PfBlocker IP Count
I'm using about 22 Lists in pfBlocker and noticed the following statistics.
Total Number of lines in all lists
cat /usr/local/pkg/pfblocker_aliases/*.txt | wc -l
Total Number of Duplicates
cat /usr/local/pkg/pfblocker_aliases/*.txt | sort | uniq -d | wc -l
Total number of addresses if I convert all /32 into /24 CIDR (This still leaves all other /16, /19 etc intact)
cat /usr/local/pkg/pfblocker_aliases/*.txt | sed -r 's/\/32$//' | sed 's/\.[0-9]*$/.0\/24/' | sort | uniq | wc -l
I would think that /24 would be better to block than /32?
And reducing the list to 25% would make a noticeable memory usage difference and possibly performance increase?
I also read that when pfBlocker is reloading it will not block until it has fully reloaded, so if you are reloading lists each hour, there are potential security gaps each hour.
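The three counts above, reproduced as an added example that is not from the post: the same wc / uniq -d / sed pipeline, wrapped in functions so each number can be checked, and run over a constructed sample list rather than the live alias files. The directory path is the one the post names; the function names and the sample addresses (documentation ranges) are made up here.

```shell
#!/bin/sh
# Added example, not the poster's script. Counts lines, repeated entries and
# the size of the list once host entries are collapsed to their /24.

# Constructed sample standing in for `cat /usr/local/pkg/pfblocker_aliases/*.txt`.
sample_lists() {
    cat <<'EOF'
192.0.2.10/32
192.0.2.10/32
192.0.2.77/32
198.51.100.0/24
198.51.100.5/32
203.0.113.0/16
203.0.113.9
203.0.113.9
EOF
}

# Live data on a pfSense box (path from the post); swap this in for sample_lists.
real_lists() { cat /usr/local/pkg/pfblocker_aliases/*.txt; }

# Total number of lines across all lists. tr strips BSD wc's leading spaces.
count_lines() { "$1" | wc -l | tr -d ' '; }

# Number of distinct entries that occur more than once (uniq -d prints each
# repeated line once, so this counts duplicated entries, not surplus lines).
count_duplicates() { "$1" | sort | uniq -d | wc -l | tr -d ' '; }

# Collapse host entries (/32 or bare address) to their /24 and drop the
# resulting duplicates. Entries with any other prefix length end in "/NN",
# so the second pattern does not match them and they pass through unchanged.
collapse_to_24() {
    "$1" | sed -E 's#/32$##' | sed -E 's/\.[0-9]+$/.0\/24/' | sort -u
}
count_collapsed() { collapse_to_24 "$1" | wc -l | tr -d ' '; }

# Stand-alone run on the constructed sample.
echo "lines:      $(count_lines sample_lists)"
echo "duplicates: $(count_duplicates sample_lists)"
echo "after /24:  $(count_collapsed sample_lists)"
```

On the sample this gives 8 lines, 2 duplicated entries and 4 entries after collapsing. Two things the numbers do not show: 198.51.100.5/32 disappears because its /24 was already listed, but 203.0.113.9 becomes 203.0.113.0/24 even though 203.0.113.0/16 already covers it, since the pipeline only merges exact duplicates, not nested prefixes; and widening a /32 to a /24 also blocks the other 253 hosts in that range, so a hit count per entry (as asked for later in the thread) is what tells you whether that trade is worth it.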
Yeah, feel free to do the legwork of concatenating, deduplicating and converting them, like - every time any of the lists updates. Or, maybe simply stop using pointless overlapping blocklists.
I already moved four of the large Blacklists to a cron job running a bash script, mapped pfBlocker to a local .txt file which does that process as you so eloquently described.
Shrunk the list by 50% already.
I use a remote syslog (ELSA) and it would be nice to have the pfSense syslogs incorporate the Rule that Blocked/Rejected/Passed the event. I heard this might be fixed in 2.2?
Also having a "hit count" would help this process.
I have spent a lot of time on the Blacklists. Different locations get hit with different attacks. Various lists help to protect different aspects of the network.
If I had more PHP knowledge I would attempt to write some code to add some more functionality to pfBlocker.
- Convert /32 to /24 as an option per list
- Deduping based on Primary lists taking precedence
- Hit Count
- Log showing completion of list updates
- Previous IP count, post update IP count
- .csv and other file format download options (I Fixed that temporarily with a bash Script)