PfBlockerNG
-
How long did your wait? What did the logs say? Look at the geoip.log, did it finish downloading?
I could nog fully install this: hangs at converting…
-
Just out of curiosity, go to <status><system logs=""><firewall logs="">then go to the bottom of the list and click <clear>. Might fix the problem.
Be gentle, this is my first post here. :)
When I go to the Alerts tab in pfBlockerNG, it shows the same set of Alerts, all dated Jan 28th. There are a total of 59 alerts. I installed pfBlockerNG in early February. The pfBlockerNG Dashboard Widget does seem to be accurate, with constantly changing counts under the Packets heading, which reset to zero when I update the rules. In other words, it seems to be working as it should, but the Alerts tab seems to be stuck on the initial set of 59 entries, all dated Jan 28th (not sure why Jan 28th when I installed the package in Feb?). I've updated pfBlockerNG a couple of times since my initial install, but the same Alerts continue to show.
I did have the original pfBlocker app installed back on the 2.1.5 release, and did not remove it prior to upgrading to 2.2. At some point after upgrading to 2.2, I uninstalled pfBlocker, then installed pfBlockerNG. I noticed immediately after installing NG those Alerts dated Jan 28th, which I thought was weird considering that date was many days old. But I've patiently waited a couple of updates to see if it would resolve itself. Since it hasn't yet, I'm posting here.
Any ideas?
Thanks!</clear></firewall></system></status>
-
Add the countries back one at a time, maybe run MalwareBytes on your PC/PC's?
I can't imagine a scenario where this package would slow down your network. Did you make any other changes the day you installed pfBkockerNG?
Has anyone had any impact on the network speed especially internet activity since enabling this? I disabled logging in hopes of speeding things up, could this be slowing things down?
No other than adding other ip list but none of them are seeing the hits like the top 20 countries list. I deselected all the top 20 countries and everything is running much smoother now. I was seeing a lot of packet hits on the ipv4 side. Im thinking mayb this had something to do with it.
-
Just out of curiosity, go to <status><system logs=""><firewall logs="">then go to the bottom of the list and click <clear>. Might fix the problem.</clear></firewall></system></status>
That did it. Thank you!
-
With the new 1.04 and all my lists installed with de-duplication on I am getting good results
-
I could nog fully install this: hangs at converting…
Hi pfsense_fan009, I think that you need to add some more memory to your box to be able to use pfBlockerNG or any other package like Snort/Suricata.
-
Since i turned de-duplication on, i havent been seeing any hits and the internet traffic is running much smoother. Should i still being seeing some hits though?
EDIT
I changed the inbound and outbound interface to WAN and it seems to be working again.
-
I did wait for 20minutes:
Converting MaxMind Country Databases for pfBlockerNG. This may take a few minutes…
I'm running this on a alix 2d13 on 2.2 (I had pfBlocker installed before installing the pfblockerNG).
Suggestions ?How long did your wait? What did the logs say? Look at the geoip.log, did it finish downloading?
I could nog fully install this: hangs at converting…
-
Since i turned de-duplication on, i havent been seeing any hits and the internet traffic is running much smoother. Should i still being seeing some hits though?
EDIT
I changed the inbound and outbound interface to WAN and it seems to be working again.
You should set inbound to WAN and outbound to LAN.
On your ipv4 lists if you want to block in and out you set "Deny Both". In saying that you don't need to block incoming as it's blocked by default, unless you have multiple ports opened you don't need to blocking incoming unless you like seeing things being blocked.
I can't see how deduplication would make things faster other than removing duplicate IP addresses in multiple lists, then I can't see how it would be slow in the first place
-
Since i turned de-duplication on, i havent been seeing any hits and the internet traffic is running much smoother. Should i still being seeing some hits though?
EDIT
I changed the inbound and outbound interface to WAN and it seems to be working again.
You should set inbound to WAN and outbound to LAN.
On your ipv4 lists if you want to block in and out you set "Deny Both". In saying that you don't need to block incoming as it's blocked by default, unless you have multiple ports opened you don't need to blocking incoming unless you like seeing things being blocked.
I can't see how deduplication would make things faster other than removing duplicate IP addresses in multiple lists, then I can't see how it would be slow in the first place
So basically I need to be looking at it this way, im the firewall what ever traffic I receive from the internet/WAN is considered inbound and whatever I send out it going to my internal LAN? Correct?
-
Converting MaxMind Country Databases for pfBlockerNG. This may take a few minutes…
I'm running this on a alix 2d13 on 2.2 (I had pfBlocker installed before installing the pfblockerNG).
Suggestions ?Look at the system logs if you see any Killed entry there.
-
So basically I need to be looking at it this way, im the firewall what ever traffic I receive from the internet/WAN is considered inbound and whatever I send out it going to my internal LAN? Correct?
Yes! :) Wan = Inbound , Lan = Outbound
-
So basically I need to be looking at it this way, im the firewall what ever traffic I receive from the internet/WAN is considered inbound and whatever I send out it going to my internal LAN? Correct?
Yes! :) Wan = Inbound , Lan = Outbound
Thanks, this all is starting to fall into place now. Now that i have my inbound and outbound interfaces set correctly, the adblock lists aren't really as bad as i thought they were.
-
Converting MaxMind Country Databases for pfBlockerNG. This may take a few minutes…
I'm running this on a alix 2d13 on 2.2
Running the same hardware, "Converting …" takes a few minutes.
-
I finally upgraded to pfSense 2.2 and pfBlockerNG. Wow, wlot of stuff has been added!
Is there an instructions for pfBlockerNG that I can read up on? Much of what I see is like trying to read Latin and I don't want to mess anything up
-
I have earlier in this topic posted some setup screens captures for people to see the setup. If need help with something just ask here or message me I will help
-
I have submitted Pull Request #820 to fix the following issues:
1. Issue for Nano and Ramdisk Installations -
The /var and /tmp folders get wiped on Reboot. This will delete the /var/db/aliastables folder which on Reboot causes a 60 second timeout per pfBNG Alias (Which for some can timeout for 20mins). The new functionality will now Archive the Aliastables on any Alias updates.
Using the **<earlyshellcmd></earlyshellcmd>**functionality, it will restore the archived Aliastables on reboot to prevent this issue.
However, all of the other /var/db/pfblockerng files are also deleted. To restore those files, a "Force Update" is required or ultimately will get restored by the next CRON run. This however, will not affect the reboot process.
If you manually patched the download_file() function from 60 secs to 5 secs. You can revert that change as its not required with these new changes.
2. Improved the Alerts Tab to handle a Large firewall log file (as 2.2 has functionality to increase the size of the log file). These changes should result in a 50-75% improvement in loading/CPU usage. The Javascript functions were also improved to avoid it being called when the "Auto Resolve" checkbox was not enabled. This was spinning up 2-3 additional php-fpm processes. A timeout was also added to reduce the hostname lookup to 30seconds. If you refresh the Alerts Page shortly after it loads, it can seem to take a little longer, but this is due to the hostname lookups that are still in progress.
3. Made additional improvements to the IPv6 Regex functionality.
4. This will bump the pfBNG version to 1.05.
-
Good evening and thanks for the wonderfull package.
I'm trying to configure it properly and I have a certain question.
Lets say I use 2 lists
The first list has 200 IPs inside, which I have configured it to "Deny Inbound" (I got lots of open ports)
The second list has 150 IPs inside, and I have configured it to "Deny Both"
On the second list 100 IPs are the same as the first list, so after deduplication I assume that we're left with 50 IPs blocked by the "Deny Both" rule applied on that list.
Are the deduplicated IPs fall under the "Deny Inbound" or "Deny Both" rule since after the deduplication they're not "left" on the second list?
p.s sorry for my bad english, i'm not a native speaker.
-
Okay, here are a few dumb questions with more to follow after I get these answers.
I'd like to subscribe to a few lists. They can be free or paid for, as long as they are kept current and are fairly complete. I am aware of I-Blocklist. Are there any that are better?
Whatever I do, I need to be sure this won't affect my clients and thir ability to conduct normal business. The only country I block at this time is China, they are unmerciful in their attacks.
I'm interested to subscribing to several lists. For instance, a spammer list (hacked IPs, etc) that are known for sending email spam, a hacker list (hacked IPs used for attempting to hack other servers for whatever reasons), and any other lists that may protect my network.
I really appreciate your input. Depending on the answer(s), I'll have more questions.
Thank you for your time.
-
Hi
I had a Pfblocker using OSSIM ip list.
One valid peer vas included in the block list and starting to be blocked, after a few days, it was out of the list but still if I ping from behind any of firewall interfaces, my ping or telnet :25 does not get any answer.At firewall logs I see the source and destination ip with a green mark so it appear to pass, but all replies to 25 TCP port and icmp are timed out.
I updated to pfsense 2.2, installed PFblockerNG and delected old list from directory, I deleted all old pfblocker firewall rules but still I have not response.
If I ssh into the firewall and try to telnet to 25 from firewall it answer without problem, but not answer behind any other int.
What could be hapeninng?Im getting crazy guys
