PfBlockerNG

N8LBV

Thanks will do.

BBcan177

Here is a link to PR # 175 for pfBlockerNG v2.1.1_3

https://forum.pfsense.org/index.php?topic=115357.msg649167#msg649167

pfBasic

I want to clarify my understanding of blocking and whitelisting here. I'm running a home network with no open WAN ports.

I have turned off default allow any lan, anti lockout rules, put up a floating block everything rule and write a couple LAN pass rules to allow the ports I need.

On pfBNG I'm using a bunch of lists the BBCan177 suggested. I'm also using DNSBL lists he suggested and the easy lists. Finally I have the top20 spammers country lists. ALL of these rules are LAN deny outbound.

I see everywhere that you should not block the world and only allow what you need, but it seems like that is directed to setups with open WAN ports. Is LAN deny outbound for country lists valid? I am getting a lot of blocks for the top spammers country lists.

BBcan177

@pfBasic:

I am getting a lot of blocks for the top spammers country lists.

If your just using the TOP20, that's not "Blocking the World"… Some users, are clicking every Country in every Continent except for a few, and that's what "B.T.W." was referencing...

You can review the Alerts Tab, to see what's getting blocked... You can also refine the Alerts by using the "Alert Filter" tool.

pfBasic

OK great, so setting up my pfBNG rules as LAN deny outbound is ideal and I'm not just wasting processing power?

BBcan177

@pfBasic:

OK great, so setting up my pfBNG rules as LAN deny outbound is ideal and I'm not just wasting processing power?

NP. ;)

N8LBV

@RonpfS:

Check the installation logs, /var/log/pfblockerng/*, Dashboard for crash report etc.
and look here https://forum.pfsense.org/index.php?topic=102470.msg647719#msg647719

Been a busy week not had any time to dig into the issue yet. 
Looks like many people are having to change or increase memory limits and PHP stuff?
I'm guessing that may be the direction that I may need to go?

Please forgive my newbieness here but isn't the point of an installable package that they should just work?
Should not the package install itself modify memory settings as/if needed? and anything else?

I don't have any other packages installed nor am I doing anything crazy memory hungry. 
Wasn't going to do anything fancy with the blocker either just wanted to try it out and only have it block the "top ten" fist and see how that worked.

I'm also reading that uninstalling the package and/or reinstalling it is an absolute NO-NO and can break things even worse!!!  WTF! :) 
So being a package I'm not able to just uninstall it or reinstall it.   
I'll reference this if need be but right now I just noticed mention of it in a few threads I read.

RonpfS

An update to the package is now available https://forum.pfsense.org/index.php?topic=115357.msg649167#msg649167 & https://forum.pfsense.org/index.php?topic=115357.msg649605#msg649605

metalliqaz

Is there any real documentation for this package?

I installed it and all it seemed to do was destroy DNS lookups for all clients, including the firewall itself, for about 45 minutes.  The configuration page is a huge array of settings that are unexplained.  The package doesn't seem to be doing anything at all.  There are no new rules in the firewall, there seems to be no way of viewing any block lists at all.  I can't even find any obvious setting to tell it which sources to use.  Serously, where did everyone learn how to use this?

RonpfS

@metalliqaz:

Is there any real documentation for this package?

I installed it and all it seemed to do was destroy DNS lookups for all clients, including the firewall itself, for about 45 minutes.  The configuration page is a huge array of settings that are unexplained.  The package doesn't seem to be doing anything at all.  There are no new rules in the firewall, there seems to be no way of viewing any block lists at all.  I can't even find any obvious setting to tell it which sources to use.  Serously, where did everyone learn how to use this?

Start with the first pages of each of these threads:
pfBlockerNG
pfBlockerNG v2.0 w/DNSBL
pfBlockerNG v2.1 w/TLD
And over time ;) why not read all pages.

Also there are plenty of Information boxes on almost every page, click on them.
And start slowly, go with one feature at a time, IPV4, IPV6, GeoIP, DNSBL until you get things running.

Go to Firewall / pfBlockerNG / Log Browser, there you can see the log file and pfBlockerNG files. Also visit the Diagnostics /Tables.

metalliqaz

Those are only useful if you already know the function of the config page in the first place.

Firewall / pfBlockerNG / Update / Update Settings:

Well, it obviously schedules a cron job, but what does the cron job do?  No indication whatsoever.
What's the difference between update, cron, and reload?  No idea.

Firewall / pfBlockerNG / Alerts / Alert Settings:

Well, each category gets a number.  What that number means is not explained.  Doesn't seem to matter though, because there is nothing in any alert queue.

Firewall / pfBlockerNG / Alerts / IPv4:

What does this do? It's just an "Add" button.  Probably IPv4 rules?  Okay lets make a rule, click Add:
Good lord.  Apparently I need to find lists myself, unlike ABP in my browser.  What format does it need? What are valid sources? What is the purpose of country codes?

Can you, being serious and honest with yourself, say that anyone could come in completely cold and actually be able to configure something that works?

Nah, I don't have time.  The mysterious disruption of DNS site-wide gives me an uneasy feeling, and the lack of documentation and a homepage seals it.

RonpfS

Again if you clicked on some infobox you would get many answers.
As for finding the lists, yes I could go thru the posts and fetch them to you, but you are probably able to do that on you own.

tdi

metalliqaz does have a point.

Digging through forum threads is never a fun task.

It would be really good to have detailed info on package configuration and updated lists in one place.

RonpfS

@BBcan177:

Its what "Open Source" is all about, and I encourage more people to get involved.

coliflower

@doktornotor:

@Asterix:

Educate me where you see the default deny inbound global (all countries) rule on a base pfSense install.

Nowhere. It's not visible, it's implicit. Anything not allowed is denied by default. Unless you have some "allow from any" rule you wish to restrict via country blocking on your WAN, there's just no point in creating inbound country-based rules at all.

If everything is blocked on WAN-inbound per default / implicit, what is there reason (need) of having two recommended / additional rules on WAN ?

1. Block private networks and loopback addresses
2. Block boon networks

Unless you have some "allow from any“ rule …

Do you mean on WAN-interface or on LAN-interface ?

Thanks a lot in advance !

Mr. Jingles

It's either a bug or a feature (old IT joke from when I was younger  ;D ).

RonpfS

I have some alerts like that in dnsbl.log, last one was Aug 9

DNSBL Reject HTTPS,Aug 09 19:21:32,watson.microsoft.com

That was probably with pfBlockerNG-2.1.1_1, what version are you using now?

From the Info infoblock under Firewall / pfBlockerNG / DNSBL

So not a bug or a feature, more a limitation of the pfBlockerNG DNSBL Web Server.

coliflower

Just finished to read the whole thread, uff ..
Thanks to BBCan for the package and this thread, I am quit new to pfSense so I learned a lot!

WAN = INbound, don’t BLOCK the world, the world ist blocked by default, PASS only what you need and take care on that …
LAN = OUTbound, PASS what you need first and BLOCK all afterwards.

That two rules are most important to me, afterwards I can take care on the scenarios I need.

Thanks once again !!

coliflower

Maybe there is one who is able to answer to me why are there two BLOCK-rules, bogon-networks and private-networks if the WAN is BLOCKED by default …?

Thanks again in advance !!

@coliflower:

@doktornotor:

@Asterix:

Educate me where you see the default deny inbound global (all countries) rule on a base pfSense install.

Nowhere. It's not visible, it's implicit. Anything not allowed is denied by default. Unless you have some "allow from any" rule you wish to restrict via country blocking on your WAN, there's just no point in creating inbound country-based rules at all.

If everything is blocked on WAN-inbound per default / implicit, what is there reason (need) of having two recommended / additional rules on WAN ?

1. Block private networks and loopback addresses
2. Block boon networks

Unless you have some "allow from any“ rule …

Do you mean on WAN-interface or on LAN-interface ?

Thanks a lot in advance !

digdug3

Those can be enabled/disabled on the interface itself.

These are ip-addresses that should never exist on the WAN side (with the execption if you have a router on the WAN side that's not in bridge mode)