PfBlockerNG
-
pfBlockerNG v1.0 – Official Release
This is a new package based upon the previous pfBlocker package. pfBlockerNG is basically an IP Download manager. It can collect IPs from a multitude of sources. The auto-creation of Firewall rules in Deny, Permit and Match. Firewall rules can also be created on any Interface including the 'Floating' interface. Custom setup can be achieved utilizing the Alias Format.
Improved Features
[ [color=red]Country Blocking ]
Country Blocking utilizes Maxmind Inc. Free GeoLite2 IP geolocation databases (IPv4/6). The data is 99.8% accurate for Country Codes and is updated the first Tuesday of each Month. The download hour is randomized (0-23) to reduce a surge in downloads to any specific hour.[ [color=red]Cron ]
1. Min Start time (00, 15, 30, 45)
2. Base Hour Start Time (0-23)
3. Update hours of (1,2,3,4,6,8,12,24, and weekly)
4. Time/Date file check to skip downloads where remote file remains unchanged.
5. On any download fail, a Query is now performed to see if a BlockList or IDS (Snort/Suricata) has blocked the Lists download. ( see error.log )
6. Multiple list formats available – txt, gz (Iblock), gz (all other), zip, xlsx, block and html based lists.
7. Individual lists can be enabled/disabled in an 'Alias'. Lists can also be put on “Hold”
8. If Firewall Rule changes are made a 'Filter Reload' is performed, otherwise a pfctl command updates the Alias Tables as required. This will minimize Log spamming and will not clear the Widget packet counts.[ [color=red]Logging ] With the real-time viewer, all pfBlockerNG functions are easily managed.
1. Selecting any of the “Force” buttons in the Update Tab will run a Live Log viewer.
2. Logging for Each Alias can be individually controlled.
3. Global Logging can be selected for all Aliases[ [color=red]Firewall Rules Ordering ] Four rule ordering options are now available to re-order Firewall Rules based upon user specific network requirements.
[ [color=red]XML RPC Sync ] Improvements to http/https and Username. The 'General Tab settings' can also be excluded from the sync to allow for Site specific customizations.
[ [color=red]Widget ] Enabled status, Links to Alerts/Log page, IP Counts and failed download alerting.
[ [color=red]IPv4/6 ] Improved Regex Parsers to validate IP address.
New Features
[ [color=red]De-Duplication ] Utilizing a tool called Grepcidr by Jem Berkes (Partially funded by Spamhaus).
“grepcidr can be used to filter a list of IP addresses against one or more Classless Inter-Domain Routing (CIDR) specifications. “[ [color=red]Suppression ] IP address(es) may be suppressed from the Lists. The new Alerts Tab, allows for an immediate clear of the Blocked IP and prevents the re-occurrence of the IP thereafter. Country Blocking Suppression will require a new “Permit Outbound” Alias.
[ [color=red]Reputation ] An advanced process to analyze for Repeat Offenders in each IP Range.
[ [color=red]Emerging Threats IQRisk ] A professional IP list accessible via Subscription only. This list can be used for Blocking or Match Rules.
[ [color=red]IPv6 ] As lists become available, IPv6 is now supported. User Custom Lists can also be used.
[ [color=red]Log Browser ] All files are easily managed via the Log Browser management Tab. Lists can also be downloaded to your local machine.
[ [color=red]Alerts Tab ] Deny, Permit and Match alerts are visible all in one Tab. IPs can be resolved by clicked the “!” icon. IPs can also be suppressed. The List that contains the IP is also referenced.
Thanks,
BBCan177[ Thanks to wbennett77 for allowing me to commandeer this first post in the thread! ]
-
Via the private repository but it will be available soon as a pfsense package.
Be patient :)
-
Can us mortals access this private repository? I'm guessing private probably means no which is ok. I've just got the upgrade itch. I've been holding off updating to the latest nightly as it sounds like there are issues with it and the current pfblocker.
-
Its very close to release afaik so keep the itch under control for a short while.
:)
-
I'm eagerly awaiting it in the Repo too :P
BB is very skilled (and kind ;) ), as are the current beta-testers I know off. BB tried to help me set it up in a virtual machine, but I couldn't get it to work. So I'll simply have to wait until it's in the repository. I think I'll drewl if I see what this Master has made ;D
-
Wait till you see what he's done for Unbound (DNS Resolver) on 2.2 :D
-
Any picture?
-
-
why would you want to be teased?
He paid extra for that
-
-
Hmm… Probably going to get slapped via email... :)
-
I think you can't do better than Mr Jingles pic ;D
-
-
I wait for it.. nice
-
I have a request to make. Is it possible to put a port in the whitelist so I can always permit VPN port regardless of country I am traveling in?
-
I have a request to make. Is it possible to put a port in the whitelist so I can always permit VPN port regardless of country I am traveling in?
Sure. Change the Rule Order.
-
create a floating rule which includes your whitelisted ports
-
I would love for this package to come out….or at least be able to use it....
-
Seems like they may be waiting for 2.2 final before releasing it.
-
Seems like they may be waiting for 2.2 final before releasing it.
I'm thinking more inline that they are utilizing their resources to get 2.2 final before they can assign a resource to review the code. Compare to other packages, there is a ton of code in this baby.. It does run on 2.1.5 and 2.2. I can see it taking time for them to QA it before it's release to the public.
Then wait for the next release, so far I'm blocking 64772 domains as of today.. -
Easily my most favourite package on pfsense. Just wish I could help BBcan177 with the coding, rather than pointing out things that don't work. It's a tonne of code that he's put into it.
-
Easily my most favourite package on pfsense. Just wish I could help BBcan177 with the coding, rather than pointing out things that don't work. It's a tonne of code that he's put into it.
I'm sure once we mere mortals may admire this package too, I will offer BB a nice cup of coffee ;D
-
I know it's the wrong thread but had to ask… ;D any news on updates for Dans or e2guardian in the private repository?
-
I know it's the wrong thread but had to ask… ;D any news on updates for Dans or e2guardian in the private repository?
I dont know of any private repo for dansguardian or e2guardian… Maybe ask on the numerous duplicate squid threads out there?
-
-
This whole thing with people posting how they have PfblockerNG while telling everybody else to be patient is…offputting.
-
I want to get that soon as it comes out.. 2.2 is in release now..
-
;) Thanks for the patience.. I will try my best to get it released asap. But unfortunately it's not in my control.
-
I love this package, it helps me sleep at night! ;D
-
I see it in the pkgconfig on github. So I guess be in here soon? or is it already?
https://github.com/pfsense/pfsense-packages/blob/master/pkg_config.10.xml
-
I see it in the pkgconfig on github. So I guess be in here soon? or is it already?
Been there for a month. Not really useful with
<required_version>3.0</required_version> -
Seems to take quite some time to implement into pfsense package repository… not good!
-
Seems to take quite some time to implement into pfsense package repository… not good!
It's already there, but it's being tested by ESF before it's released for the public. doktornotor's post above shows the reason why it's not showing up on 2.1.5 or 2.2 :)
-
why it's not showing up on 2.1.5 or 2.2 :)
Maybe it could with a bit of unsupported fiddling with /etc/version :P
-
why it's not showing up on 2.1.5 or 2.2 :)
Maybe it could with a bit of unsupported fiddling with /etc/version :P
I knew there's a way to fool the system, but didn't know the right place :)
-
Note: If someone does this, I'd suggest revert the change immediately after the package is installed.
-
Seems to take quite some time to implement into pfsense package repository… not good!
I think I will wipe the dirt from my other diploma, that from law school, and speak in defense of ( ;D ):
The Pfsense team has worked hard on 2.2; I'm sure that took, and still takes, almost all of their time.
't Makes (pf)sense to me that other work gets delayed with relatively limited resources.
-
why it's not showing up on 2.1.5 or 2.2 :)
Maybe it could with a bit of unsupported fiddling with /etc/version :P
Don't you all appreciate that multiple sets of eyes look at code before it gets released for your perimeter security appliance :) ?
I appreciate that procedure, and I'm sure BB does too, as perhaps the pfSense team notices things BB overlooked (that happens: when you look too much at something, you develop a sort of 'blindness' for things. I'm sure BB looked alot at the code ;D . I suffer from the same: in the end, after looking at Excel sheets for 10 hours, you don't see anything anymore.)
-
@Mr.:
Don't you all appreciate that multiple sets of eyes look at code before it gets released for your perimeter security appliance :) ?
Pretty confident the package is working a whole LOT better compared to the old pfBlocker thing (which, ATM, is not really usable with 2.2 any more depending on which blocklists you happen to use, plus the rest of features - the country etc. blocklists - being desperately outdated and useless.)
-
I'm really looking forward to this new release! I love pfBlocker and these upgrades are exactly what are needed. I can hardly wait!
