Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Developing a DNS block via httpBL and ZEN: Question about connection detection

    Scheduled Pinned Locked Moved pfSense Packages
    1 Posts 1 Posters 676 Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • F
      Fmstrat
      last edited by

      Background
      On all my Linode and AWS cloud machines, I have a bash script I wrote up that tail's a log of incoming/passed connections, then checks the IP doing a DNS lookup with Spamhaus' ZEN (minus PBL). If it passes that test, it does a DNS lookup with httpBL, also known as the HoneyPot Project, with a configuration that allows you to specify the number of days since last infraction and the threat level. If it's considered bad, it uses iptables to drop packets from that host. Every X hours (configured) it then rechecks currently blocked IPs.

      I like this method because the DNS based lookups are quick to update, and httpBL not only provides a wealth of data on the IP in question, but is a unique community project on it's own. My personal experience is that it catches a lot of threat IPs before they get to Spamhaus, too.

      Question
      I would like to recreate the above for my PFSense machines in package format. Currently, the best way I can think to do this is to require turning on logging for any "pass" firewall rules that a user would like the package to monitor. My questions are:

      • Is there a better way to monitor passed connections in FreeBSD?

      • What would the "appropriate" way be to block an IP in PFSense from a package install?

      Thanks,
      Ben

      1 Reply Last reply Reply Quote 0
      • First post
        Last post
      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.