Netgate Discussion Forum

    Custom Lists For Firewall Rules

    Firewalling
    9 Posts 3 Posters 2.2k Views
      Snorkasaurus

      Greetings,

      I am running pfSense 2.1 w/ pfBlocker.  I have a number of hosting provider IPs that are pounding some of my web sites with WordPress hacks, injection attempts and relentless scraping.  Almost nobody should be browsing from hosting provider IPs but it is possible that someone may be running a legitimate VPS based mail server.  As a result I would like to create a custom list of IPs to block from my web site but not my mail server.  Something like this:

      My list of IP's to block

      Last updated 2013-11-26

      paininthebutt.com

      1.1.1.0/24
      2.2.2.0/24
      100.100.100.1-100.100.100.5

      anotherpain.com

      66.66.0.0/16
      222.222.222.1-222.222.222.127

      would be perfect.  When I create a blank Firewall Rule I do not see a way to designate a list as a source and when I create a custom list in pfBlocker it blocks all ports.  If I manually change the pfBlocker rule to 80/443 it automatically reverts back to all ports.  Could someone please tell me if there is an elegant way to create custom lists (that can hopefully be commented) for use in Firewall Rules?  Or alternatively a way to make an exception to the pfBlocker rules so these hosts can be allowed through on port 25?

      HF,
      S.

        Snorkasaurus

        Dang.  :(

        S.

          phil.davis

          If your list is not very long, then just make an ordinary Alias for it - you can put a comment on each entry. Otherwise use the URL Alias tab and put the data in a file that you serve out. Then the alias can have bucketloads of entries in the file. You can use the alias in rules in combination with port numbers to block or pass. I don't think you have to use pfBlocker for this kind of local list.

          As the Greek philosopher Isosceles used to say, "There are 3 sides to every triangle."
          If I helped you, then help someone else - buy someone a gift from the INF catalog http://secure.inf.org/gifts/usd/

            johnpoz (LAYER 8 Global Moderator)

            Not sure how you're using pfblocker, I just use it in alias mode and then use the alias to block countries, etc.

            If you want to use the pfblocker interface, just set your list to alias only, and then you can put in your networks right there.  And then just use that alias in your rule to block those sources from what ports you want to block them from, etc.

            An intelligent man is sometimes forced to be drunk to spend time with his fools
            If you get confused: Listen to the Music Play
            Please don't Chat/PM me for help, unless mod related
            SG-4860 25.11.1 | Lab VMs 2.8.1, 25.11.1

              Snorkasaurus

              Hey Phil & John,

              Thanks for the replies… after a fair bit of fiddling I eventually figured out how to use aliases.

              Much appreciated,
              S.

                Snorkasaurus

                It seems there is more…

                I created a text file with a list of CIDR ranges and placed it on a web server.  Then created a URL Alias that points to the text file.  Then created a rule that uses the Alias.  It seems to be working so far.
                If I add a new CIDR range to the file, I was expecting that the Alias would update at 12:30 when cron runs /etc/rc.update_urltables but it doesn't seem to add the new range to the "hover list".  The System/General logs say that it "does not need updated" even though I have modified the file.  If I manually run /etc/rc.update_urltables via shell I get the same result.  However, if I go to the alias page and change any field and hit save I get my Alias updated (which can be seen by an updated "hover list").
                What does pfSense do to evaluate whether the URL based list has changed or not?

                S.

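                Editor's added example (not code from this thread, from pfSense or from pfBlocker): the approach that ended up working here is a text file served over HTTP and pulled in as a URL table alias. The list sketched in the first post mixes CIDR blocks, "lo-hi" ranges and domain-name labels, so the script below normalises such a file into one prefix per line, splits ranges into the minimal set of CIDR blocks (pf tables take prefixes, not ranges), merges overlapping entries, and reports malformed lines instead of dropping them silently. The sample list is constructed from the one in the first post with placeholder addresses; whether the alias fetcher tolerates comments or ranges is not settled on this page, so the output emits bare CIDRs and keeps the labels only in an optional human-readable copy.

```python
import ipaddress
import re

# Constructed sample modelled on the list in the first post; the addresses are
# placeholders, not a real blocklist.
SAMPLE_LIST = """\
My list of IP's to block
Last updated 2013-11-26

paininthebutt.com
1.1.1.0/24
2.2.2.0/24
100.100.100.1-100.100.100.5

anotherpain.com
66.66.0.0/16
222.222.222.1-222.222.222.127
"""

# "a.b.c.d-w.x.y.z" range, optional whitespace around the dash
RANGE_RE = re.compile(r"^(\S+)\s*-\s*(\S+)$")


def parse_block_list(text):
    """Turn the human-maintained list into (network, label) pairs.

    Plain CIDR lines are kept; "lo-hi" ranges are split into the minimal set of
    CIDR blocks; any other non-numeric line is treated as a label for the
    entries that follow it.  Lines that start with a digit but do not parse are
    reported as errors instead of being dropped silently.
    """
    entries, errors = [], []
    label = ""
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = RANGE_RE.match(line)
        try:
            if m:
                lo = ipaddress.ip_address(m.group(1))
                hi = ipaddress.ip_address(m.group(2))
                nets = list(ipaddress.summarize_address_range(lo, hi))
            else:
                # strict=False accepts 1.2.3.4/24 and normalises it to 1.2.3.0/24
                nets = [ipaddress.ip_network(line, strict=False)]
        except (ValueError, TypeError):
            if line[0].isdigit():
                errors.append((lineno, line))
            else:
                label = line
            continue
        entries.extend((net, label) for net in nets)
    return entries, errors


def collapsed_networks(entries):
    """Merge overlapping or adjacent blocks so the table carries no redundant
    entries; returned as sorted prefix strings."""
    nets = [net for net, _ in entries]
    return [str(n) for n in ipaddress.collapse_addresses(nets)]


def render_table(entries, with_comments=False):
    """Render one prefix per line, the safest form to serve to a URL table
    alias (assumption: the fetcher wants bare CIDRs).  with_comments=True adds
    '# label' headers for a human-readable copy kept alongside it."""
    lines, current = [], None
    for net, label in entries:
        if with_comments and label != current:
            lines.append("# " + label)
            current = label
        lines.append(str(net))
    return lines


if __name__ == "__main__":
    parsed, bad = parse_block_list(SAMPLE_LIST)
    for lineno, line in bad:
        print("line %d rejected: %s" % (lineno, line))
    print("\n".join(render_table(parsed)))
```

                Run it against the list before publishing the file: the range 222.222.222.1-222.222.222.127 alone becomes seven prefixes, which is why keeping the ranges in the human-readable copy and serving only the normalised output is easier than maintaining CIDRs by hand.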
                  Snorkasaurus

                  Does anybody know of any documentation that describes how firewall aliases work?  Specifically how to make updates function?

                  S.

                    phil.davis

                    The update frequency for a URL (table) is specified in days. It is the "Update Freq" field on the GUI that looks just like the CIDR field for networks. The description was enhanced recently (since 2.1-RELEASE) to say that - https://github.com/pfsense/pfsense/commit/2b6e6fee8076fb9b677c8bb3d7753c62081cb023
                    rc.update_urltables is run (by default) at 12:30 each day and calls pfsense-utils.inc:process_alias_urltable to check and update each table as needed/specified.
                    Mostly the problem will be that the Update Freq field has been left set to 32 or 128 (days not bits!) so the table does not update very often.


                      Snorkasaurus

                      Hey phil.davis,

                      Thanks for the info… I was hoping to have my custom alias list update much more frequently (bandwidth simply isn't an issue since the list is maintained on the same LAN).  Using your tidbits and some other info I found in the forums here I was able to make a new script and cron entry to update my list twice an hour, which of course included

                      unlink("/var/db/aliastables/my_url_alias_table.txt");

                      just to be sure. :-)

                      Much appreciated,
                      S.

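                      Editor's added example (not code from this thread or from pfSense) covering phil.davis's explanation of the update check and the unlink() workaround in the last post. It models the decision rc.update_urltables has to make for each table: a cached copy younger than "Update Freq" days is left alone (the "does not need updated" log line), a missing or older one is fetched. The arithmetic is an assumption about the behaviour described here, not a copy of pfsense-utils.inc:process_alias_urltable; the file name and the 2013-11-26 timestamp are constructed to match the thread.

```python
import os
import tempfile
import time

SECONDS_PER_DAY = 86400


def age_exceeds(mtime, now, update_freq_days):
    """Core decision: has the cached table been sitting for at least
    update_freq_days (the "Update Freq" field counts days, not prefix bits)?"""
    return (now - mtime) / SECONDS_PER_DAY >= update_freq_days


def table_needs_update(cache_path, update_freq_days, now=None):
    """Model of the per-table check phil.davis describes: a missing or stale
    cache file means fetch, otherwise the run is a no-op.  Assumption: the real
    test in process_alias_urltable may differ in detail."""
    if now is None:
        now = time.time()
    if not os.path.exists(cache_path):
        return True
    return age_exceeds(os.path.getmtime(cache_path), now, update_freq_days)


def force_refresh(cache_path):
    """The unlink() trick from the last post: dropping the cached copy makes
    the next run fetch regardless of Update Freq.  Returns whether a file was
    actually removed."""
    try:
        os.unlink(cache_path)
        return True
    except FileNotFoundError:
        return False


def demo():
    """Walk through the thread's scenario against a temporary file and return
    the decisions taken, keyed by situation (True means fetch)."""
    # Constructed epoch: 2013-11-26 00:00 UTC, the date on the sample list.
    base = 1385424000
    with tempfile.TemporaryDirectory() as tmp:
        # Hypothetical cache file, named after the path quoted in the thread.
        cache = os.path.join(tmp, "my_url_alias_table.txt")
        with open(cache, "w") as fh:
            fh.write("1.1.1.0/24\n")
        os.utime(cache, (base, base))  # pin the mtime so the ages are exact
        mtime = os.path.getmtime(cache)
        results = {
            # The list file changed yesterday, but with Update Freq left at 32
            # the daily 12:30 run does not refetch.
            "freq_32_after_1_day": table_needs_update(cache, 32, now=mtime + SECONDS_PER_DAY),
            # Only after 32 days does that setting trigger a fetch.
            "freq_32_after_32_days": table_needs_update(cache, 32, now=mtime + 32 * SECONDS_PER_DAY),
            # Update Freq of 1 refetches on the next daily run.
            "freq_1_after_1_day": table_needs_update(cache, 1, now=mtime + SECONDS_PER_DAY),
            # Days are the smallest unit, so twice an hour cannot be expressed
            # through Update Freq; removing the cache forces it instead.
            "removed": force_refresh(cache),
            "after_unlink": table_needs_update(cache, 32, now=mtime),
        }
    return results


if __name__ == "__main__":
    for situation, decision in demo().items():
        print("%-24s -> %s" % (situation, decision))
```

                      The point of the walk-through is the unit: a field showing 32 reads like a /32 but means a monthly refresh, and since the field cannot go below one day, a half-hourly schedule needs a separate cron entry plus the unlink of the cached table, which is exactly the combination the last post arrived at.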
                      Copyright 2026 Rubicon Communications LLC (Netgate). All rights reserved.