PfBlockerNG
-
try
.[ https://blocklist.sigmaprojects.org/api.cfc?method=getList&lists=spyware ]
.Just added this list, it's only showing a Count of 1 tho.
-
add them all in a group is what I did so I not see how many each have. But I have them all and I get pretty good amount of blocks from those lists.. I also have deduplication on so all my lists are stripped of duplicates making them smaller too
-
Okay, ill give it a try. Tho I have been able to find out what lists are blocking what, like malwarebytes or deviantart.com, by having them displayed individually and not in groups. Once you visit a site you can see which lists are denying or blocking packets.
I also have de-duplication enabled.
Question, I see that you've selected "Unknown" in the ET IQRISK BLOCK LISTS and ET IQRISK Match LISTS. What does that do?
-
I made mistake when first setting that up. That is a paid subscription so it does nothing for me. I do not pay for it.
Click the thanks at top right of my message if I helped you
-
We've started using PFBlockerNG on a couple of our firewalls and are using the country block to keep some countries out. However there are a few IP ranges we would like to let through within those blocked countries and these IP ranges change weekly so we're pulling a txt file into an IPV4 alias via PFBlocker daily updates.
Everything so far is working great but the permit rule created by PFBlockerNG is
IPv4 * pfB_Cloudflare * * * * none pfB_Cloudflare auto rule
What we'd like that rule to say is
IPv4 * pfB_Cloudflare * AN_IP 80 * none pfB_Cloudflare auto rule
IPv4 * pfB_Cloudflare * AN_IP 443 * none pfB_Cloudflare auto ruleAN_IP = an internal IP of a server we have
What's the best advice on this for achieving that? If I edit the rule PFBlockerNG just destroys it on the Update.
-
@wavetune:
What's the best advice on this for achieving that? If I edit the rule PFBlockerNG just destroys it on the Update.
Did you tried alias only and then create a manual rule?
-
@wavetune:
What's the best advice on this for achieving that? If I edit the rule PFBlockerNG just destroys it on the Update.
Did you tried alias only and then create a manual rule?
I think that would be the best way to approach this. pfBlockerNG is meant to block all ports, if you need specific ports opened; then alias with a manual rule
-
I left it running overnight - plenty of blocks now :D
-
I made mistake when first setting that up. That is a paid subscription so it does nothing for me. I do not pay for it.
Click the thanks at top right of my message if I helped you
I've been trying to find out how much a subscription cost for the IQRisk Lists but their website doesn't offer a price. How many people have this subscription?
The iBlock list subscription is only 9.99 a year and that is what I'm using.
-
Suggestion if not already done. Put the block to block both for each list.
And I get a lot of blocks from it. Go surf around some bad sites and watch the numbers grow.
When you say 'block both' - do you mean block inbound and outbound?
-
I made mistake when first setting that up. That is a paid subscription so it does nothing for me. I do not pay for it.
Click the thanks at top right of my message if I helped you
I've been trying to find out how much a subscription cost for the IQRisk Lists but their website doesn't offer a price. How many people have this subscription?
The iBlock list subscription is only 9.99 a year and that is what I'm using.
If you have to ask…. ;) ...when I enquired last year it around $500 per year I recall. There isn't a 'consumer' level subscription like Snorts either as it was abused.
-
@irj972:
I made mistake when first setting that up. That is a paid subscription so it does nothing for me. I do not pay for it.
Click the thanks at top right of my message if I helped you
I've been trying to find out how much a subscription cost for the IQRisk Lists but their website doesn't offer a price. How many people have this subscription?
The iBlock list subscription is only 9.99 a year and that is what I'm using.
If you have to ask…. ;) ...when I enquired last year it around $500 per year I recall. There isn't a 'consumer' level subscription like Snorts either as it was abused.
lol I was thinking it's never a good thing when prices aren't listed. Kind of like when you walk into an art gallery.
-
register here to see prices.
https://portal.emergingthreats.net/login#I was hoping there may have been a deal cut with a pfsense gold subscription you know…..hint hint guys ;D
-
When you say 'block both' - do you mean block inbound and outbound?
Yes, inbound and outbound. Helps keep your browser from going to those IP's to begin with there for never waking the monsters in the cave.
-
Whoever puts 0.0.0.0 in a blocklist should not maintain one in the first place… WTF! :o >:(
Yes exactly.. It should never be used. Some list also post 127.0.0.1… You have to remember that IBlock is used predominantly for their PeerBlock Software. This is why these lists are in range format. To use IBlock lists in pfSense, the ranges need to be converted to CIDR.
For IBlock the only Format setting that will convert those lists is "GZ" not "GZ_2"
I also see people using Lists from Sources (Like SigmaProjects and IBlock) that are a Copy of another List Provider. I recommend that people use the Original Provider so that they get accurate and the most up to date data.
So for example - Spamhaus is the Original provider :
http://www.spamhaus.org/drop/drop.txtLists that are using a copy of the Spamhaus Data :
https://blocklist.sigmaprojects.org/api.cfc?method=getList&lists=drop
http://list.iblocklist.com/?list=zbdlwrqkabxbcppvrnos&fileformat=p2p&archiveformat=gzSame can be said for IBlock - DShield, Zeus, Palevo, CI Army, Bogon, Cruzit, Malcode.
sigmaprojects also have Country Lists which are probably not as accurate as MaxMind and should also not be required.
The IBlock Anti-Infringement list should also be used with care. This is not a typical blocklist. It should be used with the "Alias Native" Format. And only used to block certain ports (P2P - and not that I am recommending it either :) ) "Alias Native" will avoid these lists from being De-Duplicated and also avoid these lists from being processed by the "Reputation Settings" if used.
Block Lists need to be evaluated before arbitrarily enabling them.
The pfBNG Log Browser has tabs where you can see the original list and the Final list that is being used by pfBNG.
-
Suggestion if not already done. Put the block to block both for each list.
And I get a lot of blocks from it. Go surf around some bad sites and watch the numbers grow.
Hi Topper. You don't need to make an Alias with a Single list. You can stack lists in a Alias that are similar in function.
-
try
.[ https://blocklist.sigmaprojects.org/api.cfc?method=getList&lists=spyware ]
.Just added this list, it's only showing a Count of 1 tho.
Count of 1, probably means that the List is empty or is all duplicates. Look at the pfblockerng.log and it will show more details about each download. I put a placeholder address of "1.1.1.1" in all empty lists.
Also see my previous post about sigmaproject lists…
-
@irj972:
I made mistake when first setting that up. That is a paid subscription so it does nothing for me. I do not pay for it.
Click the thanks at top right of my message if I helped you
I've been trying to find out how much a subscription cost for the IQRisk Lists but their website doesn't offer a price. How many people have this subscription?
The iBlock list subscription is only 9.99 a year and that is what I'm using.
If you have to ask…. ;) ...when I enquired last year it around $500 per year I recall. There isn't a 'consumer' level subscription like Snorts either as it was abused.
The IDS list from Emerging Threats (for Snort/Suricata) is $425.00/yr.
The ET IQRisk IP Rep subscription is $1400/yr.. Expensive, but if you are protecting a lot of devices, I would recommend as they post IPs that are not in any other 'free' lists. ET IQRisk is one of the best Lists available… They also have a Domain Blocklist which will be great for pfBNG v2.0 DNSBL.
I think if ET dropped these prices, that they will see subscriptions increase...
-
When you say 'block both' - do you mean block inbound and outbound?
Yes, inbound and outbound. Helps keep your browser from going to those IP's to begin with there for never waking the monsters in the cave.
Just to be clear, Selecting "Inbound" will not offer any protection and unless you have Open ports. These "Inbound" events are already being blocked by Default by pfSense. The only benefit is if you want to monitor what is being blocked and use this in a Analysis and Correlation software to find malicious behavior that could be attacking your Network.
It will also fill your log with noise that might be better spent on the events that are important.. Like why is a device on your Network hitting a China or Russian Web Server when you don't visit any of those sites…
Please protect your "Outbound" traffic first, as by Default pfSense is already blocking the "Inbound". Then if you have "Open ports", you can add additional rules to protect those "Open ports".
-
Just to be clear, Selecting "Inbound" will not offer any protection and unless you have Open ports. These "Inbound" events are already being blocked by Default by pfSense.
Can you put some huge bold red notice somewhere in the GUI? (Really hard to believe how many people keep missing basics…)
