Unbound and Cron.
send me your lists in PM. I'll try on my vm.
-
Great, I look forward to it.
Actually, I think pfsense would benefit from an enhanced aliastable feature, that would maintain (collect data, process, store) IP ranges of interest as text files in CIDR-notation fomat in /var/db/aliastables and load them into pf tables.
Those would include the usual IP black-list sources (e.g. Spamhaus' drop.lasso, DShield etc), country IP ranges (though I personally don't favor the practice of blocking entire countries) but also IP ranges of popular sites (Amazon EC2, Facebook, Google, Hotmail, SAP) to be black-listed or white-listed.
I think it's a feature that will be increasingly asked for, as more companies move to SaaS http://en.wikipedia.org/wiki/Software_as_a_service provider
In fact I recently suggested it Feature #1901: Maintain IP range tables for popular Internet sites having that in mind.
-
Great, I look forward to it.
Actually, I think pfsense would benefit from an enhanced aliastable feature, that would maintain (collect data, process, store) IP ranges of interest as text files in CIDR-notation fomat in /var/db/aliastables and load them into pf tables.
Those would include the usual IP black-list sources (e.g. Spamhaus' drop.lasso, DShield etc), country IP ranges (though I personally don't favor the practice of blocking entire countries) but also IP ranges of popular sites (Amazon EC2, Facebook, Google, Hotmail, SAP) to be black-listed or white-listed.
I think it's a feature that will be increasingly asked for, as more companies move to SaaS http://en.wikipedia.org/wiki/Software_as_a_service provider
In fact I recently suggested it Feature #1901: Maintain IP range tables for popular Internet sites having that in mind.
Isn't this the main feature of pfBlocker lists??
-
Isn't this the main feature of pfBlocker lists??
Yup. Exactly.
dhatz,
iblocklist.com has all those lists you asked for and more. p2p is a widely used format and is incredibly popular across many websites.…Actually, I think pfsense would benefit from an enhanced aliastable feature, that would maintain (collect data, process, store) IP ranges of interest as text files in CIDR-notation fomat in /var/db/aliastables and load them into pf tables….
That is exactly what is working in pfblocker right now!
….Those would include the usual IP black-list sources (e.g. Spamhaus' drop.lasso, DShield etc), country IP ranges (though I personally don't favor the practice of blocking entire countries) but also IP ranges of popular sites (Amazon EC2, Facebook, Google, Hotmail, SAP) to be black-listed or white-listed….
That is exactly what the ipblocklist feature does in pfblocker. Your lists just have to follow p2p format which iblocklist.com has for the lists that you want!
pfblocker gives users more power when it comes to blocking IP ranges (country sources and list sources), whitelisting IP ranges (country sources and list sources), whitelisting popular IPs of sites like Google, Hotmail, etc, and are updated frequently by the list maintainer.
pfblocker already does everything that you are asking for! -
Well, I haven't tried it yet, but given the name pfBlocker I assumed it was mainly about blocking :D
PS: How "safe" is list.iblocklist.com as a source (site security, DNS hijacking, GPG signing etc) ?
-
Well, I haven't tried it yet, but given the name pfBlocker I assumed it was mainly about blocking :D
lol, so you're asking for features without even testing the software? Thanks.
-
Well, I haven't tried it yet, but given the name pfBlocker I assumed it was mainly about blocking :D
PS: How "safe" is list.iblocklist.com as a source (site security, DNS hijacking, GPG signing etc) ?
I will follow Johnnybe suggestion and increase pfBlocker description for better understanding.
-
-
Well, I haven't tried it yet, but given the name pfBlocker I assumed it was mainly about blocking :D
PS: How "safe" is list.iblocklist.com as a source (site security, DNS hijacking, GPG signing etc) ?
I will follow Johnnybe suggestion and increase pfBlocker description for better understanding.
Sounds good. Do it… do it. Thanks. ;D
-
php: : There were error(s) loading the rules: /tmp/rules.debug:18: cannot define table pfBlockerInbound: Cannot allocate memory pfctl: Syntax error in config file: pf rules not loaded - The line in question reads [18]: table <pfblockerinbound> persist file "/var/db/aliastables/pfBlockerInbound.txt" Oct 30 02:11:29 php: : New alert found: There were error(s) loading the rules: /tmp/rules.debug:18: cannot define table pfBlockerInbound: Cannot allocate memory pfctl: Syntax error in config file: pf rules not loaded The line in question reads [18]: table <pfblockerinbound> persist file "/var/db/aliastables/pfBlockerInbound.txt" Oct 30 02:11:26 php: : The command '/sbin/pfctl -o basic -f /tmp/rules.debug' returned exit code '1', the output was '/tmp/rules.debug:18: cannot define table pfBlockerInbound: Cannot allocate memory pfctl: Syntax error in config file: pf rules not loaded'</pfblockerinbound></pfblockerinbound>I seems to be a table hard limit. Even when setting Firewall Maximum Table Entries higher then 900000, pfctl fails to apply tables larger then this value.EDIT:
There is no hard limit.
I found two issues:-
pfsense Firewall Maximum Table Entries option may require to be 2x table size applied. I'm checking this.
-
To increase a table in pfctl, you must kill it to free old table used and create a new one. patch applied to pfBlocker
pfBlocker 0.1.4 will include these fixes.
-
-
@onhel:
PM sent, thank you.
Take a look on description of lists you selected. Level1 list from iblocklist is not nasty.
List Information
List name: level1
Author: Bluetack
Author's website: bluetack.co.uk
Author's description:
Companies or organizations who are clearly involved with trying to stop filesharing.
Companies which anti-p2p activity has been seen from.
Companies that produce or have a strong financial interest in copyrighted material.
Government ranges or companies that have a strong financial interest in doing work for governments.
Legal industry ranges.
IPs or ranges of ISPs from which anti-p2p activity has been observed. -
Just want to confirm that the current version has resolved the problem that I reported in the country block thread.
I am still unable to deselect a country from the country lists. Once I have clicked in to a list I am unable to select none. If you could add a blank line that does not apply any list that could resolve it. Maybe that problem is browser specific?
-
I am still unable to deselect a country from the country lists. Once I have clicked in to a list I am unable to select none. If you could add a blank line that does not apply any list that could resolve it. Maybe that problem is browser specific?
Just hold CTRL and then unselect country.
-
Just curious – what is actually the point of this? Would not the default block rule just drop packets from these IPs anyway, unless they were in answer to something you requested in the first place.
Why would you be talking to these IPs in the first place, so other than say not logging this traffic Im not quite grasping the point of this package other than say something like running p2p software and you don't want to connect to any of these IPs, etc.
-
Just curious – what is actually the point of this? Would not the default block rule just drop packets from these IPs anyway, unless they were in answer to something you requested in the first place.
Why would you be talking to these IPs in the first place, so other than say not logging this traffic Im not quite grasping the point of this package other than say something like running p2p software and you don't want to connect to any of these IPs, etc.
Lets say you run an email relay or have a website but you constantly get SPAMd or your website constantly gets hit by bad IPs. What can you do to block them all? Nothing really unless you take all your time and dedicate it to blocking each individual IP AFTER something was done.
What if you run a hotel or an open AP but you don't want people to visit mass sites or use p2p that is encrypted that gets past any layer7 filter.Basically the uses and abilities of this package are endless. This package has it all and will help network admins secure their network even easier.
I have a user that works at a nuclear research facility. He uses countryblock to avoid other countries from corporate espionage. After using countryblock to block countries they don't have any business with their network attacks immediately dropped significantly. The benefits of this package is outstanding for admins all around the world.
-
version 0.1.4 is almost done.
some fixes and new gui options will be included for even more control on lists.
-
Yeah that dawned on me after I posted ;) If your running any sort of service that is open to the public, email/web/ntpd/ftp/etc then yeah it makes sense.. Might have to give it a test run, what would be nice is if it logged hits to this rule in a different log vs just firewall log so could see what kind of traffic getting from the bad IPs – for curiosity sake.
I don't really run anything open to the public other than p2p and ntpd (pool.ntp member) My ssh and openvpn access is locked down to require cert, etc. So no issue with bruteforce and and have linux box that runs sshd blocking IPs on 4 bad attempts anyway to keep the logs from filling up.
-
If possible could you add in block lists for the following hostile lists:
- Russian Business Network (bad), dshield and botnet CnCs - http://rules.emergingthreats.net/fwrules/emerging-Block-IPs.txt
- Compromised hosts - rules.emergingthreats.net/blockrules/compromised-ips.txt
- Russian business network malvertisers - http://rules.emergingthreats.net/blockrules/rbn-malvertisers-ips.txt
- Ciarmy list - http://ciarmy.com/
I blocked these inbound and outbound on my firewall already by linking a URL alias to these lists so it downloads them and then put that Alias in a block all traffic to and from on LAN & WAN interfaces and that stops my network talking to these IPs.
It would be nice though to have a tool where I could say click to block them and it will put the correct block in the firewall. You can get seperate lists for Dshield, RBN etc. I think this would help extend lots of blocking capabilities of bad hosts, malware command and control servers, bad servers distributing malware etc to normal users.
-
If possible could you add in block lists for the following hostile lists:
- Russian Business Network (bad), dshield and botnet CnCs - http://rules.emergingthreats.net/fwrules/emerging-Block-IPs.txt
- Compromised hosts - rules.emergingthreats.net/blockrules/compromised-ips.txt
- Russian business network malvertisers - http://rules.emergingthreats.net/blockrules/rbn-malvertisers-ips.txt
- Ciarmy list - http://ciarmy.com/
I blocked these inbound and outbound on my firewall already by linking a URL alias to these lists so it downloads them and then put that Alias in a block all traffic to and from on LAN & WAN interfaces and that stops my network talking to these IPs.
It would be nice though to have a tool where I could say click to block them and it will put the correct block in the firewall. You can get seperate lists for Dshield, RBN etc. I think this would help extend lots of blocking capabilities of bad hosts, malware command and control servers, bad servers distributing malware etc to normal users.
It will be in version 0.1.4. these lists has only single ips.
-
The first one (http://rules.emergingthreats.net/fwrules/emerging-Block-IPs.txt) is a mix of single IPs and CIDR, apparently discrete lists concatenated one after another.
-
The first one (http://rules.emergingthreats.net/fwrules/emerging-Block-IPs.txt) is a mix of single IPs and CIDR, apparently discrete lists concatenated one after another.
That list seems to be a combination of some lists on iblocklist.com. It looks like it's already available in a format that pfblocker could use in version 1.3.
Check iblocklist.com for any lists that you want. I'm guessing chances are it's there. -
interesting package !
can I use all list with an Alix box ? (AMD Geode / 256 MB RAM), I use 37% of RAM on my system.
-
pfBlocker version 1.4 is out.
Main improvements:
-
Url Lists now has it's own tab and many new options, including reading local files instead of urls
-
Each continent as well top spammers has it's own alias and rule action.
-
pfBlocker now reads CIDR, ips and network rages on files/urls.
-
More intuitive way to choose action in lists.
-
More control checks to avoid pfctrl error messages
I will wait feedback about these changes and stability before coding update frequency lists.
We are almost there.
-
-
just updated to new version and there is a problem with widget
enabling it will cause other widgets (not all) not to be displayed (ex : interface statistics)
-
Congratulations guys! :)
This looks like an outstanding package. Genuinely useful.Steve
-
just updated to new version and there is a problem with widget
enabling it will cause other widgets (not all) not to be displayed (ex : interface statistics)
I will take a look.EDIT
Fixed. Reinstall package in about 15 minutes to get fixed widget file.
-
nice work!!! its working nicely on my 2.1-dev box
-
After a reboot, I did receive an error alert but the list still loaded:
There were error(s) loading the rules: /tmp/rules.debug:21: cannot load "/var/db/aliastables/pfBlockerTopSpammers.txt": No such file or directory /tmp/rules.debug:23: cannot load "/var/db/aliastablespfBlockerBadGuys.txt": No such file or directory pfctl: Syntax error in config file: pf rules not loaded - The line in question reads [21]: table <pfblockertopspammers>persist file "/var/db/aliastables/pfBlockerTopSpammers.txt"</pfblockertopspammers> -
This happens when pfBlocker is running While filter reloads. Boot is one of these cases.
This is not a big deal as pfBlocker call filter reload when finish.
-
I figured it would be normal but wanted to share just in-case
-
I would recommend you to detect that you are at boot phase and do not don anything.
I generally do not like that packages call filter_configure() but rather would like packages to go and use pfctl themselves and exploit the anchors, though it needs more familiarity with pfctl.
-
just updated to new version and there is a problem with widget
enabling it will cause other widgets (not all) not to be displayed (ex : interface statistics)
I will take a look.EDIT
Fixed. Reinstall package in about 15 minutes to get fixed widget file.
thx, I confirm that it works now !
-
@ermal:
I would recommend you to detect that you are at boot phase and do not don anything.
OK, I will find a way.
@ermal:
I generally do not like that packages call filter_configure() but rather would like packages to go and use pfctl themselves and exploit the anchors, though it needs more familiarity with pfctl.
The first generation of this package (countryblock) was editing /tmp/rules.debug. cmd asked tommyboy to change the way package apply rules.
The fist idea to improve stability was using pfsense 2.0 native options to edit rules. So current version of pfblocker create aliases, rules and then apply with filter_configure(). This was the best way I found to apply rules when users saves pfBlocker's conf. -
Great package. I have installed the latest version and I am wondering what happened to the deny inbound/outbound option? There are cases where you may block traffic to and from these countries (like countries which both do a lot of attacks, spam etc and host a lot of malware you do not want your users contacting. Is it possible to put that back in please? Thank you
-
Re-Installed 0.1.4 working fine
one detail … Package Info link still points to Country Block http://forum.pfsense.org/index.php/topic,25732.0.html -
I try to update very large blocklist and I get error:
Fatal error: Allowed memory size of 134217728 bytes exhausted (tried to allocate 10106374 bytes) in /usr/local/pkg/pfblocker.inc on line 248
Same list work with IP-blocklist.
And after I put some smaller bloclist I get another error:
php: : There were error(s) loading the rules: /tmp/rules.debug:21: cannot define table pfBlockerblocklist: Cannot allocate memory pfctl: Syntax error in config file: pf rules not loaded - The line in question reads [21]: table <pfblockerblocklist>persist file "/var/db/aliastables/pfBlockerblocklist.txt"</pfblockerblocklist>
-
Great package. I have installed the latest version and I am wondering what happened to the deny inbound/outbound option? There are cases where you may block traffic to and from these countries (like countries which both do a lot of attacks, spam etc and host a lot of malware you do not want your users contacting.
In special cases, you can choose alias only option and create your own rule using alias pfBlocker created.
You can also add this list into two aliases and block inbound one and block outbound other.
Is it possible to put that back in please?
Not sure but I'll take a note.
