PfBlockerNG
-
If you are restricting those two ports for SSH and OpenVPN to a select few IPs, then it doesn't protect you to have pfBNG "Inbound" rules as the "Implicit Deny" on the WAN is already dropping all unsolicited traffic.
If you want to see the activity "noise" that is being implicitly blocked on the WAN, you can use "Deny Both" but it will slightly impact performance. FreeBSD "pf" is quite capable to process the IPs and lookup the Alias Tables, however its not offering any protection to your network as stated above.
You will see less activity in the Widget/Alert Logs without the "Deny Inbound" rules but that is a good thing. You should really be looking at what is being blocked. So if a LAN device is showing blocked activity to a Malicious IP, you should be investigating why?
By un-neccessarily using the "Deny Both" rules, you are cluttering your alerts log and you can miss the real malicious activity that you should be looking out for.
You don't just want to turn it on, and forget about it.
If for example you have a single port (or a few ports) open on the WAN, you are better off in creating an "Alias Deny" rule(s), and creating a manual Firewall rule just for the Inbound port(s). This way it reduces un-necessary processing of the Inbound packets.
-
Via the private repository but it will be available soon as a pfsense package.
Be patient :)
How can I get access to this private repo?
-
Via the private repository but it will be available soon as a pfsense package.
Be patient :)
How can I get access to this private repo?
The Package has already been released… Its in the pfSense Package Repo.
-
Hi folks,
I have a question re. utilizing a pfBlockerNG alias. Specifically, this text:
When using 'Alias' rules, change (pfB_) to ( pfb_ ) in the beginning of rule description and use the 'Exact' spelling of the Alias (no trailing Whitespace) Custom 'Alias' rules with 'pfB_ xxx' description will be removed by package if using Auto Rule Creation.
I am assuming that I don't have to change anything with respect to the alias created by pfBlockerNG itself, but when creating a rule that utilizes the alias must the rule description field contain only the alias name (with the lower case 'B' substituted in the pfb_ prefix) or can it include additional text after the alias name? The "in the beginning of rule description" wording implies (to me) that other text can follow …but the "no trailing Whitespace" implies no other text should follow. I currently have additional text in the rule description field, and the dashboard widget shows green for the alias, but I just want to be sure.
Thanks (and awesome package by the way!) ...
-
I currently have additional text in the rule description field, and the dashboard widget shows green for the alias, but I just want to be sure.
Hi Slab,
The Green arrow indicator, will show that there is a Rule associated with the pfBlockerNG Alias. If you add extra text to the Manual Rule Description, the Packet Count for this Manual Alias Rule in the widget might not work.
-
Hi, I updated from pfsense 2.2 to 2.2.1 and my pfBlockerng config got wiped. The package was uninstalled and reinstalled according to the logs
all I had was 1 alias of 1 country, type native
any ideas before I update the other 13 firewalls?
Thank you for your time
Mar 19 09:49:28 php: rc.bootup: Attempting to reinstall all packages
Mar 19 09:49:28 php: rc.bootup: List of packages to reinstall: OpenVPN Client Export Utility, pfBlocker
Mar 19 09:49:28 php: rc.bootup: Uninstalling package OpenVPN Client Export Utility
Mar 19 09:49:40 php: rc.bootup: Finished uninstalling package OpenVPN Client Export Utility
Mar 19 09:49:40 php: rc.bootup: Reinstalling package OpenVPN Client Export Utility
Mar 19 09:49:40 php: rc.bootup: Beginning package installation for OpenVPN Client Export Utility .
Mar 19 09:49:57 php: rc.bootup: Successfully installed package: OpenVPN Client Export Utility.
Mar 19 09:49:57 php: rc.bootup: Finished installing package OpenVPN Client Export Utility
Mar 19 09:49:57 php: rc.bootup: Uninstalling package pfBlocker
Mar 19 09:49:57 php: rc.bootup: Finished uninstalling package pfBlocker
Mar 19 09:49:57 php: rc.bootup: Reinstalling package pfBlocker
Mar 19 09:49:58 php: rc.bootup: Finished installing package pfBlocker
Mar 19 09:49:58 php: rc.bootup: Finished reinstalling all packages. -
Hi Seqteq,
There is a checkbox in the General Tab called "Keep Settings" that needs to be enabled. On all new installations it has been defaulted to "On".
Its strange that your posted log has "pfBlocker" when it should be "pfBlockerNG"
-
Hi, I updated from pfsense 2.2 to 2.2.1 and my pfBlockerng config got wiped. The package was uninstalled and reinstalled according to the logs
pfBlocker package does not exist any more. No configuration from there will be carried over to pfBlockerNG. Restart from scratch.
-
Hi Seqteq,
There is a checkbox in the General Tab called "Keep Settings" that needs to be enabled. On all new installations it has been defaulted to "On".
Its strange that your posted log has "pfBlocker" when it should be "pfBlockerNG"
Ah, thanks I'll check that tomorrow.
Just noticed the ng was missing in the log. I was definitely using ng in 2.2 and ng is definitely what got installed after the 2.2.1 update. iDunno. I adopted 2.2 for this appliance early, before the ng release, but that got replaced like the day after ng dropped. -
There's no way the package would reinstall in 1 second. Probably you have too many boxes to keep track of what actually was there.
-
Hello
Got Something strange with PpBlockerNG on alerts tab
Fatal error: Call to undefined function subnetv6_expand() in /etc/inc/util.inc on line 714
Any idea what is going wrong ?
Thanks
-
pfBlockerNG v1.06 has been Merged by the Devs.
Changelog:
-
Previously when deleting all IPs in the pfBlockerNGSuppress Alias, it would not
clear the widget Suppression Counter. This version fixes that issue as reported by user "Panz". -
Merged recent changes in pfSense diag_dns.php into pfblockerng_diag_dns.php to keep code base current.
-
Change Release to "Stable" from previous "Beta" Status.
Notes -
The issue reported by "stanthewizard" above is partially due to a missing function in pfSense (subnetv6_expand). I expect that I will need to submit a new Pull Request to fix this issue. I provided him a workaround to fix his issue for now.
-
-
And I thank you for that again
-
There's no way the package would reinstall in 1 second. Probably you have too many boxes to keep track of what actually was there.
That was it, it's been a busy year.
-
Hi, Thanks for a great pkg.
I'm having problem with port forwards and UPnP & NAT-PMP.
I use this settings for pfBlockerNG:
Marked all lists
Top 20 and Asia is blocked, both rest blocked inbound.
I have added custom lists from Bluetack ads/proxy/spyware and from Squidblacklist ads. All deny both
Set rule order pfSense pass/match | pfB_pass/match | pfB_block/rejectTIA
-
I'm having problem with port forwards and UPnP & NAT-PMP.
You need to describe what is your problem…
I use this settings for pfBlockerNG:
Marked all lists
Top 20 and Asia is blocked, both rest blocked inbound.What all lists? The country lists? So you blocked whole world inbound, or what? I don't understand your description at all. Plus, block is default on WAN. Are you actually running any service locally that you need to limit access to?
-
I'm having problem with port forwards and UPnP & NAT-PMP.
You need to describe what is your problem…
I use this settings for pfBlockerNG:
Marked all lists
Top 20 and Asia is blocked, both rest blocked inbound.What all lists? The country lists? So you blocked whole world inbound, or what? I don't understand your description at all. Plus, block is default on WAN. Are you actually running any service locally that you need to limit access to?
Never mind, me who has got all wrong :( Changed to outbound only and now it's working
-
I heard there was host blocking option on it's way?
-
I just wanted to drop a thank you for a great package. Runs excellent with all the bells running. Error log is empty.
Thanks again guys. BBcan177 nice job. Your work is appreciated. ;Dps: just finished reading this post in its entirety and what did you guys "NOT" cover. The post is a manual in its own right. Your patience shows. ::)
-
Here is another Threat Source for pfBlockerNG :
This feed is provided by : bambenekconsulting.com
These lists cover the following type of Threats:
-
Banjori
-
Bebloh/URLZone
-
Cryptolocker
-
Cryptowall
-
Dyre
-
Geodo
-
Hesperbot
-
Matsnu
-
Necurs
-
P2P GOZ
-
PT GOZ / New GOZ
-
Pushdo
-
Qakbot
-
Ramnit
-
Symmi
-
Tinba / TinyBanker
Here is a list of all the Feeds available: All Feeds
I would recommend using the two main IP lists which encompass all of the individual Lists:
c2 IP Feed Master Feed of known, active and non-sinkholed C&Cs IP addresses.
c2 All Indicator Feed Master Feed of known, active and non-sinkholed C&Cs indicators
Use the "html" Format to download these Lists. Download frequency of atleast once per day.
** Please read their License and please donate to the charity they run called the "Tumaini Foundation".
If you see Alerts to any of these Lists, please take additional measures to clean up any infections as these IPs are very malicious. So please put these lists into its own Alias.
-