PfBlockerNG
-
Sidebar: Doing a spotcheck, I found a popular SSL cert reseller is on a widely used blocklist.
As of this writing, the website for StartSSL is on SpamHaus's Don't Route Or Peer blocklist http://www.spamhaus.org/drop/.
www.startssl.com = 192.116.242.20 https://www.whatsmydns.net/#A/www.startssl.com
192.112.112.0/20 blocked by http://www.spamhaus.org/drop/drop.txt
Edit: I should clarify that this isn't an issue with pfBlockerNG.
It's just a reminder that reputable lists get conflicting data and there's no replacement for monitoring logs.and yes, I'm aware of Spamhause's heavy handed history.
-
Hi LinuxTracker,
There seems to be a big spread of time between those Alerts. Could it be that you added the Asia Continent after Spamhaus was already downloaded?
Do you have enable "De-duplication" checked in the General tab?
I would suggest to clear the Firewall Log and execute a "Force Reload", this will refresh all of the databases and then see how it goes from there.
I had some better examples where they all seemed to happen in a short time but I didn't screenshot them.
I'll follow up on your recommendations and post back if I see it happening again.
Thanks!
-
I recommend to everyone to enable "De-Duplication".
Scenario -
-
Country/Continents are Downloaded first. (No De-dup is needed as MaxMind reports Ranges per Country, so no overlap.)
-
As each subsequent Alias/List is downloaded, it will not add any IPs that are already being blocked by an existing Continent List.
When changes are made like "De-Dup or Reputation, or the removal of a Continent/Country or any Lists", I recommend that a "Force Reload" is executed. This will refresh the Database to the current settings.
-
-
NA country list is blocking my HE ipv6 tunnel. Tried suppression and changing order. Also tried de-selecting North America from the NA list. I have kept all countries to deny inbound.
Only way it works is by disabling NA country list entirely. Suggestions??
-
-
So I've downloaded pfblockerNG but cant find a tab to block the United States or North America which is only in response to the US announcing yesterday they will keep all non-US traffic for 5 years. I value my privacy so I'd rather not have anything to do with US sites after this announcement which will probably make surfing interesting to say the least.
So considering the number of CIDR's for the the US, would it be best to add them to Aliases and block via a firewall rule or use pfblockerng.
Do have to say it looks comprehensive which is good and certainly an improvement over earlier attempts to block IP's en mass.
-
So I've downloaded pfblockerNG but cant find a tab to block the United States or North America
Eeeeh?!
-
As a side note.., and a question..
Upgrading from version 1.01 to version 1.02 removed all my newly added pfBlockerNG rules from version 1.01.
Had to create them all again after the package update. Seeing that update 1.03 is available.. Will this also remove all my current pfBlockerNG rules?
Lots of manual labor..Anyway the new package is great!
-
Upgrading from version 1.01 to version 1.02 removed all my newly added pfBlockerNG rules from version 1.01.
Had to create them all again after the package update. Seeing that update 1.03 is available.. Will this also remove all my current pfBlockerNG rules?
Lots of manual labor.. -
Just to be clear: This post is not a personal attack at anybody.
Most of the problems as far as I can see where with user configuration errors. This isn't a fruity company's product. You DO actually need to configure it in order to run.
Choosing every single list on the planet without first understanding the basics is wrong.
Blocking by countries is wrong. Most web hosting "companies" (trust me, I know my competition better than they know themselves) are renting space in a "cheap-from-a-provider's POV" country (eg. US). Yes I do agree that the NSA is being run by criminals, and yes I do agree that most (all?) of them should be locked in cells with the door welded shut. Weigh in what you lose with what you get. Not arguing the "if you have nothing to hide, you have nothing to be afraid of" meme. I'm saying that by cutting off entire countries, you risk cutting off significant portion of the "good" part of the Internet as well. For a single user, who cares. For a provider, you will, trust me.
Spend 5 minutes (time it) going through the package's options before complaining that something doesn't work. There are cases where it is a genuine bug (eg PS tab not getting synced) and other times it's a specific issue to you (eg sync not working because of special characters in the password).Take care, and wait for the configuration guides before letting the beast out of the cage ;)
-
So I've downloaded pfblockerNG but cant find a tab to block the United States or North America
Eeeeh?!
So I've downloaded pfblockerNG but cant find a tab to block the United States or North America which is only in response to the US announcing yesterday they will keep all non-US traffic for 5 years. I value my privacy so I'd rather not have anything to do with US sites after this announcement which will probably make surfing interesting to say the least.
So considering the number of CIDR's for the the US, would it be best to add them to Aliases and block via a firewall rule or use pfblockerng.
Do have to say it looks comprehensive which is good and certainly an improvement over earlier attempts to block IP's en mass.
-
NA country list is blocking my HE ipv6 tunnel. Tried suppression and changing order. Also tried de-selecting North America from the NA list. I have kept all countries to deny inbound.
Only way it works is by disabling NA country list entirely. Suggestions??
Anyone?
-
So I've downloaded pfblockerNG but cant find a tab to block the United States or North America which is only in response to the US announcing yesterday they will keep all non-US traffic for 5 years. I value my privacy so I'd rather not have anything to do with US sites after this announcement which will probably make surfing interesting to say the least.
So considering the number of CIDR's for the the US, would it be best to add them to Aliases and block via a firewall rule or use pfblockerng.
Do have to say it looks comprehensive which is good and certainly an improvement over earlier attempts to block IP's en mass.
hmmm, so does this mean you wont be accessing the forum anymore?
-
If its hosted in the US, then yes that will be the case, is it as I've not looked yet, I thought this was Canadian a business?
-
This is a great package, congrats. Any tutorial available or planed to explain the multiple options?
Thank You
Best Regards -
If its hosted in the US, then yes that will be the case, is it as I've not looked yet, I thought this was Canadian a business?
Its based out of the US, Austin TX I believe. But with team members thru the world.
-
NA country list is blocking my HE ipv6 tunnel. Tried suppression and changing order. Also tried de-selecting North America from the NA list. I have kept all countries to deny inbound.
Only way it works is by disabling NA country list entirely. Suggestions??
Anyone?
Whitelist the tunnel's IP with a rule above the pfBlockerNG's rule maybe? (pfsense interface config, or tunnelbroker should show it)
-
@jflsakfja:
NA country list is blocking my HE ipv6 tunnel. Tried suppression and changing order. Also tried de-selecting North America from the NA list. I have kept all countries to deny inbound.
Only way it works is by disabling NA country list entirely. Suggestions??
Anyone?
Whitelist the tunnel's IP with a rule above the pfBlockerNG's rule maybe? (pfsense interface config, or tunnelbroker should show it)
This is what I do and it works prefect. I use floating rules, so its one of my first floater before the pfBlockerNG rules.. And I have Quick checked
P.S This is why there is an option (Rule Order) to change the way pfBlockerNG places the rules. To give you the flexible that is needed based on your setup. Since I have pfBlockerNG create floating rules, I needed to use the second Rule Order. If I wasn't using floating rules. The first option would work but I would still place my whitlisted IPs as a floating rule.
-
OK a bit confused. Could you please provide some quick screen shots. Last time I added a rule it was pushed all the way down on the floating rules. Also the suppression list alias is not being loaded in the rules as well.
-
Not in front of a pfsense box now, but you can find various options on where to put the automatically created rules in the pfblockerng package. One of them should allow you to have your defined rules first, and the automatically created ones (pfblockerng's) last. If you chose that option, and the rule is still created in the end, tick the rule and move it to the top manually.