PfBlocker
-
I have pfBlocker loading a list from the following url:
http://www.dnsbl.manitu.net/download/nixspam-ip.dump.gzI decompressed the .gz to look at it and found text in the following format:
2013-01-21T20:15+0100 78.39.223.180 2013-01-21T20:15+0100 49.202.135.218 2013-01-21T20:15+0100 213.108.75.31 ...
I have 2 systems that handle this list fine.
One other system scrambles the file content - loads nonsense IPs the table - is why I peeked inside the .gzThe thing is, I thought pfBlocker had to have the IP addr/cidrs at the beginning of the line. Looks like I'm wrong.
In what format(s) does pfBlocker need it's IP data?
-
In what format(s) does pfBlocker need it's IP data?
It loks for ip addresses using preg_match, if you can edit it to remove ip date, it may help.
-
It looks for ip addresses using preg_match, if you can edit it to remove ip date, it may help.
The list loads fine on two systems; now I know why.
The system that scrambles the data has 27 lists loaded.
It's probably just reacting to all the abuse I heap upon it.As always, thank you for your insight.
-
The real main issue is even on last update 2.1-BETA1 (today), pfblocker still doesn't comes up as ENABLED.
Everytime after update I need to go there and manually enable myself. ::)
-
Everytime after update I need to go there and manually enable myself. ::)
Pfblocker uninstall script will always disable the service to avoid aliases/rules issues.
It's a feature, not an issue ;)
-
Hi, I added support to insert portlist file. this way peoples can customize installations with pre defined rules from their web sites.
you can deploy port list file with adding #PORT_LIST_PF text to begin of file.
i hope you will include this changes to next release and it will helpful to others.
example port list file: safeports.txt
#PORT_LIST_PF 21#ftp 22#ssh 25#smtp 53#dns 67#dhcp 80#http 110#pop 443#https 587#new smtp 1433#sql server 3306#mysql 3389#rdp
replace bellow code in your /usr/local/pkg/pfblocker.inc
add this function to after pfblocker_Range2CIDR function
function pfblocker_Range2Ports($port_min, $port_max) { #function called without any args if ($port_min == "" || $port_max == "") return ""; #function called with same ip in min and max if ($port_min == $port_max) return $port_min; $bas=intval($port_min); $start_port+=1;//skip first value because its already processed $res=""; $end_port=intval($port_max); for($i=$start_port;$i<=$end_port;$i++) { $res.="$i\n"; } if($res!="") return $res; }
changes begins at "#print $list['aliasname'].$list['action']." ".$alias." ".$row['url']."
";"#print $list['aliasname'].$list['action']." ".$alias." ".$row['url']." "; if ($alias != "pfBlocker" && $list['action'] != "" && $list['action'] != 'Disabled' && $pfblocker_enable == "on") { $isPortList=FALSE; #remove empty lists files if any if (is_array($list['row'])) foreach ($list['row'] as $row) { #print $list['aliasname'].$list['action'].$list['cron']." ".$alias." ".$row['url']."$update_local "; if ($row['url'] != "") { $md5_url = md5($row['url']); if (file_exists($pfbdir."/".$md5_url.".txt")) { $f=file($pfbdir.'/'.$md5_url.'.txt'); ${$alias}.= file_get_contents($pfbdir.'/'.$md5_url.'.txt'); if ($f[0]=="#PORT_LIST_PF\n") { $new_file=${$alias}; $new_file=str_replace("#PORT_LIST_PF\n","",$new_file); $new_file=str_replace("#PORT_LIST_PF ","",$new_file); $isPortList=TRUE; } } else { if ($row['format'] == "gz") $url_list= gzfile($row['url']); else $url_list= file($row['url']); #extract range lists $new_file=""; if (is_array($url_list)) { if ($url_list[0]=="#PORT_LIST_PF\n") { $isPortList=TRUE; $new_file="##PORT_LIST_PF\n"; foreach ($url_list as $line) { # port format 80 if (preg_match("/(\d+)/",$line,$matches)){ ${$alias}.= $matches[1]."\n"; $new_file.= $matches[1]."\n"; } # Port range 20-23 if (preg_match("/(\d+)-(\d+)/",$line,$matches)){ $plist = pfblocker_Range2Ports($matches[1],$matches[2]); if ($plist != ""){ ${$alias}.= $plist; $new_file.= $plist; } } } } else { foreach ($url_list as $line) { # CIDR format 192.168.0.0/16 if (preg_match("/(\d+\.\d+\.\d+\.\d+\/\d+)/",$line,$matches)){ ${$alias}.= $matches[1]."\n"; $new_file.= $matches[1]."\n"; } # Single ip addresses if (preg_match("/(\d+\.\d+\.\d+\.\d+)\s+/",$line,$matches)){ ${$alias}.= $matches[1]."/32\n"; $new_file.= $matches[1]."/32\n"; } # Network range 192.168.0.0-192.168.0.254 if (preg_match("/(\d+\.\d+\.\d+\.\d+)-(\d+\.\d+\.\d+\.\d+)/",$line,$matches)){ $cidr= pfblocker_Range2CIDR($matches[1],$matches[2]); if ($cidr != ""){ ${$alias}.= $cidr."\n"; $new_file.= $cidr."\n"; } } } } } if ($new_file != "") file_put_contents($pfbdir.'/'.$md5_url.'.txt',$new_file, LOCK_EX); } } } //if($isPortList==TRUE) // echo "$alias port list $new_file"; #check custom network list if (pfb_text_area_decode($list['custom']) != "") ${$alias}.=pfb_text_area_decode($list['custom'])."\n"; #save alias file if not empty if (${$alias} == ""){ unlink_if_exists($pfb_alias_dir.'/'.$alias.'.txt'); } else{ file_put_contents($pfb_alias_dir.'/'.$alias.'.txt',${$alias}, LOCK_EX); file_put_contents($pfsense_alias_dir.'/'.$alias.'.txt',${$alias}, LOCK_EX); #create alias if($isPortList==TRUE) { $new_file=str_replace("#PORT_LIST_PF\n","",$new_file); $new_file=str_replace("#PORT_LIST_PF ","",$new_file); $new_file=str_replace("\n"," ",$new_file); $new_file=trim($new_file); $new_aliases_list[]=$alias; $new_aliases[]=array("name"=> $alias, "url"=> "", "updatefreq"=> "32", "address"=>"$new_file", "descr"=> "pfBlocker user list", "type"=> "port", "detail"=> "DO NOT EDIT THIS ALIAS"); } else { $new_aliases_list[]=$alias; $new_aliases[]=array("name"=> $alias, "url"=> $web_local.'?pfb='.$alias, "updatefreq"=> "32", "address"=>"", "descr"=> "pfBlocker user list", "type"=> "urltable", "detail"=> "DO NOT EDIT THIS ALIAS"); #Create rule if action permits switch($list['action']){ case "Deny_Both": $rule = $base_rule; $rule["type"] = $deny_action_inbound; $rule["descr"]= "$alias auto rule"; $rule["source"]= array("address"=> $alias); $rule["destination"]=array("any"=>""); if ($pfblocker_config['enable_log']) $rule["log"]=""; $deny_inbound[]=$rule; case "Deny_Outbound": $rule = $base_rule; $rule["type"] = $deny_action_outbound; $rule["descr"]= "$alias auto rule"; $rule["source"]=array("any"=>""); $rule["destination"]= array("address"=> $alias); if ($pfblocker_config['enable_log']) $rule["log"]=""; $deny_outbound[]=$rule; break; case "Deny_Inbound": $rule = $base_rule; $rule["type"] = $deny_action_inbound; $rule["descr"]= "$alias auto rule"; $rule["source"]= array("address"=> $alias); $rule["destination"]=array("any"=>""); if ($pfblocker_config['enable_log']) $rule["log"]=""; $deny_inbound[]=$rule; break; case "Permit_Outbound": $rule = $base_rule; $rule["type"] = "pass"; $rule["descr"]= "$alias auto rule"; $rule["source"]=array("any"=>""); $rule["destination"]= array("address"=> $alias); if ($pfblocker_config['enable_log']) $rule["log"]=""; $permit_outbound[]=$rule; break; case "Permit_Inbound": $rule = $base_rule; $rule["type"] = "pass"; $rule["descr"]= "$alias auto rule"; $rule["source"]= array("address"=> $alias); $rule["destination"]=array("any"=>""); if ($pfblocker_config['enable_log']) $rule["log"]=""; $permit_inbound[]=$rule; break; } } } #mark pfctl aliastable for cleanup if (!in_array($alias, $aliases_list)) $aliases_list[]=$alias; } else{ #unlink previous pfblocker alias list if any unlink_if_exists($pfb_alias_dir.'/'.$alias.'.txt'); } } #update pfsense alias table
end at "#update pfsense alias table"
-
So that way Pfblocker only works on specified ports and not on all??
-
No, not like that,
this way you can add port alias to firewall or just block ports
-
this way you can add port alias to firewall or just block ports
On current version, you can use alias only option and create your own rules using, port aliases, connection limit, limiter, etc, etc ,etc.
-
thanks for the great package. have been playing around with it for a couple months now, but just realized something a little odd. i have a few iblocklist and linuxtracker lists, but i've never seen them update (at least the system log doesn't say so). anyone else have the same issue? i know the iblocklist lists are updated weekly at least and linuxtracker used to update his twice a week. any help would be much appreciated.
-
What update frequency did you applied to this list?
Can you install cron package and check if pfblocker schedules are there?
-
the lists (alias only, with corresponding firewall rules) are set to update every day. there seem to be two jobs in cron that relate to this:
0 * * * * root /usr/local/bin/php -q /usr/local/www/pfblocker.php cron
30 12 * * 0,2,4 root /usr/bin/nice -n20 /etc/rc.update_urltablesand here are snippets of the logs that relate to those jobs:
Feb 17 12:30:53 php: : /etc/rc.update_urltables: pfBlockerlevel1 does not need updated.
Feb 17 12:30:53 php: : /etc/rc.update_urltables: pfBlockerNorthAmerica does not need updated.
Feb 17 12:30:53 php: : /etc/rc.update_urltables: Starting URL table alias updates
Feb 17 12:30:01 php: : /etc/rc.update_urltables: Sleeping for 51 seconds.
Feb 17 12:30:01 php: : /etc/rc.update_urltables: Starting up.
Feb 16 23:00:23 php: : [pfblocker] pfblocker_xmlrpc_sync.php is starting.
Feb 16 23:00:23 check_reload_status: Reloading filter
Feb 16 23:00:23 check_reload_status: Syncing firewall
Feb 16 23:00:01 php: : Starting pfBlocker sync process.the update_urltables job has never said that a list was updated. and the pfblocker sync has only repeated those four lines every day.
thanks.
-
Hi
I have added the package "Ads" and want to block it, but on this site: http://www.hardwareluxx.de/community/forum.php for example i can see the ads.
Is there a mistake by me, or anythign else?
-
why does pfBlocker set it's rules in LAN instead of WAN? or is it just me? I'm asking because the Ip's that i want to block still connect to my pfSense machine and i want to stop that.
-
why does pfBlocker set it's rules in LAN instead of WAN? or is it just me? I'm asking because the Ip's that i want to block still connect to my pfSense machine and i want to stop that.
pfSense put the rules only into LAN when you choose "deny both" by "List action" in pfBlocker i think.
-
Thanks for all the work!
Once thing i would like to share is my Mobile Broadband UK list as im badly getting targeted by them http://francisuk22.webspace.virginmedia.com/ukmobilebroadband.txt this hopefully will keep the mobile hackers out! (Please note this might only work for UK and Ireland but im just in the middle of getting my webhost up and running so ill share it asap from another webserver.
EE UK (Including: EE, Orange and T-Mobile)
O2 UK
Vodafone UK
3 UKPlease choose "Deny_Inbound" by "List action (Deny Inbound Will deny access from selected lists to your network) as for some reason Google blocked but ill look into this more over the weekend :)
Also malware patrol is a free, automated and user contributed system for checking URLs for the presence of Viruses, Trojans, Worms, or any other software considered Malware. The list is available in 29 formats. If you need another format please let us know
http://www.malware.com.br/cgi/submit?action=list
Works but what is it picking up?
Another useful website :) http://www.selectrealsecurity.com/public-block-lists
-
More list's if interested to you
http://www.stopforumspam.com (need to upload to an External webserver)
http://www.nothink.org/honeypots.php (very useful for Malware, SSH, IRC)
http://www.okean.com/thegoods.html (fed up with the amount of spam from Chinese and Korean? This will keep them out!) -
Hi there,
I think I've an issue with pfBlocker, when used with a IPv6 tunnel and a DHCP IPv4 WAN address:
http://forum.pfsense.org/index.php/topic,60146.0.html
Could anyone please offer any thoughts on this?
Many thanks,
Simon
-
one of linuxtracker's lists (alias only, with corresponding firewall rules) is set to update every day.
30 12 * * 0,2,4 root /usr/bin/nice -n20 /etc/rc.update_urltables
Mar 10 12:30:42 php: : /etc/rc.update_urltables: pfBlockerp2p does not need updated.
Mar 10 12:30:42 php: : /etc/rc.update_urltables: Starting URL table alias updates
Mar 10 12:30:01 php: : /etc/rc.update_urltables: Sleeping for 41 seconds.
Mar 10 12:30:01 php: : /etc/rc.update_urltables: Starting up.i ran a few tests with dropbox and some random ip addresses. pfblocker doesnt seem to be updating after it initially pulls the ip's from the list. any ideas? thanks.
-
i ran a few tests with dropbox and some random ip addresses. pfblocker doesnt seem to be updating after it initially pulls the ip's from the list. any ideas? thanks.
IIRC, there is a pfblocker php script for list update running on cron if you define a update schedule.