PfBlocker IP List



  • Greetings,

    pfSense v2.1 & pfBlocker 1.0.2 - set up pfBlocker and it generally seems to be working; however, today I am seeing entries in my web server logs from 185.24.218.83 even though Poland is selected in pfBlocker.  My "Action" on the Europe page is set to "Deny Inbound" and "Enable pfBlocker" is checked on the General page.  Should this setup not block the above address?

    S.



  • It blocked it for me via the pfBlockerEurope alias.  Might wanna check your firewall rules page and see if the rules haven't been applied.



  • I have a side question to anyone:  Is there an updated CountryList service?  pfBlocker seems to be stale.  It's still pretty good, but curious if there's a better way.


  • I get whitelisted Danish IPs blocked, so the lists haven't been updated in a while.

    Deleted pfBlocker for the same reason; waiting for something with updated lists.



  • Hey Finger,

    If I look at my firewall rules I see the pfBlockerEurope rule there, and if I mouse over it I see plenty of address blocks, just not 185.24.218.0/24. :-(

    @Supermule: Do you mean that you whitelisted some blocks and they are/were still being blocked?  How did you whitelist them?  Did you make a "List" on the list page?

    S.


  • No whitelist, but a whitelisted Danish IP got blocked on the Asian list.

    I guess one of the ISPs swapped an IP range…



  • Oh man, there is no way I can use that. :-(
    Thanks for letting me know, much appreciated.
    S.



  • @Snorkasaurus:

    Hey Finger,

    If I look at my firewall rules I see the pfBlockerEurope rule there, and if I mouse over it I see plenty of address blocks, just not 185.24.218.0/24. :-(

    Hovering only lists the first 10,000 items.  It's not listed on mine either when I hover.  So at the top of your firewall rules, you don't have a big red warning reminding you to "Apply" your new rules?  Same when going to Firewall –> Aliases.  Do you have a reminder asking you to Apply changes?

    If it's not that, it's probably a firewall rule order.  Are the pfBlocker rules toward the top?

    If it's not that, my last guess is your pfBlocker Europe countries whitelists another country that it thinks is 185.24.218..... maybe pfBlocker thinks that IP is actually in Norway or Austria or something and you are trying to block Poland.  That happens, too.  Heck, like SuperMule said, sometimes it's WAY off.  Japan shows up as England or something.

    Edit:  Oh, a silly question, but on your pfBlocker pfBlockerEurope page, you did highlight all the countries you want, right?  If they're unselected, they won't be added to the alias.  I've done silly things like that.



  • These are the only lists that should be used with pfblocker:

    pfblocker lists:
    Type             List
    gz                 http://list.iblocklist.com/?list=bt_hijacked&fileformat=p2p
    gz                 http://list.iblocklist.com/?list=bt_dshield&fileformat=p2p
    gz                 http://list.iblocklist.com/?list=ficutxiwawokxlcyoeye&fileformat=p2p
    gz                 http://list.iblocklist.com/?list=ghlzqtqxnzctvvajwwag&fileformat=p2p
    gz                 http://list.iblocklist.com/?list=tbnuqfclfkemqivekikv&fileformat=p2p
    gz                 http://list.iblocklist.com/?list=sh_drop&fileformat=p2p
    gz                 http://list.iblocklist.com/?list=bt_spyware&fileformat=p2p
    gz                 http://list.iblocklist.com/?list=npkuuhuxcsllnhoamkvm&fileformat=p2p
    gz                 http://list.iblocklist.com/?list=pbqcylkejciyhmwttify&fileformat=p2p
    gz                 http://list.iblocklist.com/?list=ynkdjqsjyfmilsgbogqf&fileformat=p2p
    gz                 http://list.iblocklist.com/?list=zvjxsfuvdhoxktpeiokq&fileformat=p2p
    gz                 http://list.iblocklist.com/?list=erqajhwrxiuvjxqrrwfj&fileformat=p2p
    txt                http://rules.emergingthreats.net/fwrules/emerging-Block-IPs.txt
    txt                http://rules.emergingthreats.net/blockrules/compromised-ips.txt
    txt                http://rules.emergingthreats.net/blockrules/rbn-malvertisers-ips.txt
    gz                 http://list.iblocklist.com/?list=bt_templist&fileformat=p2p
    gz                 http://list.iblocklist.com/?list=tor&fileformat=p2p
    txt                http://doc.emergingthreats.net/pub/Main/RussianBusinessNetwork/RussianBusinessNetworkIPs.txt
    txt                http://www.ciarmy.com/list/ci-badguys.txt
    
    BE CAREFUL WITH THE TYPE.
    

    taken from: http://forum.pfsense.org/index.php/topic,64674.msg350652.html#msg350652

    Make sure you set them up as a single alias, and use the alias in your rules.

    If you feel the need to block entire country ranges, you are doing it wrong. Those lists are updated daily, and based on this I don't understand the "I had to remove pfblocker" mentioned above. pfblocker works OK, the lists are updated, I don't see a problem with that.

    Traditional disclaimer: I have not typed 1) someone else will come along and correct me, 2) I might be wrong, 3) I'm not sure about, but… 4) I'd be happy to be proven wrong. Based on this, please do not correct me. Pretty please? Pretty please with cherry on top? Do we really have to go into details why you shouldn't block by country lists? Really? Are you really, really sure you need to open that can of worms?



  • Hey again…
    @Finger79:

    Hovering only lists the first 10,000 items.  It's not listed on mine either when I hover.

    My list also appears to be in numerical order and goes past 185.24.218.0 but skips it.
    @Finger79:

    So at the top of your firewall rules, you don't have a big red warning reminding you to "Apply" your new rules?  Same when going to Firewall –> Aliases.  Do you have a reminder asking you to Apply changes?

    Nope, I have been adding lots of rules and have been applying them all.
    @Finger79:

    If it's not that, it's probably a firewall rule order.  Are the pfBlocker rules toward the top?

    Yeppers…
    http://s30.postimg.org/4gq78iqf5/pfshot1.jpg
    @Finger79:

    If it's not that, my last guess is your pfBlocker Europe countries whitelists another country that it thinks is 185.24.218..... maybe pfBlocker thinks that IP is actually in Norway or Austria or something and you are trying to block Poland.  That happens, too.

    I'm not sure I understand what you mean by "whitelist"… I don't see any whitelist setup in the pfBlocker configuration pages.  However, if pfBlocker is incorrect about which country 185.24.218.0/24 is in then I would think that there is a problem.  If I just happened to hit a "changed block" before my pfBlocker could update then I guess it was just my bad luck but I wouldn't want incorrect geo-evaluation.
    @Finger79:

    Edit:  Oh, a silly question, but on your pfBlocker pfBlockerEurope page, you did highlight all the countries you want, right?

    I sure did…
    http://s21.postimg.org/aigajyq2f/pfshot2.jpg
    @jflsakfja:

    These are the only lists that should be used with pfblocker

    Are you referring to these lists?
    http://s23.postimg.org/hm3saeil7/pfshot3.jpg
    @jflsakfja:

    If you feel the need to block entire country ranges, you are doing it wrong.

    I thought that blocking entire country ranges was the explicit reason for using pfBlocker?  I am not doing anything other than highlighting a half dozen countries (one of which is Poland) in the default configuration that comes with pfBlocker and asking it to block them.



  • @Snorkasaurus:

    @jflsakfja:

    These are the only lists that should be used with pfblocker

    Are you referring to these lists?
    http://s23.postimg.org/hm3saeil7/pfshot3.jpg
    @jflsakfja:

    If you feel the need to block entire country ranges, you are doing it wrong.

    I thought that blocking entire country ranges was the explicit reason for using pfBlocker?  I am not doing anything other than highlighting a half dozen countries (one of which is Poland) in the default configuration that comes with pfBlocker and asking it to block them.

    Yeap, press the + button and add all those lists as shown in a single list. Make sure the list action is alias only, update once a day.

    Then set up a firewall rule on the WAN interface using that alias with block (NEVER USE REJECT ON WAN), and a rule on each LAN side (lan, dmz, opt124324, etc.) with REJECT (you don't need to wait for timeouts on the LAN side). Make sure Advanced > Firewall (NAT) has:
    Firewall Maximum Tables: 10,000,000 (without commas)
    Firewall Maximum Table Entries: 10,000,000 (without commas)
    so that all those IPs actually fit inside a table. The maximum tables could be lower; I'm using that value for other reasons. The entries MUST be that value, or the table will be too small to fit those IPs inside it.
    pfBlocker should not be used to block countries; it creates more problems than it solves. There are a few thousand early warning systems across the planet which contribute to those lists (think of them as honeypots). You don't need to block the entire Iceland range for a single hosting company that doesn't care what its customers are doing, for example. Those IPs will end up sooner or later on one (or more) of those lists.
    The whole blocking countries mentality comes from the… opens the "Keeping You Scared" bag Russian spies...nope... Pakistan cyberwarfare...nope....ah, here it is: Chinese State Sponsored Hackers. Such a thing does not exist. They are not hackers, in the sense of a true hacker. Think of them more as script kiddies. A 16 year old kid that enjoys downloading exploits and attacking other systems is exactly the same as them.
    They will end up on those lists soon, simply because their trainers fell asleep during my classes. I always say in my classes that once you set off an alarm coming into a network, you are pretty much done and should move on to the next target. The United States Army Network Enterprise Technology Command (NETCOM) guys are notorious for falling asleep during classes, for example. They still think that an attack starts with a ping to see if the target is up.
    Combine the falling asleep part with the part that the whole "system" operates as the old telephone game (you don't say what you were told) and you come to the conclusion that one country is no better (or worse in this case) when it comes to the whole "Cyberwarfare" part. Trust me and please stop blocking entire countries.
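The two questions in this thread (is 185.24.218.83 actually inside the alias, and will all those list entries fit in the pf table?) can both be answered offline by parsing the lists the same way pfBlocker's "Type" column implies. The following is an added example written for this page, not code from pfBlocker or pfSense: it reads the I-Blocklist "p2p" format (which the gz lists above decompress to, one `description:first-last` range per line) and the plain "txt" format (one IP or CIDR per line), builds a single collapsed table, tests an address against it, and compares the entry count with the Firewall Maximum Table Entries value. The sample list contents are constructed, not real feed data, and the exact way pf counts entries for an alias is assumed to be one per network.

```python
import gzip
import ipaddress

# Constructed sample in I-Blocklist "p2p" format (what a gz-type list decompresses to).
SAMPLE_P2P = """\
# constructed sample, not a real list
Example hosting range:185.24.218.0-185.24.218.255
Another range:203.0.113.10-203.0.113.20
"""

# Constructed sample in plain "txt" format (one IP or CIDR per line, as the ET lists use).
SAMPLE_TXT = """\
# constructed sample, not a real list
198.51.100.0/24
192.0.2.7
"""


def parse_p2p(text):
    """Turn 'description:first-last' ranges into CIDR networks."""
    nets = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        # The description may itself contain ':'; the range follows the last one.
        _, _, rng = line.rpartition(":")
        first, sep, last = rng.partition("-")
        if not sep:
            continue
        start = ipaddress.ip_address(first.strip())
        end = ipaddress.ip_address(last.strip())
        nets.extend(ipaddress.summarize_address_range(start, end))
    return nets


def parse_txt(text):
    """One IP or CIDR per line; '#' starts a comment."""
    nets = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            nets.append(ipaddress.ip_network(line, strict=False))
    return nets


def load_list(raw, kind):
    """kind mirrors pfBlocker's Type column ('gz' or 'txt').

    Choosing the wrong type is the 'BE CAREFUL WITH THE TYPE' mistake:
    a gzip body handed to the txt parser is not valid list text.
    """
    if kind == "gz":
        return parse_p2p(gzip.decompress(raw).decode("utf-8", "replace"))
    if kind == "txt":
        return parse_txt(raw.decode("utf-8", "replace"))
    raise ValueError("unknown list type: %r" % kind)


def build_table(entries):
    """entries: iterable of (raw_bytes, kind). Returns a merged, collapsed list of networks."""
    nets = []
    for raw, kind in entries:
        nets.extend(load_list(raw, kind))
    return list(ipaddress.collapse_addresses(nets))


def is_blocked(table, ip):
    """True if ip falls inside any network of the alias table."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in table)


def fits_table(table, max_entries):
    """Assumption: pf needs one table entry per network in the alias."""
    return len(table) <= max_entries


def demo_table():
    """Build the table from the constructed samples (gz sample is gzip-compressed in memory)."""
    return build_table([
        (gzip.compress(SAMPLE_P2P.encode()), "gz"),
        (SAMPLE_TXT.encode(), "txt"),
    ])


if __name__ == "__main__":
    table = demo_table()
    print("entries:", len(table))
    print("185.24.218.83 blocked:", is_blocked(table, "185.24.218.83"))
    print("fits in 10000000:", fits_table(table, 10000000))
```

Against a real download, `is_blocked` answers the original poster's question directly rather than relying on the truncated hover list, and `fits_table` shows why the maximum table entries setting matters before the rules are applied.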



  • from snort's blocked list:

    211.81.31.53 	MALWARE-OTHER SQL Slammer worm propagation attempt inbound - 12/14/13-22:23:48
    

    a dns lookup:

    IP address:                     211.81.31.53
    Reverse DNS:                    [No reverse DNS entry per ns2.net.edu.cn.]
    Reverse DNS authenticity:       [Unknown]
    ASN:                            4538
    ASN Name:                       ERX-CERNET-BKB (China Education and Research Network Center)
    

    See? I'm always right. (see posts above)



  • But I just want to block Poland.
    Actually, the problem is that I set it up to block Poland, and it didn't. :-(
    S.


  • Cause the lists are not up to date.

    Marcello and Tommyboy180 are the ones behind pfBlocker.



  • @Snorkasaurus:

    But I just want to block Poland.
    Actually, the problem is that I set it up to block Poland, and it didn't. :-(
    S.

    Maybe see if the I-Blocklist Poland list is more accurate.  Create a new list in pfBlocker.


  • Does anyone know what the difference is between the Spamhaus extensions ".txt" and ".lasso"?  Which one should be used for pfBlocker?

    (Spamhaus - DROP)
        http://www.spamhaus.org/drop/drop.txt
        http://www.spamhaus.org/drop/drop.lasso

    (Spamhaus - EDROP)
        http://www.spamhaus.org/drop/edrop.txt
        http://www.spamhaus.org/drop/edrop.lasso

    In Emerging Threats, these two lists seem to be the same but the data is different. Which lists should be used in pfBlocker?

    http://rules.emergingthreats.net/blockrules/rbn-ips.txt
        http://doc.emergingthreats.net/pub/Main/RussianBusinessNetwork/RussianBusinessNetworkIPs.txt

    (Here are the other ET lists)
        http://rules.emergingthreats.net/fwrules/emerging-Block-IPs.txt
        http://rules.emergingthreats.net/blockrules/compromised-ips.txt
        http://rules.emergingthreats.net/blockrules/rbn-malvertisers-ips.txt

    For anyone that is interested, I came across these lists:

    (Brute Force Blocker)
        http://danger.rulez.sk/projects/bruteforceblocker/blist.php

    (OpenBL)
        http://www.us.openbl.org/lists/base_30days.txt

    Here are three others but they are not in a .txt format. Does anyone have any suggestions to get these to work with pfBlocker?

    (AutoShun)
        http://www.autoshun.org/files/shunlist.csv

    (Maxmind Proxies)
        http://www.maxmind.com/en/anonymous_proxies

    (Project Honeypot)
        http://www.projecthoneypot.org/list_of_ips.php?t=d&rss=1
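One way to use feeds that are not already one-address-per-line (the CSV and RSS-style lists asked about above) is to normalise them into the plain txt format pfBlocker already accepts. The example below is added for this page and is not code from pfBlocker, AutoShun, MaxMind or Project Honeypot: it pulls IPv4 addresses and CIDRs out of arbitrary text with a regular expression, discards anything that is not a valid address (a malformed octet, a date that happens to look numeric), de-duplicates and collapses the result, and emits txt-format lines. The CSV columns and RSS layout in the samples are constructed; the real feeds' formats are not shown in the thread.

```python
import ipaddress
import re

# Constructed CSV-style sample; columns are an assumption, not the real AutoShun layout.
SAMPLE_CSV = """\
# constructed sample, not real feed data
203.0.113.45,2013-12-14 22:23:48,ssh brute force
198.51.100.0/24,2013-12-14 22:30:00,scanner range
203.0.113.45,2013-12-15 01:00:00,repeat offender
"""

# Constructed RSS-style sample with addresses embedded in XML; layout is an assumption.
SAMPLE_RSS = """\
<rss><channel>
<item><title>192.0.2.77</title><description>harvester seen 2013-12-14</description></item>
<item><title>192.0.2.78</title><description>comment spammer</description></item>
<item><title>not an address 999.1.1.1</title></item>
</channel></rss>
"""

# Dotted quad with an optional /prefix, not glued to surrounding digits or dots.
IPV4_RE = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?:/(\d{1,2}))?(?![\d.])")


def extract_networks(text):
    """Return the unique, collapsed IPv4 networks found anywhere in text.

    Candidates the regex accepts but ipaddress rejects (e.g. an octet above 255)
    are skipped rather than written into the firewall alias.
    """
    found = set()
    for addr, prefix in IPV4_RE.findall(text):
        token = addr if not prefix else "%s/%s" % (addr, prefix)
        try:
            found.add(ipaddress.ip_network(token, strict=False))
        except ValueError:
            continue
    return sorted(ipaddress.collapse_addresses(found))


def to_txt(text):
    """Render the networks as pfBlocker-style txt: bare host for /32, CIDR otherwise."""
    lines = []
    for net in extract_networks(text):
        if net.prefixlen == 32:
            lines.append(str(net.network_address))
        else:
            lines.append(net.with_prefixlen)
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(to_txt(SAMPLE_CSV + SAMPLE_RSS), end="")
```

The output could be served from a local web server as a .txt URL table; the important property is that every line is something `ipaddress.ip_network` already validated, so a feed change that introduces noise cannot silently corrupt the alias.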


  • If you run Snort and use Emerging Threats, the same list appears in the RBN rules.



  • @BBcan17:

    Does anyone know what the difference is between the spamhaus extensions ".txt" and ".lasso".  Which one should be used for pfBlocker?
    ….

    Use the txt one and make sure you select txt next to the list when setting it up.



  • Can I use this list:

    (Brute Force Blocker)
    http://danger.rulez.sk/projects/bruteforceblocker/blist.php

    In my pfsense aliases as a URLTABLE even though the URL does not end with .txt?



  • @new_to_pfsense:

    Can I use this list:

    (Brute Force Blocker)
    http://danger.rulez.sk/projects/bruteforceblocker/blist.php

    In my pfsense aliases as a URLTABLE even though the URL does not end with .txt?

    new_to_pfsense - Did you ever try to add the list?  I came across the list as well, and am interested in knowing what happens when it's added through the GUI.
    Thx
    Ash,