PfBlockerNG
-
So I tried to create a IPv6 Whitelist to see if it helps by adding my gif tunnel remote address 2001:470:xxxx:xxx::1 but it gives me this error while reloading
[ WhitelistIPv6_custom_v6 ] Custom List Error ]
I tried adding /64 in the end to that IP as well. Doesn't work.
-
Create an alias outside of pfSenseNG for the IPv6 subnet you want to whitelist. Then add a manual permit rule to your floating rules (with quick checked). You will probably have to change the rule order to what I suggested before.
The IPv6 regex still needs some adjustments in pfBlockerNG. When we tested this a few months ago, I was able to get it work with some test IPv6 addresses I was using for testing. At the time, I couldn't locate any good list to thoroughly test like I did with IPv4
-
PfBlocker enabled
All countries - Deny InboundHmmm… There's default deny rule already. The above is an exercise in wasting memory and creating useless rules, or what exactly have I missed here?
So I tried to create a IPv6 Whitelist to see if it helps by adding my gif tunnel remote address 2001:470:xxxx:xxx::1 but it gives me this error while reloading
I tried adding /64 in the end to that IP as well. Doesn't work.Yeah, of course the /64 does not work. Should be 2001:470:xxxx:xxx::/1 without the bogus trailing 1. Other than that, seeing people shooting themselves in the foot by completely nonsensical blocking makes me wonder. WTF.
-
PfBlocker enabled
All countries - Deny InboundHmmm… There's default deny rule already. The above is an exercise in wasting memory and creating useless rules, or what exactly have I missed here?
So I tried to create a IPv6 Whitelist to see if it helps by adding my gif tunnel remote address 2001:470:xxxx:xxx::1 but it gives me this error while reloading
I tried adding /64 in the end to that IP as well. Doesn't work.Yeah, of course the /64 does not work. Should be 2001:470:xxxx:xxx::/1 without the bogus trailing 1. Other than that, seeing people shooting themselves in the foot by completely nonsensical blocking makes me wonder. WTF.
Educate me where you see the default deny inbound global (all countries) rule on a base pfSense install. PfBlocker has the settings unchecked and disabled at first install and is at users discretion to enable them how one wants for tighter control.
-
Create an alias outside of pfSenseNG for the IPv6 subnet you want to whitelist. Then add a manual permit rule to your floating rules (with quick checked). You will probably have to change the rule order to what I suggested before.
The IPv6 regex still needs some adjustments in pfBlockerNG. When we tested this a few months ago, I was able to get it work with some test IPv6 addresses I was using for testing. At the time, I couldn't locate any good list to thoroughly test like I did with IPv4
I will try it and if it doesn't work will hold off till there is a good update to the IPv6 address list.
-
Educate me where you see the default deny inbound global (all countries) rule on a base pfSense install.
Nowhere. It's not visible, it's implicit. Anything not allowed is denied by default. Unless you have some "allow from any" rule you wish to restrict via country blocking on your WAN, there's just no point in creating inbound country-based rules at all.
-
2001:470:xxxx:xxx::/1 or even just 2001:470:xxxx:xxx:: has not change. It still gives the same error…
[ WhitelistIPv6_custom_v6 ] Custom List Error ]
IPv6 area of PfBlocker definitely needs some work.
-
I have no idea what you are trying to to. First of all, if you wish to block the entire world except for one particular subnet, then nuke your "allow any" rule, allow only the respective subnet and forget about creating an incredibly huge "All countries" alias for blocking something that'd get implicitly blocked anyway if you designed your rules in a sane way.
-
Just installed the latest updates on 2 nategate pfsense firewalls and installed the latest pfblockerng on both. I selected all of the top 20 spammer countries IPV4 list set it to deny both and enabled. When I enable pfblockerng and hit save it is not creating any fire wall rules. I see where it created the alias URL but no rules under floating, Wan or Lan. I tried selecting the floatiing rules but that didn't do anything either. I tired running the force update, Force Cron and Force Reload and still no rules.
On my dashboard I enabled the pfblockerng widget and it shows pfblockerng is active but has a red down arrow that says No rules are defined for this alias.
The error log does not show any errors.
When I do a reload this shows in the logs
"No Changes to Firewall Rules, Skipping Filter Reload"Any suggestions on what I need to do to get the rules created?
-
Any suggestions on what I need to do to get the rules created?
Changes are Applied via CRON or 'Force Update'. In red, and in bold letters at the bottom.
-
I don't have a terribly compelling use for pfblockerng right now, but I was playing around with it just to see if I could get it to block ads with reasonable effectiveness. I added some lists from iblocklist (the ads list there, plus the YoYo list) and configured them to reject on outbound LAN. When I had logging on, I saw lots of hits (so many I turned off logging), but no noticeable decrease in ads. Is this to be expected?
I'm guessing that DNSBL+Adblock-easylist functionality in pfblockerng-v2 will improve things, I'm just curious how this lines up with other users' experiences.
-
Install adblock in firefox and "borrow" the list from there…it works.
-
-
Corrected :D
Install adblock in firefox and steal the list from there…it works.
borrow :)
-
Sorry for my ignorance, but that works? Maybe I'm missing something. Are you saying that I can use the easyList with pfblockerNG already?
I thought we needed to use IP lists. The easyList rules appear to be URL filters- and not even full URLs.
Is there some other list I'm not aware of?
-
Any suggestions on what I need to do to get the rules created?
Changes are Applied via CRON or 'Force Update'. In red, and in bold letters at the bottom.
I have already tried the force update. When I run it I get this
UPDATE PROCESS START [ 02/05/15 13:15:17 ]
[ pfB_Top_v4 ] exists, Reloading File [ 02/05/15 13:15:18 ]
===[ Aliastables / Rules ]================================
No Changes to Firewall Rules, Skipping Filter Reload
Updating: pfB_Top_v4
no changes.UPDATE PROCESS ENDED [ 02/05/15 13:15:22 ]
After running this I have no blocking rules
Any suggestions
-
Here is the logfile you asked for.
Hi Jonna, The log file shows that its failing to download the Maxmind files. Can you run the following command from the shell and try to see what is stopping it from completing?
Suggestions:
Try to goto the MaxMind Website and see if you can get there first? If you are having issues getting to that site, you need to fix that first.
The following command can be executed from the Shell to manually download the MaxMind Database and Update the pfBNG XML files.
php /usr/local/www/pfblockerng/pfblockerng.php dc -
I have already tried the force update. When I run it I get this
Hi nckwebtech, Did you select the Interfaces in the General Tab? IN/Outbound? Also please ensure that you selected the "Action Setting" in the Alias settings.
-
I would recommend for users to please read the text beside each setting in pfBlockerNG. There is a lot of good detail there to follow. Also Hover over in the Alerts Tab will show more comments as well.
pfSense is a stateful firewall by design. By default all Inbound is set to Deny (implicit).
So the only reasons to have Deny Inbound or Deny Both, is if you have Open ports that you would like to protect. Most often a "Deny Outbound" is sufficient. If you wish to log activity that is hitting your firewall then you can set "Deny Both". This is a generalization. You need to think about your needs in your network first.
Suppression does not work on Country Blocking. It can only be used for IPv4 Lists and only on /32 or /24 IPs.
If you want to circumvent a Country Block, Create a pfBNG Alias ie "Whitelist" and set the Action to "Permit Outbound". You most likely do not want to set it as "Permit Both" or Permit Inbound" as that allows those IPs to get past all other rules in the Firewall. Then add the IPs that you want to allow Outbound access to in the Custom Box entry for the Whitelist Alias. You can also Whitelist a list of IPs with the URL settings. Then make sure to select the Rule Order setting to allow the Permit rule to be above the Block rules.
If users want to block the world, (Not recommending it but if you did want this option) pfSense is already set as Deny Inbound. So instead of adding all IPs to a Block list, you would do the inverse and just make a list of Countries to Allow and have that rule above a Deny all rule.
IPv6 needs some more work on the Regex. (Did I say I Really hate Regex… any help appreciated to make that part better !! )
-
I don't have a terribly compelling use for pfblockerng right now, but I was playing around with it just to see if I could get it to block ads with reasonable effectiveness. I added some lists from iblocklist (the ads list there, plus the YoYo list) and configured them to reject on outbound LAN. When I had logging on, I saw lots of hits (so many I turned off logging), but no noticeable decrease in ads. Is this to be expected?
I'm guessing that DNSBL+Adblock-easylist functionality in pfblockerng-v2 will improve things, I'm just curious how this lines up with other users' experiences.
Hi reggie14,
pfBNG is an IP based solution. Some lists for Domain blocking (DNSBL) have some IPs listed. So if you did use one of those Domain Lists, it would pull those IPs. IBlock Ads is not that great. So if you are looking for Ads blocking, you will need to wait for v2 of pfBNG. However, you should consider using pfBlockerNG as a tool to help block Outbound traffic to known malicious IPs.. There are lots of lists around.
Here are a few lists to use:
https://rules.emergingthreats.net/blockrules/compromised-ips.txt ET_Comp txt
https://rules.emergingthreats.net/fwrules/emerging-Block-IPs.txt ET_Block txt
http://www.spamhaus.org/drop/drop.txt Spamhaus_Drop txt
http://www.spamhaus.org/drop/edrop.txt Spamhaus_eDrop txt
https://sslbl.abuse.ch/blacklist/sslipblacklist_aggressive.csv Abuse_SSLBL html
https://reputation.alienvault.com/reputation.snort.gz Alienvault gz_2
https://danger.rulez.sk/projects/bruteforceblocker/blist.php DangerRulez txt
http://www.us.openbl.org/lists/base_90days.txt OpenBL txt
https://malc0de.com/bl/IP_Blacklist.txt Malcode txt
