Netgate Discussion Forum

    PfBlocker IP Count

    pfSense Packages
    3 Posts 2 Posters 969 Views
    • BBcan177 Moderator

      I'm using about 22 Lists in pfBlocker and noticed the following statistics.

      Total Number of lines in all lists
        cat /usr/local/pkg/pfblocker_aliases/*.txt | wc -l
      634,438

      Total Number of Duplicates
        cat /usr/local/pkg/pfblocker_aliases/*.txt | sort | uniq -d | wc -l
      96,487

      Total number of addresses if I convert all /32 into /24 CIDR (this still leaves all other /16, /19 etc. intact)
        cat /usr/local/pkg/pfblocker_aliases/*.txt | sed -r 's/\/32//' | sed 's/\.[0-9]*$/.0\/24/' | sort | uniq | wc -l
      160,536

      I would think that /24 would be better to block than /32?

      And reducing the list to 25% would make a noticeable memory usage difference and possibly performance increase?
      I also read that when pfBlocker is reloading it will not block until it has fully reloaded, so if you are reloading lists each hour, there are potential security gaps each hour.

      "Experience is something you don't get until just after you need it."

      Website: http://pfBlockerNG.com
      Twitter: @BBcan177  #pfBlockerNG
      Reddit: https://www.reddit.com/r/pfBlockerNG/new/

      • doktornotor Banned

        Yeah, feel free to do the legwork of concatenating, deduplicating and converting them, like - every time any of the lists updates. Or, maybe simply stop using pointless overlapping blocklists.

        • BBcan177 Moderator

          I already moved four of the large Blacklists to a cron job running a bash script, mapped pfBlocker to a local .txt file which does that process as you so eloquently described.

          Shrunk the list by 50% already.

          I use a remote syslog (ELSA) and it would be nice to have the pfSense syslogs incorporate the Rule that Blocked/Rejected/Passed the event. I heard this might be fixed in 2.2?

          Also having a "hit count" would help this process.

          I have spent a lot of time on the Blacklists. Different locations get hit with different attacks. Various lists help to protect different aspects of the network.

          If I had more PHP knowledge I would attempt to write some code to add some more functionality to pfBlocker.

          • Convert /32 to /24 as an option per list
          • Deduping based on Primary lists taking precedence
          • Hit Count
          • Log showing completion of list updates
          • Previous IP count, post update IP count
          • .csv and other file format download options (I fixed that temporarily with a bash script)

          "Experience is something you don't get until just after you need it."

          Website: http://pfBlockerNG.com
          Twitter: @BBcan177  #pfBlockerNG
          Reddit: https://www.reddit.com/r/pfBlockerNG/new/

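The first post's counting/dedup/"/32 to /24" pipeline and the wishlist above (per-list /24 conversion, dedup with primary lists taking precedence, before/after counts) can be done in one pass with Python's standard `ipaddress` module. The script below is an added example written for this thread; it is not code from the thread or from the pfBlockerNG project, and the list contents, list names and function names (`merge_lists`, `rollup_to_24`, `rollup_collateral`, the `rollup_lists` option) are constructed for illustration. It also shows two things the shell pipeline does not: `sort | uniq -d` only finds byte-identical duplicates and misses a host already inside a wider CIDR, and rolling /32 hosts up to /24 blocks addresses that never appeared on any list, so the script reports that collateral count alongside the savings.

```python
"""Added example, not code from the thread or from the pfBlockerNG project:
merge several pfBlocker-style IP lists the way the thread discusses (count,
deduplicate, optionally roll /32 hosts up to /24), with the caveats that
exact-match dedup (sort | uniq) misses CIDR containment and that the /24
rollup blocks addresses that were never on any list."""
import ipaddress

# Constructed sample lists using documentation/private ranges; not real feeds.
# Tuple order is the precedence order: earlier lists win when entries overlap.
SAMPLE_LISTS = [
    ("primary", """
        # primary feed (constructed)
        203.0.113.0/24
        198.51.100.7
        198.51.100.7/32
        10.20.0.0/16
    """),
    ("secondary", """
        203.0.113.55      # covered by primary's /24
        198.51.100.7      # exact duplicate of a primary host
        10.20.77.1/32     # inside primary's /16
        192.0.2.9
        192.0.2.200
        not-an-address    # junk line: counted, not blocked
    """),
]


def parse_entry(text):
    """Parse one bare IPv4 address or CIDR; return None for anything else.
    strict=False accepts host bits set (e.g. 10.20.77.1/24), as feeds often do."""
    try:
        net = ipaddress.ip_network(text, strict=False)
    except ValueError:
        return None
    return net if net.version == 4 else None


def rollup_to_24(net):
    """The thread's conversion: a /32 becomes its enclosing /24; any wider
    prefix (/16, /19, ...) is left intact."""
    return net.supernet(new_prefix=24) if net.prefixlen == 32 else net


def merge_lists(lists, rollup_lists=frozenset()):
    """Walk the lists in precedence order and keep an entry only if no earlier
    accepted entry already covers it (equal or containing network).

    rollup_lists names the lists whose /32 entries get the /24 treatment, i.e.
    the "per list" option asked for in the thread (hypothetical option name).
    Returns (collapsed_networks, per_list_stats)."""
    accepted = []
    stats = {}
    for name, body in lists:
        c = {"entries": 0, "unparsable": 0, "dropped_covered": 0, "kept": 0}
        for raw in body.splitlines():
            text = raw.split("#", 1)[0].strip()   # drop comments and blanks
            if not text:
                continue
            c["entries"] += 1
            net = parse_entry(text)
            if net is None:
                c["unparsable"] += 1
                continue
            if name in rollup_lists:
                net = rollup_to_24(net)
            if any(net.subnet_of(prev) for prev in accepted):
                c["dropped_covered"] += 1   # what `uniq -d` cannot see
                continue
            accepted.append(net)
            c["kept"] += 1
        stats[name] = c
    # Final pass merges adjacent/nested networks (e.g. a primary /32 absorbed
    # by a later /24), which is what the firewall table ends up holding.
    return list(ipaddress.collapse_addresses(accepted)), stats


def address_count(networks):
    """Number of IPv4 addresses a set of networks actually blocks."""
    return sum(n.num_addresses for n in networks)


def rollup_collateral(lists, rollup_lists):
    """Extra addresses blocked because of the /24 rollup: the cost side of the
    'would /24 be better than /32' question."""
    plain, _ = merge_lists(lists)
    rolled, _ = merge_lists(lists, rollup_lists)
    return address_count(rolled) - address_count(plain)


if __name__ == "__main__":
    for label, rollup in (("no rollup", frozenset()), ("secondary /32->/24", {"secondary"})):
        nets, stats = merge_lists(SAMPLE_LISTS, rollup)
        print(f"== {label}: {len(nets)} networks, {address_count(nets)} addresses")
        for name, c in stats.items():
            print(f"  {name}: {c}")
    print("collateral addresses from rollup:", rollup_collateral(SAMPLE_LISTS, {"secondary"}))
```

On the constructed input the containment check drops three secondary entries that `uniq -d` would only partly catch (one is an exact duplicate, two are hosts inside a primary /24 and /16), and the per-list `entries`/`kept` numbers give the "previous count, post-update count" the wishlist asks for. Note that rolling a secondary /32 up to /24 makes it wider than a primary /32 for the same host, so it is no longer "covered" and survives until `collapse_addresses` merges the two; the reported collateral (extra addresses blocked by the rollup) is what decides whether the table shrinkage is worth the broader block.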
          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.