PfBlockerNG
-
> I don't think so, but please let me know how it went after Resetting the Logs?
Thanks, will do so tomorrow.
> To be able to see the country for firewall logs is a great feature.
> I could look at that. It will add some overhead but I could make it into an 'option'.
I just gave it a quick try (without the check boxes, simply hard coded since my php knowledge is pretty much non-existent) and changed the following:
Old:
$data = exec ("/sbin/pfctl -vv -sr | grep 'pfB_'", $results);
New:
$data = exec ("/sbin/pfctl -vv -sr", $results);
Old:
if (preg_match("/USER_RULE: (\w+)/",$result,$desc))
New:
if (preg_match("/USER_RULE: (.*)\"/",$result,$desc))
It would be very nice to be able to flip them both by toggling one check box.
Also it would be good if this one could be toggled as well:
//Remove any Duplicate IPs
$pfb_local = array_unique($pfb_local);
Simple reason: This allows me to see for incoming mails if the same address tried multiple times and has been blocked by the spam filter on the mail server. If that happens (and it does) for some countries again and again which I don't do business with anyway I'd add them to the country block list.
Anyway, one more thing I completely forgot: pfBlockerNG is absolutely great!!!
-
Hi jeffh,
I would read this thread for my comments on 'Blocking the world, and allow a few Countries' and reverse that approach to Permit a select few Countries instead. pfSense is a stateful Firewall by design and is already Implicitly blocking on the Inbound.
If you want to protect some open ports, you should look at creating an Alias rule to protect the individual Inbound Port(s). Otherwise, Blocking on the Inbound with no open ports is inspecting packets that are already going to be dropped by the Implicit Deny Rule.
The Alerts Tab reads the Firewall Log to get its data. The Firewall logs only hold a certain amount of data (Can be configured in the Firewall Settings). The Firewall log is also cleared on a regular basis and thus older alerts will disappear.
The Widget Packet Counts are read from pfSense 'pfctl'. Those stats are cleared if you edit/save any Rules/NAT etc. and a 'Filter_reload' occurs. So the counts will increase forever if you do not make any config changes. But as per above, the Firewall log is cleared and this is why these alerts are not being displayed in the Alerts Tab.
-
> I just gave it a quick try (without the check boxes, simply hard coded since my php knowledge is pretty much non-existent) and changed the following
Thanks. I will take a look and see if I can incorporate that.
> Also it would be good if this one could be toggled as well:
This is the code that skips 'Repeated Alerts'. You can comment out the "continue" line to skip that process.
// Skip Repeated Alerts
if (($pfbalert[3] . $pfbalert[8] . $pfbalert[10]) == $previous_dstip || ($pfbalert[3] . $pfbalert[7] . $pfbalert[9]) == $previous_srcip)
    continue;
> Anyway, one more thing I completely forgot: pfBlockerNG is absolutely great!!!
Thanks! :)
-
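Added example, not code from the thread or from pfBlockerNG: the 'Skip Repeated Alerts' comparison quoted in the post above, re-implemented in Python over a constructed set of alerts so the effect of the toggle can be seen. The field names iface/src/sport/dst/dport for the positional $pfbalert entries, and the assumption that 'previous' means the last alert that was kept, are this example's own.

```python
from collections import namedtuple

# One alert record. The field meanings are an assumption for this example:
# pfBlockerNG's $pfbalert array is positional and the thread only shows which
# positions are compared (3 with 8/10 for the destination side, 3 with 7/9
# for the source side), which is mapped here onto iface, dst/dport, src/sport.
Alert = namedtuple("Alert", "iface src sport dst dport")

# Constructed sample: a mail server (192.0.2.10:25) behind pfSense being
# hammered by one blocked source, then touched by a second one. Addresses
# come from the documentation ranges; none of this is real log data.
SAMPLE_ALERTS = [
    Alert("em0", "203.0.113.7", 51000, "192.0.2.10", 25),
    Alert("em0", "203.0.113.7", 51001, "192.0.2.10", 25),
    Alert("em0", "203.0.113.7", 51002, "192.0.2.10", 25),
    Alert("em0", "198.51.100.9", 40000, "192.0.2.10", 25),
    Alert("em0", "198.51.100.9", 40001, "192.0.2.10", 443),
    Alert("em0", "203.0.113.7", 51003, "192.0.2.10", 25),
]


def skip_repeated(alerts, enabled=True):
    """Re-implementation of the 'Skip Repeated Alerts' comparison.

    An alert is dropped when its (iface, dst, dport) key equals the previous
    kept alert's destination key, or its (iface, src, sport) key equals the
    previous kept alert's source key. Treating 'previous' as the last alert
    kept is an assumption about the PHP loop. With enabled=False every alert
    is returned, which is what commenting out the `continue` achieves.
    """
    kept = []
    prev_dst = prev_src = None
    for a in alerts:
        dst_key = (a.iface, a.dst, a.dport)
        src_key = (a.iface, a.src, a.sport)
        if enabled and (dst_key == prev_dst or src_key == prev_src):
            continue
        kept.append(a)
        prev_dst, prev_src = dst_key, src_key
    return kept


def hits_per_source(alerts):
    """Alerts per source address: the view needed to spot a repeat offender."""
    counts = {}
    for a in alerts:
        counts[a.src] = counts.get(a.src, 0) + 1
    return counts


if __name__ == "__main__":
    for enabled in (True, False):
        shown = skip_repeated(SAMPLE_ALERTS, enabled)
        print("skip repeats =", enabled, "->", len(shown), "alerts shown,",
              hits_per_source(shown))
```

Of the six constructed alerts, three survive with the skip on, and the first attempt from the second source (198.51.100.9 to port 25) is one of those dropped: the comparison only looks at the destination key (interface, destination address, destination port), not at who sent the packet. With the skip off, hits_per_source gives the per-address count the poster wants for deciding which countries keep knocking on the mail server.
-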
> Hi jeffh,
> I would read this thread for my comments on 'Blocking the world, and allow a few Countries' and reverse that approach to Permit a select few Countries instead. pfSense is a stateful Firewall by design and is already Implicitly blocking on the Inbound.
> If you want to protect some open ports, you should look at creating an Alias rule to protect the individual Inbound Port(s). Otherwise, Blocking on the Inbound with no open ports is inspecting packets that are already going to be dropped by the Implicit Deny Rule.
Thanks BBcan177, I'll read through this thread, but that definitely makes sense. Not sure why I didn't think of that approach from the get go.
-
Hello ha11oga11o,
There is an issue as you have all "-" in the Widget Packet Counts.
Please reset all files with the following steps from the General Tab:
- Uncheck "Keep Settings"
- Disable "pfBlockerNG"
- Click "Save"
After it completes, reverse the steps above. Then run a "Force Update" The widget Packet Counts should start with "0's".
NOTE - Please don't select Countries in the 'TOP' alias, and then select the same Countries in the other Continent Tabs.
Hello BBcan177,
Many thanks, that works fine for the widget.
But still can't see anything at the Alerts tab :/
Cheers :)
-
> Many thanks, that works fine for the widget.
> But still can't see anything at the Alerts tab :/
Find an IP that is in any of the pfBNG Alias Tables and ping it from a Device behind pfSense… That should trigger an Alert. Also make sure that logging is enabled in the Aliases.
This command will give you some more stats from the Shell:
pfctl -vvsTables
-
> Thanks BBcan177, I'll read through this thread, but that definitely makes sense. Not sure why I didn't think of that approach from the get go.
If you don't have open ports and you only want to have your devices talk to certain Countries, then you can create "Permit Outbound" rules. Keep in mind that there are a ton of Malicious IPs in NA Countries also. Recommend using decent Blocklists to block known Malicious IPs.
-
> Many thanks, that works fine for the widget.
> But still can't see anything at the Alerts tab :/
> Find an IP that is in any of the pfBNG Alias Tables and ping it from a Device behind pfSense… That should trigger an Alert. Also make sure that logging is enabled in the Aliases.
> This command will give you some more stats from the Shell:
> pfctl -vvsTables
Something is really wrong with my pfBlockerNG. Again I have "-" on the widget and this is the shell output.
http://pastebin.com/Gze9xyAd
-
ha11oga11o,
Does the pfblockerng.log show any errors/Issues?
Disable pfBlockerNG again as indicated in my post above. Then Reboot.
After the reboot, enable a few Aliases at a time and run a "Force Update" to see if those Aliases show "0's" in the widget… Rinse and Repeat with a few more Aliases. Then you can determine which alias is causing the issue.
-
Hi ConfusedUser,
Those changes that you made to capture the Country in the List column are not correct unfortunately. But I think you need to look at the "CC" column which will already tell you which Country it is anyways. :)
-
> ha11oga11o,
> Does the pfblockerng.log show any errors/Issues?
> Disable pfBlockerNG again as indicated in my post above. Then Reboot.
> After the reboot, enable a few Aliases at a time and run a "Force Update" to see if those Aliases show "0's" in the widget… Rinse and Repeat with a few more Aliases. Then you can determine which alias is causing the issue.
No errors at all,
I rebooted, enabled a couple of lists and all is working fine. Now I just need to enable them one by one and update. I think that should solve the problem of finding which list is broken, or maybe I have way too many IPs on the lists so that they cannot fit into the tables.
Many thanks for pointing me in the right direction. Now it's up to me just to do my stuff and find the broken one.
Cheers :)
-
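Added example, not from the thread or from pfBlockerNG: a small parser for `pfctl -vvsTables` output that pulls out, for each pfB_ table, the loaded address count, the number of rules referencing it and the blocked-packet counters, then flags tables that could never produce a hit. The sample output is constructed to follow pf's per-table counter layout; the table names and numbers are invented.

```python
import re

# Constructed `pfctl -vvsTables` output, laid out the way pf prints per-table
# counters. Names and numbers are invented; the last table stands in for a
# list that loaded nothing.
SAMPLE_TABLES = """\
-pa-r--\tpfB_Top_v4
\tAddresses:   5432
\tCleared:     Mon Mar  9 10:00:00 2015
\tReferences:  [ Anchors: 0                  Rules: 2                  ]
\tEvaluations: [ NoMatch: 4321               Match: 59                 ]
\tIn/Block:    [ Packets: 56                 Bytes: 3360               ]
\tIn/Pass:     [ Packets: 0                  Bytes: 0                  ]
\tIn/XPass:    [ Packets: 0                  Bytes: 0                  ]
\tOut/Block:   [ Packets: 3                  Bytes: 180                ]
\tOut/Pass:    [ Packets: 0                  Bytes: 0                  ]
\tOut/XPass:   [ Packets: 0                  Bytes: 0                  ]
-pa-r--\tpfB_ET_Block_v4
\tAddresses:   1200
\tCleared:     Mon Mar  9 10:00:00 2015
\tReferences:  [ Anchors: 0                  Rules: 2                  ]
\tEvaluations: [ NoMatch: 800                Match: 12                 ]
\tIn/Block:    [ Packets: 12                 Bytes: 720                ]
\tIn/Pass:     [ Packets: 0                  Bytes: 0                  ]
\tIn/XPass:    [ Packets: 0                  Bytes: 0                  ]
\tOut/Block:   [ Packets: 0                  Bytes: 0                  ]
\tOut/Pass:    [ Packets: 0                  Bytes: 0                  ]
\tOut/XPass:   [ Packets: 0                  Bytes: 0                  ]
-pa-r--\tpfB_Broken_v4
\tAddresses:   0
\tCleared:     Mon Mar  9 10:00:00 2015
\tReferences:  [ Anchors: 0                  Rules: 2                  ]
\tEvaluations: [ NoMatch: 0                  Match: 0                  ]
\tIn/Block:    [ Packets: 0                  Bytes: 0                  ]
\tIn/Pass:     [ Packets: 0                  Bytes: 0                  ]
\tIn/XPass:    [ Packets: 0                  Bytes: 0                  ]
\tOut/Block:   [ Packets: 0                  Bytes: 0                  ]
\tOut/Pass:    [ Packets: 0                  Bytes: 0                  ]
\tOut/XPass:   [ Packets: 0                  Bytes: 0                  ]
"""

ADDRESSES = re.compile(r"Addresses:\s+(\d+)")
RULE_REFS = re.compile(r"Rules:\s+(\d+)")
BLOCK_PKTS = re.compile(r"(In|Out)/Block:\s+\[ Packets:\s+(\d+)")


def parse_tables(text, prefix="pfB_"):
    """Return {table_name: counters} for every table whose name starts with prefix."""
    stats = {}
    name = None
    for line in text.splitlines():
        if line and not line[0].isspace():
            # Header line: table flags, then the table name.
            parts = line.split()
            name = None
            if len(parts) == 2 and parts[1].startswith(prefix):
                name = parts[1]
                stats[name] = {"flags": parts[0], "addresses": 0, "rules": 0,
                               "in_block": 0, "out_block": 0}
            continue
        if name is None:
            continue  # counter line of a table we are not tracking
        rec = stats[name]
        m = ADDRESSES.search(line)
        if m:
            rec["addresses"] = int(m.group(1))
        m = RULE_REFS.search(line)
        if m:
            rec["rules"] = int(m.group(1))
        m = BLOCK_PKTS.search(line)
        if m:
            rec[m.group(1).lower() + "_block"] = int(m.group(2))
    return stats


def blocked_packets(stats):
    """Inbound plus outbound blocked packets per table."""
    return {n: r["in_block"] + r["out_block"] for n, r in stats.items()}


def suspect_tables(stats):
    """Tables that cannot produce a hit: nothing loaded, or no rule uses them."""
    return sorted(n for n, r in stats.items()
                  if r["addresses"] == 0 or r["rules"] == 0)


if __name__ == "__main__":
    s = parse_tables(SAMPLE_TABLES)
    for n, r in s.items():
        print(n, "addresses", r["addresses"], "rules", r["rules"],
              "blocked", r["in_block"] + r["out_block"])
    print("suspect:", suspect_tables(s))
```

On a live box the text would come from `pfctl -vvsTables` run in the pfSense shell. A table showing Addresses: 0 after a Force Update is the obvious candidate when hunting a broken list as in the post above; a table with Rules: 0 is one no firewall rule refers to, so its counters stay at zero even when it is fully loaded.
-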
> Hi ConfusedUser,
> Those changes that you made to capture the Country in the List column are not correct unfortunately. But I think you need to look at the "CC" column which will already tell you which Country it is anyways. :)
Those changes were not made to change anything in the List or CC column.
$data = exec ("/sbin/pfctl -vv -sr", $results);
This is to prevent filtering by 'pfB_'.
if (preg_match("/USER_RULE: (.*)\"/",$result,$desc))
And this is to display the rule name correctly.
So on my side it's working absolutely fine.
-
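The regex change discussed in this post and in the first post of the thread, worked through as an added example (not code from the thread or from pfBlockerNG): both patterns are run over constructed `pfctl -vv -sr` lines, and each rule is then paired with its packet counter. The sample output, rule names and counts are assumptions modelled on pf's output layout, and pairing rule lines with counter lines is this example's own design, not a description of the widget code.

```python
import re

# Constructed sample of `pfctl -vv -sr` output, following the layout pf uses
# (a numbered rule line, then its counter line, then an 'Inserted' line).
# Rule labels, interfaces and counts are invented for the example.
SAMPLE_RULES = """\
@1 block drop in log quick on em0 inet from <pfB_Top_v4:5432> to any label "USER_RULE: pfB_Top_v4 auto rule"
  [ Evaluations: 4321      Packets: 56        Bytes: 3360        States: 0     ]
  [ Inserted: uid 0 pid 12345 State Creations: 0     ]
@2 block drop out log quick on em0 inet from any to <pfB_Top_v4:5432> label "USER_RULE: pfB_Top_v4 auto rule"
  [ Evaluations: 9876      Packets: 3         Bytes: 180         States: 0     ]
  [ Inserted: uid 0 pid 12345 State Creations: 0     ]
@3 pass in quick on em1 inet from 192.168.1.0/24 to any flags S/SA keep state label "USER_RULE: Allow LAN to any"
  [ Evaluations: 100000    Packets: 98765     Bytes: 123456789   States: 12    ]
  [ Inserted: uid 0 pid 12345 State Creations: 500   ]
"""

# The two label patterns from the thread. \w+ stops at the first space or
# hyphen, so "Allow LAN to any" comes back as "Allow". The replacement used
# here stops at the closing quote without being greedy, which matters if a
# line ever carries a second quoted string after the label.
OLD_LABEL = re.compile(r'USER_RULE: (\w+)')
NEW_LABEL = re.compile(r'USER_RULE: ([^"]*)"')
COUNTERS = re.compile(r'\[ Evaluations: (\d+)\s+Packets: (\d+)\s+Bytes: (\d+)\s+States: (\d+)')


def rule_labels(text, label_re=NEW_LABEL, only_pfb=True):
    """Labels of every USER_RULE line, optionally restricted to pfB_ rules
    the way the original `grep 'pfB_'` did."""
    out = []
    for line in text.splitlines():
        if not line.startswith("@"):
            continue
        if only_pfb and "pfB_" not in line:
            continue
        m = label_re.search(line)
        if m:
            out.append(m.group(1))
    return out


def packets_by_label(text, label_re=NEW_LABEL, only_pfb=True):
    """Pair each labelled rule with the Packets counter on the line that
    follows it and sum per label (the inbound and outbound rules of one
    pfBlockerNG alias share a label in this sample)."""
    totals = {}
    pending = None
    for line in text.splitlines():
        if line.startswith("@"):
            pending = None
            if only_pfb and "pfB_" not in line:
                continue
            m = label_re.search(line)
            if m:
                pending = m.group(1)
        elif pending is not None:
            m = COUNTERS.search(line)
            if m:
                totals[pending] = totals.get(pending, 0) + int(m.group(2))
                pending = None
    return totals


if __name__ == "__main__":
    print("old pattern:", rule_labels(SAMPLE_RULES, OLD_LABEL, only_pfb=False))
    print("new pattern:", rule_labels(SAMPLE_RULES, NEW_LABEL, only_pfb=False))
    print("packets:", packets_by_label(SAMPLE_RULES, only_pfb=False))
```

With `only_pfb=False` the parser sees every USER_RULE, which is what dropping the `grep 'pfB_'` does; the old pattern then truncates any label containing a space, while the new one returns it whole.
-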
Has anyone had an issue with settings reverting back after they are changed?
I have set "deny inbound" on a number of different 2.2.1 boxes, hit save, and force update.
they seem to revert back to "deny both" on their own.
-
> Has anyone had an issue with settings reverting back after they are changed?
> I have set "deny inbound" on a number of different 2.2.1 boxes, hit save, and force update.
> they seem to revert back to "deny both" on their own.
I have not seen that.. Are these boxes Sync'd via XML RPC Sync? When do you notice it reverting back?
-
> Those changes were not made to change anything in the List or CC column.
Hi ConfusedUser,
Sorry, I mis-read your post… I'd rather not mix it with the other non-pfBNG alerts. But you are welcome to patch that in your system. Would be nice to add the CC column to the base pfSense Code.
-
Any update on the ad blocker you spoke about in earlier posts? Thanks!
-
> Any update on the ad blocker you spoke about in earlier posts? Thanks!
I have a few testers using the beta of pfBNG with DNSBL. Been really busy lately, so I haven't had much time to spend on it. I will try to keep you guys informed on my progress.
-
Ok, I'm about to ask a stupid question. Yes I searched first, but didn't find the answer - or was too stupid to understand it.
Where is everyone getting the IP block lists to import into pfBNG? I know of a few, but it seems like everyone uses many of the same (based on the screenshots), so thought I would just ask if there is a list somewhere.
Jason
-
Jason, I don't think that's a stupid question at all. The lists come from days and days of research. :)
There are a number of common lists that many folk use but the actual selection depends a lot upon how aggressive or conservative you want to be. BBcan177 has put a great deal of research into lists, and I expect that he will share some recommendations with you. I consider him to be "middle of road" in approach, although he is pretty knowledgable on both ends of the spectrum.
I am a bit conservative. Here is my list:
http://rules.emergingthreats.net/fwrules/emerging-Block-IPs.txt
http://rules.emergingthreats.net/blockrules/compromised-ips.txt
http://feeds.dshield.org/top10-2.txt
http://www.openbl.org/lists/base.txt.gz
http://cinsscore.com/list/ci-badguys.txt
http://www.spamhaus.org/drop/drop.txt
http://www.spamhaus.org/drop/edrop.txt
https://rules.emergingthreats.net/fwrules/emerging-Block-IPs.txt
http://rules.emergingthreats.net/blockrules/compromised-ips.txt
http://cinsscore.com/list/ci-badguys.txt
https://feeds.dshield.org/block.txt
http://www.openbl.org/lists/base.txt.gz
http://www.spamhaus.org/drop/drop.txt
http://www.spamhaus.org/drop/edrop.txt
https://zeustracker.abuse.ch/blocklist.php?download=ipblocklist
https://sslbl.abuse.ch/blacklist/sslipblacklist.csv
http://labs.snort.org/feeds/ip-filter.blf
https://www.projecthoneypot.org/list_of_ips.php?t=d
https://www.projecthoneypot.org/list_of_ips.php?t=s
https://atlas.arbor.net/summary/attacks.csv
https://atlas.arbor.net/summary/botnets.csv
https://atlas.arbor.net/summary/fastflux.csv
https://atlas.arbor.net/summary/phishing.csv
http://atlas.arbor.net/summary/scans.csv
https://reputation.alienvault.com/reputation.snort.gz
https://www.badips.com/get/list/any/2
https://www.autoshun.org/files/shunlist.csv
https://www.dragonresearchgroup.org/insight/vncprobe.txt
https://www.dragonresearchgroup.org/insight/sshpwauth.txt
https://www.dragonresearchgroup.org/insight/http-report.txt
http://www.reputationauthority.org/toptens.php
Use at your own risk. Others will have their own recommendations. I recommend that you do a bit of research before choosing lists.
FWIW, if I were to pick one and only one, Emerging Threats would be my current choice.
-
I had these bookmarked:
http://forum.pfsense.org/index.php?topic=42543.180
https://forum.pfsense.org/index.php/topic,64674.0.html
https://forum.pfsense.org/index.php?topic=73353.msg402927#msg402927
I use pfsense for personal use and I prefer minimal block lists because I don't want to invest time dealing with false positives.