PfBlockerNG
-
There is NO list turned on by default, anywhere. The blocklist simply lists tor exit nodes. You do not need to block anything. Simply stop using the "offending" blocklist to block outbound traffic, or whitelist the IP, or whatever.
-
Hello everyone,
I'm new to pfblockerng and I want some sugestions from you guys.
Which list could be useful for a home use scenario with no open ports, just outbound traffic is important.
I'm also interested in blocking adverts with pfblockerng. Is there a way to use the easylist from ADBlock Plus ?
Which lists are you using actual? And where do I get them?
Thanks for any advice.
Best regards
-
Which lists are you using actual? And where do I get them?
https://forum.pfsense.org/index.php?topic=86212.msg508975#msg508975
-
Which lists are you using actual? And where do I get them?
https://forum.pfsense.org/index.php?topic=86212.msg508975#msg508975
I totally missed that. Thanks so much for pointing it out.
-
Thanks for the list.
I imported it successfully and set these to "deny outbound" but they won't show up in the Dashboard listing.
Did I miss something?
//edit: Nevermind, had to switch the state of the link to "ON".
-
When you add IPs to a custom list, did you select "Update Custom List" at the bottom of the Alias Settings when you saved it (and ran a Force Update)? If you don't select this option, then it will only update the alias as per the defined Frequency setting of the Alias.
Its best to look at the Aliastable to see if the IP is actually in the table. You can view the table by hovering over the Alias in the Widget or Firewall Rules. You can also view the table in Diagnostics: Tables: in the pfSense GUI.
I will also be submitting a PR for a small bug. The details of the workaround can be found in the following link:
https://forum.pfsense.org/index.php?topic=86212.msg526272#msg526272I always run a Force Update after changes, however I did not have "Update Custom List" set. It is now set and I've changed the scope back to TCP/UDP. I'll report back with any issues.
Thanks again for your help!
-
How can I suppress a IP for example 192.16.71.176:443 ?
It's blocked by IBlock_ADS but it stops the twitch.tv Mobile App to work.
Thanks!
-
How can I suppress a IP for example 192.16.71.176:443 ?
It's blocked by IBlock_ADS but it stops the twitch.tv Mobile App to work.
Thanks!
Click on the suppress icon in the alerts?
(I'm probably saying something stupid now :-[ ).
-
Yeah, the suppress icon is there for a reason.
-
Thanks.
Is there a way to see a list with the suppressed hosts?
-
It's in Firewall - Aliases.
-
Do I have to add this alias manually to the specific interfaces?
Sorry for asking so many questions..
-
No.
-
Well then something is working wrong.
If I try to access "twitch.tv" the alert tab shows me this "IBlock_Ads 192.16.64.0/21" and the connection gets refused. (Tested in Firefox) (PfSense 2.2.3 amd64 full install)
Pressing the "+" button ends in this "Host IP address 192.16.71.176 already exists in the pfBlockerNG Suppress Table."
In the Interface rules, there is no auto created rule using the alias "pfBlockerNGSuppress".
I hope I provided enough information to figure this out.
Thanks for your help!
-
Well then something is working wrong.
If I try to access "twitch.tv" the alert tab shows me this "IBlock_Ads 192.16.64.0/21" and the connection gets refused. (Tested in Firefox) (PfSense 2.2.3 amd64 full install)
Pressing the "+" button ends in this "Host IP address 192.16.71.176 already exists in the pfBlockerNG Suppress Table."
In the Interface rules, there is no auto created rule using the alias "pfBlockerNGSuppress".
I hope I provided enough information to figure this out.
Thanks for your help!
Please read the following post to answer your questions :
https://forum.pfsense.org/index.php?topic=86212.msg513676#msg513676 -
I read that posting but it doesn't helped really.
This is what I do:
Try to access "www.twitch.tv"
See that it's blocked by following Alias List "IBlock_Ads 192.16.64.0/21"
Try to supress it with the "+".
Message that it's already supressed pops up.
Checking the PfBlockerNGSupress alias and see this "pfBlockerNGSuppress 192.16.71.176/32, 192.16.71.176/24 "
Running a forced cron task.
Try to access "www.twitch.tv" again. It is still blocked.
There is something I'm doing wrong, but I can't figure it out.
-
You can't use suppression when the blocked IP is in a CIDR like /21.
Hover over the "+" or the List column in the Alerts tab and you are presented with instructions.
So to circumvent this, create a new "permit Outbound" alias in pfBNG and add the IP to the custom entry box. This will create a permit outbound firewall rule above the Block rules.
-
You can't use suppression when the blocked IP is in a CIDR like /21.
So to circumvent this, create a new "permit Outbound" alias in pfBNG and add the IP to the custom entry box. This will create a permit outbound firewall rule above the Block rules.
Ahh thats it! Thank you!
Just one last question, how can I delete hosts from the suppression list? I removed the the Alias but there are still 2 Hosts suppressed.
-
Sorry if this has already been posted. I did a search but the terms are too general. :(
@BBcan177 in your original script on Github, you have a local source for a list where you're pulling from the local Suricata 'rules' directory. I looked in that directory and I see a bunch of policy rules, but I don't see any IP lists.
So my question is, is this still valid and, if so, how do I add it to pfBlockerNG?
Here's an easy link to the gist.
https://gist.github.com/BBcan177/3cbd01b5b39bb3ce216a
-
Here is a link to a script that I wrote which will import blocklists into pfBNG.
https://forum.pfsense.org/index.php?topic=86212.msg508975#msg508975The rules in Snort/Suricata that contain IPs are in the botnet, compromised, drop, dshield and port-grouped categories. The script above, has these lists already, so it might not be worth to use the Snort/Suricata files. However, I did notice that there are some discrepancies between the Original Lists vs Snort/Suricata rules for these IPs. I use the ET Pro rules, so maybe those rules have some IPs that are not in the free Open Rulesets.
You can write a small script to pull those IPs and put them into a text file. Create a Cron task and then pull that into pfBNG if you wish:
Just change the path to reflect the IDS type (Snort/Suricata) and either i386/amd64.
find /usr/pbi/snort-amd64/etc/snort/rules/* -name '*bot*' -o -name '*ciarmy*' -o -name '*compromised*' -o -name '*drop*' -o -name '*dshield*' -o -name '*portgrouped*' | xargs cat | grep -aoEw -e "(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?/[0-9]{2})" -e "(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)" | sort | uniq > /tmp/ips.txt