PfBlocker
-
I believe that I have a problem with pfblocker, but I'm not entirely sure. I am running inside of ESXi 5.5 and the blocked packets counters never show anything. I have the same setup that I had when I was running on bare metal, which would show the number of blocked packets per group increasing every day.
My basic setup:
ESXi 5.5
Wan using e1000 without passthrough (Supermicro AOC-SG-i2 with Intel 82575EB chipset)
Lan using e1000, also without passthrough (Same dual-port AOC-SG-i2 card as wan, different port of course)Installed packages:
pfblocker
snort
mailreport
rrd summaryAll group lists set up in pfblocker as aliases.
Firewall rules set up to block incoming from wan using these settings:
block, wan interface, ipv4, any protocol, source alias (eg pfblockerAfrica), any destinationI have ipv6 turned off in settings>advanced>networking.
I can successfully block and pass packets by adding different firewall rules to lan rules.
I have tried the wan rules both as standard wan and as floating (to enable instant blocking on match and eliminate the need to continue processing those packets.) Neither setting shows the blocked packet number increasing at all.
This may be related or not, but my Snort shows several alerts but no blocked IPs. I am using the settings as listed by jflsakfja in this post -> http://forum.pfsense.org/index.php/topic,64674.msg356959.html#msg356959 I would almost immediately get two blocked in snort, one had to do with ipv6 encapsulation and I can't recall what the other one was… some potential corporate policy violation that would always show up in the first two blocked violations.
As I was just going over my setup again in ESXi to see if I had any more relevant information to share, I may have stumbled on the problem. The wan vswitch/vm port group did not have promiscuous mode set. I have changed that and will see if that fixes it. If not, does anybody have any ideas of other things to check?
-
So, is this an issue with pfBlocker or do we need to make Chris and Jim aware of the WAN rules problem?
If you do not have any rule on wan, you do not need deny rules from pblocker as you are already blocking all inbound traffic.
There is no wan rule problem. :)
So, if the lights are off you don't need to turn them off… but if you put a broken bulb in the socket then you can turn them off...
Ok, I don't understand... but its working so thats what matters.Thanks,
RickSo if you dont have any rules enabled in pfsense on the wan interface (as in opening ports ) it is always blocking all traffic by default so pf blocker isnt going to add any extra protection. The only benefit there is to add a lan rule to block outbound traffic… ( I do this as well with adds and sites known to be malicious etc )...
If you have rules (ports open etc) then pfblocker comes in very handy in blocking traffic on those ports/rules. For example mail server.. Keeps alot of spam out or for websites alot of unnecessary traffic. I dont have people in certain countries now trying to run scripts all day long on my web servers or ftp....
-
OH, sorry if my post seemed off course…. I do understand how the pfBlocker works and works well once it's all configured.
I still think there is some sort of anomaly if you install pfBlocker on a clean slate.
I created a dummy rule (as suggested in an earlier post) and disabled it before I ever saved it. So, is it really a rule or just a place holder? A tickler to open the door for the rules to populate? I'm not complaining but rather trying to see if there is something in the system that could be "fixed/tweaked" so that future users don't encounter this issue.Having been a systems analyst for too many years, old ways die hard.
Rick
-
If you do not have any rule on wan, you do not need deny rules from pblocker as you are already blocking all inbound traffic.
Maybe I add this info on next package update.
-
Hello Marcello,
is it possible to activate a list for a specific service?
I will explain it better…
I need to block connections to my email server so only to port 25 from PCs that usually are infected by Trojans.
I am currently using PFBlocker but it blocks all the traffic I can't specify a port.
If would be possible to specify a destination IP and/or port would be great.
Thanks in advance,
Marco
P.S. I guess you'll answer me to create an alias and use it in my custom rule but If you could add it straight in the
list wizard I guess would be perfect anyway:) -
is it possible to activate a list for a specific service?
P.S. I guess you'll answer me to create an alias and use it in my custom rule but If you could add it straight in the
list wizard I guess would be perfect anyway:)for now, only via alias and custom rules :)
-
Hello marcelloc & tommyboy180, thanks for pfBlocker. There used to be a Windows iblocklist manager over a decade ago(!) ; )
I was testing the pfBlocker package and I went only so far as almost adding a custom iBlocklist. Unfortunately the maximum list update interval is 24 hours (only). iBlocklist has recently begun restricting update interval themselves. Besides, shouldn't we make fair use of free resources like iblocklist and more…
-
Thanks so much for this package. It really saves us from a lot of spam!!
That being said, who would I report issues to. Until yesterday we were able to send email to an Hurricane Electric subscriber. Now the ip is being blocked. After adding the individual IP address for the smtp server into the "Lists" section/tab and selecting allow outbound, now we are able to communicate once again.
All that to say, which forum moderate the ipblocker list to have that range re-identified. I have us as an allowed range, but for some reason, at least, this one range is being id as not us.
Thanks
Daniel
-
Marcello or anyone with a good idea,
I am pulling my hair out over one new (to me) LIST.http://doc.emergingthreats.net/pub/Main/RussianBusinessNetwork/RussianBusinessNetworkIPs.txt
I've created, combined, deleted and used dozens of lists, both gz and txt, and had no issues. I can get THIS list built in pfBlocker but it never populates in rules, alias or in the dashboard widget. I've looked around the logs and not seen anything (good chance I'm looking in the wrong place). I know its a big list but some of yours are sizeable too. Per a discussion around snort on another thread I even bumped up my "Firewall Max Tables" and "Firewall Max Tables Entries". I'm running a 64bit copy of 2.1 with 4G memory that is only about 24% used.
I've made it a standalone rule, I've tried it in "deny" and "alias only" modes; neither way works. I've included it in another list under a single alias. Random selection of IPs from this list never make it into the tables. I've not had any problems with any other lists. I can get to THIS list from any browser behind the router/UTM so access through the network doesn't seem to be an issue. Any ideas? Am I missing something?
TIA,
Rick -
Bump!
OK, so I've tried other avenues and just can't get this list to build correctly. It shows in the list of "Lists" but just doesn't seem to go beyond that. I've killed off every other "added" list and started new with this one. All others build accordingly, this one just does nothing.
-
I"ve checked every log I can find but don't see any errors relating to this. Does anyone know exactly where an error would post if it is being logged?
-
could there be a corrupt marker somewhere that I need to kill? where would that be?
Thanks for any help or ideas?
Rick
Edit: had the time today so on the advice of two others I completely removed pfBlocker. Removed its files/directories. Reinstalled the whole package. Rebuilt all the lists I wanted under the lists tab… some txt, some gz. Every list rebuilt fine except this @#$$&#^ Russian Business Networks list. Unless someone has an idea, I'm going to throw in the towel on this one and just go with the RBN rules under SNORT. Marcello? Tommyboy?
Add: Does anyone have a confirmed instance of this list actually working?? -
-
I for one can't get the mentioned list to work. I've posted a php error related to the list on this thread when pfSense 2.1 was still in beta and it was showing the php error that occurs with said list.
-
Hi, got exactly the same problem, since a long ago, tried everything but this list http://doc.emergingthreats.net/pub/Main/RussianBusinessNetwork/RussianBusinessNetworkIPs.txt never loaded. This morning found this list http://rules.emergingthreats.net/blockrules/rbn-ips.txt that loads flawlessy. In my opinion it is quite the same listing. Try it.
-
I just made a URL Table Alias with http://doc.emergingthreats.net/pub/Main/RussianBusinessNetwork/RussianBusinessNetworkIPs.txt on a 2.1-RELEASE Alix nanoBSD. The table loads into pf with 9252 entries. Used it as source in a block rule on WAN and it works. So the list itself is not bad. And you can easily use it anyway without pfBlocker, just using the ordinary URL Table Alias and Firewall Rules features of pfSense.
-
I just made a URL Table Alias with http://doc.emergingthreats.net/pub/Main/RussianBusinessNetwork/RussianBusinessNetworkIPs.txt on a 2.1-RELEASE Alix nanoBSD. The table loads into pf with 9252 entries. Used it as source in a block rule on WAN and it works. So the list itself is not bad. And you can easily use it anyway without pfBlocker, just using the ordinary URL Table Alias and Firewall Rules features of pfSense.
Probably a stupid question (you are used to that coming from me by now ;D) but what actually is the added value of pfBlocker, given that obviously you can do the same that does without it, given your comment.
-
I can run this to see what happens getting the files:
$url_list1 = file("http://rules.emergingthreats.net/blockrules/rbn-ips.txt"); var_dump(count($url_list1)); $url_list2 = file("http://doc.emergingthreats.net/pub/Main/RussianBusinessNetwork/RussianBusinessNetworkIPs.txt"); var_dump(count($url_list2));
and I get:
int(9194) Warning: file(http://doc.emergingthreats.net/pub/Main/RussianBusinessNetwork/RussianBusinessNetworkIPs.txt): failed to open stream: HTTP request failed! HTTP/1.1 403 Forbidden in /usr/local/www/exec.php(246) : eval()'d code on line 7 int(1)
rbn-ips.txt is fetched OK by PHP into an array of 9194 entries.
RussianBusinessNetworkIPs.txt does not come, something blocking it from being read with PHP file()Additional info: If I change pfblocker.inc sync_package_pfblocker() to use the function download_file() from pfsense-utils.inc, downloading it first to a local file then letting the rest of the code parse a local copy, then it works. So the code in /etc/inc/pfsense-utils.inc:download_file() is able to download the list OK, getting 9251 entries.
Maybe pfblocker should use download_file() rather than PHP file()?
(That would need testing against a bunch of things people are using - some other list download might break???) -
Hi, got exactly the same problem, since a long ago, tried everything but this list http://doc.emergingthreats.net/pub/Main/RussianBusinessNetwork/RussianBusinessNetworkIPs.txt never loaded. This morning found this list http://rules.emergingthreats.net/blockrules/rbn-ips.txt that loads flawlessy. In my opinion it is quite the same listing. Try it.
Thanks! had no problem getting this one to load either. Looking at the site, at least this one seems more current as well. It's just a couple weeks old, not 2 years. I had brought the offend file local so I randomly picked about 30 addresses and they were in both so I'll hope the slightly lower line item count is because of newer data.
Rick
-
using pfblocker for the list management allows you to enter all the lists in a single alias. This is not possible for the regular aliases (url + url table). It's either many small lists, or one huge list, with those.
I'll start using http://rules.emergingthreats.net/blockrules/rbn-ips.txt since it causes fewer problems with people. Thanks for the info. Expect the update to come with the next blueprint update.
EDIT: Just checked and http://doc.emergingthreats.net/pub/Main/RussianBusinessNetwork/emerging-rbn-malvertisers.txt should be http://rules.emergingthreats.net/blockrules/rbn-malvertisers-ips.txt, so it's 2 upcoming updates to the blueprint.
As far as I can remember those 2 were chosen because of lack of the rules.emergingthreats.net lists. -
@jflsakfja:
using pfblocker for the list management allows you to enter all the lists in a single alias. This is not possible for the regular aliases (url + url table). It's either many small lists, or one huge list, with those.
I'll start using http://rules.emergingthreats.net/blockrules/rbn-ips.txt since it causes fewer problems with people. Thanks for the info. Expect the update to come with the next blueprint update.
EDIT: Just checked and http://doc.emergingthreats.net/pub/Main/RussianBusinessNetwork/emerging-rbn-malvertisers.txt should be http://rules.emergingthreats.net/blockrules/rbn-malvertisers-ips.txt, so it's 2 upcoming updates to the blueprint.
As far as I can remember those 2 were chosen because of lack of the rules.emergingthreats.net lists.Don't know your name so I'll just use the first two initials and say thanks JF!! (significant if you're a Phillip Dick fan… and how can you follow BOHP and not be a Dick fan)
One request; If possible and not too much hassle, could you somehow highlight the changes from your last blueprint?
I must say, since switching over to your method and using the rules to do pfblocker's work, even with more rules active under SNORT, system is much faster AND using much less memory. Which, made it possible to commit more memory to Squid which helps even more!
Thanks,
Rick -
I'm interested in the country-blocking abilities of pfBlocker.
I've got assets that are 99.99% of the time only accessed from within my country. So, I've added a rule with my country as the block list, then inverted the match so any traffic from OUTSIDE the country is dropped. Seems to work well enough, but can someone comment as to:
-
Where does pfBlocker gets its IPs from?
-
How often does pfBlocker update its IP list?
-
What is the likelihood that an IP range will be assigned to a country but won't be picked up by pfBlocker?
-
-
I'm interested in the country-blocking abilities of pfBlocker.
I've got assets that are 99.99% of the time only accessed from within my country. So, I've added a rule with my country as the block list, then inverted the match so any traffic from OUTSIDE the country is dropped. Seems to work well enough, but can someone comment as to:
-
Where does pfBlocker gets its IPs from?
-
How often does pfBlocker update its IP list?
-
What is the likelihood that an IP range will be assigned to a country but won't be picked up by pfBlocker?
1/ Here - The lists are 2 years old. ::)
2/ Never, the lists have gone commercial quite some time ago.
3/ Pretty high, given the above.All the country-based stuff should have been removed altogether from the package quite some time ago, useless.
-