PfBlockerNG
-
Whoever puts 0.0.0.0 in a blocklist should not maintain one in the first place… WTF! :o >:(
Yes exactly.. It should never be used. Some list also post 127.0.0.1… You have to remember that IBlock is used predominantly for their PeerBlock Software. This is why these lists are in range format. To use IBlock lists in pfSense, the ranges need to be converted to CIDR.
For IBlock the only Format setting that will convert those lists is "GZ" not "GZ_2"
I also see people using Lists from Sources (Like SigmaProjects and IBlock) that are a Copy of another List Provider. I recommend that people use the Original Provider so that they get accurate and the most up to date data.
So for example - Spamhaus is the Original provider :
http://www.spamhaus.org/drop/drop.txtLists that are using a copy of the Spamhaus Data :
https://blocklist.sigmaprojects.org/api.cfc?method=getList&lists=drop
http://list.iblocklist.com/?list=zbdlwrqkabxbcppvrnos&fileformat=p2p&archiveformat=gzSame can be said for IBlock - DShield, Zeus, Palevo, CI Army, Bogon, Cruzit, Malcode.
sigmaprojects also have Country Lists which are probably not as accurate as MaxMind and should also not be required.
The IBlock Anti-Infringement list should also be used with care. This is not a typical blocklist. It should be used with the "Alias Native" Format. And only used to block certain ports (P2P - and not that I am recommending it either :) ) "Alias Native" will avoid these lists from being De-Duplicated and also avoid these lists from being processed by the "Reputation Settings" if used.
Block Lists need to be evaluated before arbitrarily enabling them.
The pfBNG Log Browser has tabs where you can see the original list and the Final list that is being used by pfBNG.
-
Suggestion if not already done. Put the block to block both for each list.
And I get a lot of blocks from it. Go surf around some bad sites and watch the numbers grow.
Hi Topper. You don't need to make an Alias with a Single list. You can stack lists in a Alias that are similar in function.
-
try
.[ https://blocklist.sigmaprojects.org/api.cfc?method=getList&lists=spyware ]
.Just added this list, it's only showing a Count of 1 tho.
Count of 1, probably means that the List is empty or is all duplicates. Look at the pfblockerng.log and it will show more details about each download. I put a placeholder address of "1.1.1.1" in all empty lists.
Also see my previous post about sigmaproject lists…
-
@irj972:
I made mistake when first setting that up. That is a paid subscription so it does nothing for me. I do not pay for it.
Click the thanks at top right of my message if I helped you
I've been trying to find out how much a subscription cost for the IQRisk Lists but their website doesn't offer a price. How many people have this subscription?
The iBlock list subscription is only 9.99 a year and that is what I'm using.
If you have to ask…. ;) ...when I enquired last year it around $500 per year I recall. There isn't a 'consumer' level subscription like Snorts either as it was abused.
The IDS list from Emerging Threats (for Snort/Suricata) is $425.00/yr.
The ET IQRisk IP Rep subscription is $1400/yr.. Expensive, but if you are protecting a lot of devices, I would recommend as they post IPs that are not in any other 'free' lists. ET IQRisk is one of the best Lists available… They also have a Domain Blocklist which will be great for pfBNG v2.0 DNSBL.
I think if ET dropped these prices, that they will see subscriptions increase...
-
When you say 'block both' - do you mean block inbound and outbound?
Yes, inbound and outbound. Helps keep your browser from going to those IP's to begin with there for never waking the monsters in the cave.
Just to be clear, Selecting "Inbound" will not offer any protection and unless you have Open ports. These "Inbound" events are already being blocked by Default by pfSense. The only benefit is if you want to monitor what is being blocked and use this in a Analysis and Correlation software to find malicious behavior that could be attacking your Network.
It will also fill your log with noise that might be better spent on the events that are important.. Like why is a device on your Network hitting a China or Russian Web Server when you don't visit any of those sites…
Please protect your "Outbound" traffic first, as by Default pfSense is already blocking the "Inbound". Then if you have "Open ports", you can add additional rules to protect those "Open ports".
-
Just to be clear, Selecting "Inbound" will not offer any protection and unless you have Open ports. These "Inbound" events are already being blocked by Default by pfSense.
Can you put some huge bold red notice somewhere in the GUI? (Really hard to believe how many people keep missing basics…)
-
Just to be clear, Selecting "Inbound" will not offer any protection and unless you have Open ports. These "Inbound" events are already being blocked by Default by pfSense.
Can you put some huge bold red notice somewhere in the GUI? (Really hard to believe how many people keep missing basics…)
But it may not be seen in IE
-
@wavetune:
What's the best advice on this for achieving that? If I edit the rule PFBlockerNG just destroys it on the Update.
Did you tried alias only and then create a manual rule?
Thanks for the reply. I did try this but the problem we have is that PFBlocker then puts it's rules first. If I change the order in PFBlocker we then end up with all of our permit rules first.
Here is the problem in a bit more detail with some examples, these are not the real rules but make it easier to see what is happening.
PFBlocker Block all Romania
Allow port 80 to host x.x.x.x
Allow port 443 to host x.x.x.xSo this would block Romania but allow the rest of the world into port 80 & 443
Now we find that we have some IP's in Romania that need to be allowed in so we do this;
PFBlocker Allow this RomaniaAllowedAliasList (PFBlocker allows all ports from those IP's)
PFBlocker Block all Romania
Allow port 80 to host x.x.x.x from anywhere
Allow port 443 to host x.x.x.x from anywhereLooking at creating just an Alias list only with PFBlocker and a manual rule would give us this
PFBlocker Block all Romania
Allow port 80 to host x.x.x.x from RomaniaAllowedAliasList
Allow port 80 to host x.x.x.x from anywhere
Allow port 443 to host x.x.x.x from anywhereOR
Allow port 80 to host x.x.x.x from RomaniaAllowedAliasList
Allow port 80 to host x.x.x.x from anywhere
Allow port 443 to host x.x.x.x from anywhere
PFBlocker Block all RomaniaCannot get the config to do this though;
Allow port 80 to host x.x.x.x from RomaniaAllowedAliasList
PFBlocker Block all Romania
Allow port 80 to host x.x.x.x from anywhere
Allow port 443 to host x.x.x.x from anywhereUnless I'm missing something?
Thanks for you help
-
@wavetune:
@wavetune:
What's the best advice on this for achieving that? If I edit the rule PFBlockerNG just destroys it on the Update.
Did you tried alias only and then create a manual rule?
Here is the problem in a bit more detail with some examples, these are not the real rules but make it easier to see what is happening.
Hi wavetune,
I think you should be able to do that with rule option "4" but you won't be able to set the Ports on the First rule with "Autorules".
| pfB_Pass/Match | pfB_Block/Reject | pfSense Pass/Match |
Allow port 80 to host x.x.x.x from RomaniaAllowedAliasList
PFBlocker Block all Romania
Allow port 80 to host x.x.x.x from anywhere
Allow port 443 to host x.x.x.x from anywhereI think your only option is to create the 2nd rule "PFBlocker Block all Romania" as an "Alias Deny" rule. This way all the rules are aliases, and you can configure/customize them as you choose.
-
I have posted Pull Request #818 to fix the following issues:
1. Improved IPv6 Regex
2. Suppress '0.0.0.0/32' from being added to any Alias/Lists.
3. General Tab - Moved the "Keep" Checkbox to be just below the
"Enable pfBNG" checkbox.This will bump pfBNG to version 1.04
-
Disabled a couple I-Block lists after reading what you wrote BB. I was getting too many outbound blocks with a couple of them that I didn't want. Any I-Block lists worth using?
It is a shame that ET's prices are so high.
I also started using some of the lists that you referenced on page 16 on this forum. Thanks for the fast responses btw! Your help is appreciated.
-
Has anyone done a "How to setup example" like there are with the old PFB
-
-
Is it possible to use easy list
Not currently. That is a Domain Blocklist. pfBlockerNG is an IP Based Blocking solution. pfBNG v2.0 will have this functionality.
Sounds interesting with a domain blocklist. Could the functionality also be reversed, så it would be possible to create a domain whitelist in pfBNG 2.0?
Br,
Thomas -
Code red theme footer error. (Only in alerts tab)
Thanks turker… I will take a look at that when I get a chance...
-
Sounds interesting with a domain blocklist. Could the functionality also be reversed, så it would be possible to create a domain whitelist in pfBNG 2.0?
You could whitelist Domains that you didn't want to block (Suppression).. But a reverse, not sure how that would work with Unbound.
-
Has anyone done a "How to setup example" like there are with the old PFB
I will try to write one up… What kind of things would you guys want to see in a Tutorial? The basics? or just for the new features?
-
I think the how-to should be left up to the community. One of, or several of us could collaborate on that part. DNSBL needs attention, ie. pfBlockedrNG 2.0, I miss the daily updates. ::)
-
I'm noticing extremely high CPU usage on my pfSense box when I'm just sitting on my pfBlockerNG alerts page. Its attributed to one or more processes named "php-fpm: pool lighty (php-fpm)"
It seems like the longer I'm on the that page, the more of those processes I see, and the higher the CPU usage gets.
For what its worth, I'm seeing a significant number of alerts from attempts to access lots of different IPs at: 61.145.124.x and 183.61.112.x on port 80. These are originating from a Nexus 9 tablet. I can't figure out how they belong to, other than some Chinese telecon and some appear to be alibaba. Any ideas? I'm trying to decide if I should be concerned…
-
Hi reggie.
I haven't noticed any significant Load from the Alerts Tab myself? Do you leave it running with Auto-Refresh and Auto-Resolve running? Which Browser are you using?
Are those Alerts coming from a Country Block? You can click any of the "!" to pull more detail about those IPs. There are several different sites listed in that Lookup page.