PfBlocker
pfSense Packages
896 Posts 143 Posters 1.3m Views
ccb056

      This package seems not to work with multiple WAN interfaces.  When more than 1 inbound interface is selected the firewall rules are only added to the 1 WAN interface.

ccb056

Hi marcello, I got the multiple WAN interfaces working by adding a dummy rule and then starting pfblocker.

        One thing I notice is when lists are added they consume RAM but when the list is removed the RAM is not returned.

Thank you!

marcelloc

          If you have no rules on inbound interfaces, you are already blocking everything.

The memory usage is controlled by FreeBSD; there is no code to keep lists in memory after apply config is finished.

Elite Training: http://sys-squad.com

          Help a community developer! ;D

tommyboy180

            Memory consumed by the system will go inactive when not in use, like when you stop pfblocker or delete tables. That physical memory is still allocated by the OS for a period of time before it's released back into a shared pool.

That memory will return to the OS after a little while.

            -Tom Schaefer
            SuperMicro 1U 2X Intel pro/1000 Dual Core Intel 2.2 Ghz - 2 Gig RAM

            Please support pfBlocker | File Browser | Strikeback

LinuxTracker

              A screencap of 21 hours of spam blocking.

              CustomSpamList and CorpSpam are the lists I maintain in response to the spams we get.
              Considering this is for less than 10 email accounts I find these numbers appalling.

              We still have about 10 spams get through each day, mostly sent from compromised Hotmail/Yahoo accounts.

              I'm hoping postfix will help me achieve total-spam-free-ness.

ccb056

I have noticed that when using some I-Blocklist lists in deny inbound and deny outbound with P2P file formats, DNS stops working for the machines on my LAN side, but when I switch to CIDR file formats DNS works.

marcelloc

P2P lists are converted to CIDR format after download. If a P2P range generates a network mask bigger than /16, pfBlocker will try to find a network CIDR for it, which could result in a /12 or /8 network. In this situation, you may have some non-blacklisted IPs blocked.

CIDR is the recommended format for lists.

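The conversion marcelloc describes can be made concrete. The script below is an added example, not pfBlocker's own code: it parses P2P-format lines (`name:first-last`), produces both the exact CIDR decomposition of each range and the single smallest covering network, and counts how many addresses outside the listed range that covering network would also block. The sample list is constructed from documentation address ranges, and the rule "fall back to one covering network when the exact decomposition needs a mask wider than /16" is an assumption modelled on the post, not read from pfBlocker's source.

```python
"""Convert P2P-format blocklist ranges to CIDR and measure over-blocking.

Added example; this is not pfBlocker's code. A P2P list line reads
"description:first_ip-last_ip". The post above says pfBlocker converts such
ranges to CIDR after download and, when the range needs a mask wider than
/16, substitutes one covering network (possibly a /12 or /8), which can
block addresses the list never contained. Both conversions are shown here;
the /16 cut-off is modelled as an assumption, not taken from pfBlocker.
"""
import ipaddress

# Constructed sample list using documentation address ranges, not a real feed.
SAMPLE_P2P = """\
# name:first-last
Example Ads Network:192.0.2.0-192.0.2.255
Example Spam Source:198.51.100.10-198.51.100.20
Wide Example Range:203.0.0.0-203.16.255.255
"""


def parse_p2p(text):
    """Yield (name, first_ip, last_ip) for each non-comment P2P line."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, _, span = line.rpartition(":")   # names may contain ':'
        first, _, last = span.partition("-")
        yield name, ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)


def exact_cidrs(first, last):
    """Smallest set of networks covering exactly first..last."""
    return list(ipaddress.summarize_address_range(first, last))


def covering_cidr(first, last):
    """Single smallest network containing both first and last."""
    a, b = int(first), int(last)
    prefix = 32
    while prefix > 0 and (a >> (32 - prefix)) != (b >> (32 - prefix)):
        prefix -= 1
    base = (a >> (32 - prefix)) << (32 - prefix)
    return ipaddress.IPv4Network((base, prefix))


def loaded_entries(first, last, widest_exact_prefix=16):
    """Assumed pfBlocker-style policy: keep the exact decomposition unless it
    needs a mask wider than /widest_exact_prefix, then load one covering
    network instead."""
    exact = exact_cidrs(first, last)
    if all(net.prefixlen >= widest_exact_prefix for net in exact):
        return exact
    return [covering_cidr(first, last)]


def convert_p2p(text, widest_exact_prefix=16):
    """Per range: exact CIDRs, single covering CIDR, what would be loaded, and
    how many addresses outside the listed range the loaded entries block."""
    report = {}
    for name, first, last in parse_p2p(text):
        loaded = loaded_entries(first, last, widest_exact_prefix)
        listed = int(last) - int(first) + 1
        blocked = sum(net.num_addresses for net in loaded)
        report[name] = {
            "exact": exact_cidrs(first, last),
            "covering": covering_cidr(first, last),
            "loaded": loaded,
            "overblocked": blocked - listed,
        }
    return report


if __name__ == "__main__":
    for name, info in convert_p2p(SAMPLE_P2P).items():
        print(f"{name}: loads {[str(n) for n in info['loaded']]}, "
              f"over-blocks {info['overblocked']} addresses")
```

Running it shows why CIDR is the safer input format: the wide sample range decomposes exactly into a /12 plus a /16, but the single covering network is a /11 that blocks 983,040 addresses the list never named. Feeding a list that is already in CIDR form skips the range-to-prefix step entirely, so nothing outside the published entries is ever added to the table.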
gpapaiko

                    Hi,

                    Like the package -  great work.

I was just wondering if you plan on creating a report or some kind of logs where it breaks down the attacks by country.
The dashboard widget is great as this gives it to you by region; if you can add the option to break it down by country and source (interface) that would be even better.
This way it will give us the ability to see where the attacks are coming from.

                    Regards.

                    George

marcelloc

                      No plans for that. :(
                      The continent based alias is there to reduce rules and for easy configuration.

All denied rules will be logged if you select this feature, but you will need to look up the IP's source country the same way.

Imagine an alias for each country. You can build these custom lists by downloading from the countryblock website, but I think you will need a subscription for that.

LinuxTracker

malc0de.com keeps up a realtime list of malware-serving IP addresses.

This list -> http://malc0de.com/bl/IP_Blacklist.txt will autoupdate and works in the pfBlocker lists section.

                        More on malc0de -> http://malc0de.com/dashboard/
                        malc0de's searchable database -> http://malc0de.com/database/

                        The malware list contains the malicious IP, referenced in the following Webroot blog:
                        http://blog.webroot.com/2012/01/25/researchers-intercept-a-client-side-exploits-serving-malware-campaign/
                        That's a good sign it's kept up to date.

taryezveb

                          @LinuxTracker:

malc0de.com keeps up a realtime list of malware-serving IP addresses.

This list -> http://malc0de.com/bl/IP_Blacklist.txt will autoupdate and works in the pfBlocker lists section.

                          More on malc0de -> http://malc0de.com/dashboard/
                          malc0de's searchable database -> http://malc0de.com/database/

                          The malware list contains the malicious IP, referenced in the following Webroot blog:
                          http://blog.webroot.com/2012/01/25/researchers-intercept-a-client-side-exploits-serving-malware-campaign/
                          That's a good sign it's kept up to date.

Thanks for all the information you have posted.

LinuxTracker

                            @LinuxTracker:

malc0de.com keeps up a realtime list of malware-serving IP addresses.

This list -> http://malc0de.com/bl/IP_Blacklist.txt will autoupdate and works in the pfBlocker lists section.

                            2nd Update: After running this for a while I noticed more unexpected site blocking.
                            It may only be one or two IP addresses, but it trapped a lot of outgoing packets to media servers.

                            I'm withholding any recommendation until I have the time to study the list - a couple of weeks.

                            note: The only verified contact I have for malc0de is their Twitter feed.

                            Thanks.

                            Update:
                            I added the lists to pfBlocker last night and found 2 unexpected site blocks.

                            First was web.archive.org. Malc0de's entry is here.
                            I guess archive.org is caching some malicious files.

Second is the IP 72.21.91.19, which is an Edgecast address used for video streaming by break.com, wnd.com, Breitbart, MySpace and others.
                            A burner app from that IP was flagged for a few days, by ThreatExpert.

                            I whitelisted the 1st IP and sent a synopsis to the Web Archive.
                            I tweeted a request to Malc0de to delist the 2nd.

                            Meanwhile, I'll keep evaluating.

mdima

                              @ccb056:

Hi marcello, I got the multiple WAN interfaces working by adding a dummy rule and then starting pfblocker.

                              One thing I notice is when lists are added they consume RAM but when the list is removed the RAM is not returned.

Thank you!

                              Hi,
I have multiple LAN interfaces (I added LAN and my DMZ). When I see the firewall rules of the WAN interface, the pfBlocker rules are present 2 times (the same rules, added two times: Rule 1, Rule 2, Rule 3, Rule 1, Rule 2, Rule 3).

Anyway, this does not affect anything, so don't worry…

                              Ciao,
                              Michele

marcelloc

                                @mdima:

                                Hi,
I have multiple LAN interfaces (I added LAN and my DMZ). When I see the firewall rules of the WAN interface, the pfBlocker rules are present 2 times (the same rules, added two times: Rule 1, Rule 2, Rule 3, Rule 1, Rule 2, Rule 3).

Anyway, this does not affect anything, so don't worry…

It's not fixed yet because I never could reproduce this visual issue.

You can also use alias only on action and create rules by hand.

                                Thanks for feedback.  :)

kilthro

                                  I had an error that has been coming up starting this week here and there.

There were error(s) loading the rules: /tmp/rules.debug:37: cannot define table pfBlockerAds: Cannot allocate memory
pfctl: Syntax error in config file: pf rules not loaded
The line in question reads [37]: table <pfBlockerAds> persist file "/var/db/aliastables/pfBlockerAds.txt"

I got this error two times and then it stopped this morning (same on Monday: it happens two times back to back and then stops). I have the lists set to update once a day, and my Snort rules also update every 12 hours, which causes pfblocker to reload itself when it refreshes. No other lists that I have set up are having issues (some of which are way bigger than this table).

When this happened on Monday, I deleted the table and list in pfblocker. I then re-entered it freshly into pfblocker and let the table repopulate. Until today I had no other errors. Do I need to increase any settings for this to go away, or is this more of a problem with the info that it's pulling?

I got the list from http://www.iblocklist.com/lists.php?fileformat=cidr&archiveformat=gz and the direct link to the ads one is
                                  http://list.iblocklist.com/?list=bt_ads&fileformat=p2p&archiveformat=gz

                                  Again, I am using other lists from this site with no issue at all. So any suggestions would be greatly appreciated.

                                  This is running on an old dual Intel Pentium III EB 800 board with two gigs of ram. So wasn't sure if there was a limitation problem. If anyone needs additional information please let me know.

                                  I am on the latest build of PFSENSE and pfblocker btw.

marcelloc

The first try is always to increase max_table_entries on System: Advanced.

Most "Cannot allocate memory" errors from /tmp/rules.debug are related to this.

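The link between the "cannot define table ... Cannot allocate memory" error and max_table_entries can be checked before pf refuses a reload. The script below is an added example, not pfSense or pfBlocker code: it reads the `table <name> persist file "..."` lines from a rules.debug excerpt, counts the entries in each referenced alias file, and reports whether the total fits under a given max_table_entries value. The rules.debug excerpt and the two alias files are constructed in memory (the second table name is invented; the limits 200000 and 900000 are the values from later in the thread), and the count assumes one table entry per address or network line.

```python
"""Estimate pf table-entry usage from rules.debug and compare it with the
max_table_entries limit. Added example; not pfSense or pfBlocker code.

Each `table <name> persist file "..."` line in /tmp/rules.debug loads that
file's addresses into a pf table. pf rejects the load with "Cannot allocate
memory" once the entries across all tables would exceed the kernel limit,
which pfSense exposes as max_table_entries under System: Advanced. The alias
file contents here are constructed in memory so the check runs anywhere;
counting assumes one table entry per address or network line.
"""
import re

TABLE_LINE = re.compile(r'^\s*table\s+<([^>\s]+)>\s+persist\s+file\s+"([^"]+)"')

# Constructed rules.debug excerpt; the second table name is invented.
SAMPLE_RULES = """\
table <pfBlockerAds> persist file "/var/db/aliastables/pfBlockerAds.txt"
table <pfBlockerExampleList> persist file "/var/db/aliastables/pfBlockerExampleList.txt"
pass in quick on em0 from any to any
"""


def synthetic_list(count):
    """Build `count` distinct host entries inside 10.0.0.0/8 as file text."""
    lines = [f"10.{(i >> 16) & 255}.{(i >> 8) & 255}.{i & 255}"
             for i in range(count)]
    return "# constructed list\n" + "\n".join(lines) + "\n"


# Constructed alias files keyed by the path rules.debug refers to.
SAMPLE_FILES = {
    "/var/db/aliastables/pfBlockerAds.txt": synthetic_list(150_000),
    "/var/db/aliastables/pfBlockerExampleList.txt": synthetic_list(60_000),
}


def parse_table_lines(rules_text):
    """Return [(table_name, file_path)] for each persist-file table line."""
    found = []
    for line in rules_text.splitlines():
        m = TABLE_LINE.match(line)
        if m:
            found.append((m.group(1), m.group(2)))
    return found


def count_entries(file_text):
    """One pf table entry per non-blank, non-comment line."""
    return sum(1 for line in file_text.splitlines()
               if line.strip() and not line.lstrip().startswith("#"))


def check_tables(rules_text, files, max_table_entries):
    """Tally entries per table and report whether they fit under the limit."""
    per_table = {}
    for name, path in parse_table_lines(rules_text):
        per_table[name] = count_entries(files.get(path, ""))
    total = sum(per_table.values())
    return {"per_table": per_table, "total": total,
            "limit": max_table_entries, "fits": total <= max_table_entries}


if __name__ == "__main__":
    for limit in (200_000, 900_000):
        r = check_tables(SAMPLE_RULES, SAMPLE_FILES, limit)
        verdict = "ok" if r["fits"] else "expect 'Cannot allocate memory'"
        print(f"limit {limit}: {r['total']} entries across "
              f"{len(r['per_table'])} tables -> {verdict}")
```

With the constructed files the two tables total 210,000 entries, which exceeds the 200,000 default and explains why the error appears only intermittently: whichever table happens to load last is the one that fails, so a list that grew by a few thousand entries at its daily refresh can push an unchanged configuration over the limit. On the firewall itself, `pfctl -s memory` prints the live table-entries hard limit and `pfctl -t pfBlockerAds -T show | wc -l` counts what a table actually holds after a successful load.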
kilthro

                                      @marcelloc:

                                      The first try is always to increase max_table_entries on system advanced.

Most "Cannot allocate memory" errors from /tmp/rules.debug are related to this.

OK, I will try that and see if that helps. I didn't want to touch anything until I asked. It's just strange that it's been fine for a couple of months with the same tables etc. and then just started happening. Then if I delete the list/table and rebuild it, it is fine for a little while. I appreciate the feedback. This evening I will increase it and see if that removes the problem.

marcelloc

                                        @kilthro:

                                        This evening I will increase it and see if that removes the problem.

                                        It does not affect firewall function at all, you can apply it any time.

kilthro

                                          @marcelloc:

                                          @kilthro:

                                          This evening I will increase it and see if that removes the problem.

                                          It does not affect firewall function at all, you can apply it any time.

Good to know, thanks. I will not be back at that location until this evening. I just get email notifications when something is working right. :-)

kilthro

Well, the default was set to 200k, so I increased it to 900k and have refreshed a few times with no more errors. Strange how this just started happening recently without anything else changing on the firewall/setup.

                                            Oh well.. Thanks again for the suggestion.
