PfBlockerNG
-
An update to the package is now available https://forum.pfsense.org/index.php?topic=115357.msg649167#msg649167 & https://forum.pfsense.org/index.php?topic=115357.msg649605#msg649605
-
Is there any real documentation for this package?
I installed it and all it seemed to do was destroy DNS lookups for all clients, including the firewall itself, for about 45 minutes. The configuration page is a huge array of settings that are unexplained. The package doesn't seem to be doing anything at all. There are no new rules in the firewall, there seems to be no way of viewing any block lists at all. I can't even find any obvious setting to tell it which sources to use. Serously, where did everyone learn how to use this?
-
Is there any real documentation for this package?
I installed it and all it seemed to do was destroy DNS lookups for all clients, including the firewall itself, for about 45 minutes. The configuration page is a huge array of settings that are unexplained. The package doesn't seem to be doing anything at all. There are no new rules in the firewall, there seems to be no way of viewing any block lists at all. I can't even find any obvious setting to tell it which sources to use. Serously, where did everyone learn how to use this?
Start with the first pages of each of these threads:
pfBlockerNG
pfBlockerNG v2.0 w/DNSBL
pfBlockerNG v2.1 w/TLD
And over time ;) why not read all pages.Also there are plenty of Information boxes on almost every page, click on them.
And start slowly, go with one feature at a time, IPV4, IPV6, GeoIP, DNSBL until you get things running.Go to Firewall / pfBlockerNG / Log Browser, there you can see the log file and pfBlockerNG files. Also visit the Diagnostics /Tables.
-
Those are only useful if you already know the function of the config page in the first place.
Firewall / pfBlockerNG / Update / Update Settings:
Well, it obviously schedules a cron job, but what does the cron job do? No indication whatsoever.
What's the difference between update, cron, and reload? No idea.Firewall / pfBlockerNG / Alerts / Alert Settings:
Well, each category gets a number. What that number means is not explained. Doesn't seem to matter though, because there is nothing in any alert queue.
Firewall / pfBlockerNG / Alerts / IPv4:
What does this do? It's just an "Add" button. Probably IPv4 rules? Okay lets make a rule, click Add:
Good lord. Apparently I need to find lists myself, unlike ABP in my browser. What format does it need? What are valid sources? What is the purpose of country codes?Can you, being serious and honest with yourself, say that anyone could come in completely cold and actually be able to configure something that works?
Nah, I don't have time. The mysterious disruption of DNS site-wide gives me an uneasy feeling, and the lack of documentation and a homepage seals it.
-
Again if you clicked on some infobox you would get many answers.
As for finding the lists, yes I could go thru the posts and fetch them to you, but you are probably able to do that on you own. -
metalliqaz does have a point.
Digging through forum threads is never a fun task.
It would be really good to have detailed info on package configuration and updated lists in one place.
-
Its what "Open Source" is all about, and I encourage more people to get involved.
-
Educate me where you see the default deny inbound global (all countries) rule on a base pfSense install.
Nowhere. It's not visible, it's implicit. Anything not allowed is denied by default. Unless you have some "allow from any" rule you wish to restrict via country blocking on your WAN, there's just no point in creating inbound country-based rules at all.
If everything is blocked on WAN-inbound per default / implicit, what is there reason (need) of having two recommended / additional rules on WAN ?
1. Block private networks and loopback addresses
2. Block boon networksUnless you have some "allow from any“ rule …
Do you mean on WAN-interface or on LAN-interface ?
Thanks a lot in advance !
-
It's either a bug or a feature (old IT joke from when I was younger ;D ).
-
I have some alerts like that in dnsbl.log, last one was Aug 9
DNSBL Reject HTTPS,Aug 09 19:21:32,watson.microsoft.com
That was probably with pfBlockerNG-2.1.1_1, what version are you using now?
From the Info infoblock under Firewall / pfBlockerNG / DNSBL
So not a bug or a feature, more a limitation of the pfBlockerNG DNSBL Web Server.
-
Just finished to read the whole thread, uff ..
Thanks to BBCan for the package and this thread, I am quit new to pfSense so I learned a lot!WAN = INbound, don’t BLOCK the world, the world ist blocked by default, PASS only what you need and take care on that …
LAN = OUTbound, PASS what you need first and BLOCK all afterwards.That two rules are most important to me, afterwards I can take care on the scenarios I need.
Thanks once again !!
-
Maybe there is one who is able to answer to me why are there two BLOCK-rules, bogon-networks and private-networks if the WAN is BLOCKED by default …?
Thanks again in advance !!
Educate me where you see the default deny inbound global (all countries) rule on a base pfSense install.
Nowhere. It's not visible, it's implicit. Anything not allowed is denied by default. Unless you have some "allow from any" rule you wish to restrict via country blocking on your WAN, there's just no point in creating inbound country-based rules at all.
If everything is blocked on WAN-inbound per default / implicit, what is there reason (need) of having two recommended / additional rules on WAN ?
1. Block private networks and loopback addresses
2. Block boon networksUnless you have some "allow from any“ rule …
Do you mean on WAN-interface or on LAN-interface ?
Thanks a lot in advance !
-
Those can be enabled/disabled on the interface itself.
These are ip-addresses that should never exist on the WAN side (with the execption if you have a router on the WAN side that's not in bridge mode)
-
Thank you digdug3 !
That helped finally:
execption if you have a router on the WAN side that's not in bridge mode
-
Arbor Networks Feeds discontinued:
https://forum.pfsense.org/index.php?topic=122237.0 -
I know that this thread is a little older now.
I utilized the php script that Dok presented.
Should I go through and delete the failed downloads or what?
[ pfB_MAIL - ToastedSpam ] Download FAIL [ 03/19/17 18:50:22 ]
[ pfB_MAIL - VirBL ] Download FAIL [ 03/19/17 18:45:01 ]
[ pfB_SEC1 - MalwareGroup ] Download FAIL [ 03/19/17 18:35:56 ]
[ pfB_PRI3 - Geopsy ] Download FAIL [ 03/19/17 18:35:33 ]
[ pfB_PRI3 - VMX ] Download FAIL [ 03/19/17 18:35:31 ]
[ pfB_PRI3 - DangerRulez ] Download FAIL [ 03/19/17 18:35:03 ]
[ pfB_PRI2 - HoneyPot ] Download FAIL [ 03/19/17 18:34:41 ]
[ pfB_PRI1 - dShield_Block ] Download FAIL [ 03/19/17 18:33:09 ]
[ pfB_PRI1 - Abuse_Spyeye ] Download FAIL [ 03/19/17 18:32:51 ]
[ pfB_MAIL - URIBL ] Download FAIL [ 03/19/17 18:29:37 ]
[ pfB_MAIL - ToastedSpam ] Download FAIL [ 03/19/17 18:29:35 ]
[ pfB_MAIL - VirBL ] Download FAIL [ 03/19/17 18:25:05 ]
[ pfB_SEC1 - MalwareGroup ] Download FAIL [ 03/19/17 18:15:43 ]
[ pfB_PRI3 - Geopsy ] Download FAIL [ 03/19/17 18:15:03 ]
[ pfB_PRI3 - VMX ] Download FAIL [ 03/19/17 18:14:55 ]
[ pfB_PRI3 - DangerRulez ] Download FAIL [ 03/19/17 18:14:17 ]
[ pfB_PRI2 - HoneyPot ] Download FAIL [ 03/19/17 18:13:51 ]
[ pfB_PRI1 - dShield_Block ] Download FAIL [ 03/19/17 18:11:35 ] -
I went through each one that failed, retried them, and disabled the ones that failed again,
Then I attempted to go to each site, and if the site was no longer in existence, then I deleted.
Answered my own question without getting yelled at! -
I went through each one that failed, retried them, and disabled the ones that failed again,
Then I attempted to go to each site, and if the site was no longer in existence, then I deleted.
Answered my own question without getting yelled at!The script is a little dated. Some feeds have changed…. some down... so always best to open the site in a browser and check it out....
The next version of the package will have an automated Feeds Management Tab, which should make this process easier to manage.
-
The next version of the package will have an automated Feeds Management Tab, which should make this process easier to manage.
+1 from me for that! This might be a cool rich Option for us all, to get taps named like Malware, Virus, ect.
and insert there the links or URLs to several lists and perhaps a little "+" button to create his own new tap!
Perhaps I mean ;) -
Dropbox is block. NET::ERR_CERT_AUTHORITY_INVALID
grep result.
grep "dropbox.com" /var/unbound/pfb_dnsbl.conf
local-data: "dl.dropbox.com 60 IN A 10.10.10.1"
local-data: "dropbox.com.azamgold.com 60 IN A 10.10.10.1"
local-data: "dropbox.com.paki-library.com 60 IN A 10.10.10.1"
local-data: "dropbox.com.sexvoorlichting.com 60 IN A 10.10.10.1"
local-data: "www.dropbox.com 60 IN A 10.10.10.1"It seems Iblock is causing the issue. DNSBL alerts says the domain is already in the whitelist.
And now google is doing the same thing.