PfBlockerNG
-
Thanks BBcan177, I'll read through this thread, but that definitely makes sense. Not sure why I didn't think of that approach from the get go.
If you don't have open ports and you only want to have your devices talk to certain Countries, then you can create "Permit Outbound" rules. Keep in mind that there are a ton of Malicious IPs in NA Countries also. Recommend using decent Blocklists to block known Malicious IPs.
-
Many thanks, that works fine for the widget.
But I still can't see anything in the Alerts tab :/
Find an IP that is in any of the pfBNG Alias Tables and ping it from a Device behind pfSense… That should trigger an Alert. Also make sure that logging is enabled in the Aliases.
This command will give you some more stats from the Shell:
```
pfctl -vvsTables
```
-
Something is really wrong with my pfBlockerNG. Again I have "-" on the widget and this is the shell output.
http://pastebin.com/Gze9xyAd
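Reading that `pfctl -vvsTables` output by hand is tedious, so here is an added helper (written for this thread, not pfBlockerNG's own code) that parses it, prints each pfB_ table's address count, rule references and block counters, flags tables that are empty or not referenced by any rule, and checks the total against the pf table-entries limit. The sample output, table names and the 200000 limit are constructed assumptions, not the pastebin's contents.

```python
"""Parse `pfctl -vvsTables` output and flag pfBlockerNG tables that look broken."""
import re
import sys
from dataclasses import dataclass

# Constructed sample in the layout pfctl prints on FreeBSD/pfSense: a flags
# line ("-pa-r-" = persist, active, referenced) followed by tab-indented stats.
SAMPLE_OUTPUT = """\
-pa-r-\tpfB_PRI1
\tAddresses:   15234
\tCleared:     Fri Mar 13 10:02:11 2015
\tReferences:  [ Anchors: 0                  Rules: 2                  ]
\tEvaluations: [ NoMatch: 10442              Match: 17                 ]
\tIn/Block:    [ Packets: 17                 Bytes: 1020               ]
\tIn/Pass:     [ Packets: 0                  Bytes: 0                  ]
\tOut/Block:   [ Packets: 0                  Bytes: 0                  ]
\tOut/Pass:    [ Packets: 0                  Bytes: 0                  ]
-pa-r-\tpfB_SEC1
\tAddresses:   0
\tReferences:  [ Anchors: 0                  Rules: 2                  ]
\tIn/Block:    [ Packets: 0                  Bytes: 0                  ]
\tOut/Block:   [ Packets: 0                  Bytes: 0                  ]
-pa---\tpfB_TOR
\tAddresses:   6103
\tReferences:  [ Anchors: 0                  Rules: 0                  ]
\tIn/Block:    [ Packets: 0                  Bytes: 0                  ]
\tOut/Block:   [ Packets: 0                  Bytes: 0                  ]
--a-r-\tbogons
\tAddresses:   1
\tReferences:  [ Anchors: 0                  Rules: 1                  ]
"""

EMPTY = "empty: list download or parsing failed, or the alias is disabled"
UNREFERENCED = "no firewall rule references this table, so it cannot block or alert"
OVER_LIMIT = "pfB_ tables hold more entries than the configured table limit"

HEADER_RE = re.compile(r"^(\S+)\s+(\S+)\s*$")       # "<flags>\t<table name>"
STAT_RE = re.compile(r"^\s+([\w/]+):\s+(.*?)\s*$")  # "\tKey:   value"

# Assumed pfSense default for "Firewall Maximum Table Entries"; check
# System > Advanced > Firewall/NAT on the box for the real value.
DEFAULT_TABLE_LIMIT = 200000


@dataclass
class TableStats:
    name: str
    flags: str
    addresses: int = 0
    rules: int = 0
    in_block: int = 0
    out_block: int = 0


def parse_tables(text):
    """Turn `pfctl -vvsTables` text into one TableStats per table."""
    tables, current = [], None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():            # unindented line starts a new table
            m = HEADER_RE.match(line)
            if m:
                current = TableStats(name=m.group(2), flags=m.group(1))
                tables.append(current)
            continue
        m = STAT_RE.match(line) if current else None
        if not m:
            continue
        key, value = m.groups()
        if key == "Addresses":
            current.addresses = int(value)
        elif key == "References":
            n = re.search(r"Rules:\s+(\d+)", value)
            current.rules = int(n.group(1)) if n else 0
        elif key in ("In/Block", "Out/Block"):
            n = re.search(r"Packets:\s+(\d+)", value)
            pkts = int(n.group(1)) if n else 0
            if key == "In/Block":
                current.in_block = pkts
            else:
                current.out_block = pkts
    return tables


def pfb_tables(tables, prefix="pfB_"):
    return [t for t in tables if t.name.startswith(prefix)]


def total_pfb_addresses(tables, prefix="pfB_"):
    return sum(t.addresses for t in pfb_tables(tables, prefix))


def find_problems(tables, prefix="pfB_", table_limit=DEFAULT_TABLE_LIMIT):
    """Map each suspicious pfB_ table to its issues; key '*' holds global issues."""
    problems = {}
    for t in pfb_tables(tables, prefix):
        issues = ([EMPTY] if t.addresses == 0 else []) + ([UNREFERENCED] if t.rules == 0 else [])
        if issues:
            problems[t.name] = issues
    if total_pfb_addresses(tables, prefix) > table_limit:
        problems["*"] = [OVER_LIMIT]
    return problems


def report(text, table_limit=DEFAULT_TABLE_LIMIT):
    """One line per pfB_ table, a total, then a PROBLEM line per detected issue."""
    tables = parse_tables(text)
    lines = [f"{t.name:<16} addrs={t.addresses:>8} rules={t.rules} "
             f"in_block={t.in_block} out_block={t.out_block}" for t in pfb_tables(tables)]
    lines.append(f"total pfB_ entries: {total_pfb_addresses(tables)} (limit {table_limit})")
    for name, issues in find_problems(tables, table_limit=table_limit).items():
        lines.extend(f"PROBLEM {name}: {issue}" for issue in issues)
    return "\n".join(lines)


if __name__ == "__main__":
    # Real use on the firewall:  pfctl -vvsTables | python3 pfb_tables.py
    print(report(sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_OUTPUT))
```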
-
ha11oga11o,
Does the pfblockerng.log show any errors/Issues?
Disable pfBlockerNG again as indicated in my post above. Then Reboot.
After the reboot, enable a few Aliases at a time and run a "Force Update" to see if those Aliases show "0's" in the widget… Rinse and Repeat with a few more Aliases. Then you can determine which alias is causing the issue.
-
Hi ConfusedUser,
Those changes that you made to capture the Country in the List column are not correct unfortunately. But I think you need to look at the "CC" column which will already tell you which Country it is anyways. :)
-
ha11oga11o,
Does the pfblockerng.log show any errors/Issues?
Disable pfBlockerNG again as indicated in my post above. Then Reboot.
After the reboot, enable a few Aliases at a time and run a "Force Update" to see if those Aliases show "0's" in the widget… Rinse and Repeat with a few more Aliases. Then you can determine which alias is causing the issue.
No errors at all.
I rebooted, enabled a couple of lists, and all is working fine. Now I just need to enable them one by one and update. I think that should solve the problem of finding which list is broken, or maybe I have way too many IPs on the lists so that they cannot fit into the tables.
Many thanks for pointing me in the right direction. Now it's up to me to do my stuff and find the broken one.
Cheers :)
-
Hi ConfusedUser,
Those changes that you made to capture the Country in the List column are not correct unfortunately. But I think you need to look at the "CC" column which will already tell you which Country it is anyways. :)
Those changes were not made to change anything in the List or CC column.
```php
$data = exec("/sbin/pfctl -vv -sr", $results);
```
This is to prevent filtering by 'pfB_'.
```php
// the rule label in pfctl output looks like: label "USER_RULE: <description>"
if (preg_match("/USER_RULE: (.*)\"/", $result, $desc))
```
And this is to display the rule name correctly. So on my side it's working absolutely fine.
-
Has anyone had an issue with settings reverting back after they are changed?
I have set "deny inbound" on a number of different 2.2.1 boxes, hit save, and force update.
They seem to revert back to "deny both" on their own.
-
Has anyone had an issue with settings reverting back after they are changed?
I have set "deny inbound" on a number of different 2.2.1 boxes, hit save, and force update.
They seem to revert back to "deny both" on their own.
I have not seen that.. Are these boxes Sync'd via XML RPC Sync? When do you notice it reverting back?
-
Those changes were not made to change anything in the List or CC column.
Hi ConfusedUser,
Sorry, I misread your post… I'd rather not mix it with the other non-pfBNG alerts. But you are welcome to patch that in your system. Would be nice to add the CC column to the base pfSense Code.
-
Any update on the ad blocker you spoke about in earlier posts? Thanks!
-
Any update on the ad blocker you spoke about in earlier posts? Thanks!
I have a few testers using the beta of pfBNG with DNSBL. Been really busy lately, so I haven't had much time to spend on it. I will try to keep you guys informed on my progress.
-
Ok, I'm about to ask a stupid question. Yes I searched first, but didn't find the answer - or was too stupid to understand it.
Where is everyone getting the IP block lists to import into pfBNG? I know of a few, but it seems like everyone uses many of the same (based on the screenshots), so thought I would just ask if there is a list somewhere.
Jason
-
Jason, I don't think that's a stupid question at all. The lists come from days and days of research. :)
There are a number of common lists that many folk use, but the actual selection depends a lot upon how aggressive or conservative you want to be. BBcan177 has put a great deal of research into lists, and I expect that he will share some recommendations with you. I consider him to be "middle of the road" in approach, although he is pretty knowledgeable on both ends of the spectrum.
I am a bit conservative. Here is my list:
http://rules.emergingthreats.net/fwrules/emerging-Block-IPs.txt
http://rules.emergingthreats.net/blockrules/compromised-ips.txt
http://feeds.dshield.org/top10-2.txt
http://www.openbl.org/lists/base.txt.gz
http://cinsscore.com/list/ci-badguys.txt
http://www.spamhaus.org/drop/drop.txt
http://www.spamhaus.org/drop/edrop.txt
https://rules.emergingthreats.net/fwrules/emerging-Block-IPs.txt
http://rules.emergingthreats.net/blockrules/compromised-ips.txt
http://cinsscore.com/list/ci-badguys.txt
https://feeds.dshield.org/block.txt
http://www.openbl.org/lists/base.txt.gz
http://www.spamhaus.org/drop/drop.txt
http://www.spamhaus.org/drop/edrop.txt
https://zeustracker.abuse.ch/blocklist.php?download=ipblocklist
https://sslbl.abuse.ch/blacklist/sslipblacklist.csv
http://labs.snort.org/feeds/ip-filter.blf
https://www.projecthoneypot.org/list_of_ips.php?t=d
https://www.projecthoneypot.org/list_of_ips.php?t=s
https://atlas.arbor.net/summary/attacks.csv
https://atlas.arbor.net/summary/botnets.csv
https://atlas.arbor.net/summary/fastflux.csv
https://atlas.arbor.net/summary/phishing.csv
http://atlas.arbor.net/summary/scans.csv
https://reputation.alienvault.com/reputation.snort.gz
https://www.badips.com/get/list/any/2
https://www.autoshun.org/files/shunlist.csv
https://www.dragonresearchgroup.org/insight/vncprobe.txt
https://www.dragonresearchgroup.org/insight/sshpwauth.txt
https://www.dragonresearchgroup.org/insight/http-report.txt
http://www.reputationauthority.org/toptens.php
Use at your own risk. Others will have their own recommendations. I recommend that you do a bit of research before choosing lists.
FWIW, if I were to pick one and only one, Emerging Threats would be my current choice.
-
I had these bookmarked:
http://forum.pfsense.org/index.php?topic=42543.180
https://forum.pfsense.org/index.php/topic,64674.0.html
https://forum.pfsense.org/index.php?topic=73353.msg402927#msg402927
I use pfSense for personal use and I prefer minimal block lists because I don't want to invest time dealing with false positives.
-
Ok, I'm about to ask a stupid question. Yes I searched first, but didn't find the answer - or was too stupid to understand it.
Where is everyone getting the IP block lists to import into pfBNG? I know of a few, but it seems like everyone uses many of the same (based on the screenshots), so thought I would just ask if there is a list somewhere.
This was provided by BBcan177; stick it under /usr/local/www and run it once via your browser. (All the lists are disabled by default.)
pfBlockerNG_import.php
```php
<?php
/*
 pfBlockerNG_import.php
 pfBlockerNG
 Copyright (C) 2014 BBcan177@gmail.com
 All rights reserved.

 Redistribution and use in source and binary forms, with or without
 modification, are permitted provided that the following conditions are met:

 1. Redistributions of source code must retain the above copyright notice,
    this list of conditions and the following disclaimer.
 2. Redistributions in binary form must reproduce the above copyright notice,
    this list of conditions and the following disclaimer in the documentation
    and/or other materials provided with the distribution.

 THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
 INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND
 FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR
 BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
 CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
 SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
 INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
 CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
 ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
 POSSIBILITY OF SUCH DAMAGE.
*/

require_once("config.inc");
require_once("util.inc");
require_once("functions.inc");
require_once("pkg-utils.inc");
require_once("pfsense-utils.inc");
require_once("globals.inc");
require_once("services.inc");

print "";

// Each entry below is one pfBlockerNG IPv4 Alias; every list inside it is
// imported in the "Disabled" state so nothing is blocked until you enable it.
$pfblist_new = array(
    array(
        "none"        => "",
        "aliasname"   => "IBlock",
        "description" => "pfBlockerNG IBlock",
        "infolists"   => "",
        "row"         => array(
            array("format" => "gz", "state" => "Disabled", "url" => "http://list.iblocklist.com/?list=usrcshglbiilevmyfhse&fileformat=p2p&archiveformat=gz", "header" => "IBlock_BT_Hijack"),
            array("format" => "gz", "state" => "Disabled", "url" => "http://list.iblocklist.com/?list=ficutxiwawokxlcyoeye&fileformat=p2p&archiveformat=gz", "header" => "IBlock_BT_FS"),
            array("format" => "gz", "state" => "Disabled", "url" => "http://list.iblocklist.com/?list=ghlzqtqxnzctvvajwwag&fileformat=p2p&archiveformat=gz", "header" => "IBlock_BT_Web"),
            array("format" => "gz", "state" => "Disabled", "url" => "http://list.iblocklist.com/?list=llvtlsjyoyiczbkjsxpf&fileformat=p2p&archiveformat=gz", "header" => "IBlock_BT_Spy"),
            array("format" => "gz", "state" => "Disabled", "url" => "http://list.iblocklist.com/?list=cwworuawihqvocglcoss&fileformat=p2p&archiveformat=gz", "header" => "IBlock_Badpeer"),
            array("format" => "gz", "state" => "Disabled", "url" => "http://list.iblocklist.com/?list=dgxtneitpuvgqqcpfulq&fileformat=p2p&archiveformat=gz", "header" => "IBlock_Ads"),
            array("format" => "gz", "state" => "Disabled", "url" => "http://list.iblocklist.com/?list=xoebmbyexwuiogmbyprb&fileformat=p2p&archiveformat=gz", "header" => "IBlock_Proxy")
        ),
        "action"        => "Disabled",
        "cron"          => "04hours",
        "dow"           => "1",
        "aliaslog"      => "enabled",
        "custom"        => "",
        "custom_update" => "disabled"
    ),
    array(
        "none"        => "",
        "aliasname"   => "PRI1",
        "description" => "pfBlockerNG PRI1",
        "infolists"   => "",
        "row"         => array(
            array("format" => "txt",   "state" => "Disabled", "url" => "https://rules.emergingthreats.net/blockrules/compromised-ips.txt", "header" => "ET_Comp"),
            array("format" => "txt",   "state" => "Disabled", "url" => "https://rules.emergingthreats.net/fwrules/emerging-Block-IPs.txt", "header" => "ET_Block"),
            array("format" => "txt",   "state" => "Disabled", "url" => "http://www.spamhaus.org/drop/drop.txt", "header" => "Spamhaus_drop"),
            array("format" => "txt",   "state" => "Disabled", "url" => "http://www.spamhaus.org/drop/edrop.txt", "header" => "Spamhaus_edrop"),
            array("format" => "txt",   "state" => "Disabled", "url" => "http://cinsscore.com/list/ci-badguys.txt", "header" => "CIArmy"),
            array("format" => "txt",   "state" => "Disabled", "url" => "https://zeustracker.abuse.ch/blocklist.php?download=ipblocklist", "header" => "Abuse_Zeus"),
            array("format" => "txt",   "state" => "Disabled", "url" => "https://spyeyetracker.abuse.ch/blocklist.php?download=ipblocklist", "header" => "Abuse_Spyeye"),
            array("format" => "txt",   "state" => "Disabled", "url" => "https://palevotracker.abuse.ch/blocklists.php?download=ipblocklist", "header" => "Abuse_Palevo"),
            array("format" => "html",  "state" => "Disabled", "url" => "https://sslbl.abuse.ch/blacklist/sslipblacklist_aggressive.csv", "header" => "Abuse_SSLBL"),
            array("format" => "block", "state" => "Disabled", "url" => "https://feeds.dshield.org/block.txt", "header" => "dShield_Block"),
            array("format" => "txt",   "state" => "Disabled", "url" => "https://labs.snort.org/feeds/ip-filter.blf", "header" => "Snort_BL"),
            array("format" => "html",  "state" => "Disabled", "url" => "http://osint.bambenekconsulting.com/feeds/goz-iplist.txt", "header" => "BBC_Goz")
        ),
        "action"        => "Disabled",
        "cron"          => "01hour",
        "dow"           => "1",
        "aliaslog"      => "enabled",
        "custom"        => "",
        "custom_update" => "disabled"
    ),
    array(
        "none"        => "",
        "aliasname"   => "PRI2",
        "description" => "pfBlockerNG PRI2",
        "infolists"   => "",
        "row"         => array(
            array("format" => "gz_2", "state" => "Disabled", "url" => "https://reputation.alienvault.com/reputation.snort.gz", "header" => "Alienvault"),
            array("format" => "html", "state" => "Disabled", "url" => "https://atlas.arbor.net/summary/attacks.csv", "header" => "Atlas_Attacks"),
            array("format" => "html", "state" => "Disabled", "url" => "https://atlas.arbor.net/summary/botnets.csv", "header" => "Atlas_Botnets"),
            array("format" => "html", "state" => "Disabled", "url" => "https://atlas.arbor.net/summary/fastflux.csv", "header" => "Atlas_Fastflux"),
            array("format" => "html", "state" => "Disabled", "url" => "https://atlas.arbor.net/summary/phishing.csv", "header" => "Atlas_Phishing"),
            array("format" => "html", "state" => "Disabled", "url" => "https://atlas.arbor.net/summary/scans.csv", "header" => "Atlas_Scans"),
            array("format" => "txt",  "state" => "Disabled", "url" => "http://www.cyber-ta.org/releases/malware/SOURCES/Attacker.Cumulative.Summary", "header" => "SRI_Attackers"),
            array("format" => "txt",  "state" => "Disabled", "url" => "http://www.cyber-ta.org/releases/malware/SOURCES/CandC.Cumulative.Summary", "header" => "SRI_CC"),
            array("format" => "html", "state" => "Disabled", "url" => "https://www.projecthoneypot.org/list_of_ips.php?t=d&rss=1", "header" => "HoneyPot")
        ),
        "action"        => "Disabled",
        "cron"          => "04hours",
        "dow"           => "1",
        "aliaslog"      => "enabled",
        "custom"        => "",
        "custom_update" => "disabled"
    ),
    array(
        "none"        => "",
        "aliasname"   => "PRI3",
        "description" => "pfBlockerNG PRI3",
        "infolists"   => "",
        "row"         => array(
            array("format" => "txt",  "state" => "Disabled", "url" => "http://www.malwaredomainlist.com/hostslist/ip.txt", "header" => "MDL"),
            array("format" => "txt",  "state" => "Disabled", "url" => "http://www.nothink.org/blacklist/blacklist_malware_http.txt", "header" => "Nothink_BL"),
            array("format" => "txt",  "state" => "Disabled", "url" => "http://www.nothink.org/blacklist/blacklist_ssh_week.txt", "header" => "Nothink_SSH"),
            array("format" => "txt",  "state" => "Disabled", "url" => "http://www.nothink.org/blacklist/blacklist_malware_dns.txt", "header" => "Nothink_Malware"),
            array("format" => "txt",  "state" => "Disabled", "url" => "https://danger.rulez.sk/projects/bruteforceblocker/blist.php", "header" => "DangerRulez"),
            array("format" => "html", "state" => "Disabled", "url" => "https://www.autoshun.org/files/shunlist.csv", "header" => "Shunlist"),
            array("format" => "txt",  "state" => "Disabled", "url" => "http://www.infiltrated.net/blacklisted", "header" => "Infiltrated"),
            array("format" => "txt",  "state" => "Disabled", "url" => "https://www.dragonresearchgroup.org/insight/sshpwauth.txt", "header" => "DRG_SSH"),
            array("format" => "txt",  "state" => "Disabled", "url" => "https://www.dragonresearchgroup.org/insight/vncprobe.txt", "header" => "DRG_VNC"),
            array("format" => "txt",  "state" => "Disabled", "url" => "https://www.dragonresearchgroup.org/insight/http-report.txt", "header" => "DRG_HTTP"),
            array("format" => "txt",  "state" => "Disabled", "url" => "https://feodotracker.abuse.ch/blocklist/?download=ipblocklist", "header" => "Feodo_Block"),
            array("format" => "txt",  "state" => "Disabled", "url" => "https://feodotracker.abuse.ch/blocklist/?download=badips", "header" => "Feodo_Bad"),
            array("format" => "txt",  "state" => "Disabled", "url" => "http://www.reputationauthority.org/toptens.php", "header" => "WatchGuard"),
            array("format" => "txt",  "state" => "Disabled", "url" => "https://vmx.yourcmc.ru/BAD_HOSTS.IP4", "header" => "VMX"),
            array("format" => "html", "state" => "Disabled", "url" => "http://www.geopsy.org/blacklist.html", "header" => "Geopsy"),
            array("format" => "html", "state" => "Disabled", "url" => "https://www.maxmind.com/en/anonymous_proxies", "header" => "Maxmind"),
            array("format" => "html", "state" => "Disabled", "url" => "http://www.botscout.com/last_caught_cache.htm", "header" => "BotScout"),
            array("format" => "html", "state" => "Disabled", "url" => "https://www.juniper.net/security/auto/spam", "header" => "Juniper"),
            array("format" => "txt",  "state" => "Disabled", "url" => "http://blocklist.greensnow.co/greensnow.txt", "header" => "Greensnow"),
            array("format" => "txt",  "state" => "Disabled", "url" => "https://lists.blocklist.de/lists/all.txt", "header" => "BlocklistDE"),
            array("format" => "txt",  "state" => "Disabled", "url" => "http://www.stopforumspam.com/downloads/toxic_ip_cidr.txt", "header" => "SFS_Toxic")
        ),
        "action"        => "Disabled",
        "cron"          => "04hours",
        "dow"           => "1",
        "aliaslog"      => "enabled",
        "custom"        => "",
        "custom_update" => "disabled"
    ),
    array(
        "none"        => "",
        "aliasname"   => "SEC1",
        "description" => "pfBlockerNG SEC1",
        "infolists"   => "",
        "row"         => array(
            array("format" => "html", "state" => "Disabled", "url" => "http://www.malwaregroup.com/ipaddresses/malicious", "header" => "MalwareGroup"),
            array("format" => "gz_2", "state" => "Disabled", "url" => "https://www.openbl.org/lists/base_90days.txt.gz", "header" => "OpenBL"),
            array("format" => "txt",  "state" => "Disabled", "url" => "https://malc0de.com/bl/IP_Blacklist.txt", "header" => "Malcode"),
            array("format" => "txt",  "state" => "Disabled", "url" => "https://www.badips.com/get/list/any/2", "header" => "BadIPs")
        ),
        "action"        => "Disabled",
        "cron"          => "04hours",
        "dow"           => "1",
        "aliaslog"      => "enabled",
        "custom"        => "",
        "custom_update" => "disabled"
    ),
    array(
        "none"        => "",
        "aliasname"   => "TOR",
        "description" => "pfBlockerNG TOR",
        "infolists"   => "",
        "row"         => array(
            array("format" => "gz",   "state" => "Disabled", "url" => "http://list.iblocklist.com/?list=togdoptykrlolpddwbvz&fileformat=p2p&archiveformat=gz", "header" => "IBlock_Tor"),
            array("format" => "txt",  "state" => "Disabled", "url" => "https://torstatus.blutmagie.de/ip_list_exit.php/Tor_ip_list_EXIT.csv", "header" => "Blut_Tor"),
            array("format" => "html", "state" => "Disabled", "url" => "https://rules.emergingthreats.net/open/suricata/rules/tor.rules", "header" => "ET_Tor")
        ),
        "action"        => "Disabled",
        "cron"          => "04hours",
        "dow"           => "1",
        "aliaslog"      => "enabled",
        "custom"        => "",
        "custom_update" => "disabled"
    ),
    array(
        "none"        => "",
        "aliasname"   => "MAIL",
        "description" => "pfBlockerNG MAIL",
        "infolists"   => "",
        "row"         => array(
            array("format" => "txt",  "state" => "Disabled", "url" => "https://virbl.bit.nl/download/virbl.dnsbl.bit.nl.txt", "header" => "VirBL"),
            array("format" => "zip",  "state" => "Disabled", "url" => "http://www.stopforumspam.com/downloads/bannedips.zip", "header" => "SFS_All"),
            array("format" => "txt",  "state" => "Disabled", "url" => "http://antispam.imp.ch/spamlist", "header" => "Improware"),
            array("format" => "html", "state" => "Disabled", "url" => "http://toastedspam.com/denylist.cgi", "header" => "ToastedSpam"),
            array("format" => "html", "state" => "Disabled", "url" => "http://rss.uribl.com/reports/7d/dns_a.html", "header" => "URIBL"),
            array("format" => "txt",  "state" => "Disabled", "url" => "http://spamcop.net/w3m?action=map;net=cmaxcnt;mask=65535;sort=spamcnt;format=text", "header" => "SpamCop"),
            array("format" => "gz_2", "state" => "Disabled", "url" => "http://www.dnsbl.manitu.net/download/nixspam-ip.dump.gz", "header" => "Nix_Spam")
        ),
        "action"        => "Disabled",
        "cron"          => "08hours",
        "dow"           => "1",
        "aliaslog"      => "enabled",
        "custom"        => "",
        "custom_update" => "disabled"
    )
);

print "Checking for Existing pfBlockerNG Alias/Lists\n";

// Check for Existing pfBlockerNG Alias/Lists. If some exist, the imported
// Aliases are appended to them; otherwise the imported set replaces nothing.
if (is_array($config['installedpackages']['pfblockernglistsv4']['config'])) {
    print "Found existing Alias/Lists. Merging Existing Alias/Lists with Imported Version\n\n";
    $pfblist  = $config['installedpackages']['pfblockernglistsv4']['config'];
    $pfbfinal = array_merge($pfblist, $pfblist_new);
    $config['installedpackages']['pfblockernglistsv4']['config'] = $pfbfinal;
} else {
    print "No existing Alias/Lists found. Importing new Version.\n\n";
    $config['installedpackages']['pfblockernglistsv4']['config'] = $pfblist_new;
}

print "pfBlockerNG Alias List Import Completed.";
write_config();
?>
```
Note: Make a configuration backup beforehand. If it makes your box explode, I don't care, you have been warned in advance. For forced import overwriting your current lists, comment out the code on lines 375-383.
-
doktornotor and BBcan17 thanks for the php code!
As a follow on, here is one way to implement the php update (I'm sure there are other ways :) ):
1. Select Diagnostics>Edit File
2. Enter```
/usr/local/www/pfBlockerNG_import.php3\. Click **Load** 4\. Paste the php code that doktornotor posted, into the editing field:``` /* pfBlockerNG_import.php pfBlockerNG Copyright (C) 2014 BBcan177@gmail.com All rights reserved. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: 1\. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. 2\. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
*/ require_once("config.inc"); require_once("util.inc"); require_once("functions.inc"); require_once("pkg-utils.inc"); require_once("pfsense-utils.inc"); require_once("globals.inc"); require_once("services.inc"); print ""; $pfblist_new = array ( array ( "none" => "", "aliasname" => "IBlock", "description" => "pfBlockerNG IBlock", "infolists" => "", "row" => array (array ("format" => "gz", "state" => "Disabled", "url" => "http://list.iblocklist.com/?list=usrcshglbiilevmyfhse&fileformat=p2p&archiveformat=gz", "header"=> "IBlock_BT_Hijack"), array ("format" => "gz", "state" => "Disabled", "url" => "http://list.iblocklist.com/?list=ficutxiwawokxlcyoeye&fileformat=p2p&archiveformat=gz", "header"=> "IBlock_BT_FS"), array ("format" => "gz", "state" => "Disabled", "url" => "http://list.iblocklist.com/?list=ghlzqtqxnzctvvajwwag&fileformat=p2p&archiveformat=gz", "header"=> "IBlock_BT_Web"), array ("format" => "gz", "state" => "Disabled", "url" => "http://list.iblocklist.com/?list=llvtlsjyoyiczbkjsxpf&fileformat=p2p&archiveformat=gz", "header"=> "IBlock_BT_Spy"), array ("format" => "gz", "state" => "Disabled", "url" => "http://list.iblocklist.com/?list=cwworuawihqvocglcoss&fileformat=p2p&archiveformat=gz", "header"=> "IBlock_Badpeer"), array ("format" => "gz", "state" => "Disabled", "url" => "http://list.iblocklist.com/?list=dgxtneitpuvgqqcpfulq&fileformat=p2p&archiveformat=gz", "header"=> "IBlock_Ads"), array ("format" => "gz", "state" => "Disabled", "url" => "http://list.iblocklist.com/?list=xoebmbyexwuiogmbyprb&fileformat=p2p&archiveformat=gz", "header"=> "IBlock_Proxy")), "action"=> "Disabled", "cron" => "04hours", "dow" => "1", "aliaslog" => "enabled", "custom"=> "", "custom_update" => "disabled"), array ( "none" => "", "aliasname" => "PRI1", "description" => "pfBlockerNG PRI1", "infolists" => "", "row" => array (array ("format" => "txt", "state" => "Disabled", "url" => "https://rules.emergingthreats.net/blockrules/compromised-ips.txt", "header"=> "ET_Comp"), array 
("format" => "txt", "state" => "Disabled", "url" => "https://rules.emergingthreats.net/fwrules/emerging-Block-IPs.txt", "header"=> "ET_Block"), array ("format" => "txt", "state" => "Disabled", "url" => "http://www.spamhaus.org/drop/drop.txt", "header"=> "Spamhaus_drop"), array ("format" => "txt", "state" => "Disabled", "url" => "http://www.spamhaus.org/drop/edrop.txt", "header"=> "Spamhaus_edrop"), array ("format" => "txt", "state" => "Disabled", "url" => "http://cinsscore.com/list/ci-badguys.txt", "header"=> "CIArmy"), array ("format" => "txt", "state" => "Disabled", "url" => "https://zeustracker.abuse.ch/blocklist.php?download=ipblocklist", "header"=> "Abuse_Zeus"), array ("format" => "txt", "state" => "Disabled", "url" => "https://spyeyetracker.abuse.ch/blocklist.php?download=ipblocklist", "header"=> "Abuse_Spyeye"), array ("format" => "txt", "state" => "Disabled", "url" => "https://palevotracker.abuse.ch/blocklists.php?download=ipblocklist", "header"=> "Abuse_Palevo"), array ("format" => "html", "state" => "Disabled", "url" => "https://sslbl.abuse.ch/blacklist/sslipblacklist_aggressive.csv", "header"=> "Abuse_SSLBL"), array ("format" => "block", "state" => "Disabled", "url" => "https://feeds.dshield.org/block.txt", "header"=> "dShield_Block"), array ("format" => "txt", "state" => "Disabled", "url" => "https://labs.snort.org/feeds/ip-filter.blf", "header"=> "Snort_BL"), array ("format" => "html", "state" => "Disabled", "url" => "http://osint.bambenekconsulting.com/feeds/goz-iplist.txt", "header"=> "BBC_Goz")), "action"=> "Disabled", "cron" => "01hour", "dow" => "1", "aliaslog" => "enabled", "custom"=> "", "custom_update" => "disabled"), array ( "none" => "", "aliasname" => "PRI2", "description" => "pfBlockerNG PRI2", "infolists" => "", "row" => array (array ("format" => "gz_2", "state" => "Disabled", "url" => "https://reputation.alienvault.com/reputation.snort.gz", "header"=> "Alienvault"), array ("format" => "html", "state" => "Disabled", "url" => 
"https://atlas.arbor.net/summary/attacks.csv", "header"=> "Atlas_Attacks"), array ("format" => "html", "state" => "Disabled", "url" => "https://atlas.arbor.net/summary/botnets.csv", "header"=> "Atlas_Botnets"), array ("format" => "html", "state" => "Disabled", "url" => "https://atlas.arbor.net/summary/fastflux.csv", "header"=> "Atlas_Fastflux"), array ("format" => "html", "state" => "Disabled", "url" => "https://atlas.arbor.net/summary/phishing.csv", "header"=> "Atlas_Phishing"), array ("format" => "html", "state" => "Disabled", "url" => "https://atlas.arbor.net/summary/scans.csv", "header"=> "Atlas_Scans"), array ("format" => "txt", "state" => "Disabled", "url" => "http://www.cyber-ta.org/releases/malware/SOURCES/Attacker.Cumulative.Summary", "header"=> "SRI_Attackers"), array ("format" => "txt", "state" => "Disabled", "url" => "http://www.cyber-ta.org/releases/malware/SOURCES/CandC.Cumulative.Summary", "header"=> "SRI_CC"), array ("format" => "html", "state" => "Disabled", "url" => "https://www.projecthoneypot.org/list_of_ips.php?t=d&rss=1", "header"=> "HoneyPot")), "action"=> "Disabled", "cron" => "04hours", "dow" => "1", "aliaslog" => "enabled", "custom"=> "", "custom_update" => "disabled"), array ( "none" => "", "aliasname" => "PRI3", "description" => "pfBlockerNG PRI3", "infolists" => "", "row" => array (array ("format" => "txt", "state" => "Disabled", "url" => "http://www.malwaredomainlist.com/hostslist/ip.txt", "header"=> "MDL"), array ("format" => "txt", "state" => "Disabled", "url" => "http://www.nothink.org/blacklist/blacklist_malware_http.txt", "header"=> "Nothink_BL"), array ("format" => "txt", "state" => "Disabled", "url" => "http://www.nothink.org/blacklist/blacklist_ssh_week.txt", "header"=> "Nothink_SSH"), array ("format" => "txt", "state" => "Disabled", "url" => "http://www.nothink.org/blacklist/blacklist_malware_dns.txt", "header"=> "Nothink_Malware"), array ("format" => "txt", "state" => "Disabled", "url" => 
                "https://danger.rulez.sk/projects/bruteforceblocker/blist.php", "header" => "DangerRulez"),
        array("format" => "html", "state" => "Disabled", "url" => "https://www.autoshun.org/files/shunlist.csv", "header" => "Shunlist"),
        array("format" => "txt",  "state" => "Disabled", "url" => "http://www.infiltrated.net/blacklisted", "header" => "Infiltrated"),
        array("format" => "txt",  "state" => "Disabled", "url" => "https://www.dragonresearchgroup.org/insight/sshpwauth.txt", "header" => "DRG_SSH"),
        array("format" => "txt",  "state" => "Disabled", "url" => "https://www.dragonresearchgroup.org/insight/vncprobe.txt", "header" => "DRG_VNC"),
        array("format" => "txt",  "state" => "Disabled", "url" => "https://www.dragonresearchgroup.org/insight/http-report.txt", "header" => "DRG_HTTP"),
        array("format" => "txt",  "state" => "Disabled", "url" => "https://feodotracker.abuse.ch/blocklist/?download=ipblocklist", "header" => "Feodo_Block"),
        array("format" => "txt",  "state" => "Disabled", "url" => "https://feodotracker.abuse.ch/blocklist/?download=badips", "header" => "Feodo_Bad"),
        array("format" => "txt",  "state" => "Disabled", "url" => "http://www.reputationauthority.org/toptens.php", "header" => "WatchGuard"),
        array("format" => "txt",  "state" => "Disabled", "url" => "https://vmx.yourcmc.ru/BAD_HOSTS.IP4", "header" => "VMX"),
        array("format" => "html", "state" => "Disabled", "url" => "http://www.geopsy.org/blacklist.html", "header" => "Geopsy"),
        array("format" => "html", "state" => "Disabled", "url" => "https://www.maxmind.com/en/anonymous_proxies", "header" => "Maxmind"),
        array("format" => "html", "state" => "Disabled", "url" => "http://www.botscout.com/last_caught_cache.htm", "header" => "BotScout"),
        array("format" => "html", "state" => "Disabled", "url" => "https://www.juniper.net/security/auto/spam", "header" => "Juniper"),
        array("format" => "txt",  "state" => "Disabled", "url" => "http://blocklist.greensnow.co/greensnow.txt", "header" => "Greensnow"),
        array("format" => "txt",  "state" => "Disabled", "url" => "https://lists.blocklist.de/lists/all.txt", "header" => "BlocklistDE"),
        array("format" => "txt",  "state" => "Disabled", "url" => "http://www.stopforumspam.com/downloads/toxic_ip_cidr.txt", "header" => "SFS_Toxic")
    ),
    "action" => "Disabled", "cron" => "04hours", "dow" => "1", "aliaslog" => "enabled", "custom" => "", "custom_update" => "disabled"),

array(
    "none" => "", "aliasname" => "SEC1", "description" => "pfBlockerNG SEC1", "infolists" => "",
    "row" => array(
        array("format" => "html", "state" => "Disabled", "url" => "http://www.malwaregroup.com/ipaddresses/malicious", "header" => "MalwareGroup"),
        array("format" => "gz_2", "state" => "Disabled", "url" => "https://www.openbl.org/lists/base_90days.txt.gz", "header" => "OpenBL"),
        array("format" => "txt",  "state" => "Disabled", "url" => "https://malc0de.com/bl/IP_Blacklist.txt", "header" => "Malcode"),
        array("format" => "txt",  "state" => "Disabled", "url" => "https://www.badips.com/get/list/any/2", "header" => "BadIPs")
    ),
    "action" => "Disabled", "cron" => "04hours", "dow" => "1", "aliaslog" => "enabled", "custom" => "", "custom_update" => "disabled"),

array(
    "none" => "", "aliasname" => "TOR", "description" => "pfBlockerNG TOR", "infolists" => "",
    "row" => array(
        array("format" => "gz",   "state" => "Disabled", "url" => "http://list.iblocklist.com/?list=togdoptykrlolpddwbvz&fileformat=p2p&archiveformat=gz", "header" => "IBlock_Tor"),
        array("format" => "txt",  "state" => "Disabled", "url" => "https://torstatus.blutmagie.de/ip_list_exit.php/Tor_ip_list_EXIT.csv", "header" => "Blut_Tor"),
        array("format" => "html", "state" => "Disabled", "url" => "https://rules.emergingthreats.net/open/suricata/rules/tor.rules", "header" => "ET_Tor")
    ),
    "action" => "Disabled", "cron" => "04hours", "dow" => "1", "aliaslog" => "enabled", "custom" => "", "custom_update" => "disabled"),

array(
    "none" => "", "aliasname" => "MAIL", "description" => "pfBlockerNG MAIL", "infolists" => "",
    "row" => array(
        array("format" => "txt",  "state" => "Disabled", "url" => "https://virbl.bit.nl/download/virbl.dnsbl.bit.nl.txt", "header" => "VirBL"),
        array("format" => "zip",  "state" => "Disabled", "url" => "http://www.stopforumspam.com/downloads/bannedips.zip", "header" => "SFS_All"),
        array("format" => "txt",  "state" => "Disabled", "url" => "http://antispam.imp.ch/spamlist", "header" => "Improware"),
        array("format" => "html", "state" => "Disabled", "url" => "http://toastedspam.com/denylist.cgi", "header" => "ToastedSpam"),
        array("format" => "html", "state" => "Disabled", "url" => "http://rss.uribl.com/reports/7d/dns_a.html", "header" => "URIBL"),
        array("format" => "txt",  "state" => "Disabled", "url" => "http://spamcop.net/w3m?action=map;net=cmaxcnt;mask=65535;sort=spamcnt;format=text", "header" => "SpamCop"),
        array("format" => "gz_2", "state" => "Disabled", "url" => "http://www.dnsbl.manitu.net/download/nixspam-ip.dump.gz", "header" => "Nix_Spam")
    ),
    "action" => "Disabled", "cron" => "08hours", "dow" => "1", "aliaslog" => "enabled", "custom" => "", "custom_update" => "disabled")
);

print "Checking for Existing pfBlockerNG Alias/Lists\n";

// Check for existing pfBlockerNG Alias/Lists. If some are already configured,
// the imported aliases are appended to them; otherwise the imported set is used as-is.
if (is_array($config['installedpackages']['pfblockernglistsv4']['config'])) {
    print "Found existing Alias/Lists. Merging Existing Alias/Lists with Imported Version\n\n";
    $pfblist  = $config['installedpackages']['pfblockernglistsv4']['config'];
    $pfbfinal = array_merge($pfblist, $pfblist_new);
    $config['installedpackages']['pfblockernglistsv4']['config'] = $pfbfinal;
} else {
    print "No existing Alias/Lists found. Importing new Version.\n\n";
    $config['installedpackages']['pfblockernglistsv4']['config'] = $pfblist_new;
}

print "pfBlockerNG Alias List Import Completed.";
write_config();
?>
5. Click Save
6. ssh into the pfSense console
7. Type 8 to get to the shell
8. Paste
```
php -f /usr/local/www/pfBlockerNG_import.php
```
9. Press **Return**
10. Once the update is complete, the shell will return **pfBlockerNG Alias List Import Completed.[2.2.1-RELEASE]**
11. Exit the pfSense console
12. Select **Firewall>pfBlockerNG>IPv4** to see the changes
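One caveat with the import script above: it merges with `array_merge()`, which simply appends the imported aliases to whatever is already in the config. Running the import a second time, or importing a set that overlaps aliases you already have (say, a locally tuned `SEC1`), leaves two aliases with the same `aliasname`. The following is an added example, not code from the forum post or from the pfBlockerNG package, showing a merge keyed on `aliasname` so existing aliases are kept and only genuinely new ones are added. The config path `['installedpackages']['pfblockernglistsv4']['config']` is the one the posted script uses; the sample alias entries are constructed for illustration and are deliberately trimmed to the keys the merge needs.

```php
<?php
// Added example (not from the forum post or the pfBlockerNG package).
// Merge imported pfBlockerNG IPv4 alias definitions into an existing list without
// duplicating aliases that share an "aliasname". The posted import script uses
// array_merge(), which appends every imported alias even when one with the same
// name is already configured, so re-running the import yields duplicates.

/**
 * @param array $existing  aliases already in $config['installedpackages']['pfblockernglistsv4']['config']
 * @param array $imported  aliases being imported (same layout)
 * @param bool  $overwrite when true, an imported alias replaces an existing one of the same name;
 *                         when false (default), the existing, locally tuned alias wins
 * @return array           merged list, one entry per aliasname, in first-seen order
 */
function merge_pfb_aliases(array $existing, array $imported, bool $overwrite = false): array {
    $byName = array();

    foreach ($existing as $alias) {
        if (isset($alias['aliasname']) && $alias['aliasname'] !== '') {
            $byName[$alias['aliasname']] = $alias;
        }
    }

    foreach ($imported as $alias) {
        // Skip malformed entries rather than inserting a nameless alias into config.xml.
        if (!isset($alias['aliasname']) || $alias['aliasname'] === '') {
            continue;
        }
        $name = $alias['aliasname'];
        if (!isset($byName[$name]) || $overwrite) {
            $byName[$name] = $alias;
        }
    }

    // pfSense stores this node as a plain list, so drop the string keys again.
    return array_values($byName);
}

// Constructed sample data: one alias already present with local changes, two being
// imported, one of which (SEC1) collides with the existing alias.
$existing = array(
    array(
        "aliasname"   => "SEC1",
        "description" => "locally tuned SEC1",
        "action"      => "Deny_Both",
        "row"         => array(
            array("format" => "txt", "state" => "Enabled",
                  "url" => "https://malc0de.com/bl/IP_Blacklist.txt", "header" => "Malcode"),
        ),
    ),
);

$imported = array(
    array("aliasname" => "SEC1", "description" => "pfBlockerNG SEC1", "action" => "Disabled", "row" => array()),
    array("aliasname" => "TOR",  "description" => "pfBlockerNG TOR",  "action" => "Disabled", "row" => array()),
);

$merged = merge_pfb_aliases($existing, $imported);

foreach ($merged as $alias) {
    printf("%-5s %-25s %s\n", $alias['aliasname'], $alias['description'], $alias['action']);
}

// In the real import script this replaces the array_merge() call:
//   $config['installedpackages']['pfblockernglistsv4']['config'] =
//       merge_pfb_aliases($config['installedpackages']['pfblockernglistsv4']['config'], $pfblist_new);
//   write_config();
```

With the defaults shown, `SEC1` keeps the local definition (its `Deny_Both` action and enabled Malcode list) and `TOR` is added once; pass `true` as the third argument if you want the imported definitions to win instead. Either way the result has one entry per alias name, so the widget and the IPv4 tab do not show the same alias twice after a repeated import.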
-
Horribly beautiful package, BB: chapeau :-* :-* :-* :-* :-* :-* :-* :-* :-*
I think I have a problem. The default aliases are installed, active, and they created the floating firewall rules. All perfect and well.
Next I wanted to deal with false positives.
-
I enabled suppression in general settings, and then added an IP to the suppress list with the + in the alerts tab. It neatly asked for a description and the CIDR, all very beautifully thought out. Next, indeed, the IP was gone from the alerts tab. But: I don't see the suppress alias in the IPv4/alias tab. I also don't see it in diagnostics/tables. I also don't see a floating rule created for the suppress alias (if I want to add a floating rule myself, I do see the pfBlockerNGSuppress alias). I did find the IP I suppressed in the /var/db/suppress txt file.
-
Next I created a PASS alias (within pfBlockerNG). There the same story: although now of course this one does show up in the IPv4/alias tab (as I created it myself), no floating rule has been created for it, and if I try to create the rule myself I can't select that PASS-alias: it isn't there (as opposed, thus, to the pfBlockerNGSuppress which does show up).
I did a force cron of course, and a force update, but that didn't help.
I am sure I am doing something wrong, but I have no clue what ( :-[ ?)
Would anybody know how to fix this?
Thank you ;D
(And again, BB: :-* :-* :-* :-* :-* ).
**EDIT:** for point 2, it appears the PASS alias is only created (in tables), and the firewall rule is only created, if the alias contains at least one IP. So an empty alias (which mine initially was) does not create the alias table or the floating rules.
-
The suppress alias is visible in normal pfS aliases list (pfBlockerNGSuppress). Also, works only for /24 and /32.
The Alias list actions are for manually created rules only. No auto rules will be created for these.
-
> The suppress alias is visible in normal pfS aliases list (pfBlockerNGSuppress). Also, works only for /24 and /32.
> The Alias list actions are for manually created rules only. No auto rules will be created for these.

Thanks for clarifying this, Dok ;D
Why doesn't it create the rules automatically? On the todo-list?
-
No, definitely not on todo list, it's a feature. If you want auto rules to pass traffic, use the list action Permit {Inbound,Outbound,Both}.