PfBlockerNG
-
I made mistake when first setting that up. That is a paid subscription so it does nothing for me. I do not pay for it.
Click the thanks at top right of my message if I helped you
-
We've started using PFBlockerNG on a couple of our firewalls and are using the country block to keep some countries out. However there are a few IP ranges we would like to let through within those blocked countries and these IP ranges change weekly so we're pulling a txt file into an IPV4 alias via PFBlocker daily updates.
Everything so far is working great but the permit rule created by PFBlockerNG is
IPv4 * pfB_Cloudflare * * * * none pfB_Cloudflare auto rule
What we'd like that rule to say is
IPv4 * pfB_Cloudflare * AN_IP 80 * none pfB_Cloudflare auto rule
IPv4 * pfB_Cloudflare * AN_IP 443 * none pfB_Cloudflare auto ruleAN_IP = an internal IP of a server we have
What's the best advice on this for achieving that? If I edit the rule PFBlockerNG just destroys it on the Update.
-
@wavetune:
What's the best advice on this for achieving that? If I edit the rule PFBlockerNG just destroys it on the Update.
Did you tried alias only and then create a manual rule?
-
@wavetune:
What's the best advice on this for achieving that? If I edit the rule PFBlockerNG just destroys it on the Update.
Did you tried alias only and then create a manual rule?
I think that would be the best way to approach this. pfBlockerNG is meant to block all ports, if you need specific ports opened; then alias with a manual rule
-
I left it running overnight - plenty of blocks now :D
-
I made mistake when first setting that up. That is a paid subscription so it does nothing for me. I do not pay for it.
Click the thanks at top right of my message if I helped you
I've been trying to find out how much a subscription cost for the IQRisk Lists but their website doesn't offer a price. How many people have this subscription?
The iBlock list subscription is only 9.99 a year and that is what I'm using.
-
Suggestion if not already done. Put the block to block both for each list.
And I get a lot of blocks from it. Go surf around some bad sites and watch the numbers grow.
When you say 'block both' - do you mean block inbound and outbound?
-
I made mistake when first setting that up. That is a paid subscription so it does nothing for me. I do not pay for it.
Click the thanks at top right of my message if I helped you
I've been trying to find out how much a subscription cost for the IQRisk Lists but their website doesn't offer a price. How many people have this subscription?
The iBlock list subscription is only 9.99 a year and that is what I'm using.
If you have to ask…. ;) ...when I enquired last year it around $500 per year I recall. There isn't a 'consumer' level subscription like Snorts either as it was abused.
-
@irj972:
I made mistake when first setting that up. That is a paid subscription so it does nothing for me. I do not pay for it.
Click the thanks at top right of my message if I helped you
I've been trying to find out how much a subscription cost for the IQRisk Lists but their website doesn't offer a price. How many people have this subscription?
The iBlock list subscription is only 9.99 a year and that is what I'm using.
If you have to ask…. ;) ...when I enquired last year it around $500 per year I recall. There isn't a 'consumer' level subscription like Snorts either as it was abused.
lol I was thinking it's never a good thing when prices aren't listed. Kind of like when you walk into an art gallery.
-
register here to see prices.
https://portal.emergingthreats.net/login#I was hoping there may have been a deal cut with a pfsense gold subscription you know…..hint hint guys ;D
-
When you say 'block both' - do you mean block inbound and outbound?
Yes, inbound and outbound. Helps keep your browser from going to those IP's to begin with there for never waking the monsters in the cave.
-
Whoever puts 0.0.0.0 in a blocklist should not maintain one in the first place… WTF! :o >:(
Yes exactly.. It should never be used. Some list also post 127.0.0.1… You have to remember that IBlock is used predominantly for their PeerBlock Software. This is why these lists are in range format. To use IBlock lists in pfSense, the ranges need to be converted to CIDR.
For IBlock the only Format setting that will convert those lists is "GZ" not "GZ_2"
I also see people using Lists from Sources (Like SigmaProjects and IBlock) that are a Copy of another List Provider. I recommend that people use the Original Provider so that they get accurate and the most up to date data.
So for example - Spamhaus is the Original provider :
http://www.spamhaus.org/drop/drop.txtLists that are using a copy of the Spamhaus Data :
https://blocklist.sigmaprojects.org/api.cfc?method=getList&lists=drop
http://list.iblocklist.com/?list=zbdlwrqkabxbcppvrnos&fileformat=p2p&archiveformat=gzSame can be said for IBlock - DShield, Zeus, Palevo, CI Army, Bogon, Cruzit, Malcode.
sigmaprojects also have Country Lists which are probably not as accurate as MaxMind and should also not be required.
The IBlock Anti-Infringement list should also be used with care. This is not a typical blocklist. It should be used with the "Alias Native" Format. And only used to block certain ports (P2P - and not that I am recommending it either :) ) "Alias Native" will avoid these lists from being De-Duplicated and also avoid these lists from being processed by the "Reputation Settings" if used.
Block Lists need to be evaluated before arbitrarily enabling them.
The pfBNG Log Browser has tabs where you can see the original list and the Final list that is being used by pfBNG.
-
Suggestion if not already done. Put the block to block both for each list.
And I get a lot of blocks from it. Go surf around some bad sites and watch the numbers grow.
Hi Topper. You don't need to make an Alias with a Single list. You can stack lists in a Alias that are similar in function.
-
try
.[ https://blocklist.sigmaprojects.org/api.cfc?method=getList&lists=spyware ]
.Just added this list, it's only showing a Count of 1 tho.
Count of 1, probably means that the List is empty or is all duplicates. Look at the pfblockerng.log and it will show more details about each download. I put a placeholder address of "1.1.1.1" in all empty lists.
Also see my previous post about sigmaproject lists…
-
@irj972:
I made mistake when first setting that up. That is a paid subscription so it does nothing for me. I do not pay for it.
Click the thanks at top right of my message if I helped you
I've been trying to find out how much a subscription cost for the IQRisk Lists but their website doesn't offer a price. How many people have this subscription?
The iBlock list subscription is only 9.99 a year and that is what I'm using.
If you have to ask…. ;) ...when I enquired last year it around $500 per year I recall. There isn't a 'consumer' level subscription like Snorts either as it was abused.
The IDS list from Emerging Threats (for Snort/Suricata) is $425.00/yr.
The ET IQRisk IP Rep subscription is $1400/yr.. Expensive, but if you are protecting a lot of devices, I would recommend as they post IPs that are not in any other 'free' lists. ET IQRisk is one of the best Lists available… They also have a Domain Blocklist which will be great for pfBNG v2.0 DNSBL.
I think if ET dropped these prices, that they will see subscriptions increase...
-
When you say 'block both' - do you mean block inbound and outbound?
Yes, inbound and outbound. Helps keep your browser from going to those IP's to begin with there for never waking the monsters in the cave.
Just to be clear, Selecting "Inbound" will not offer any protection and unless you have Open ports. These "Inbound" events are already being blocked by Default by pfSense. The only benefit is if you want to monitor what is being blocked and use this in a Analysis and Correlation software to find malicious behavior that could be attacking your Network.
It will also fill your log with noise that might be better spent on the events that are important.. Like why is a device on your Network hitting a China or Russian Web Server when you don't visit any of those sites…
Please protect your "Outbound" traffic first, as by Default pfSense is already blocking the "Inbound". Then if you have "Open ports", you can add additional rules to protect those "Open ports".
-
Just to be clear, Selecting "Inbound" will not offer any protection and unless you have Open ports. These "Inbound" events are already being blocked by Default by pfSense.
Can you put some huge bold red notice somewhere in the GUI? (Really hard to believe how many people keep missing basics…)
-
Just to be clear, Selecting "Inbound" will not offer any protection and unless you have Open ports. These "Inbound" events are already being blocked by Default by pfSense.
Can you put some huge bold red notice somewhere in the GUI? (Really hard to believe how many people keep missing basics…)
But it may not be seen in IE
-
@wavetune:
What's the best advice on this for achieving that? If I edit the rule PFBlockerNG just destroys it on the Update.
Did you tried alias only and then create a manual rule?
Thanks for the reply. I did try this but the problem we have is that PFBlocker then puts it's rules first. If I change the order in PFBlocker we then end up with all of our permit rules first.
Here is the problem in a bit more detail with some examples, these are not the real rules but make it easier to see what is happening.
PFBlocker Block all Romania
Allow port 80 to host x.x.x.x
Allow port 443 to host x.x.x.xSo this would block Romania but allow the rest of the world into port 80 & 443
Now we find that we have some IP's in Romania that need to be allowed in so we do this;
PFBlocker Allow this RomaniaAllowedAliasList (PFBlocker allows all ports from those IP's)
PFBlocker Block all Romania
Allow port 80 to host x.x.x.x from anywhere
Allow port 443 to host x.x.x.x from anywhereLooking at creating just an Alias list only with PFBlocker and a manual rule would give us this
PFBlocker Block all Romania
Allow port 80 to host x.x.x.x from RomaniaAllowedAliasList
Allow port 80 to host x.x.x.x from anywhere
Allow port 443 to host x.x.x.x from anywhereOR
Allow port 80 to host x.x.x.x from RomaniaAllowedAliasList
Allow port 80 to host x.x.x.x from anywhere
Allow port 443 to host x.x.x.x from anywhere
PFBlocker Block all RomaniaCannot get the config to do this though;
Allow port 80 to host x.x.x.x from RomaniaAllowedAliasList
PFBlocker Block all Romania
Allow port 80 to host x.x.x.x from anywhere
Allow port 443 to host x.x.x.x from anywhereUnless I'm missing something?
Thanks for you help
-
@wavetune:
@wavetune:
What's the best advice on this for achieving that? If I edit the rule PFBlockerNG just destroys it on the Update.
Did you tried alias only and then create a manual rule?
Here is the problem in a bit more detail with some examples, these are not the real rules but make it easier to see what is happening.
Hi wavetune,
I think you should be able to do that with rule option "4" but you won't be able to set the Ports on the First rule with "Autorules".
| pfB_Pass/Match | pfB_Block/Reject | pfSense Pass/Match |
Allow port 80 to host x.x.x.x from RomaniaAllowedAliasList
PFBlocker Block all Romania
Allow port 80 to host x.x.x.x from anywhere
Allow port 443 to host x.x.x.x from anywhereI think your only option is to create the 2nd rule "PFBlocker Block all Romania" as an "Alias Deny" rule. This way all the rules are aliases, and you can configure/customize them as you choose.