PfBlocker



  • On reinstall we always get the Reload status missing alias error: php: : New alert found: # unresolvable dest aliases
    This is because pfBlocker is disabled by default on install.

    if you click ACKNOWLEDGE ALL in the Package Installer window, you ended up with:

    Installation of  FAILED!
    -------------------------
    Installation halted.
    
    

    Everything is fine and working after you enable pfBlocker.



  • @RonpfS:

    On reinstall we always get the Reload status missing alias error: php: : New alert found: # unresolvable dest aliases

    Please, remove custom alias before removing package.
    pfBlocker is just doing what you asked him to do (do not touch my rules).

    @RonpfS:

    if you click ACKNOWLEDGE ALL in the Package Installer window, you ended up with:

    Installation of  FAILED!
    -------------------------
    Installation halted.
    
    

    when you click ACKNOWLEDGE ALL you reload the page, and then get a 'reinstallation' error.

    This is not related to pfBlocker.



  • I've pushed a fix in cron call to check if pfBlocker is enabled or not.

    if you have installed pfBlocker before now + 15 min, reinstall package.



  • Done.
    Everything is running fine.



  • Great news, thanks for your feedback.



  • I'm running on Alix 2D13.
    Installed pfSense-1.2.3-RELEASE-2g-nanobsd.img.gz on a 2GB card.
    Version 2.0-RELEASE (i386) built on Tue Sep 13 18:02:53 EDT 2011
    Platform nanobsd (2g)
    CPU Type Geode(TM) Integrated Processor by AMD PCS
    Uptime 31 days +


    I'm running Peerblocker on a local windows xp machine.
    Is is possible to have a stripped down pfsense server - to do the same job as peerblocker (http://www.peerblock.com/) ?
    (it now has 2.301.808.963 IPs and counting..)

    Or should I look else where ?



  • It seems that peerblocker is another thing and meant for windows.

    Unless you convince a unix knowledgable to port it to unix i do not think you will have much success in that way.



  • @kilko:

    I'm running on Alix 2D13.
    Installed pfSense-1.2.3-RELEASE-2g-nanobsd.img.gz on a 2GB card.
    Version 2.0-RELEASE (i386) built on Tue Sep 13 18:02:53 EDT 2011
    Platform nanobsd (2g)
    CPU Type Geode(TM) Integrated Processor by AMD PCS
    Uptime 31 days +


    I'm running Peerblocker on a local windows xp machine.
    Is is possible to have a stripped down pfsense server - to do the same job as peerblocker (http://www.peerblock.com/) ?
    (it now has 2.301.808.963 IPs and counting..)

    Or should I look else where ?

    pfBlocker does the same job as peerblocker. pfBlocker replaces IP-Blocklist and IP-Blocklist was created to mimic peerblocker. You can use the same lists that you are using in peerblocker and apply them to pfBlocker. This way you get protection not just on a single machine but your entire network.

    pfBlocker is Peerblock for pfsense.



  • We need a way to verify that PfBlocker is downloading lists properly and blocking. It should display the number of IP's being blocked from downloaded lists.



  • @ipv6kid:

    We need a way to verify that PfBlocker is downloading lists properly and blocking. It should display the number of IP's being blocked from downloaded lists.

    There is. Marcello built that into the widget. You can add it on the home page HUD by pressing the '+' button.

    This widget counts the CIDRs currently applied in your tables that pfblocker creates.



  • @ Tommyboy - Thanks for that I did not know to look at the widget.

    I am getting the following error with PFblocker now. It reports "out of memory" but RAM usage is only about 53%:

    : The command '/sbin/pfctl -o basic -f /tmp/rules.debug' returned exit code '1', the output was '/tmp/rules.debug:20: cannot define table pfBlockerLevel1Inbound: Cannot allocate memory /tmp/rules.debug:22: cannot define table pfBlockerLevel1Outbound: Cannot allocate memory pfctl: Syntax error in config file: pf rules not loaded'

    Does anybody know how to remedy this?



  • Getting more errors:

    There were error(s) loading the rules: /tmp/rules.debug:20: cannot define table pfBlockerLevel1Inbound: Cannot allocate memory
    /tmp/rules.debug:22: cannot define table pfBlockerLevel1Outbound: Cannot allocate memory
    /tmp/rules.debug:36: cannot define table pfBlockerPrimaryThreats: Cannot allocate memory
    pfctl: Syntax error in config file: pf rules not loaded The line in question reads [20]: table <pfblockerlevel1inbound>persist file "/var/db/aliastables/pfBlockerLevel1Inbound.txt"

    My router is a laptop router and is not out of memory.</pfblockerlevel1inbound>



  • ipv6kid,

    • Increase even more Firewall Maximum Table Entries

    • clear ipblocklist table in diagnostics-> table

    • check if the value of table-entries in /tmp/rules.debug is the same in Firewall Maximum Table Entries

    • check also if table-entries is declared twice in /tmp/rules.debug

    This should correct your errors. Basically what is happening is system variable has set a ceiling on the tables. You can manually override this by changing that value to allow larger tables.



  • ipv6kid,

    Also check lists description. Level1 ipblocklist includes only 'good' networks.

    Blocking a grey list may not be a good choice.



  • First, thanks for the reply. I have set the maximum Firewall tables to 550,000 just to be safe but under Diagnostics > Tables there is no PFblocker drop down selection.

    I am still getting memory allocation errors even though I've done all of this and reset the states. Could it be anything else?



  • You said to make sure I didn't have double "table-entries", what if I used the same list to deny inbound and outbound? Would that cause this error?



  • If you need to inbound and outbound rules on same table, choose alias on list action and then create a manual rule in wan and other in lan.

    If you still want list1, you may need 1.000.000 or more.

    You can't see pfBlocker table because you got erros during apply.



  • Yeah I just noticed some of these lists run into the hundreds of thousands of tables. I am running an old clunky dell laptop from 2003-ish. With only 768 MB of RAM, and when I enabled more states into the 2 million range, RAM usage shot up and it started swapping.

    I'm also running SNORT on top of this, so I'm going to need a gateway with more RAM.

    It seems to be working without errors now, I've disabled and re-enabled PFblocker… after deleting all the large block lists.

    I can now see the pFblocker "tables" under Diagnostics > Tables.

    I also think some of these "debug" errors were due to logging being enabled, so if anybody else is still having issues, try disabling that. Where does this even log to anyways? I couldn't find where it was logging to in the console unless it was going directly to system logs.

    Thank you very much!



  • FYI,

    I'm running Level1, Level2, and Level3 on a system with only 256MB RAM. You don't need more RAM, just increase your Firewall Maximum Table Entries.

    marcelloc,
    Level1, Level2, and Level3 lists do have 'good' guys in the list but it's an Anti-P2P list. All the IPs have been involved in anti-P2P behavior. That's why I always run Level1 lists at a min. It's actually one of the main reasons why I made IP-Blocklist.



  • I use dshield, drop, hijacked etc on Pfsense Box.

    I use the level 1, badpeers, etc on Seed Box with PeerBlock.



  • I know it's quite off topic but 'Companies which anti-p2p activity has been seen from' for me means:
    Companies that try to detect p2p users, so if you block it, they cant' find your p2p activity.

    Isn't better using this list to block torrent search like pirate bay?



  • @marcelloc:

    I know it's quite off topic but 'Companies which anti-p2p activity has been seen from' for me means:
    Companies that try to detect p2p users, so if you block it, they cant' find your p2p activity.

    Isn't better using this list to block torrent search like pirate bay?

    We're talking about two different things here. This is a bit off topic so I won't go into much detail but basically…

    • If you don't want to get sued for downloading copyrighted material then you block Anti-P2P groups using Level1 among using many other protection techniques

    • If you want to prevent network users from using P2P then you implement Layer7 filtering

    Blocking sites like TPB do nothing to prevent P2P traffic from using TPB's trackers. It's moot. That's why Level1 lists has all bad IPs.
    I hope this clears it up.



  • Is it possible to currently use host name block lists with PFblocker?

    I'd like to include some known malware URL's. Can that be a feature in an upcoming version?



  • @ipv6kid:

    Is it possible to currently use host name block lists with PFblocker?

    I'd like to include some known malware URL's. Can that be a feature in an upcoming version?

    Host names resolve to IP addresses. You can create your own custom list to be used with pfblocker or try to find a list that meets your needs. There are literally hundreds of lists available for free so I would bet your list is already made for you. Start looking at iblocklist.com



  • I have a problem where the inbound block rule does not get created for the included country lists. I have been installing and testing packages so i have installed havp and snort and uninstalled them and then reinstalled them again, due to trying to identify a problem. Outbound rules can still be created and the alias for both inbound and outbound are fine. But when i select inbound rule deny on the country lists pages it does not create the rule. Even if i stop pfblocker and remove all the lists and readd and then enable pfblocker, it creates the alias and the outbound block but not the rules on wan.

    edit: Ok I added a random rule with port 123 on wan and then readded then the lists appeared in the rules and when i changed another country list to inbound deny it showed up. So maybe it is just my rules are not refreshing right and is not related to pfblocker.



  • You need at least one rule created to pfBlocker work on selected interface.



  • Running 2.0-RELEASE (i386) built on Tue Sep 13 17:00:00 EDT 2011 Intel(R) Xeon(TM) CPU 3.06GHz w/ 3gb RAM.

    Just loaded and reloaded pfBlocker and I'm finding that if I set outbound to be blocked to spamlist I can still get to India or Russia located sites.  Any idea what I might need to do.  I have my firewall maximum table entries at 500000.

    Thanks.



  • @mentalhemroids:

    Running 2.0-RELEASE (i386) built on Tue Sep 13 17:00:00 EDT 2011 Intel(R) Xeon(TM) CPU 3.06GHz w/ 3gb RAM.

    Just loaded and reloaded pfBlocker and I'm finding that if I set outbound to be blocked to spamlist I can still get to India or Russia located sites.  Any idea what I might need to do.  I have my firewall maximum table entries at 500000.

    Thanks.

    What are the sites?





  • @mentalhemroids:

    Running 2.0-RELEASE (i386) built on Tue Sep 13 17:00:00 EDT 2011 Intel(R) Xeon(TM) CPU 3.06GHz w/ 3gb RAM.

    Just loaded and reloaded pfBlocker and I'm finding that if I set outbound to be blocked to spamlist I can still get to India or Russia located sites.  Any idea what I might need to do.  I have my firewall maximum table entries at 500000.

    Thanks.

    Are you blocking countries India and Russia or applying a spamlist from ipblocklist?

    Enable pfblocker widget. there you can see alias package count hit.



  • @marcelloc

    I have the spamlist all selected; I was assuming that if the country is in there the entire country would be blocked.  Am I wrong?

    I will take a look at the widget today.

    Thanks!



  • The default way to block spam is inbound as you do not want them to send email to you.

    You can also change action to alias only and create a block rule only on inbound smtp connections.



  • If i enable the top spammers alias included in pfblocker on outbound those hostnames you specified are not accessible.



  • @sekular:

    If i enable the top spammers alias included in pfblocker on outbound those hostnames you specified are not accessible.

    Top spammers is just a shortcut for countries that send many spams.

    The best way to block this is changing action to alias only and create an inbound rule denying smtp connections.



  • I chose alias only and set outbound and inbound block; I'm still getting to the sites.  The one interesting thing is that before I chose the option block outbound this morning I had it set to block inbound yesterday before I went home and when I loaded the widget this morning it had some packets listed.  It doesn't have anything listed right now… I may need to reboot the server; I'll try that later on today.



  • There is no need to reboot, all rules are applied when you save config.

    try this:

    • select only one country

    • apply

    • got to diagnostics -> table

    • select alias you applied country

    • check if the websites ip is in any of network CIDRS listed

    Just to be sure you understand how rules work.

    inbound rules -> applied on source side of wan rules
    outbound rules -> applied on destination side of lan rules
    Floating rules -> apply rules to block pfsense to reach something



  • I don't know what is happening, but I just put a specific rule in place of the pfBlocker and the Indian site is still not getting blocked; could it be due to squid?
    Thanks!




  • @mentalhemroids:

    I don't know what is happening, but I just put a specific rule in place of the pfBlocker and the Indian site is still not getting blocked; could it be due to squid?
    Thanks!

    Finally an answer. It's squid.  :)

    Create the same rule on floating rules.

    Squid goes to internet using localhost, so lan rules will not match any squid access.



  • Okay, so question… do I need to have both WAN and LAN selected in the floating rule?  I had just one and things seemed to still go through; with both the sites were blocked.  I guess it could be that it's cached on my pc here, but I am getting things blocked on another pc with just LAN selected.

    Thanks for your help marcelloc!




  • Well, it's time for first release.

    pfblocker 1.0 is out. No changes from last beta version.


Log in to reply