PfBlockerNG
-
Yes. Because when the updated firewall rules are broken, they fail to load. Flush your pfBNG configuration by unchecking the Keep configuration box, reinstall the package and start from scratch, enabling only ONE list at a time, until you figure this out.
-
Thanks for your help,
By enabling the lists in my alias one by one, I figured out which list was giving problems.
I switched back to my previous config, pfSense 2.2 + pfBlocker with the same lists, and everything was fine.
Any idea why that same list which was working fine with (pfSense 2.2 + pfBlocker) does not work anymore with (pfSense 2.2**.2** + pfBlockerNG) ?
That list is from i-blocklist with about 167 000 items.
When that list is loaded I can see the following in the "Live Log Viewer " :
Updating: pfB_AliasBlockList
(...)
no IP address found for /32
pfctl: cannot load /var/db/aliastables/pfB_AliasBlockList.txt: No error: 0
(...)
====================[ Empty Lists w/1.1.1.1 ]==================
malicious /32
malicious /32
malicious /32
malicious /32
malicious /32
malicious /32
malicious /32
malicious /32
malicious /32
malicious /32
malicious /32
(...)
-
Hi Hakim, my first guess is that IBlock has a variant of "0.0.0.0" in this list. I really do not understand why IBlock inserts this IP, every so often.
Are you using the latest version of pfBlockerNG? (v1.06)
Can you post the url of this list?
-
@Mr.:
Hi Mr. Jingles,
Take a look at the pfblockerng.log and/or the error.log … Both of these log files are accessible in the Log Browser Tab. It should give you clues as to why it's failed.
Thanks BB ;D
I got that previous quote from error.log, wasn't awake enough to realize there was also info contained in another log:
[ Juniper ] Downloading New File
looking up www.juniper.net
connecting to www.juniper.net:443
SSL options: 81004bff
Peer verification enabled
Using CA cert file: /usr/local/etc/ssl/cert.pem
Certificate verification failed for /C=IE/O=Baltimore/OU=CyberTrust/CN=Baltimore CyberTrust Root
34381026664:error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed:/usr/pfSensesrc/src/secure/lib/libssl/../../../crypto/openssl/ssl/s3_clnt.c:1162:
fetch: https://www.juniper.net/security/auto/spam: Authentication error
[ pfB_PRI3 Juniper ] Download FAIL [ 04/18/15 7:00:29 ]
Looks like they have an issue with their certificate. Try to change the URL from 'https' to 'http'.
If you load that https URL in the browser do you get the same Cert error?
-
Thanks BB :-*
No, in Firefox, everything is fine and the certificate appears ok.
I'll see what http instead of https does and report back :P
-
Thanks for your answer
Are you using the latest version of pfBlockerNG? (v1.06)
Yes I am on this version
Can you post the url of this list?
http://list.iblocklist.com/?n=malicious&list=ffxgwdvcgelinvypvhuz&fileformat=p2p&archiveformat=gz
There are username and pin parts at the end of the URL that I removed
The file is 2 Mb; I can send it to you by email if that helps.
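Added example (not from the thread and not pfBlockerNG's own code): one way to pre-check an iblocklist p2p-format feed (`label:start-end` per line, as in the list excerpt quoted later in this thread) before it is loaded into a pf table, rejecting entries with a missing or 0.0.0.0 address like the empty `/32` lines in the log above. The function names and the sample feed are constructed for illustration.

```python
import ipaddress


def parse_p2p_line(line):
    """Parse one 'label:start-end' line into a list of IPv4 networks.

    Returns None for blank lines and comments; raises ValueError on bad entries.
    """
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    # Labels can contain ':' themselves, so split on the last one.
    _label, sep, span = line.rpartition(":")
    if not sep:
        raise ValueError("missing 'label:range' separator")
    start_s, dash, end_s = span.partition("-")
    if not dash:
        raise ValueError("missing 'start-end' range")
    # IPv4Address raises a ValueError subclass on empty or malformed input.
    start = ipaddress.IPv4Address(start_s.strip())
    end = ipaddress.IPv4Address(end_s.strip())
    if start.is_unspecified:
        raise ValueError("range starts at 0.0.0.0")
    if start > end:
        raise ValueError("range end is below range start")
    return list(ipaddress.summarize_address_range(start, end))


def sanitize_feed(text):
    """Return (table, rejected): clean CIDR strings and the lines that were dropped."""
    networks, rejected = [], []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        try:
            parsed = parse_p2p_line(raw)
        except ValueError as exc:
            rejected.append((lineno, raw.strip(), str(exc)))
            continue
        if parsed:
            networks.extend(parsed)
    # Merge adjacent/overlapping ranges so the table holds no duplicates.
    table = [str(n) for n in ipaddress.collapse_addresses(networks)]
    return table, rejected


# Constructed sample in p2p layout; lines 5 and 6 are deliberately malformed.
SAMPLE_FEED = """\
# constructed sample feed
Vitalij Martinov fastreadnew.com:1.36.202.60-1.36.202.60
JKS Media, LLC:4.53.2.12-4.53.2.15
Quantcast:4.71.209.0-4.71.209.63
malicious:
placeholder:0.0.0.0-0.0.0.0
Doubleclick:4.79.208.56-4.79.208.59
"""

if __name__ == "__main__":
    table, rejected = sanitize_feed(SAMPLE_FEED)
    print("\n".join(table))
    for lineno, raw, why in rejected:
        print(f"rejected line {lineno}: {raw!r} ({why})")
```

Rejected lines are reported with their line number so a bad feed entry can be identified without enabling lists one at a time.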
-
I try to use the free lists from:
https://www.iblocklist.com/lists.php
but looks like nothing can be downloaded from there in pfBlockerNG, any idea ?
[ IBads ] Downloading New File
[ pfB_IBlist IBads ] Download FAIL
…I use:
2.2.2-RELEASE (amd64) built on Mon Apr 13 20:10:22 CDT 2015
pfBlockerNG 1.06
for example first link, can be saved ok in browser:
[ IBads ]
http://list.iblocklist.com/?list=dgxtneitpuvgqqcpfulq&fileformat=p2p&archiveformat=gz
inside gz-txt:
# List distributed by iblocklist.com
Vitalij Martinov fastreadnew.com:1.36.202.60-1.36.202.60
ads.herald-sun.com ads:4.18.162.102-4.18.162.102
BURSTNETWORK ads:4.36.44.3-4.36.44.3
spammer ATBP:4.38.98.140-4.38.98.140
JKS Media, LLC:4.53.2.12-4.53.2.15
yahoo scammer:4.65.105.109-4.65.105.109
Quantcast:4.71.209.0-4.71.209.63
Doubleclick:4.79.208.56-4.79.208.59
comScore, Inc:4.79.208.224-4.79.208.255
...
log:
-
Hi n3by,
I would suggest that you uncheck "Keep Settings" and Disable pfBNG, and click "Save"… This will clear out all of the previously downloaded files... then enable "Keep" and pfBNG and execute a "Force Update".
I tried to download the URL you sent to me and it downloaded ok in my test box.
-
Hi,
Thank you for the answer.
I did as suggested ….
EDIT:
It was my fault, sorry:
I succeeded in solving it;
It was the proxy guard from real pfSense router 2.1.5 that filtered direct IP access, I am testing 2.2.2 in VirtualBox.
Best Regards.
-
Thanks n3by for reporting back… I also see some other lists have failed... Disable "Abuse Palevo" as that list has been discontinued. Also some of the lists are being blocked by Snort from what I can tell from the log you sent.
-
Yes. Because when the updated firewall rules are broken, they fail to load. Flush your pfBNG configuration by unchecking the Keep configuration box, reinstall the package and start from scratch, enabling only ONE list at a time, until you figure this out.
Just for clarity, when you disable "Keep" and Disable pfBNG and click "Save" it will only clear the previously downloaded files and leave all of the Configuration Settings intact.
It's not necessary to re-install. If you re-install with "keep" unchecked, it will wipe all of the configuration settings and set the package back to a "Fresh" install state.
-
Hi,
Is this list usable for you (I set it as txt but it is still not downloading; I hope I disabled all restrictions this time :-[ )?
http://osint.bambenekconsulting.com/feeds/c2-ipmasterlist.txt
from:
http://osint.bambenekconsulting.com/feeds/
-
Changing to http worked, BB; Juniper updated :-*
Weird that Firefox does not complain about it, but pfBlockerNG does(?)
-
The difference is that the browser handles the Certs a little differently than the "fetch" shell FreeBSD command. Here is a link… Maybe one of the pfSense Devs will chime in on this issue?
http://smyck.net/2014/01/22/freebsd-authentication-error/
-
Some weird stuff ???
Problem 1:
- The pfb_PASS rule is an automatic rule in floating;
- I added to that pfb_NGSuppress right below it (still don't understand why this has to be done manually, btw).
- After a Cron update, that second rule is gone, and there is a second pfb_Pass rule. Observed this for a couple of days.
Problem 2:
- I try to whitelist an IP/block in pfb_PASS (top of the rules list in floating)
- I tell it to log hits (so I can see it works) but it doesn't log anything in System/Firewall logs, AND:
- The IP/block is still blocked, but now by pfb_PRI2, although deduplication is active.
Question 1:
- How do I whitelist sitenames? Archive.org is kept blocked. I can't add it to pfb_PASS since this is IP only, and NGSuppress is too. Do I need a different pass alias in floating for this?
Thanks BB :-*
-
Thanks BB. That link says it'll be fixed by updating OpenSSL. Such a thing is 'core maintenance', not a bug that needs to be fixed, no(?)
-
@Mr.:
Some weird stuff ???
Hey Mr. J.
You are mixing some things up here :)
The pfBlockerNGSuppress alias does not need to be referenced to any Firewall Rules.
Suppression -
Suppression process occurs when Lists are downloaded from the Threat Sources.
When a List is downloaded, if the list contains 1.2.3.4/32 and the Suppress Alias has 1.2.3.4/32, then this IP is suppressed from the Blocklist.
If a list has 1.2.3.4/32 and the Suppress Alias has 1.2.3.0/24, then this IP is suppressed from the Blocklist.
If a list has 1.2.3.4/24 and the Suppress Alias has 1.2.3.4/32, then the Single 1.2.3.4/32 is suppressed, and all of the other IPs in this Range are added to the Blocklist.
When you click on the "+" icon in the Alerts tab, it will add the IP to the Suppress Alias, and also removes the IP from the Aliastable. However, the Suppressed IP is still in the Blocklist, and will be removed from the List at the Next Cron Update for the particular List. This will prevent these Suppressed IPs from being blocked.
Whitelisting -
When you whitelist, you are creating a new pfBNG alias and typically set it for "Permit Outbound". You can enter the Whitelisted IPs in the custom Box in the alias.
The best method is to suppress the IP above. But if you have a Block occurring from a CIDR under a /24, you can't suppress that (ie /20 etc…) To overcome that, you need to allow the IP "Permit Outbound" which will create a state in the pfSense State table that allows the return of that IP without being Blocked by the pfBNG Block/Reject rules. In the Alerts Tab, you can see the List that Blocked the IP, if no IP is shown below the List, then the Block occurred by a /32 Blocklist entry. If it's blocked by a CIDR, it will show the IP and CIDR below the List. You then can decide if it's a /24 to use Suppression, or use the Whitelist for other CIDR ranges.
Other questions -
The Permit Rules need to be above the Block/Reject rules. Ensure that in the Alias, you set "Logging" or enable Global logging in the General Tab which will enable Logging for all Aliases globally.
When you add a manual Rule, it can't have "pfB_" in the description, these will be removed by the Cron task each hour. To create "Alias" type rules, you need to enter the Description starting with "pfb_" (Lowercase)… This is explained in detail in the Alias "List Action" Section.
You cannot Use Domain names with pfBlockerNG currently. You will need to convert the domain into an IP and add that to a Custom list. In v2.0 I will also have Domain Name Blocking (DNSBL).
You can use a service like Hurricane Electric to collect IPs for Domain names that are changing more frequently and collect the list with the "html" format.
http://bgp.he.net/search?search%5Bsearch%5D=twitter&commit=Search
http://bgp.he.net/search?search%5Bsearch%5D=facebook&commit=Search
http://bgp.he.net/search?search%5Bsearch%5D=spotify&commit=Search
http://bgp.he.net/search?search%5Bsearch%5D=dropbox&commit=Search
-
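Added example (not part of the original post and not pfBlockerNG's own code): the suppression rules described in the post above, modelled with Python's `ipaddress` module so the three cases and the wider-than-/24 limitation can be checked against a feed. Function names and sample addresses are constructed, and returning the remainder of a split /24 as CIDR blocks is this example's choice.

```python
import ipaddress


def apply_suppression(blocklist, suppress):
    """Return (kept, needs_whitelist) after applying the suppress alias.

    kept            -- networks that remain in the blocklist
    needs_whitelist -- (suppress_entry, blocklist_entry) pairs where the block
                       comes from a CIDR wider than /24, which suppression
                       cannot split; these need a "Permit Outbound" whitelist.
    """
    supp = [ipaddress.ip_network(s, strict=False) for s in suppress]
    kept, needs_whitelist = [], []
    for entry in blocklist:
        # strict=False accepts "1.2.3.4/24"-style entries with host bits set.
        pending = [ipaddress.ip_network(entry, strict=False)]
        for s in supp:
            remaining = []
            for net in pending:
                if net.subnet_of(s):
                    # List /32 vs suppress /32, or list entry inside suppress /24.
                    continue
                if s.subnet_of(net):
                    if net.prefixlen >= 24:
                        # List /24 vs suppress /32: drop the one IP, keep the rest.
                        remaining.extend(net.address_exclude(s))
                        continue
                    needs_whitelist.append((str(s), str(net)))
                remaining.append(net)
            pending = remaining
        kept.extend(pending)
    return sorted(kept), needs_whitelist


def is_blocked(kept, ip):
    """True if the address is still covered by a blocklist entry."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in kept)


# Constructed sample data (documentation and private ranges).
BLOCKLIST = [
    "192.0.2.10/32",     # exact match with a suppressed /32
    "198.51.100.77/32",  # inside a suppressed /24
    "203.0.113.4/24",    # /24 containing a suppressed /32
    "10.20.16.0/20",     # wider than /24: cannot be suppressed
    "172.16.5.5/32",     # unrelated entry, stays blocked
]
SUPPRESS = ["192.0.2.10/32", "198.51.100.0/24", "203.0.113.4/32", "10.20.17.9/32"]

if __name__ == "__main__":
    kept, flagged = apply_suppression(BLOCKLIST, SUPPRESS)
    for net in kept:
        print("block", net)
    for s, net in flagged:
        print(f"{s} is still blocked by {net}: whitelist it instead")
```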
Yes, that's what I was saying… The fetch command uses OpenSSL as part of pfSense. So that issue is a core pfSense issue and not from pfBlockerNG.
-
Is there a comprehensive guide that covers the main features of the current version? I want to use it mainly to block ads
-
You can use a service like Hurricane Electric to collect IPs for Domain names that are changing more frequently and collect the list with the "html" format.
http://bgp.he.net/search?search%5Bsearch%5D=twitter&commit=Search
http://bgp.he.net/search?search%5Bsearch%5D=facebook&commit=Search
http://bgp.he.net/search?search%5Bsearch%5D=spotify&commit=Search
http://bgp.he.net/search?search%5Bsearch%5D=dropbox&commit=Search
Fantastic… these hidden features/hacks that should be in a pfBNG FAQ or OP or something.