PfBlocker
-
The Country Codes is not being supported any longer and should not be used as it is Out of Date this functionality should be removed from the package. Hopefully pfBlocker will be getting a face lift in pfSense v 2.2.?
-
Hello,
So I just installed pfBlocker and I am trying to find some good ad blocking lists. My comparison list(s) are from AdAway on Android which pulls from the below sites.
http://hosts-file.net/.%5Cad_servers.txt
http://pgl.yoyo.org/adservers/serverlist.php?hostformat=hosts$showintro=0&mimetype=plaintext
http://winhelp2002.mvps.org/hosts.txtThe test site I am using to check the ad blocking is http://extreme.outervision.com/psucalculatorlite.jsp
When using AdAway on Android I don't get any ads along the sides/top of the above site. I tried using the Bluetrack ad list from here http://list.iblocklist.com/?list=dgxtneitpuvgqqcpfulq&fileformat=p2p&archiveformat=gz but I still get ads on the site.
Can pfblocker use a list of URLs or does it only do IP address? If it only does IP address I guess that is fine, I have made a bash script that will pull the lists from the AdAway sites and convert the URLs into IP address. My only issue with the script I have is I don't know of a way to convert all of the IP addresses into a smaller list of CDIR networks so I have just made each IP into its own network by adding a /32 which I am sure is an awful idea. So if anyone knows how to convert a huge amount of IP addresses into CDIR notation or if there is a way to use URLs with pfblocker can you please let me know. Thanks.
-
Hi w1ll1am,
These lists are all URL and can't be used by pfBlocker.
pfBlocker only accepts the following formats:
Note:
Compressed lists must be in gz format.
Downloaded or local file must have only one network per line and could follows PeerBlock syntax or this below:
Network ranges: 172.16.1.0-172.16.1.255
IP Address: 172.16.1.10
CIDR: 172.16.1.0/24pfBlocker already can accept the IBlock lists without any conversion (as they are in a range format already), but the following will also convert the file which you could link pfBlocker to a local txt file.
The following will download and convert that file to a range acceptable by pfBlocker.
fetch -v -o infile.gz -T 20 ?list=dgxtneitpuvgqqcpfulq&fileformat=p2p&archiveformat=gz
gunzip infile.gzcat infile | cut -d':' -f2
I posted several lists here:
https://forum.pfsense.org/index.php?topic=73353.msg402927#msg402927
-
Thanks BBcan17. Those lists look good I will use some of them. I managed to get my script to work with the AdAway lists.
I have posted it on paste bin http://pastebin.com/xJYz9qgW
I have also posted the cleaned up list of URLs from those three sites http://pastebin.com/vFbA20CG which will make the script much quicker if you pass it into the script at run time, it will only update newly added sites. Which you could then add the new IP address to the IP list for those URLs as of 5/23 http://pastebin.com/f3kUW3arThere are about 10000 IP address and they seem to be blocking a ton of traffic
I have not tested it a lot but I have noticed some sites that are blocked that shouldn't be like unix.stackexchange.com ( already removed from the pastebin IP list )
please excuse my poor bash code.
![Screenshot - 05232014 - 11:10:29 AM.png](/public/imported_attachments/1/Screenshot - 05232014 - 11:10:29 AM.png)
![Screenshot - 05232014 - 11:10:29 AM.png_thumb](/public/imported_attachments/1/Screenshot - 05232014 - 11:10:29 AM.png_thumb) -
Hi w1ll1am,
Spammers must die! There is also a website called "Phishtank" that has Phishing URL's posted also.
I think you might get some false positives with this method. As some of these hosts are actually hosted by Big ISP's.
These URLs would be better suited for DNS lookup blocking methods (hosts file). Need to find a way to weed out the false positives.
I would like to have this accomplished on my MS Active Directory DNS server so that it can handle all of the workstations it manages and filter out DNS requests to these URLS. It would be a good addition to the DNS Forwarder/BIND etc packages in pfSense also.
I pulled some of the hosts from the first link and ran a Dig command. It shows as Yahoo.
[1]
dig +short ypn-js.overture.com
us.srv.ysm.yahoodns.net.
98.139.225.108[2]
dig +short 13.ptp22.com
50.62.128.39IPVOID shows it being Registered by GoDaddy.
http://www.ipvoid.com/scan/50.62.128.39/[3]
dig +short admeld.comGoogle
173.194.43.97
173.194.43.103
173.194.43.98
173.194.43.105
173.194.43.110
173.194.43.101
173.194.43.99
173.194.43.100
173.194.43.102
173.194.43.96
173.194.43.104http://kb.bothunter.net/ipInfo/nowait.php?IP=173.194.43.97
-
I just made a URL Table Alias with http://doc.emergingthreats.net/pub/Main/RussianBusinessNetwork/RussianBusinessNetworkIPs.txt on a 2.1-RELEASE Alix nanoBSD. The table loads into pf with 9252 entries. Used it as source in a block rule on WAN and it works. So the list itself is not bad. And you can easily use it anyway without pfBlocker, just using the ordinary URL Table Alias and Firewall Rules features of pfSense.
I still have this list in my firewall rules. But to date it still has the 9252 IP's so I assume it has never been updated since last year. As I am working on the new thread of JFL (https://forum.pfsense.org/index.php?topic=78062.0), I was wondering, are all instructions in this thread obsolete (so I should also delete this large IP-list?)
-
I have been using pfblocker for over a year now. I consider pfBlocker and Snort combo an essential part of a firewall. PFBlocker successfully removes entire countries such as China removing about 80% of the intrusions and Snort takes care of the rest, and handles exotic things such as detecting port scanning. Ever since, I have had zero problems with real intrusions into my network.
After making intense use of it to also handle my whitelists and blacklists (because it likes to re-order the rules otherwise) I find it convenient that shows me in the dashboard the status and blocks with labels in the firewall log.
I wish though that I could selectively set the logging flag because if I choose logging for black lists, I end up getting the blocked country also.
I do not want to use an alias or to create these rules manually in the rules because I want pfblocker to manage them so I can see this in the dashboard. And it re-orders the rules if it doesn't manage them itself. Also when I have problems I can mass disable all the block rules from pfblocker so I can diagnose who is generating the false positive.
Very simple change I hope.
Thanks,
Kevin -
I have logging enabled in pfBlocker but I never see anything in the system logs even when I see that the pfBlocker widget has blocked some packets. Any idea what I may need to change to remedy this problem?
Also, is there any way to have it persist the stats, e.g. how many packets it blocks? Looks like every time the firewall filter gets reloaded, the pfBlocker widget goes back to showing all 0's for the number of packets it has blocked.
-
logging means that the blocks/rejects will show up in your firewall log, not your system log. If you click on the red/yellow X, it should tell you which rule was triggered.
persist stats would be great but the system grabs the stats directly from the rules in realtime. That is why is why they reset to 0 when your rules are reloaded.
-
Any news on where to find updated lists??
-
Any news on where to find updated lists??
check out this thread https://forum.pfsense.org/index.php?topic=78062.msg426417#msg426417 its a great script but if you prefer to use pfBlocker, you can grab some of the list from it.. Just make sure the list is compilable with pfBlocker
-
I have been using pfblocker for over a year now. I consider pfBlocker and Snort combo an essential part of a firewall. PFBlocker successfully removes entire countries such as China
Hi Kevin,
The Country Database in pfBlocker hasn't been updated for over 2 years now. The data is obsolete. I know they are working on a new service (most likely for paid members) that will provide updates for the Country Lists.
I have written a script that does what pfBlocker does but with a lot of other missing features. You can see more details in the following link:
Its a long forum post, so you need to read all of its posts in their entirety.
https://forum.pfsense.org/index.php?topic=78062.msg426963#msg426963I also wrote a patch for the pfBlocker widget to show when the Alias was last updated and indication of any download failures.
I also write a patch for diag_dns.php which is the "Firewall Log" GUI Screen. This update has the ability to show which Blocklist (Irevelent of the Alias) caused the Block. So even if the Filter Logs clear, you can easily find the IP/Blocklist match. This can also be used from Snort, when you click on the "!" icon which will show you if any of the Snort Alerts are on any of your Blocklists. It will actually show you if any of the IPs are founded in the Alerted IPs Range.
I would recommend that you use "Aliases" as they give you more control than the method that you are currently using.
-
@Hollander:
I just made a URL Table Alias with http://doc.emergingthreats.net/pub/Main/RussianBusinessNetwork/RussianBusinessNetworkIPs.txt on a 2.1-RELEASE Alix nanoBSD. The table loads into pf with 9252 entries. Used it as source in a block rule on WAN and it works. So the list itself is not bad. And you can easily use it anyway without pfBlocker, just using the ordinary URL Table Alias and Firewall Rules features of pfSense.
I still have this list in my firewall rules. But to date it still has the 9252 IP's so I assume it has never been updated since last year. As I am working on the new thread of JFL (https://forum.pfsense.org/index.php?topic=78062.0), I was wondering, are all instructions in this thread obsolete (so I should also delete this large IP-list?)
Hi Hollander,
the ET RBN list has been discontinued. Along with the RBN malvertisers list.
Emerging Threats RBN rules.
THIS RULESET HAS BEEN OBSOLETED!! This file is left to simply note this fact.
More information available at doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
Please submit any feedback or ideas to emerging@emergingthreats.net or the emerging-sigs mailing list
-
First of all, pfBlocker is a great package, cheers to the authors! However, it would be very useful (some users already highlighted this) to have more options for "Update frequency". Specifically I would like to see one very short and one longer frequency, like "Every 10 Minutes" and "Once a week". Could you add this?
And just out of curiosity, how is this updating handled, I don't see any crontab entry for pfBlocker?
-
Hi Hollander,
the ET RBN list has been discontinued. Along with the RBN malvertisers list.
Thank you Sir ;D
-
The Country Database in pfBlocker hasn't been updated for over 2 years now. The data is obsolete. I know they are working on a new service (most likely for paid members) that will provide updates for the Country Lists.
I have written a script that does what pfBlocker does but with a lot of other missing features. You can see more details in the following link:
I am prollally stupid once again, BB, but I can't seem to find how to do country blocking with your script. I know it is possible, but have I missed something? I want to block a great deal of countries I consider nothing good to come from ( 8) ;D ). If I overlooked something, could you please point me to the text I must have overlooked?
Thank you ;D
-
@Hollander:
BB, but I can't seem to find how to do country blocking with your script. I know it is possible, but have I missed something? I want to block a great deal of countries I consider nothing good to come from ( 8) ;D ). If I overlooked something, could you please point me to the text I must have overlooked?
Hello Hollander,
First step is to add "unzip" as its a dependency:
pkg_add -r unzip
(See this thread to get 8.3 Package Archive ENV path)
https://forum.pfsense.org/index.php?topic=78935.msg431084#msg431084Code from the Script:
441 # ================================================================ 442 443 # MaxMind GeoIP COUNTRY CODE Blocklist (** Installation STEPS **) 444 # 445 # - Package Dependency (UNZIP) as stated above. 446 # - Uncomment "#" the [ countrycode ] line below, save/exit. 447 # - Run this script from the shell [ ./pfiprep killdb ] 448 # which will create the [ countrycode ] config file. 449 # (Don't run the script when CRON is expected to run) 450 # - When the script exits "EDIT" the [ countrycode ] file and 451 # enter "#" infront of the Countries to Whitelist. 452 # - Re-Run the script [ ./pfiprep ] 453 # 454 # - To remove Country Blocking Completely, re-comment [ #countrycode ] 455 # and run from the shell [ ./pfiprep killdb ] or [ ./pfiprep killdb dskip ] 456 # ================================================================ 457 458 # Maxmind GeoIP Country Code - Blocklist Download 459 # 460 # This will only download on the first Tuesday of Each Month 461 # Any changes to the [ Countrycode ] text file will be done at that time. 462 # When the CSV Database is downloaded it will create a [ cccsv.lock ] file 463 # in the $userfolder path to avoid downloading multiple times. If you 464 # want to bypass, delete the [ cccsv.lock ] file. 465 466 header=CountryBlock 467 group=tier10 468 addr=https://geolite.maxmind.com/download/geoip/database/ 469 infile=GeoIPCountryCSV.zip 470 471 #countrycode 472 # ================================================================
( I cleaned up the Text instructions in my Github Gist. So it may not match your existing Script. )
Steps:
- Remove "#" from line 471 ( countrycode ) , and save/exit the script.
- From the "Shell" run [ [b]./pfiprep killdb ]
- This should download the Maxmind Country Code .zip file and automatically extract the .csv country Code Database.
- It will create a file called "countrycode" which is a list of all the countries.
- On First Install, the script will exit and ask you to edit the "countrycode" file.
- Put a "#" infront of the countries to whitelist.
- Save/Exit "countrycode" file.
8.) Re-run the script [ [b]./pfiprep ]
Keep in mind about how the script functions:
-
Block the IPs from the Countries you have Selected (If you enabled Country Blocking Feature)
-
Each additional Blocklist that gets downloaded, the script will check for duplication against all previously downloaded Lists (Including the Country Blocklists) so that you don't add the same Blocked IPs or Ranges that are already on the Masterfile List.
-
Other functionality of the script is "IP Reputation" which looks to see how many Malicious IPs are found in a /24 Range. If the script finds over the "max" variable setting, it will block those particular ranges and remove the individual IPs from each Blocklist. The first Blocklist that contains the "Repeat Offending Range" will get the "x.x.x.0/24" block, while all of the other list have these repeat offenders are removed as the first list is blocking the whole range.
-
If you decide to remove a "Blocklist", it is recommended to refresh the database as you can see from above that all of the Blocklists are essentially tied together to remove duplication and process "IP Reputation".
Refreshing the database can be achieved in two ways:
[ [b]./pfiprep killdb ] This will delete the database and re-download all Blocklists.
or
[ [b]./pfiprep killdb dskip ] Which will kill the database and re-use the existing Download Blocklist Files.
The script will automatically download the Maxmind Country Code Database on the First Tuesday of Each Month. As each Blocklist gets downloaded, it will resync against the updated Country Blocklists as per the schedule settings for each Blocklist. I never considered to perform a [ [b]./pfiprep killdb dskip ] each month, but I think this might be something that I should add to the next version of the script.
At any time, you can edit the "countrycode" file and it will automatically re-configure the Country Blocking at the next scheduled CRON job. (But if you do make changes, I recommend resyncing the database.)
I also added a few additional Blocklists ( from the gist hit the "revision icon" to see the changes)
I hope this is clear. Let me know if you need any more help.
-
Maxmind seems to be a commercial company. Despite the fact their GeoIP files are publicly accessible, is it allowed to just take them? They appear to charge a fee for access to their lists.
-
@KOM:
Maxmind seems to be a commercial company. Despite the fact their GeoIP files are publicly accessible, is it allowed to just take them? They appear to charge a fee for access to their lists.
Yes this is the Free Version of the Maxmind Database that is Updated Once per month. It is 98% accurate for Countries as per their website.
http://dev.maxmind.com/geoip/legacy/geolite/
They have a paid version but you would only need that if you wanted City or other GeoIP data.
-
OK great. Thank you for that. I looked around but didn't see the distinction before I posted. I don't want to take what isn't mine to take, and I admit I'm a little late to this thread.
-
@Hollander:
BB, but I can't seem to find how to do country blocking with your script. I know it is possible, but have I missed something? I want to block a great deal of countries I consider nothing good to come from ( 8) ;D ). If I overlooked something, could you please point me to the text I must have overlooked?
Hello Hollander,
First step is to add "unzip" as its a dependency:
pkg_add -r unzip
(See this thread to get 8.3 Package Archive ENV path)
https://forum.pfsense.org/index.php?topic=78935.msg431084#msg431084Code from the Script:
441 # ================================================================ 442 443 # MaxMind GeoIP COUNTRY CODE Blocklist (** Installation STEPS **) 444 # 445 # - Package Dependency (UNZIP) as stated above. 446 # - Uncomment "#" the [ countrycode ] line below, save/exit. 447 # - Run this script from the shell [ ./pfiprep killdb ] 448 # which will create the [ countrycode ] config file. 449 # (Don't run the script when CRON is expected to run) 450 # - When the script exits "EDIT" the [ countrycode ] file and 451 # enter "#" infront of the Countries to Whitelist. 452 # - Re-Run the script [ ./pfiprep ] 453 # 454 # - To remove Country Blocking Completely, re-comment [ #countrycode ] 455 # and run from the shell [ ./pfiprep killdb ] or [ ./pfiprep killdb dskip ] 456 # ================================================================ 457 458 # Maxmind GeoIP Country Code - Blocklist Download 459 # 460 # This will only download on the first Tuesday of Each Month 461 # Any changes to the [ Countrycode ] text file will be done at that time. 462 # When the CSV Database is downloaded it will create a [ cccsv.lock ] file 463 # in the $userfolder path to avoid downloading multiple times. If you 464 # want to bypass, delete the [ cccsv.lock ] file. 465 466 header=CountryBlock 467 group=tier10 468 addr=https://geolite.maxmind.com/download/geoip/database/ 469 infile=GeoIPCountryCSV.zip 470 471 #countrycode 472 # ================================================================
( I cleaned up the Text instructions in my Github Gist. So it may not match your existing Script. )
Steps:
- Remove "#" from line 471 ( countrycode ) , and save/exit the script.
- From the "Shell" run [ [b]./pfiprep killdb ]
- This should download the Maxmind Country Code .zip file and automatically extract the .csv country Code Database.
- It will create a file called "countrycode" which is a list of all the countries.
- On First Install, the script will exit and ask you to edit the "countrycode" file.
- Put a "#" infront of the countries to whitelist.
- Save/Exit "countrycode" file.
8.) Re-run the script [ [b]./pfiprep ]
Keep in mind about how the script functions:
-
Block the IPs from the Countries you have Selected (If you enabled Country Blocking Feature)
-
Each additional Blocklist that gets downloaded, the script will check for duplication against all previously downloaded Lists (Including the Country Blocklists) so that you don't add the same Blocked IPs or Ranges that are already on the Masterfile List.
-
Other functionality of the script is "IP Reputation" which looks to see how many Malicious IPs are found in a /24 Range. If the script finds over the "max" variable setting, it will block those particular ranges and remove the individual IPs from each Blocklist. The first Blocklist that contains the "Repeat Offending Range" will get the "x.x.x.0/24" block, while all of the other list have these repeat offenders are removed as the first list is blocking the whole range.
-
If you decide to remove a "Blocklist", it is recommended to refresh the database as you can see from above that all of the Blocklists are essentially tied together to remove duplication and process "IP Reputation".
Refreshing the database can be achieved in two ways:
[ [b]./pfiprep killdb ] This will delete the database and re-download all Blocklists.
or
[ [b]./pfiprep killdb dskip ] Which will kill the database and re-use the existing Download Blocklist Files.
The script will automatically download the Maxmind Country Code Database on the First Tuesday of Each Month. As each Blocklist gets downloaded, it will resync against the updated Country Blocklists as per the schedule settings for each Blocklist. I never considered to perform a [ [b]./pfiprep killdb dskip ] each month, but I think this might be something that I should add to the next version of the script.
At any time, you can edit the "countrycode" file and it will automatically re-configure the Country Blocking at the next scheduled CRON job. (But if you do make changes, I recommend resyncing the database.)
I also added a few additional Blocklists ( from the gist hit the "revision icon" to see the changes)
I hope this is clear. Let me know if you need any more help.
Thanks BB, you know you are one of my heros on this board, I just hit you with my karma stick again ;D
I will try it, and report back here.
_PS About me learning grep: yes, you are completely right. But: time :-[ Currently I am dividing time between my own job, WIFE complaining ( ;D ), and helping out the poor who are being quite abused by the system in this 'highly developed society we seem to be living in'. Which translates in barely educated, low salary workers, who don't understand all the mumbo-jumbo crap in official letters, being fined hundreds of euros because they underpaid taxes by 2 euros. It seems I can read at least some of these 'government officials' bullshit letters, and as I can't stand injustice, I'm the one writing the legal letters on behalf of my quite illerate co-citizens, which, unfortunately, takes a lot of time.[/i]
I'm now thinking if I am brave enough to execute:
true `yes no`
;D
(This seems to be a dangerous command)._
-
I am running into a problem, BB :-\
- Remove "#" from line 471 ( countrycode ) , and save/exit the script.
- From the "Shell" run [ [b]./pfiprep killdb ]
- This should download the Maxmind Country Code .zip file and automatically extract the .csv country Code Database.
- It will create a file called "countrycode" which is a list of all the countries.
- On First Install, the script will exit and ask you to edit the "countrycode" file.
- Put a "#" infront of the countries to whitelist.
The file is created, but nothing is in it (zero bytes). The script issued this:
[2.1.4-RELEASE][root@112]/home/badips(9): ./pfiprep killdb **** UPDATE PROCESS START - Sat Jul 26 17:13:39 CEST 2014 **** Deleting pfIP Rep Databases. Databases have been Deleted! find: /home/badips/countrycodes: No such file or directory rm: /home/badips/cc_csv.lock: No such file or directory find: /home/badips/GeoIPCountryWhois.csv: No such file or directory rm: /home/badips/cc_csv.lock: No such file or directory looking up geolite.maxmind.com connecting to geolite.maxmind.com:443 SSL connection established using RC4-SHA Certificate subject: /serialNumber=dfgdighiofgiodfiogdiofgdjkfq4Js/C=US/O=*.maxmind.com/OU=GT53364002/OU=See www.rap112sl.com/resources/cps (c)11/OU=Domain Control Validated - Rap112SL(R)/CN=*.maxmind.com Certificate issuer: /C=US/O=GeoTrust, Inc./CN=Rap112SL CA requesting https://geolite.maxmind.com/download/geoip/database/GeoIPCountryCSV.zip remote size / mtime: 1444832 / 1404267648 /home/badips/GeoIPCountryCSV.zip 100% of 1410 kB 164 kBps unzip: cannot find or open /home/badipsGeoIPCountryCSV.zip, /home/badipsGeoIPCountryCSV.zip.zip or /home/badipsGeoIPCountryCSV.zip.ZIP. cut: /home/badips/GeoIPCountryWhois.csv: No such file or directory Please edit [ /home/badips/countrycodes ] and comment # the countries to SAFELIST before proceeding with CC Blocking [2.1.4-RELEASE][root@112]/home/badips(10):
(I scrambled that serial number there since I don't know if it should be pasted here).
What should I do?
Thank you ;D
-
Hi Hollander, Looks like I missed a "/",
In pfiprepman, Line 416
** $pathunzip -o $userfolder$infile**
change it to:
$pathunzip -o $userfolder/$infile
Sorry about that.
-
First of all, pfBlocker is a great package, cheers to the authors! However, it would be very useful (some users already highlighted this) to have more options for "Update frequency". Specifically I would like to see one very short and one longer frequency, like "Every 10 Minutes" and "Once a week". Could you add this?
And just out of curiosity, how is this updating handled, I don't see any crontab entry for pfBlocker?
Any comments on this?
Also, I would like to ask you if there is any way to manually update the list? Thanks!
-
First of all, pfBlocker is a great package, cheers to the authors! However, it would be very useful (some users already highlighted this) to have more options for "Update frequency". Specifically I would like to see one very short and one longer frequency, like "Every 10 Minutes" and "Once a week". Could you add this?
And just out of curiosity, how is this updating handled, I don't see any crontab entry for pfBlocker?
Any comments on this?
Also, I would like to ask you if there is any way to manually update the list? Thanks!
When you enable pfBlocker, it creates a cron entry
0 * * * * root /usr/local/bin/php /usr/local/www/pfblocker.php cron
The way pfBlocker works is it looks to see if there is an existing file in the:
/usr/local/pkg/pfblocker (folder) for the Blocklist. If its there, it will reload the existing file. If its not there, it will download the file from the URL you entered for the Blocklist. When the CRON job runs, if the list is scheduled to be updated, that file is deleted so that it will download a new file.
So the only way to do that is to manually delete the Blocklist file in that folder. Unfortunately, the file is named after the MD5 hash of the URL making it a little difficult to see which file belongs to which Blocklist.
You could try running this command from the shell to determine what the md5 Hash is and than seeing if a file exists with that hash.txt and delete it. Than you can click "Save" in pfBlocker which should re-download the new file.
md5 -s 'http://www.spamhaus.org/drop/drop.txt'
MD5 ("http://www.spamhaus.org/drop/drop.txt") = d2278c81b67d798693429e4feb04a83a
http://www.freebsd.org/cgi/man.cgi?query=md5&sektion=1
-
The Country Database in pfBlocker hasn't been updated for over 2 years now. The data is obsolete.
I've been recently looking at this and found we have 2 issues.
One is the out of date IP ranges, which you know about.
The other is a few ISO country codes probably need to be updated.I know they are working on a new service (most likely for paid members) that will provide updates for the Country Lists.
I guess it's been a couple of years since CountryIPBlocks went to pay-for-play.
Back then, marcelloc and I both reached out to the CIPB guy and tried to work out a compromise that would allow pfBlocker to keep updating from CIPB.
CIPB's compromise was that each pfBlocker user would pay CIPB for it's repackaged public data.
That didn't seem like much of a compromise so here we are.Anyhoo:
I've found a source of current country IP data yesterday and wrote a short Bash script to push it into pfBlocker.
It looks good but while cross-checking the data I found pfBlocker has a couple of outdated country (ISO 3166-1 alpha-2) codes.Also - I still want to find+vet a couple more data sources.
I'll post what I come up with and we'll see what everyone thinks.Thanks
-
I've found a source of current country IP data yesterday and wrote a short Bash script to push it into pfBlocker.
It looks good but while cross-checking the data I found pfBlocker has a couple of outdated country (ISO 3166-1 alpha-2) codes.Also - I still want to find+vet a couple more data sources.
I'll post what I come up with and we'll see what everyone thinks.Did you take a look at the Maxmind GeoIP Country List. ~98% accurate.
I have also release a script to utilize country Blocking:
https://forum.pfsense.org/index.php?topic=78062.15Would be interested to see what you have come up with.
Maybe you can PM me a copy? Would also be interested in helping getting it off the ground.
-
Did you take a look at the Maxmind GeoIP Country List. ~98% accurate.
That was the site that had a .CSV file of IPs in ranges, right?
I think I saw somewhere in the thread that pfBlocker will work with ranges - something I didn't know.However, I prefer working w/ CIDR (I'd explain why if anyone cares) and am looking at CIDR sources right now.
I'll give another look at Maxmind GeoIP if my 'Plan A' doesn't work out.
-
Did you take a look at the Maxmind GeoIP Country List. ~98% accurate.
That was the site that had a .CSV file of IPs in ranges, right?
I think I saw somewhere in the thread that pfBlocker will work with ranges - something I didn't know.However, I prefer working w/ CIDR (I'd explain why if anyone cares) and am looking at CIDR sources right now.
I'll give another look at Maxmind GeoIP if my 'Plan A' doesn't work out.
Here is a sample.
Its all in one file, and its not too hard to convert to CIDR and break it down in the XX Country Codes with some grep and awk commands.
"223.255.128.0","223.255.191.255","3758063616","3758079999","HK","Hong Kong"
"223.255.192.0","223.255.223.255","3758080000","3758088191","KR","Korea, Republic of"
"223.255.224.0","223.255.231.255","3758088192","3758090239","ID","Indonesia"
"223.255.232.0","223.255.235.255","3758090240","3758091263","AU","Australia"
"223.255.236.0","223.255.239.255","3758091264","3758092287","CN","China"
"223.255.240.0","223.255.243.255","3758092288","3758093311","HK","Hong Kong"
"223.255.244.0","223.255.247.255","3758093312","3758094335","IN","India"
"223.255.252.0","223.255.253.255","3758095360","3758095871","CN","China"
"223.255.254.0","223.255.254.255","3758095872","3758096127","SG","Singapore"
"223.255.255.0","223.255.255.255","3758096128","3758096383","AU","Australia" -
That was the site that had a .CSV file of IPs in ranges, right?
Here is a sample.
Its all in one file, and its not too hard to convert to CIDR and break it down in the XX Country Codes with some grep and awk commands.
"223.255.128.0","223.255.191.255","3758063616","3758079999","HK","Hong Kong"
"223.255.192.0","223.255.223.255","3758080000","3758088191","KR","Korea, Republic of"
"223.255.224.0","223.255.231.255","3758088192","3758090239","ID","Indonesia"
"223.255.232.0","223.255.235.255","3758090240","3758091263","AU","Australia"
"223.255.236.0","223.255.239.255","3758091264","3758092287","CN","China"Your data source seems more trustworthy than what I've found.
I'll PM you the script to d/l+extract the country IPs into .txt files as soon as I puzzle it out.
-
Hi, does anybody know what triggers the reset of the pfBlocker's dashboard packet count? It would be much more useful if it only cleared when I clear the counter. Right now it just seems to clear the packet count randomly.
Thanks,
Kevin -
anything that reloads your rules/filter will do it. look for check_reload_status: Syncing firewall in your system log
-
HI, for those who want to test an updated country list from a new source before I try to update it on package install, follow these steps on console
cd /usr/local/pkg /usr/bin/fetch http://e-sac.siteseguro.ws/pfsense/pfblocker/Africa_cidr.txt /usr/bin/fetch http://e-sac.siteseguro.ws/pfsense/pfblocker/Asia_cidr.txt /usr/bin/fetch http://e-sac.siteseguro.ws/pfsense/pfblocker/Europe_cidr.txt /usr/bin/fetch http://e-sac.siteseguro.ws/pfsense/pfblocker/North_America_cidr.txt /usr/bin/fetch http://e-sac.siteseguro.ws/pfsense/pfblocker/Oceania_cidr.txt /usr/bin/fetch http://e-sac.siteseguro.ws/pfsense/pfblocker/South_America_cidr.txt php /usr/local/www/pfblocker.php uc
After this, access pfblocker gui and save config again.
You can check applied networks/cidrs on diagnostics -> tables
-
HI, for those who want to test an updated country list from a new source before I try to update it on package install, follow these steps on console
Hi Marcello,
This updates correctly. What is the source of the Country code files if you don't mind sharing?
Thanks.
-
I was just going through some notes on pfblocker. This brought back some memories. I thought I would share with you guys since it's apart of the pfblocker past.
ipblocklist
HOLD - cidr
dashboard HUD
Remove IPFW Flush
Complete - ensure /usr/local/pkg/pf/ .sh is removed
Complete - whitelists on reboot
Complete - logging doesn't stay enabled when you click save/update
Complete - remove unique -u to just unique
Complete - remove warning from GUI
Complete - add lvl1 by default
Complete - change description to use the phrase peerblock
Complete - remove "ipfw -f flush" commands from php and uninstall process.
Complete - setenv PACKAGESITE "ftp://ftp.freebsd.org/pub/FreeBSD/ports/i386/packages-8-stable/Latest/" before pkg_add -r "package"
Complete - pkg_add -r p5-NET-CIDR p5-Net-CIDR-0.14 CURRENT
Complete - pkg_add -r perl perl-5.10.1_1 TO perl-5.12.4_2
Complete - don't uninstall perl and p5-cidr-net at uninstallcountryblock
Complete - ensure /usr/local/pkg/pf/ .sh is removed
Complete - update CIDR.php file
Complete - Remove Email
Remove IPFW Flushstrikeback
auto start
auto settings (root user)ideas:
hybrid ipblockist and countryblock. Tab seperate the roles. one package - one stop shop. Name: Layer3 Shield or Layer3 Filter or Security
iplocklist and countryblock redirection on outbound if going to blocked ip's!!!This note is dated 2010!
-
I was just going through some notes on pfblocker. This brought back some memories. I thought I would share with you guys since it's apart of the pfblocker past.
This note is dated 2010!
If you guys are interested I have a working BETA for pfBlocker that incorporates features that lots of us would like to see in a new release of pfBlocker. :)
-
Can't imagine anyone would be intested in that. ;)
Oh wait…. -
Can't imagine anyone would be intested in that. ;)
Oh wait….rofl
I was just going through some notes on pfblocker. This brought back some memories. I thought I would share with you guys since it's apart of the pfblocker past.
This note is dated 2010!
If you guys are interested I have a working BETA for pfBlocker that incorporates features that lots of us would like to see in a new release of pfBlocker. :)
Please share. :-D I would love to see this package get a facelift and some TLC. Besides Snort this is one of the must have packages imo.
-
I was just going through some notes on pfblocker. This brought back some memories. I thought I would share with you guys since it's apart of the pfblocker past.
This note is dated 2010!
/gasp!
-
They say a Picture is worth a 1000 words, so I will post 4 pics.
I have a few fellow members currently helping to Beta test the code. So far so good. I would like to change the behavior of the Rules Creation and the Loading of the Tables in my next round of changes to the pfBlocker Code.
Any programming help would also be appreciated to help expedite the process…. ;)
Link to the pfBlocker (General Tab)
http://imgur.com/h0708WPLink to the pfBlocker (Reputation Tab)
http://imgur.com/9AGK95VLink to the pfBlocker (LISTS Tab)
http://imgur.com/4Wgq4skLink to the pfBlokcer (LOG Tab)
http://imgur.com/SNQ85RT