PfBlockerNG
-
thanks BBcan177 for a great package, what is the account to donate?
You can send a paypal to my email account, which is listed in the General Tab of pfBNG. I will put this towards v2.0 Development! :)
-
I have to agree with doktornotor, most of the problems I'm seeing reported here could have been avoided by reading the instructions on each page. BB' worked hard to explain everything either above or below each choice. Example: "Headers" are required.
The 'Header' Field must be Unique
IE. A Blank "Header field" is not unique.
Read each page carefully and it will work. :)
I totally agree with your both!!
Like I tell my privates, read the f$cking FM! And in the case of pfBlockerNG, the directions are there on every page.
Maybe the package needs a warning: for advanced and/or IT users only =D
-
As a person who is regularly caught explaining "in plain English" IT terminology, I see the problem somewhere else, and I'll play the devil's advocate here.
Someone has to bridge the engineer > user gap. I'm regularly caught in all three sides (including the middle-man), and I see the problem from every possible angle.
An example:
Engineer's thought process:
sudo apt-get update && sudo apt-get upgrade && sudo apt-get dist-upgrade
(if you know that && means execute the following command when the previous one ends)User's thought process:
upgrade system nextHaving to set up aliases is not the point here. It's actually having to set up aliases that's the problem ;)
The engineer knows that in order to get to the next version, the system has to first know about that version (update), bring the system up to the last upgradable point before the actual jump to the next version to reduce the possibility of things going south (upgrade), then make the jump (dist-upgrade).
The user wants to upgrade the system and doesn't care about the process behind it.
Trust me, works a lot better when IT is cut out of the discussion. Think accounting. I don't actually care about the process to get to a result, as long as I get a result. Although I personally find it fascinating knowing how things work, not everyone does ;-)
Not saying any side is wrong btw, just laying out my thoughts for both sides to consider. group hug
-
@jflsakfja:
As a person who is regularly caught explaining "in plain English" IT terminology, I see the problem somewhere else, and I'll play the devil's advocate here.
-
Add them in the IPv4 tab like shown in picture below my post
.png)
.png_thumb) -
I have been using pfblockerNG for a few days now (v1.03), and I have been seeing extremely long boot times. The system hangs at configuring firewall for about 13 minutes before finally continuing and bringing up the system. I was able to ssh into the system, and it shows almost zero load with ~16 processes including top, until my ssh session freezes when the boot process completes.
This is very similar to the massive delay seen when trying to use the original pfblocker under pfSense 2.2.
I am using just the country block lists, and I am blocking all unsolicited inbound traffic from all the nations listed, except mine.
The behavior is very strange in that the system just seems to be idling, before it finally unsticks and completes the boot process.
Cheers,
Bennett -
Are you blocking the package repository from pfsense?
-
I am using just the country block lists, and I am blocking all unsolicited inbound traffic from all the nations listed, except mine.
Ugh. Yeah, so you are having aliases with billions of IPs for absolutely NO valid reason, since all those are already blocked by default deny, just without this huge overhead.. And wondering why it's slow and takes ages to configure the rules? Sigh. :( :'(
Lets try again:
pfSense is a stateful firewall by design. By default all Inbound is set to Deny (implicit).
So the only reasons to have Deny Inbound or Deny Both, is if you have Open ports that you would like to protect. Most often a "Deny Outbound" is sufficient. If you wish to log activity that is hitting your firewall then you can set "Deny Both". This is a generalization. You need to think about your needs in your network first.
-
I have been seeing extremely long boot times.
This is very similar to the massive delay seen when trying to use the original pfblocker under pfSense 2.2.
Hi Bennett,
With Nano and Ramdisk installs, the /var/db folder is being cleared on reboot. I moved the Country files to the PBI folder, but the final Aliastables are still in the /var/db folder. I have to get the Devs involved to find the best solution for this issue.
-
pfSense is a stateful firewall by design. By default all Inbound is set to Deny (implicit).
So the only reasons to have Deny Inbound or Deny Both, is if you have Open ports that you would like to protect.
That's absolutely clear, but what if we do have Open ports? Which settings will be recommended and considered sufficient in this case? For example, I have some TCP ports open (for ssh, OpenVPN) and UDP (for IPSec), even now when I have entire Asia blocked I see occasional connection attempts in both IPSec and OpenVPN logs.
-
That's absolutely clear, but what if we do have Open ports? Which settings will be recommended and considered sufficient in this case?
Do it the other way round! Whitelist, not blacklist! A single-country whitelist is a whole LOT smaller than the entire-world minus one country blacklist.
-
That's absolutely clear, but what if we do have Open ports? Which settings will be recommended and considered sufficient in this case? For example, I have some TCP ports open (for ssh, OpenVPN) and UDP (for IPSec), even now when I have entire Asia blocked I see occasional connection attempts in both IPSec and OpenVPN logs.
To continue with Doktornotor's post, you can make a new IPv4 "Alias" as "Alias Permit". In the URL field, enter the path to the Country Code files (Change the amd64 to i386, if required). You can add any number of Countries to a single Alias but they all have to be IPv4 or IPv6 depending on which Tab you created them in IPv4 or IPv6 Tabs. Set it to update once per week.
/usr/pbi/pfblockerng-amd64/share/GeoIP/US_v4.txt
Then create a Firewall Rule, select the Interfaces and the Ports etc for this particular rule. Make sure this rule is above the other Deny Rules.
You would need to create an IPv6 also, if you require that. This way you are reducing the size of the Aliastables. You still can be hammered by any USA IPs thou! So its just stopping all of the other countries from hitting those open ports. When creating the Manual Rule, follow the instructions in the Alias Tab for the proper "Description" Settings. Use the prefix pfb_ (Lowercase) and the name of the Alias. This way it will show in the widget packet counts. Using pfB_ in the Manual Alias will cause these Rules to disappear at the next Cron event..
For the question about seeing traffic on the IPSec and OpenVPN interfaces, did you enable rules for these Interfaces?
-
Thanks a lot for the suggestions, I'm already trying to build a simpler config. Will stay with a short country list and Permit Inbound rule.
P.S. It seems I managed to find a glitch - some rules got multiplied, see screenshot.
-
For the question about seeing traffic on the IPSec and OpenVPN interfaces, did you enable rules for these Interfaces?
I've noticed some connection attempts (through WAN), from the countries which were not included into my country blocking, i.e. USA. So it's not about functionality of the Package, it's more about proper protection design. Thanks a lot!
-
I am in the same boat as AndrewZ, in that I really don't want the whole world pounding on my IPSec and OpenVPN connections. The IPSec point to point tunnels are already protected to a degree by an alias specifying allowed hosts, but the road warrior VPN needs to be a bit more open. I also have a vanity web server in the mix serving pictures for friends and family. The web server runs on a small VM protected by an even smaller VM that pre-filters requests via ModSecurity.
While I understand that the lists are huge and setting up the rules is computationally intensive, what bewilders me is that the process shows absolutely no load in top.
Thank you for the pointers. I will try to implement a more sensible scheme, but I will miss my dashboard full of countries and blocked packets.
-
what bewilders me is that the process shows absolutely no load in top.
After reading some pfsense base code today, I see that compared to 2.1.x, 2.2 has a 60 second delay while trying to find a non-existent file in /var/db/aliastables. So this 60 second delay will occur for each and every Alias. So if you have 10 aliases, it will timeout for 10 mins. Obviously there is no load as its not doing anything ;D So this only affects Nano and Ramdisk installations as they have the /var/db folders wiped at reboot.
Its simple to change the timeout to say 5 secs, but the issue still remains that on Reboot, Nano and Ramdisk installs have no aliastables. The only way to get them back is to do a "Force Update" or wait for Cron to execute.
So while you guys have been drinking Beer and relaxing….
I wrote some code that Compresses the contents of /var/db/aliastables at reboot, and can restore this file on Bootup... Just need some testers ;D and the Devs to approve it of course.
-
what bewilders me is that the process shows absolutely no load in top.
So while you guys have been drinking Beer and relaxing….
I wrote some code that Compresses the contents of /var/db/aliastables at reboot, and can restore this file on Bootup... Just need some testers ;D and the Devs to approve it of course.
Thank you! I had a feeling there was a whole lot of nothing going on. I would be happy to test code related to this.
-
BB do you recommend enabling Floating Rules or have the auto-rules generated in the WAN/LAN interfaces? I dont currently have Floating Rules enabled. I also don't have an interface selected for Inbound Interfaces since I'll only be rejecting on my Outbound Interface.
-
There is a thread all about this topic of floating vs Std Interfaces. Its not difficult to flip back and forth. With Floating they will match quicker.
https://forum.pfsense.org/index.php?topic=78062.0
-
what bewilders me is that the process shows absolutely no load in top.
So while you guys have been drinking Beer and relaxing….
I wrote some code that Compresses the contents of /var/db/aliastables at reboot, and can restore this file on Bootup... Just need some testers ;D and the Devs to approve it of course.
Thank you! I had a feeling there was a whole lot of nothing going on. I would be happy to test code related to this.
I am also happy to test. I have 32 and 64 bit nanoBSD systems that I can test with. PM me about any code…
