PfBlockerNG
-
Maybe there is one who is able to answer to me why are there two BLOCK-rules, bogon-networks and private-networks if the WAN is BLOCKED by default …?
Thanks again in advance !!
Educate me where you see the default deny inbound global (all countries) rule on a base pfSense install.
Nowhere. It's not visible, it's implicit. Anything not allowed is denied by default. Unless you have some "allow from any" rule you wish to restrict via country blocking on your WAN, there's just no point in creating inbound country-based rules at all.
If everything is blocked on WAN-inbound per default / implicit, what is there reason (need) of having two recommended / additional rules on WAN ?
1. Block private networks and loopback addresses
2. Block boon networksUnless you have some "allow from any“ rule …
Do you mean on WAN-interface or on LAN-interface ?
Thanks a lot in advance !
-
Those can be enabled/disabled on the interface itself.
These are ip-addresses that should never exist on the WAN side (with the execption if you have a router on the WAN side that's not in bridge mode)
-
Thank you digdug3 !
That helped finally:
execption if you have a router on the WAN side that's not in bridge mode
-
Arbor Networks Feeds discontinued:
https://forum.pfsense.org/index.php?topic=122237.0 -
I know that this thread is a little older now.
I utilized the php script that Dok presented.
Should I go through and delete the failed downloads or what?
[ pfB_MAIL - ToastedSpam ] Download FAIL [ 03/19/17 18:50:22 ]
[ pfB_MAIL - VirBL ] Download FAIL [ 03/19/17 18:45:01 ]
[ pfB_SEC1 - MalwareGroup ] Download FAIL [ 03/19/17 18:35:56 ]
[ pfB_PRI3 - Geopsy ] Download FAIL [ 03/19/17 18:35:33 ]
[ pfB_PRI3 - VMX ] Download FAIL [ 03/19/17 18:35:31 ]
[ pfB_PRI3 - DangerRulez ] Download FAIL [ 03/19/17 18:35:03 ]
[ pfB_PRI2 - HoneyPot ] Download FAIL [ 03/19/17 18:34:41 ]
[ pfB_PRI1 - dShield_Block ] Download FAIL [ 03/19/17 18:33:09 ]
[ pfB_PRI1 - Abuse_Spyeye ] Download FAIL [ 03/19/17 18:32:51 ]
[ pfB_MAIL - URIBL ] Download FAIL [ 03/19/17 18:29:37 ]
[ pfB_MAIL - ToastedSpam ] Download FAIL [ 03/19/17 18:29:35 ]
[ pfB_MAIL - VirBL ] Download FAIL [ 03/19/17 18:25:05 ]
[ pfB_SEC1 - MalwareGroup ] Download FAIL [ 03/19/17 18:15:43 ]
[ pfB_PRI3 - Geopsy ] Download FAIL [ 03/19/17 18:15:03 ]
[ pfB_PRI3 - VMX ] Download FAIL [ 03/19/17 18:14:55 ]
[ pfB_PRI3 - DangerRulez ] Download FAIL [ 03/19/17 18:14:17 ]
[ pfB_PRI2 - HoneyPot ] Download FAIL [ 03/19/17 18:13:51 ]
[ pfB_PRI1 - dShield_Block ] Download FAIL [ 03/19/17 18:11:35 ] -
I went through each one that failed, retried them, and disabled the ones that failed again,
Then I attempted to go to each site, and if the site was no longer in existence, then I deleted.
Answered my own question without getting yelled at! -
I went through each one that failed, retried them, and disabled the ones that failed again,
Then I attempted to go to each site, and if the site was no longer in existence, then I deleted.
Answered my own question without getting yelled at!The script is a little dated. Some feeds have changed…. some down... so always best to open the site in a browser and check it out....
The next version of the package will have an automated Feeds Management Tab, which should make this process easier to manage.
-
The next version of the package will have an automated Feeds Management Tab, which should make this process easier to manage.
+1 from me for that! This might be a cool rich Option for us all, to get taps named like Malware, Virus, ect.
and insert there the links or URLs to several lists and perhaps a little "+" button to create his own new tap!
Perhaps I mean ;) -
Dropbox is block. NET::ERR_CERT_AUTHORITY_INVALID
grep result.
grep "dropbox.com" /var/unbound/pfb_dnsbl.conf
local-data: "dl.dropbox.com 60 IN A 10.10.10.1"
local-data: "dropbox.com.azamgold.com 60 IN A 10.10.10.1"
local-data: "dropbox.com.paki-library.com 60 IN A 10.10.10.1"
local-data: "dropbox.com.sexvoorlichting.com 60 IN A 10.10.10.1"
local-data: "www.dropbox.com 60 IN A 10.10.10.1"It seems Iblock is causing the issue. DNSBL alerts says the domain is already in the whitelist.
And now google is doing the same thing.
-
Dropbox is block. NET::ERR_CERT_AUTHORITY_INVALID
grep result.
grep "dropbox.com" /var/unbound/pfb_dnsbl.conf
local-data: "dl.dropbox.com 60 IN A 10.10.10.1"
local-data: "dropbox.com.azamgold.com 60 IN A 10.10.10.1"
local-data: "dropbox.com.paki-library.com 60 IN A 10.10.10.1"
local-data: "dropbox.com.sexvoorlichting.com 60 IN A 10.10.10.1"
local-data: "www.dropbox.com 60 IN A 10.10.10.1"It seems Iblock is causing the issue. DNSBL alerts says the domain is already in the whitelist.
And now google is doing the same thing.
IBlock feeds are IP based… What your showing here is from DNSBL...
grep "dropbox" /var/db/pfblockerng/dnsbl/*
If you have "dropbox.com" in the whitelist, that won't remove "www.dropbox.com"
Re-edit the DNSBL Whitelist and remove the dropbox entry, then use the Alerts Tab "+" whitelist icon to whitelist it again…. You can also whitelist all sub-domans if you wish... Follow the whitelist prompts. -
The firewall is now integrated into the home network.
iBlock lists have been disabled as this was causing too many https blocks.
Firewall IPv6 stuff:
Jun 3 16:59:23 ► WAN Block all IPv6 (1000000004) [fd2a:bc2b:39d8:0:215:17ff:fe93:cc34]:42220 [2600:1406:32::43]:53 UDP
Jun 3 16:59:23 ► WAN Block all IPv6 (1000000004) [fd2a:bc2b:39d8:0:215:17ff:fe93:cc34]:34926 [2600:1401:2::43]:53 UDP
Jun 3 16:59:23 ► WAN Block all IPv6 (1000000004) [fd2a:bc2b:39d8:0:215:17ff:fe93:cc34]:65407 [2600:1408:1c::43]:53 UDP
Jun 3 16:59:23 ► WAN Block all IPv6 (1000000004) [fd2a:bc2b:39d8:0:215:17ff:fe93:cc34]:53784 [2600:1480:1::43]:53 UDP
Jun 3 16:59:22 ► WAN Block all IPv6 (1000000004) [fd2a:bc2b:39d8:0:215:17ff:fe93:cc34]:33499 [2a01:111:2032:1::5]:53 UDP
Jun 3 16:59:22 ► WAN Block all IPv6 (1000000004) [fd2a:bc2b:39d8:0:215:17ff:fe93:cc34]:58694 [2620:0:37::53]:53 UDP
Jun 3 16:59:22 ► WAN Block all IPv6 (1000000004) [fd2a:bc2b:39d8:0:215:17ff:fe93:cc34]:52594 [2620:0:32::53]:53 UDP
Jun 3 16:59:22 ► WAN Block all IPv6 (1000000004) [fd2a:bc2b:39d8:0:215:17ff:fe93:cc34]:29910 [2600:1480:1::c0]:53 UDP
Jun 3 16:59:22 ► WAN Block all IPv6 (1000000004) [fd2a:bc2b:39d8:0:215:17ff:fe93:cc34]:64372 [2600:1406:32::c2]:53 UDP
Jun 3 16:59:22 ► WAN Block all IPv6 (1000000004) [fd2a:bc2b:39d8:0:215:17ff:fe93:cc34]:4792 [2600:1480:e800::c0]:53 UDP
Jun 3 16:59:22 ► WAN Block all IPv6 (1000000004) [fd2a:bc2b:39d8:0:215:17ff:fe93:cc34]:56634 [2620:0:32::53]:53 UDP
Jun 3 16:59:22 ► WAN Block all IPv6 (1000000004) [fd2a:bc2b:39d8:0:215:17ff:fe93:cc34]:62068 [2620:0:34::53]:53 UDP
Jun 3 16:59:22 ► WAN Block all IPv6 (1000000004) [fd2a:bc2b:39d8:0:215:17ff:fe93:cc34]:33253 [2600:1401:1::41]:53 UDP
Jun 3 16:59:22 ► WAN Block all IPv6 (1000000004) [fd2a:bc2b:39d8:0:215:17ff:fe93:cc34]:6709 [2600:1401:2::42]:53 UDP -
I just installed pfBlockerNG and tried to configure pfBlockerNG, IPV4, and DNSBL using google searches. Needless to say, I followed some contradicting and outdated "tutorials". So I decided that I will start at the beginning of this thread and read the entire thread before I try to configure anything.
To revert my pfSense back to prior installing and configuring pfBlockerNG and all the other components (i.e. IPV4, DNBL), I uninstalled pfBlockerNG and deleted all the auto generated rules and aliases. Is there anything else I need to undo?
-
To revert my pfSense back to prior installing and configuring pfBlockerNG and all the other components (i.e. IPV4, DNBL), I uninstalled pfBlockerNG and deleted all the auto generated rules and aliases. Is there anything else I need to undo?
There are notes in the General tab on how to do that… Uncheck "Enable" and "Keep" then save... This will clear out all the downloaded files... Then re-enable both followed by a Force Update command....
If you want to start from complete scratch. Then Uncheck "Keep", save, uninstall the pkg. Then re-install it ...
Hope that helps!
-
Having a problem with GSN Gaming Casino on Facebook with pfblockerNG enabled on my server. Tried whitelisting everything I thought could be the cause but still not getting through. Has this been reported by anyone else and/or resolved? I did a fairly extensive search but didn't turn up anything useful (to me) about how to allow the traffic.
-
Issue with pfBlockerNG + Unbound + DNSBL when RAM Disk is enabled.
Unbound fails to start after system reboot with RAM Disk enabled.
User must force Update + Reload CRON for Unbound to successfully startup.The file '/var/unbound/pfb_dnsbl.conf' is removed upon system reboot with RAM Disk enabled thus forced CRON to regenerate file is the only way to get Unbound started again.
We need the option to move this file inside pfBlocker's settings OR an option to preserve this file (and other settings/caches within pfBlocker) across system reboots when RAM Disk is enabled.
Please as this currently requires manual user input every time the machine is rebooted to restore services!!
-
Hmmm, I'm using pfBNG, DNSBL, Unbound - Resolving, and RAM disks and I don't have to do any of that, not for a normal reboot, a hard shutdown, or a power outage.
I do have servicewatchdog monitoring Unbound, but that wouldn't Force Update & Reload.
I am using 2.4.0 BETA, possibly something has been changed there that allows this to work?
-
Issue with pfBlockerNG + Unbound + DNSBL when RAM Disk is enabled.
Unbound fails to start after system reboot with RAM Disk enabled.
User must force Update + Reload CRON for Unbound to successfully startup.The file '/var/unbound/pfb_dnsbl.conf' is removed upon system reboot with RAM Disk enabled thus forced CRON to regenerate file is the only way to get Unbound started again.
We need the option to move this file inside pfBlocker's settings OR an option to preserve this file (and other settings/caches within pfBlocker) across system reboots when RAM Disk is enabled.
Please as this currently requires manual user input every time the machine is rebooted to restore services!!
See the following open Redline: https://redmine.pfsense.org/issues/6603
This can only be fixed in the pfSense Unbound code. -
@BlueKobold:
The next version of the package will have an automated Feeds Management Tab, which should make this process easier to manage.
Any update on progress on that? Just curious, it sounds to be a very nice addition…
-
@BlueKobold:
The next version of the package will have an automated Feeds Management Tab, which should make this process easier to manage.
Any update on progress on that? Just curious, it sounds to be a very nice addition…
I took some holiday time but hopefully in the next few weeks if all goes as plan.
-
I'm not sure if this is necessarily the best place to ask/report this, but in the process of attempting to reduce the maximum log file size below the current minimum of 5000 lines, I believe that I have discovered that this limit is only enforced every time the pfBlockerNG cron task executes. This determination was made experimentally as well as by taking a look at where pfb_log_mgmt is called in https://github.com/pfsense/FreeBSD-ports/blob/75dcc67f66100f7ef6bbf201c6562bdcb02c3177/net/pfSense-pkg-pfBlockerNG/files/usr/local/pkg/pfblockerng/pfblockerng.inc I don't claim to know the best approach to improving this, but if the cron job frequency is set to a relatively long interval and the network size is relatively large, it appears that the associated log files could easily grow well beyond their configured limits. I realize that it would be impractical to provide a hard guarantee that the log files will never exceed their configured sizes even for a brief time period, but I wonder whether it would be feasible to trim them every minute, for example, as opposed to it being tied to the main cron job interval. Or I could be totally off base here and missing or failing to understand something obvious, so if that's the case, apologies in advance :) Thanks to all the pfBlockerNG devs; it's a great package and very much appreciated.