PfBlockerNG

BitechBob

Thank you for the quick reply!!  I performed the edit but then for the same process I now receive

Parse error: syntax error, unexpected '}' in /usr/local/www/pfblockerng/pfblockerng_alerts.php on line 704

It's no big deal and I can live with it until the next release.

Again THANK YOU!

BBcan177

Hi wiz561,

I have posted in this thread about blocking the world, and allowing a few Countries.. You should reverse this approach to Permit a few instead.. You can read this thread for more details on that.

pfSense is a stateful firewall by design. So if you do not have any Open ports, its already implicitly deny on the Inbound. So any rule on the Inbound is a waste of processing time etc…

If you have a few open ports, you should consider creating an "Alias Deny" Rule for just those ports on the Inbound instead of blocking all other ports that are already going to be blocked by the implicit deny rule.

For a 'Whitelist', its best to make it an "Alias Permit" and only allow a certain port and the specific IPs you want to allow inbound in the Firewall Rule.

The way you have it now, with a "Permit Both" will bypass all of the other rules and is not safe.

BBcan177

@BitechBob:

Thank you for the quick reply!!  I performed the edit but then for the same process I now receive

Parse error: syntax error, unexpected '}' in /usr/local/www/pfblockerng/pfblockerng_alerts.php on line 704

It's no big deal and I can live with it until the next release.

Again THANK YOU!

Sorry about that… try this:  You need to add the part    $dd = 1;  along with commenting the previous line above.

elseif ($list['type'] == "single" || $list['type'] == "network")
		$dd = 1;
                //$pfb_local = array_merge (subnet_expand ("{$list['subnet']}/{$list['subnet_bits']}"), $pfb_local);
}

BitechBob

@BBcan177:

@BitechBob:

Thank you for the quick reply!!  I performed the edit but then for the same process I now receive

Parse error: syntax error, unexpected '}' in /usr/local/www/pfblockerng/pfblockerng_alerts.php on line 704

It's no big deal and I can live with it until the next release.

Again THANK YOU!

Sorry about that… try this:  You need to add the part    $dd = 1;  along with commenting the previous line above.

elseif ($list['type'] == "single" || $list['type'] == "network")
		$dd = 1;
                //$pfb_local = array_merge (subnet_expand ("{$list['subnet']}/{$list['subnet_bits']}"), $pfb_local);
}

Still getting error

Parse error: syntax error, unexpected '}' in /usr/local/www/pfblockerng/pfblockerng_alerts.php on line 704

No rush I can hold off until the next release.

wiz561

@BBcan177:

The way you have it now, with a "Permit Both" will bypass all of the other rules and is not safe.

Thanks for the information.  I went back and modified what I did so I could undo it, exclude the country for now, and will have to figure out how to properly do it.  I tried to create an alias and go that route, but it wasn't working properly for me.

I'll dig through the thread and see if I can find the proper way to create whitelists.  Thanks for the response and the information about it!

Mr. Jingles

Hi Sir BB  ;D ( :-* )

Weird, this suddenly happening the last few days:

[ pfB_IBlock IBlock_BT_Web ] Download FAIL 
 [ pfB_IBlock IBlock_BT_Web ] Found: 1483 Line(s), Restoring previous List from Master 

 [ pfB_IBlock IBlock_Badpeer ] Download FAIL [ 05/09/15 0:04:32 ]
 [ pfB_IBlock IBlock_Badpeer ] Found: 48551 Line(s), Restoring previous List from Master 

 [ pfB_IBlock IBlock_Proxy ] Download FAIL 
 [ pfB_IBlock IBlock_Proxy ] Found: 5754 Line(s), Restoring previous List from Master 

Many more of them like this, but I didn't want to polute  :P

The error log says:

===[ Suppression Stats ]========================================

List                 Pre        RFC1918    Suppress   Masterfile
----------------------------------------------------------------
grepcidr: Not a valid pattern: dfiles.eu
ET_Comp              157        157        157        156198    
grepcidr: Not a valid pattern: dfiles.eu
ET_Block             213        213        213        156198    
grepcidr: Not a valid pattern: dfiles.eu
Spamhaus_drop        62         62         62         156198    
grepcidr: Not a valid pattern: dfiles.eu

Many more of those too.

I've attached the full logs.

*Rename to .zip, as this efficiency-preventing, and hence the most valuable asset we have - time - wasting, forum software doesn't allow me to upload a *.zip

Would you have any clue, Mr. YesBBCan?

Thank you  ;D

BB_pack.jpg

doktornotor

Would be much better to post the content of the failing lists or link to them. As for the Spyeye thing, Http/1.1 Service Unavailable is definitely not pfBNG issue.

BBcan177

Hi Mr. J.

Did I ever say that i really hate IBlock… I think every so often they have an issue with some of their mirrors and there is some malformed data in one of those lists. The mirrors that I use don't seem to have this issue. What would really help is getting a copy of the original downloaded files.

The files are in  /var/db/pfblockerng/original

What i would need are the IBlock .gz and .orig files for these fails lists. Also a copy of the

/var/db/pfblockerng/masterfile

If you can send those to my email which is listed in the 'General' tab, I could take a look at it. Or put it in a dropbox or similar cloud storage and pm me the link.

After you copy those files, Try to run a "Force Reload" and see if that clears it. If not, Disable pfBlockerNG and Disable "Keep Settings" and run a "Force Update".... If it still doesn't clear it, disable the 'State' of those IBlock Lists and try the above process again without those Lists.

BBcan177

@doktornotor:

Would be much better to post the content of the failing lists or link to them. As for the Spyeye thing, Http/1.1 Service Unavailable is definitely not pfBNG issue.

Yes Abuse Spyeye seems to be down… Should disable the 'State' for now....

There also seems to be an issue with a few SSL sites (Juniper and dShield). When using https, the fetch command is getting some ssl errors which seem to be related to OpenSSL in pfSense.

pfcode

HI, Guys

I'm noob to pfSense and pfBlokerNG, I have set up all the country block rules (e.g pfb_Europe_v4) in the floating rules tab,  the rule order is pfSense Pass/match+pfbPass/Match+pfbBlock/Reject, I then set up a floating rule on the TOP of all other rules,  to permits one of the LAN IPs to access WAN without being blocked by the country rules or blocked by SNORT:

Action: Pass
Quick: Ticked
Interface: LAN
Direction: any
TCP/IP version: IPv4
Protocol: any
Source:  Type: Single hosts or alias
              Address:  AndroidMediaBox,  which is a IP alias, 192.168.1.xxx
Destination:  Wan net

but I can still see bunch of source ip (192.168.1.xxx, AndroidMediaBox) appeared at pfBlockNG Alerts tab as well as at the System logs/Firewall tab,  that were blocked by the country rule (pfb_Europe_v4),  Proto: UDP, CC: CH

I'm sure I'm doing something wrong, but can't figure it out,  so need some helps to fix the issue. Thanks.

BBcan177

Hi pfcode,

Its best to make a new pfBlockerNG alias called "Whitelist". Add any IPs that you want to access (these are the destination IPs, not the local LAN IP) in the custom entry box at the bottom of the Whitelist Alias. Set the "List Action" to "Permit Outbound".

The rule order setting should ensure the this "Permit" rule is above the "Block" rules.

pfcode

@BBcan177:

Hi pfcode,

Its best to make a new pfBlockerNG alias called "Whitelist". Add any IPs that you want to access (these are the destination IPs, not the local LAN IP) in the custom entry box at the bottom of the Whitelist Alias. Set the "List Action" to "Permit Outbound".

The rule order setting should ensure the this "Permit" rule is above the "Block" rules.

Hi, BB

Thanks for the answer and suggestion, Yes, I was using pfBlockerNG Whitelist alias but gave up later, because there were so many Apps installed on that Android Media Box, P2P TV, IPTV app, …, so adding destination IPs in the custom entry box is PITA, tons of different IPs.

My concern is why the rule I put on the top of the floating rule doesn't work properly.

cassius_20

Hello all, long time lurker, first time poster

Got a few noob questions in regards to pfblockerNG. Only other packages i've installed are snort and ntopng. Everything is working well with pfblockerNG except suppression and allowing traffic to pass. For example, a list that I'm currently using (http://list.iblocklist.com/?list=ijfqtofzixtwayqovmxn&fileformat=p2p&archiveformat=gz) is blocking Facebook. I see entries in the Alerts that relate to Facebook, so i clicked on the + to add it to the suppression list.

Here's a screentshot of the specific IP address:

The Ip address shows up in the suppression list that pfblocker creates:

Without the list enabled, I am able to access Facebook no problem (with snort running on WAN with plenty of ET rules). However, with this list enabled,  i find that suppression is not working. Am i doing something wrong?

Also, on a related note, i'm trying to allow "akamaitechnologies" (most likely, content hoster for Facebook) pass through my lists; suppression is not working as there's many servers/hostnames that i cannot keep adding as they constantly change, including the port numbers. How can i allow all this type of traffic to pass? see screenshot below:

thanks for any help!

BBcan177

@pfcode:

My concern is why the rule I put on the top of the floating rule doesn't work properly.

Rule looks ok. Try to clear the firewall logs and clear the Firewall State table.

BBcan177

@cassius_20:

Hello all, long time lurker, first time poster

Hi cassius, I would not recommend those two IBlock lists. They have too many false positives. I wrote a script which was posted in the thread by doktornotor a few posts back which has better Blocklists than these from IBlock.

Also you can only use "Suppression" for a /24 or /32 Block… Take a look at the Alerts Tab and underneath the List column, will show the IP and CIDR of the Block. Hover over the list column, and you will get a "Popup" Description on how to Whitelist IPs.

SkyHawk

I use a custom ipv4 list ( /var/db/pfblockerng/spammers.txt ) with 1200+ address listed like such: 212.71.238.0/24 and it appears that sometimes pfblockerng misses blocking some of the address in the list.  It seems it doesn't block any /16 ranges either.  Every morning I discover some duplicate spam addresses and find that I already entered them in the custom list.  When this happens I also enter the address into the IPv4 Custom Address(es) section at the bottom, hit save, then update > full reload.  I'm concerned that the size of the custom list might cause problems because it is stored as 'Base64' format.  I think the old version worked with the /16 /20 /24, etc. ranges and they were blocked.  Is there anywhere I might look at to ensure that the spammers.txt file is consumed and acted upon correctly?  Thank you.

JuantonJohn

I may start my own thread, but I'll give my experience.
I'm newer to pfsense.
I had pfBlockerNG setup and working great.  Site had a power outage and after pfsense came back online, nothing would route / talk to the outside world.  Firewall Logs showed no blocking.  If I disabled pfBlocker (tick box), everything started working perfectly.
Not sure what to think.
Any advice on approaching this to diagnose it?

doktornotor

@JuantonJohn:

Site had a power outage and after pfsense came back online, nothing would route / talk to the outside world.  Firewall Logs showed no blocking.

• Reinstall
• Restore configuration backup
• Get UPS

BBcan177

Try a "Force Reload". If that has issues, then uncheck "keep settings" in the general tab, then disable pfBlockerNG. This should clear all of the downloaded files. Then re-check "keep", re-enable pfBlockerNG and run a "Force Update".

McFuzz

Hello!

Trying to (re)install pfBlockerNG from scratch - but the package does not appear in the package manager…? Any ideas?

Thanks!