PfBlockerNG
-
Hi ConfusedUser,
Those changes that you made to capture the Country in the List column are not correct unfortunately. But I think you need to look at the "CC" column which will already tell you which Country it is anyways. :)
Those changes were not made to change anything in the List or CC column.
$data = exec ("/sbin/pfctl -vv -sr", $results);
This is to prevent filtering by 'pfB_'if (preg_match("/USER_RULE: (.*)"/",$result,$desc))
And this is to display the rule name correctlySo on my side it's working absolutely fine.
-
Has anyone had an issue with settings reverting back after they are changed?
I have set "deny inbound" on a number of different 2.2.1 boxes, hit save, and force update.
they seem to revert back to "deny both" on their own.
-
Has anyone had an issue with settings reverting back after they are changed?
I have set "deny inbound" on a number of different 2.2.1 boxes, hit save, and force update.
they seem to revert back to "deny both" on their own.
I have not seen that.. Are these boxes Sync'd via XML RPC Sync? When do you notice it reverting back?
-
Those changes were not made to change anything in the List or CC column.
Hi ConfusedUser,
Sorry, I mis-read your post… I'd rather not mix it with the other non-pfBNG alerts. But you are welcome to patch that in your system. Would be nice to add the CC column to the base pfSense Code.
-
Any update on the ad blocker you spoke about in earlier posts? Thanks!
-
Any update on the ad blocker you spoke about in earlier posts? Thanks!
I have a few testers using the beta of pfBNG with DNSBL. Been really busy lately, so I haven't had much time to spend on it. I will try to keep you guys informed on my progress.
-
Ok, I'm about to ask a stupid question. Yes I searched first, but didn't find the answer - or was too stupid to understand it.
Where is everyone getting the IP block lists to import into pfBNG? I know of a few, but it seems like everyone uses many of the same (based on the screenshots), so thought I would just ask if there is a list somewhere.
Jason
-
Jason, I don't think that's a stupid question at all. The lists come from a days and days of research. :)
There are a number of common lists that many folk use but the actual selection depends a lot upon how aggressive or conservative you want to be. BBcan177 has put a great deal of research into lists, and I expect that he will share some recommendations with you. I consider him to be "middle of road" in approach, although he is pretty knowledgable on both ends of the spectrum.
I am a bit conservative. Here is my list:
http://rules.emergingthreats.net/fwrules/emerging-Block-IPs.txt
http://rules.emergingthreats.net/blockrules/compromised-ips.txt
http://feeds.dshield.org/top10-2.txt
http://www.openbl.org/lists/base.txt.gz
http://cinsscore.com/list/ci-badguys.txt
http://www.spamhaus.org/drop/drop.txt
http://www.spamhaus.org/drop/edrop.txt
https://rules.emergingthreats.net/fwrules/emerging-Block-IPs.txt
http://rules.emergingthreats.net/blockrules/compromised-ips.txt
http://cinsscore.com/list/ci-badguys.txt
https://feeds.dshield.org/block.txt
http://www.openbl.org/lists/base.txt.gz
http://www.spamhaus.org/drop/drop.txt
http://www.spamhaus.org/drop/edrop.txt
https://zeustracker.abuse.ch/blocklist.php?download=ipblocklist
https://sslbl.abuse.ch/blacklist/sslipblacklist.csv
http://labs.snort.org/feeds/ip-filter.blf
https://www.projecthoneypot.org/list_of_ips.php?t=d
https://www.projecthoneypot.org/list_of_ips.php?t=s
https://atlas.arbor.net/summary/attacks.csv
https://atlas.arbor.net/summary/botnets.csv
https://atlas.arbor.net/summary/fastflux.csv
https://atlas.arbor.net/summary/phishing.csv
http://atlas.arbor.net/summary/scans.csv
https://reputation.alienvault.com/reputation.snort.gz
https://www.badips.com/get/list/any/2
https://www.autoshun.org/files/shunlist.csv
https://www.dragonresearchgroup.org/insight/vncprobe.txt
https://www.dragonresearchgroup.org/insight/sshpwauth.txt
https://www.dragonresearchgroup.org/insight/http-report.txt
http://www.reputationauthority.org/toptens.phpUse at your own risk. Others will have their own recommendations. I recommend that you do a bit of research before choosing lists.
FWIW, if I were to pick one and only one, Emerging Threats would be my current choice.
-
I had these bookmarked:
http://forum.pfsense.org/index.php?topic=42543.180
https://forum.pfsense.org/index.php/topic,64674.0.html
https://forum.pfsense.org/index.php?topic=73353.msg402927#msg402927
I use pfsense for personal use and I prefer minimal block lists because I don't want to invest time dealing with false positives. -
Ok, I'm about to ask a stupid question. Yes I searched first, but didn't find the answer - or was too stupid to understand it.
Where is everyone getting the IP block lists to import into pfBNG? I know of a few, but it seems like everyone uses many of the same (based on the screenshots), so thought I would just ask if there is a list somewhere.This was provided by BBcan17, stick the under /usr/local/www and run once via your browser. (All the lists are disabled by default.)
pfBlockerNG_import.php
/* pfBlockerNG_import.php pfBlockerNG Copyright (C) 2014 BBcan177@gmail.com All rights reserved. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: 1\. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. 2\. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */ require_once("config.inc"); require_once("util.inc"); require_once("functions.inc"); require_once("pkg-utils.inc"); require_once("pfsense-utils.inc"); require_once("globals.inc"); require_once("services.inc"); print "``` "; $pfblist_new = array ( array ( "none" => "", "aliasname" => "IBlock", "description" => "pfBlockerNG IBlock", "infolists" => "", "row" => array (array ("format" => "gz", "state" => "Disabled", "url" => "http://list.iblocklist.com/?list=usrcshglbiilevmyfhse&fileformat=p2p&archiveformat=gz", "header"=> "IBlock_BT_Hijack"), array ("format" => "gz", "state" => "Disabled", "url" => "http://list.iblocklist.com/?list=ficutxiwawokxlcyoeye&fileformat=p2p&archiveformat=gz", "header"=> "IBlock_BT_FS"), array ("format" => "gz", "state" => "Disabled", "url" => "http://list.iblocklist.com/?list=ghlzqtqxnzctvvajwwag&fileformat=p2p&archiveformat=gz", "header"=> "IBlock_BT_Web"), array ("format" => "gz", "state" => "Disabled", "url" => "http://list.iblocklist.com/?list=llvtlsjyoyiczbkjsxpf&fileformat=p2p&archiveformat=gz", "header"=> "IBlock_BT_Spy"), array ("format" => "gz", "state" => "Disabled", "url" => "http://list.iblocklist.com/?list=cwworuawihqvocglcoss&fileformat=p2p&archiveformat=gz", "header"=> "IBlock_Badpeer"), array ("format" => "gz", "state" => "Disabled", "url" => "http://list.iblocklist.com/?list=dgxtneitpuvgqqcpfulq&fileformat=p2p&archiveformat=gz", "header"=> "IBlock_Ads"), array ("format" => "gz", "state" => "Disabled", "url" => "http://list.iblocklist.com/?list=xoebmbyexwuiogmbyprb&fileformat=p2p&archiveformat=gz", "header"=> "IBlock_Proxy")), "action"=> "Disabled", "cron" => "04hours", "dow" => "1", "aliaslog" => "enabled", "custom"=> "", "custom_update" => "disabled"), array ( "none" => "", "aliasname" => "PRI1", "description" => "pfBlockerNG PRI1", "infolists" => "", "row" => array (array ("format" => "txt", "state" => "Disabled", "url" => "https://rules.emergingthreats.net/blockrules/compromised-ips.txt", "header"=> "ET_Comp"), array ("format" => "txt", "state" => "Disabled", "url" => "https://rules.emergingthreats.net/fwrules/emerging-Block-IPs.txt", "header"=> "ET_Block"), array ("format" => "txt", "state" => "Disabled", "url" => "http://www.spamhaus.org/drop/drop.txt", "header"=> "Spamhaus_drop"), array ("format" => "txt", "state" => "Disabled", "url" => "http://www.spamhaus.org/drop/edrop.txt", "header"=> "Spamhaus_edrop"), array ("format" => "txt", "state" => "Disabled", "url" => "http://cinsscore.com/list/ci-badguys.txt", "header"=> "CIArmy"), array ("format" => "txt", "state" => "Disabled", "url" => "https://zeustracker.abuse.ch/blocklist.php?download=ipblocklist", "header"=> "Abuse_Zeus"), array ("format" => "txt", "state" => "Disabled", "url" => "https://spyeyetracker.abuse.ch/blocklist.php?download=ipblocklist", "header"=> "Abuse_Spyeye"), array ("format" => "txt", "state" => "Disabled", "url" => "https://palevotracker.abuse.ch/blocklists.php?download=ipblocklist", "header"=> "Abuse_Palevo"), array ("format" => "html", "state" => "Disabled", "url" => "https://sslbl.abuse.ch/blacklist/sslipblacklist_aggressive.csv", "header"=> "Abuse_SSLBL"), array ("format" => "block", "state" => "Disabled", "url" => "https://feeds.dshield.org/block.txt", "header"=> "dShield_Block"), array ("format" => "txt", "state" => "Disabled", "url" => "https://labs.snort.org/feeds/ip-filter.blf", "header"=> "Snort_BL"), array ("format" => "html", "state" => "Disabled", "url" => "http://osint.bambenekconsulting.com/feeds/goz-iplist.txt", "header"=> "BBC_Goz")), "action"=> "Disabled", "cron" => "01hour", "dow" => "1", "aliaslog" => "enabled", "custom"=> "", "custom_update" => "disabled"), array ( "none" => "", "aliasname" => "PRI2", "description" => "pfBlockerNG PRI2", "infolists" => "", "row" => array (array ("format" => "gz_2", "state" => "Disabled", "url" => "https://reputation.alienvault.com/reputation.snort.gz", "header"=> "Alienvault"), array ("format" => "html", "state" => "Disabled", "url" => "https://atlas.arbor.net/summary/attacks.csv", "header"=> "Atlas_Attacks"), array ("format" => "html", "state" => "Disabled", "url" => "https://atlas.arbor.net/summary/botnets.csv", "header"=> "Atlas_Botnets"), array ("format" => "html", "state" => "Disabled", "url" => "https://atlas.arbor.net/summary/fastflux.csv", "header"=> "Atlas_Fastflux"), array ("format" => "html", "state" => "Disabled", "url" => "https://atlas.arbor.net/summary/phishing.csv", "header"=> "Atlas_Phishing"), array ("format" => "html", "state" => "Disabled", "url" => "https://atlas.arbor.net/summary/scans.csv", "header"=> "Atlas_Scans"), array ("format" => "txt", "state" => "Disabled", "url" => "http://www.cyber-ta.org/releases/malware/SOURCES/Attacker.Cumulative.Summary", "header"=> "SRI_Attackers"), array ("format" => "txt", "state" => "Disabled", "url" => "http://www.cyber-ta.org/releases/malware/SOURCES/CandC.Cumulative.Summary", "header"=> "SRI_CC"), array ("format" => "html", "state" => "Disabled", "url" => "https://www.projecthoneypot.org/list_of_ips.php?t=d&rss=1", "header"=> "HoneyPot")), "action"=> "Disabled", "cron" => "04hours", "dow" => "1", "aliaslog" => "enabled", "custom"=> "", "custom_update" => "disabled"), array ( "none" => "", "aliasname" => "PRI3", "description" => "pfBlockerNG PRI3", "infolists" => "", "row" => array (array ("format" => "txt", "state" => "Disabled", "url" => "http://www.malwaredomainlist.com/hostslist/ip.txt", "header"=> "MDL"), array ("format" => "txt", "state" => "Disabled", "url" => "http://www.nothink.org/blacklist/blacklist_malware_http.txt", "header"=> "Nothink_BL"), array ("format" => "txt", "state" => "Disabled", "url" => "http://www.nothink.org/blacklist/blacklist_ssh_week.txt", "header"=> "Nothink_SSH"), array ("format" => "txt", "state" => "Disabled", "url" => "http://www.nothink.org/blacklist/blacklist_malware_dns.txt", "header"=> "Nothink_Malware"), array ("format" => "txt", "state" => "Disabled", "url" => "https://danger.rulez.sk/projects/bruteforceblocker/blist.php", "header"=> "DangerRulez"), array ("format" => "html", "state" => "Disabled", "url" => "https://www.autoshun.org/files/shunlist.csv", "header"=> "Shunlist"), array ("format" => "txt", "state" => "Disabled", "url" => "http://www.infiltrated.net/blacklisted", "header"=> "Infiltrated"), array ("format" => "txt", "state" => "Disabled", "url" => "https://www.dragonresearchgroup.org/insight/sshpwauth.txt", "header"=> "DRG_SSH"), array ("format" => "txt", "state" => "Disabled", "url" => "https://www.dragonresearchgroup.org/insight/vncprobe.txt", "header"=> "DRG_VNC"), array ("format" => "txt", "state" => "Disabled", "url" => "https://www.dragonresearchgroup.org/insight/http-report.txt", "header"=> "DRG_HTTP"), array ("format" => "txt", "state" => "Disabled", "url" => "https://feodotracker.abuse.ch/blocklist/?download=ipblocklist", "header"=> "Feodo_Block"), array ("format" => "txt", "state" => "Disabled", "url" => "https://feodotracker.abuse.ch/blocklist/?download=badips", "header"=> "Feodo_Bad"), array ("format" => "txt", "state" => "Disabled", "url" => "http://www.reputationauthority.org/toptens.php", "header"=> "WatchGuard"), array ("format" => "txt", "state" => "Disabled", "url" => "https://vmx.yourcmc.ru/BAD_HOSTS.IP4", "header"=> "VMX"), array ("format" => "html", "state" => "Disabled", "url" => "http://www.geopsy.org/blacklist.html", "header"=> "Geopsy"), array ("format" => "html", "state" => "Disabled", "url" => "https://www.maxmind.com/en/anonymous_proxies", "header"=> "Maxmind"), array ("format" => "html", "state" => "Disabled", "url" => "http://www.botscout.com/last_caught_cache.htm", "header"=> "BotScout"), array ("format" => "html", "state" => "Disabled", "url" => "https://www.juniper.net/security/auto/spam", "header"=> "Juniper"), array ("format" => "txt", "state" => "Disabled", "url" => "http://blocklist.greensnow.co/greensnow.txt", "header"=> "Greensnow"), array ("format" => "txt", "state" => "Disabled", "url" => "https://lists.blocklist.de/lists/all.txt", "header"=> "BlocklistDE"), array ("format" => "txt", "state" => "Disabled", "url" => "http://www.stopforumspam.com/downloads/toxic_ip_cidr.txt", "header"=> "SFS_Toxic")), "action"=> "Disabled", "cron" => "04hours", "dow" => "1", "aliaslog" => "enabled", "custom"=> "", "custom_update" => "disabled"), array ( "none" => "", "aliasname" => "SEC1", "description" => "pfBlockerNG SEC1", "infolists" => "", "row" => array (array ("format" => "html", "state" => "Disabled", "url" => "http://www.malwaregroup.com/ipaddresses/malicious", "header"=> "MalwareGroup"), array ("format" => "gz_2", "state" => "Disabled", "url" => "https://www.openbl.org/lists/base_90days.txt.gz", "header"=> "OpenBL"), array ("format" => "txt", "state" => "Disabled", "url" => "https://malc0de.com/bl/IP_Blacklist.txt", "header"=> "Malcode"), array ("format" => "txt", "state" => "Disabled", "url" => "https://www.badips.com/get/list/any/2", "header"=> "BadIPs")), "action"=> "Disabled", "cron" => "04hours", "dow" => "1", "aliaslog" => "enabled", "custom"=> "", "custom_update" => "disabled"), array ( "none" => "", "aliasname" => "TOR", "description" => "pfBlockerNG TOR", "infolists" => "", "row" => array (array ("format" => "gz", "state" => "Disabled", "url" => "http://list.iblocklist.com/?list=togdoptykrlolpddwbvz&fileformat=p2p&archiveformat=gz", "header"=> "IBlock_Tor"), array ("format" => "txt", "state" => "Disabled", "url" => "https://torstatus.blutmagie.de/ip_list_exit.php/Tor_ip_list_EXIT.csv", "header"=> "Blut_Tor"), array ("format" => "html", "state" => "Disabled", "url" => "https://rules.emergingthreats.net/open/suricata/rules/tor.rules", "header"=> "ET_Tor")), "action"=> "Disabled", "cron" => "04hours", "dow" => "1", "aliaslog" => "enabled", "custom"=> "", "custom_update" => "disabled"), array ( "none" => "", "aliasname" => "MAIL", "description" => "pfBlockerNG MAIL", "infolists" => "", "row" => array (array ("format" => "txt", "state" => "Disabled", "url" => "https://virbl.bit.nl/download/virbl.dnsbl.bit.nl.txt", "header"=> "VirBL"), array ("format" => "zip", "state" => "Disabled", "url" => "http://www.stopforumspam.com/downloads/bannedips.zip", "header"=> "SFS_All"), array ("format" => "txt", "state" => "Disabled", "url" => "http://antispam.imp.ch/spamlist", "header"=> "Improware"), array ("format" => "html", "state" => "Disabled", "url" => "http://toastedspam.com/denylist.cgi", "header"=> "ToastedSpam"), array ("format" => "html", "state" => "Disabled", "url" => "http://rss.uribl.com/reports/7d/dns_a.html", "header"=> "URIBL"), array ("format" => "txt", "state" => "Disabled", "url" => "http://spamcop.net/w3m?action=map;net=cmaxcnt;mask=65535;sort=spamcnt;format=text", "header"=> "SpamCop"), array ("format" => "gz_2", "state" => "Disabled", "url" => "http://www.dnsbl.manitu.net/download/nixspam-ip.dump.gz", "header" => "Nix_Spam")), "action"=> "Disabled", "cron" => "08hours", "dow" => "1", "aliaslog" => "enabled", "custom"=> "", "custom_update" => "disabled") ); print "Checking for Existing pfBlockerNG Alias/Lists\n"; // Check for Existing pfBlockerNG Allias/Lists if (is_array($config['installedpackages']['pfblockernglistsv4']['config'])) { print "Found existing Alias/Lists. Merging Existing Alias/Lists with Imported Version\n\n"; $pfblist = $config['installedpackages']['pfblockernglistsv4']['config']; $pfbfinal = array_merge($pfblist, $pfblist_new); $config['installedpackages']['pfblockernglistsv4']['config'] = $pfbfinal; } else { print "No existing Alias/Lists found. Importing new Version.\n\n"; $config['installedpackages']['pfblockernglistsv4']['config'] = $pfblist_new; } print "pfBlockerNG Alias List Import Completed."; write_config(); ?>
Note: Make a configuration backup beforehand. If it makes your box explode, I don't care, you have been warned in advance. For forced import overwriting your current lists, comment out the code on lines 375-383.
-
doktornotor and BBcan17 thanks for the php code!
As a follow on, here is one way to implement the php update (I'm sure there are other ways :) ):
1. Select Diagnostics>Edit File
2. Enter```
/usr/local/www/pfBlockerNG_import.php3\. Click **Load** 4\. Paste the php code that doktornotor posted, into the editing field:``` /* pfBlockerNG_import.php pfBlockerNG Copyright (C) 2014 BBcan177@gmail.com All rights reserved. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: 1\. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. 2\. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */ require_once("config.inc"); require_once("util.inc"); require_once("functions.inc"); require_once("pkg-utils.inc"); require_once("pfsense-utils.inc"); require_once("globals.inc"); require_once("services.inc"); print ""; $pfblist_new = array ( array ( "none" => "", "aliasname" => "IBlock", "description" => "pfBlockerNG IBlock", "infolists" => "", "row" => array (array ("format" => "gz", "state" => "Disabled", "url" => "http://list.iblocklist.com/?list=usrcshglbiilevmyfhse&fileformat=p2p&archiveformat=gz", "header"=> "IBlock_BT_Hijack"), array ("format" => "gz", "state" => "Disabled", "url" => "http://list.iblocklist.com/?list=ficutxiwawokxlcyoeye&fileformat=p2p&archiveformat=gz", "header"=> "IBlock_BT_FS"), array ("format" => "gz", "state" => "Disabled", "url" => "http://list.iblocklist.com/?list=ghlzqtqxnzctvvajwwag&fileformat=p2p&archiveformat=gz", "header"=> "IBlock_BT_Web"), array ("format" => "gz", "state" => "Disabled", "url" => "http://list.iblocklist.com/?list=llvtlsjyoyiczbkjsxpf&fileformat=p2p&archiveformat=gz", "header"=> "IBlock_BT_Spy"), array ("format" => "gz", "state" => "Disabled", "url" => "http://list.iblocklist.com/?list=cwworuawihqvocglcoss&fileformat=p2p&archiveformat=gz", "header"=> "IBlock_Badpeer"), array ("format" => "gz", "state" => "Disabled", "url" => "http://list.iblocklist.com/?list=dgxtneitpuvgqqcpfulq&fileformat=p2p&archiveformat=gz", "header"=> "IBlock_Ads"), array ("format" => "gz", "state" => "Disabled", "url" => "http://list.iblocklist.com/?list=xoebmbyexwuiogmbyprb&fileformat=p2p&archiveformat=gz", "header"=> "IBlock_Proxy")), "action"=> "Disabled", "cron" => "04hours", "dow" => "1", "aliaslog" => "enabled", "custom"=> "", "custom_update" => "disabled"), array ( "none" => "", "aliasname" => "PRI1", "description" => "pfBlockerNG PRI1", "infolists" => "", "row" => array (array ("format" => "txt", "state" => "Disabled", "url" => "https://rules.emergingthreats.net/blockrules/compromised-ips.txt", "header"=> "ET_Comp"), array ("format" => "txt", "state" => "Disabled", "url" => "https://rules.emergingthreats.net/fwrules/emerging-Block-IPs.txt", "header"=> "ET_Block"), array ("format" => "txt", "state" => "Disabled", "url" => "http://www.spamhaus.org/drop/drop.txt", "header"=> "Spamhaus_drop"), array ("format" => "txt", "state" => "Disabled", "url" => "http://www.spamhaus.org/drop/edrop.txt", "header"=> "Spamhaus_edrop"), array ("format" => "txt", "state" => "Disabled", "url" => "http://cinsscore.com/list/ci-badguys.txt", "header"=> "CIArmy"), array ("format" => "txt", "state" => "Disabled", "url" => "https://zeustracker.abuse.ch/blocklist.php?download=ipblocklist", "header"=> "Abuse_Zeus"), array ("format" => "txt", "state" => "Disabled", "url" => "https://spyeyetracker.abuse.ch/blocklist.php?download=ipblocklist", "header"=> "Abuse_Spyeye"), array ("format" => "txt", "state" => "Disabled", "url" => "https://palevotracker.abuse.ch/blocklists.php?download=ipblocklist", "header"=> "Abuse_Palevo"), array ("format" => "html", "state" => "Disabled", "url" => "https://sslbl.abuse.ch/blacklist/sslipblacklist_aggressive.csv", "header"=> "Abuse_SSLBL"), array ("format" => "block", "state" => "Disabled", "url" => "https://feeds.dshield.org/block.txt", "header"=> "dShield_Block"), array ("format" => "txt", "state" => "Disabled", "url" => "https://labs.snort.org/feeds/ip-filter.blf", "header"=> "Snort_BL"), array ("format" => "html", "state" => "Disabled", "url" => "http://osint.bambenekconsulting.com/feeds/goz-iplist.txt", "header"=> "BBC_Goz")), "action"=> "Disabled", "cron" => "01hour", "dow" => "1", "aliaslog" => "enabled", "custom"=> "", "custom_update" => "disabled"), array ( "none" => "", "aliasname" => "PRI2", "description" => "pfBlockerNG PRI2", "infolists" => "", "row" => array (array ("format" => "gz_2", "state" => "Disabled", "url" => "https://reputation.alienvault.com/reputation.snort.gz", "header"=> "Alienvault"), array ("format" => "html", "state" => "Disabled", "url" => "https://atlas.arbor.net/summary/attacks.csv", "header"=> "Atlas_Attacks"), array ("format" => "html", "state" => "Disabled", "url" => "https://atlas.arbor.net/summary/botnets.csv", "header"=> "Atlas_Botnets"), array ("format" => "html", "state" => "Disabled", "url" => "https://atlas.arbor.net/summary/fastflux.csv", "header"=> "Atlas_Fastflux"), array ("format" => "html", "state" => "Disabled", "url" => "https://atlas.arbor.net/summary/phishing.csv", "header"=> "Atlas_Phishing"), array ("format" => "html", "state" => "Disabled", "url" => "https://atlas.arbor.net/summary/scans.csv", "header"=> "Atlas_Scans"), array ("format" => "txt", "state" => "Disabled", "url" => "http://www.cyber-ta.org/releases/malware/SOURCES/Attacker.Cumulative.Summary", "header"=> "SRI_Attackers"), array ("format" => "txt", "state" => "Disabled", "url" => "http://www.cyber-ta.org/releases/malware/SOURCES/CandC.Cumulative.Summary", "header"=> "SRI_CC"), array ("format" => "html", "state" => "Disabled", "url" => "https://www.projecthoneypot.org/list_of_ips.php?t=d&rss=1", "header"=> "HoneyPot")), "action"=> "Disabled", "cron" => "04hours", "dow" => "1", "aliaslog" => "enabled", "custom"=> "", "custom_update" => "disabled"), array ( "none" => "", "aliasname" => "PRI3", "description" => "pfBlockerNG PRI3", "infolists" => "", "row" => array (array ("format" => "txt", "state" => "Disabled", "url" => "http://www.malwaredomainlist.com/hostslist/ip.txt", "header"=> "MDL"), array ("format" => "txt", "state" => "Disabled", "url" => "http://www.nothink.org/blacklist/blacklist_malware_http.txt", "header"=> "Nothink_BL"), array ("format" => "txt", "state" => "Disabled", "url" => "http://www.nothink.org/blacklist/blacklist_ssh_week.txt", "header"=> "Nothink_SSH"), array ("format" => "txt", "state" => "Disabled", "url" => "http://www.nothink.org/blacklist/blacklist_malware_dns.txt", "header"=> "Nothink_Malware"), array ("format" => "txt", "state" => "Disabled", "url" => "https://danger.rulez.sk/projects/bruteforceblocker/blist.php", "header"=> "DangerRulez"), array ("format" => "html", "state" => "Disabled", "url" => "https://www.autoshun.org/files/shunlist.csv", "header"=> "Shunlist"), array ("format" => "txt", "state" => "Disabled", "url" => "http://www.infiltrated.net/blacklisted", "header"=> "Infiltrated"), array ("format" => "txt", "state" => "Disabled", "url" => "https://www.dragonresearchgroup.org/insight/sshpwauth.txt", "header"=> "DRG_SSH"), array ("format" => "txt", "state" => "Disabled", "url" => "https://www.dragonresearchgroup.org/insight/vncprobe.txt", "header"=> "DRG_VNC"), array ("format" => "txt", "state" => "Disabled", "url" => "https://www.dragonresearchgroup.org/insight/http-report.txt", "header"=> "DRG_HTTP"), array ("format" => "txt", "state" => "Disabled", "url" => "https://feodotracker.abuse.ch/blocklist/?download=ipblocklist", "header"=> "Feodo_Block"), array ("format" => "txt", "state" => "Disabled", "url" => "https://feodotracker.abuse.ch/blocklist/?download=badips", "header"=> "Feodo_Bad"), array ("format" => "txt", "state" => "Disabled", "url" => "http://www.reputationauthority.org/toptens.php", "header"=> "WatchGuard"), array ("format" => "txt", "state" => "Disabled", "url" => "https://vmx.yourcmc.ru/BAD_HOSTS.IP4", "header"=> "VMX"), array ("format" => "html", "state" => "Disabled", "url" => "http://www.geopsy.org/blacklist.html", "header"=> "Geopsy"), array ("format" => "html", "state" => "Disabled", "url" => "https://www.maxmind.com/en/anonymous_proxies", "header"=> "Maxmind"), array ("format" => "html", "state" => "Disabled", "url" => "http://www.botscout.com/last_caught_cache.htm", "header"=> "BotScout"), array ("format" => "html", "state" => "Disabled", "url" => "https://www.juniper.net/security/auto/spam", "header"=> "Juniper"), array ("format" => "txt", "state" => "Disabled", "url" => "http://blocklist.greensnow.co/greensnow.txt", "header"=> "Greensnow"), array ("format" => "txt", "state" => "Disabled", "url" => "https://lists.blocklist.de/lists/all.txt", "header"=> "BlocklistDE"), array ("format" => "txt", "state" => "Disabled", "url" => "http://www.stopforumspam.com/downloads/toxic_ip_cidr.txt", "header"=> "SFS_Toxic")), "action"=> "Disabled", "cron" => "04hours", "dow" => "1", "aliaslog" => "enabled", "custom"=> "", "custom_update" => "disabled"), array ( "none" => "", "aliasname" => "SEC1", "description" => "pfBlockerNG SEC1", "infolists" => "", "row" => array (array ("format" => "html", "state" => "Disabled", "url" => "http://www.malwaregroup.com/ipaddresses/malicious", "header"=> "MalwareGroup"), array ("format" => "gz_2", "state" => "Disabled", "url" => "https://www.openbl.org/lists/base_90days.txt.gz", "header"=> "OpenBL"), array ("format" => "txt", "state" => "Disabled", "url" => "https://malc0de.com/bl/IP_Blacklist.txt", "header"=> "Malcode"), array ("format" => "txt", "state" => "Disabled", "url" => "https://www.badips.com/get/list/any/2", "header"=> "BadIPs")), "action"=> "Disabled", "cron" => "04hours", "dow" => "1", "aliaslog" => "enabled", "custom"=> "", "custom_update" => "disabled"), array ( "none" => "", "aliasname" => "TOR", "description" => "pfBlockerNG TOR", "infolists" => "", "row" => array (array ("format" => "gz", "state" => "Disabled", "url" => "http://list.iblocklist.com/?list=togdoptykrlolpddwbvz&fileformat=p2p&archiveformat=gz", "header"=> "IBlock_Tor"), array ("format" => "txt", "state" => "Disabled", "url" => "https://torstatus.blutmagie.de/ip_list_exit.php/Tor_ip_list_EXIT.csv", "header"=> "Blut_Tor"), array ("format" => "html", "state" => "Disabled", "url" => "https://rules.emergingthreats.net/open/suricata/rules/tor.rules", "header"=> "ET_Tor")), "action"=> "Disabled", "cron" => "04hours", "dow" => "1", "aliaslog" => "enabled", "custom"=> "", "custom_update" => "disabled"), array ( "none" => "", "aliasname" => "MAIL", "description" => "pfBlockerNG MAIL", "infolists" => "", "row" => array (array ("format" => "txt", "state" => "Disabled", "url" => "https://virbl.bit.nl/download/virbl.dnsbl.bit.nl.txt", "header"=> "VirBL"), array ("format" => "zip", "state" => "Disabled", "url" => "http://www.stopforumspam.com/downloads/bannedips.zip", "header"=> "SFS_All"), array ("format" => "txt", "state" => "Disabled", "url" => "http://antispam.imp.ch/spamlist", "header"=> "Improware"), array ("format" => "html", "state" => "Disabled", "url" => "http://toastedspam.com/denylist.cgi", "header"=> "ToastedSpam"), array ("format" => "html", "state" => "Disabled", "url" => "http://rss.uribl.com/reports/7d/dns_a.html", "header"=> "URIBL"), array ("format" => "txt", "state" => "Disabled", "url" => "http://spamcop.net/w3m?action=map;net=cmaxcnt;mask=65535;sort=spamcnt;format=text", "header"=> "SpamCop"), array ("format" => "gz_2", "state" => "Disabled", "url" => "http://www.dnsbl.manitu.net/download/nixspam-ip.dump.gz", "header" => "Nix_Spam")), "action"=> "Disabled", "cron" => "08hours", "dow" => "1", "aliaslog" => "enabled", "custom"=> "", "custom_update" => "disabled") ); print "Checking for Existing pfBlockerNG Alias/Lists\n"; // Check for Existing pfBlockerNG Allias/Lists if (is_array($config['installedpackages']['pfblockernglistsv4']['config'])) { print "Found existing Alias/Lists. Merging Existing Alias/Lists with Imported Version\n\n"; $pfblist = $config['installedpackages']['pfblockernglistsv4']['config']; $pfbfinal = array_merge($pfblist, $pfblist_new); $config['installedpackages']['pfblockernglistsv4']['config'] = $pfbfinal; } else { print "No existing Alias/Lists found. Importing new Version.\n\n"; $config['installedpackages']['pfblockernglistsv4']['config'] = $pfblist_new; } print "pfBlockerNG Alias List Import Completed."; write_config(); ?>;
5. Click Save
6. ssh into the pfSense console
7. Type 8 to get to the shell
8. Paste```
php -f /usr/local/www/pfBlockerNG_import.php9\. Press **Return** 10\. Once the update is complete, the shell will return **pfBlockerNG Alias List Import Completed.[2.2.1-RELEASE]** 11\. Exit pfSense console 12\. Select **Firewall>pfBlockerNG>IPv4** to see the changes
-
Horribly beautiful package, BB: chapeau :-* :-* :-* :-* :-* :-* :-* :-* :-*
I think I have a problem. The default aliasses are installed, active, and they created the floating firewall rules. All perfect and well.
Next I wanted to deal with false positives.
-
I enabled supression in general settings, and then added an IP to the suppress with the + in the alerts tab. It neatly asked for a description and the CIDR, all very beautifully thought out. Next, indeed, the IP was gone at the alerts tab. But: I don't see the suppress alias in the IPv4/alias tab. I also don't see it in diagnostics/tables. I also don't see a floating rule created for the suppress alias (if I want to add a floating rule myself, I do see the pfBlockerNGSuppress-alias). I did find the IP I supressed in the /var/db/suppress txt file.
-
Next I created a PASS alias (within pfBlockerNG). There the same story: although now of course this one does show up in the IPv4/alias tab (as I created it myself), no floating rule has been created for it, and if I try to create the rule myself I can't select that PASS-alias: it isn't there (as opposed, thus, to the pfBlockerNGSuppress which does show up).
I did a force cron of course, and a force update, but that didn't help.
I am sure I am doing something wrong, but I have no clue what ( :-[ ?)
Would anybody know how to fix this?
Thank you ;D
(And again, BB: :-* :-* :-* :-* :-* ).
[b]EDIT: for point 2, it appears the PASS alias is only created (in tables), and the firewall rule is only created, if the alias contains at least one IP. So an empty alias (which mine initially was) does not create the alias table or the floating rules.
-
-
The suppress alias is visible in normal pfS aliases list (pfBlockerNGSuppress). Also, works only for /24 and /32.
Any of the Alias list actions are for manually created rules only. No auto rules will be created for these. -
The suppress alias is visible in normal pfS aliases list (pfBlockerNGSuppress). Also, works only for /24 and /32.
Any of the Alias list actions are for manually created rules only. No auto rules will be created for these.Thanks for clarifying this, Dok ;D
Why doesn't it create the rules automatically? On the todo-list?
-
No, definitely not on todo list, it's a feature. If you want auto rules to pass traffic, use the list action Permit {Inbound,Outbound,Both}.
-
I have searched the forums for a couple of hours, forced update, forced cron, reload reload, and even rebooted - still have this error. Does anyone know how I might be able to resolve this?
Thanks
Sanity Check (Not Including IPv6) ** These two Counts should Match! **
–----------
Masterfile Count [ 100076 ]
Deny folder Count [ 100061 ] -
Hi SkyHawk,
Try to Disable "Keep Setting" and Disable "pfBlockerNG", then hit "Save"… This will do a full clear of all the files. Re-apply "Keep" and Re-Enable pfBNG, followed by a "Force Update" and see if that clears the discrepancy...
-
Hi Mr. Jingles,
When you click on the "+" Icon to suppress an IP, it will clear that IP from the pfSense Alias Table that originally contained the IP. It then adds that IP to a pfSense Alias called "pfBlockerNGSuppress". When the lists are downloaded, any IP in this Alias will be suppressed. So it does not generate a Firewall Rule.
You can only suppress a /32 or a /24 Block… So if in the Alerts tab, you see the Alert was blocked by a /19 for example, you will need to put the IP that you want to allow into a "Permit Outbound" Alias (Custom Box entry). The order of the Rules is important, so that you will require this Permit Outbound Rule to be above the Block rules. You can change the order of the Rules in the "Rules Order" Setting in the "General Tab"
-
Hi SkyHawk,
Try to Disable "Keep Setting" and Disable "pfBlockerNG", then hit "Save"… This will do a full clear of all the files. Re-apply "Keep" and Re-Enable pfBNG, followed by a "Force Update" and see if that clears the discrepancy...
Thank you BBcan177 this needs to be on a sticky or something. I did as you suggested; then after Re-apply "Keep" and Re-Enable pfBNG I hit "Save" followed by a "Force Update" and poof - the error was resolved.
-
Thank you, BBCan177!
I try install pfBlockerNG in my firewall and config block some range IP.
I force update but it's not update anything and cannot download some range list.
It just show result:
" No Updates required.
CRON PROCESS ENDED
UPDATE PROCESS ENDED"
and
"===[ Aliastables / Rules ]================================No Changes to Firewall Rules, Skipping Filter Reload
No Changes to Aliases, Skipping pfctl Update "
So, Could you tell some way to pfBlockerNG can update, please!
Thanks.