PfBlockerNG
-
Ok, so the problem then is that the page never stops loading even than the log part shows the job finished.
ok. That is a small bug… The Window is still spinning as its waiting for a string
"UPDATE PROCESS ENDED"
but in Force Cron, it never sees that String... I will add a fix for that. But the task did complete when it outputs "CRON PROCESS ENDED". You can move away from the Tab or click "End View"
EDIT: Yup.. It won't add the Cron Task back as it didn't complete the function.
Click "Save" in the "General Tab" and it will be added.
-
Ok, so the problem then is that the page never stops loading even than the log part shows the job finished.
ok. That is a small bug… The Window is still spinning as its waiting for a string
"UPDATE PROCESS ENDED"
but in Force Cron, it never sees that String... I will add a fix for that. But the task did complete when it outputs "CRON PROCESS ENDED". You can move away from the Tab or click "End View"
It seems to work (adds the cron job back) if it actually does something. It didn't recreate the cronjob if the result was "No Updates required.".
Now I noticed another possible issue. The update code doesn't match the remote timestamp correctly for a particular list all of the sudden. (List = http://www.spamhaus.org/drop/edrop.txt)
[ SpamHDrop1 ] Remote timestamp: Tue, 3 Feb 2015 10:41:35 GMT Local timestamp: Tue, 03 Feb 2015 10:41:35 GMT Updates Found
I seem to be able to break everything I touch today :(
-
[ SpamHDrop1 ] Remote timestamp: Tue, 3 Feb 2015 10:41:35 GMT Local timestamp: Tue, 03 Feb 2015 10:41:35 GMT Updates Found
Spamhaus is using a single digit day while they should be using a two digit day. I have it on my list to follow up with them.
-
The filename should be "/usr/local/www/pfblockerng/pfblockerng.php"
/usr/local/www/pfblockerng.php on Line 150 and add the missing variable.
function pfb_update_check($header_url, $list_url, $url_format) {
to
function pfb_update_check($header_url, $list_url, $url_format, $pfbfolder) { -
Feature Request:
Allow 1,5,15,30 min interval for Update Frequency. I realize historically this has been forced minimum 1hr to force people to be good net-citizens, but having a faster update frequency would be preferred for internal lists. I admit 1min may be excessive, but the rest are reasonable for internal use lists.
I like to use different software/scripts to generate block lists on my machines behind the pfSense box, and have pfBlocker poll those lists. 1 hour is too long, as most attackers will give up in that time frame. Think of the SSH script kiddy or email spammer that are pounding on the machine for a short period of time. Since I may have multiple IP's forwarded to similar services (behind pfSense) it is convenient to have the list on pfSense so it's protecting all hosts, instead of the one getting pounded before the person moves on to the second or third.
This is actually all I use pfBlocker for, along with a few friends.
-
There is a new Pull Request #808 to fix the issues reported by Fragged and jflsakfja.
pfBNG - v1.03
- When Using "Force Cron" and "no updates" were found, the final process would not complete. This resulted in the active Cron task not being restored.
- XMLRPC Sync - Added MaxMind "Anonymous Proxy and Satellite providers"
-
Feature Request:
Allow 1,5,15,30 min interval for Update Frequency.
Yes this is functionality that I want to add. I don't expect to get to it soon thou. Lots of things to do, so little time… However, I would expect to use 15,30,45 mins time frames...
-
Hi!
Thanks for the new PfblockerNG.
Should be exellent from what I understand. However I cannot use it since the countrylists IPv4 are empty. What am I missing? :-)I tried to delete the package and made a reinstall but the result is the same.
Version 1.02
Thanks
Jonna -
However I cannot use it since the countrylists IPv4 are empty. What am I missing? :-)
Can you provide some more details? Screenshots etc…
-
Ok thank you.
Using clean install of pfSense-memstick-2.2-RELEASE and Pfblocker 1.02. Have been using the old Pfblocker without problems before.
I find nothing wrong in logs although I´m not sure where to find everything.
The countrylists top-20 spammers (jpeg5) are filled but not the other ones under tab Europe eg.Jonna
-
The countrylists top-20 spammers (jpeg5) are filled but not the other ones under tab Europe eg.
Thanks jonna99,
It seems that the Maxmind Files did not download? Thats why you see in the Continent pages
"Warning: Invalid Argument Supplied"
I can send you the command to update the MaxMind Database, but I would like to see if I can understand the circumstances that led to this issue for you? There is a log file called "geoip.log" in the Log Browser, can you PM me with those details.
-
(Edit: 2.2-RELEASE (amd64) pfBlockerNG 1.02)
I found a minor bug on the Alerts tab where the displayed rule is sometimes incorrect.
I've seen this a few times since yesterday (2 diff machines) and it seems to be displaying the rule from the previous entry.
If I get several entries in from the same list in-a-row and the 1st one is wrong, the subsequent ones are wrong too.
-
Hi LinuxTracker,
There seems to be a big spread of time between those Alerts. Could it be that you added the Asia Continent after Spamhaus was already downloaded?
Do you have enable "De-duplication" checked in the General tab?
I would suggest to clear the Firewall Log and execute a "Force Reload", this will refresh all of the databases and then see how it goes from there.
-
Make sure you dont have a rule like this on WAN
WEB-CLIENT csv file download request"; flow:to_server,established; content:"GET"; nocase; http_method; content:".csv"; nocase; http_uri;
Had one active and it prevented the download of maxmind country list in my first install…
F.
-
Sidebar: Doing a spotcheck, I found a popular SSL cert reseller is on a widely used blocklist.
As of this writing, the website for StartSSL is on SpamHaus's Don't Route Or Peer blocklist http://www.spamhaus.org/drop/.
www.startssl.com = 192.116.242.20 https://www.whatsmydns.net/#A/www.startssl.com
192.112.112.0/20 blocked by http://www.spamhaus.org/drop/drop.txt
Edit: I should clarify that this isn't an issue with pfBlockerNG.
It's just a reminder that reputable lists get conflicting data and there's no replacement for monitoring logs.and yes, I'm aware of Spamhause's heavy handed history.
-
Hi LinuxTracker,
There seems to be a big spread of time between those Alerts. Could it be that you added the Asia Continent after Spamhaus was already downloaded?
Do you have enable "De-duplication" checked in the General tab?
I would suggest to clear the Firewall Log and execute a "Force Reload", this will refresh all of the databases and then see how it goes from there.
I had some better examples where they all seemed to happen in a short time but I didn't screenshot them.
I'll follow up on your recommendations and post back if I see it happening again.
Thanks!
-
I recommend to everyone to enable "De-Duplication".
Scenario -
-
Country/Continents are Downloaded first. (No De-dup is needed as MaxMind reports Ranges per Country, so no overlap.)
-
As each subsequent Alias/List is downloaded, it will not add any IPs that are already being blocked by an existing Continent List.
When changes are made like "De-Dup or Reputation, or the removal of a Continent/Country or any Lists", I recommend that a "Force Reload" is executed. This will refresh the Database to the current settings.
-
-
NA country list is blocking my HE ipv6 tunnel. Tried suppression and changing order. Also tried de-selecting North America from the NA list. I have kept all countries to deny inbound.
Only way it works is by disabling NA country list entirely. Suggestions??
-
-
So I've downloaded pfblockerNG but cant find a tab to block the United States or North America which is only in response to the US announcing yesterday they will keep all non-US traffic for 5 years. I value my privacy so I'd rather not have anything to do with US sites after this announcement which will probably make surfing interesting to say the least.
So considering the number of CIDR's for the the US, would it be best to add them to Aliases and block via a firewall rule or use pfblockerng.
Do have to say it looks comprehensive which is good and certainly an improvement over earlier attempts to block IP's en mass.