PfBlockerNG
-
Yeah, the suppress icon is there for a reason.
-
Thanks.
Is there a way to see a list with the suppressed hosts?
-
It's in Firewall - Aliases.
-
Do I have to add this alias manually to the specific interfaces?
Sorry for asking so many questions..
-
No.
-
Well then something is working wrong.
If I try to access "twitch.tv" the alert tab shows me this "IBlock_Ads 192.16.64.0/21" and the connection gets refused. (Tested in Firefox) (PfSense 2.2.3 amd64 full install)
Pressing the "+" button ends in this "Host IP address 192.16.71.176 already exists in the pfBlockerNG Suppress Table."
In the Interface rules, there is no auto created rule using the alias "pfBlockerNGSuppress".
I hope I provided enough information to figure this out.
Thanks for your help!
-
Well then something is working wrong.
If I try to access "twitch.tv" the alert tab shows me this "IBlock_Ads 192.16.64.0/21" and the connection gets refused. (Tested in Firefox) (PfSense 2.2.3 amd64 full install)
Pressing the "+" button ends in this "Host IP address 192.16.71.176 already exists in the pfBlockerNG Suppress Table."
In the Interface rules, there is no auto created rule using the alias "pfBlockerNGSuppress".
I hope I provided enough information to figure this out.
Thanks for your help!
Please read the following post to answer your questions :
https://forum.pfsense.org/index.php?topic=86212.msg513676#msg513676 -
I read that posting but it doesn't helped really.
This is what I do:
Try to access "www.twitch.tv"
See that it's blocked by following Alias List "IBlock_Ads 192.16.64.0/21"
Try to supress it with the "+".
Message that it's already supressed pops up.
Checking the PfBlockerNGSupress alias and see this "pfBlockerNGSuppress 192.16.71.176/32, 192.16.71.176/24 "
Running a forced cron task.
Try to access "www.twitch.tv" again. It is still blocked.
There is something I'm doing wrong, but I can't figure it out.
-
You can't use suppression when the blocked IP is in a CIDR like /21.
Hover over the "+" or the List column in the Alerts tab and you are presented with instructions.
So to circumvent this, create a new "permit Outbound" alias in pfBNG and add the IP to the custom entry box. This will create a permit outbound firewall rule above the Block rules.
-
You can't use suppression when the blocked IP is in a CIDR like /21.
So to circumvent this, create a new "permit Outbound" alias in pfBNG and add the IP to the custom entry box. This will create a permit outbound firewall rule above the Block rules.
Ahh thats it! Thank you!
Just one last question, how can I delete hosts from the suppression list? I removed the the Alias but there are still 2 Hosts suppressed.
-
Sorry if this has already been posted. I did a search but the terms are too general. :(
@BBcan177 in your original script on Github, you have a local source for a list where you're pulling from the local Suricata 'rules' directory. I looked in that directory and I see a bunch of policy rules, but I don't see any IP lists.
So my question is, is this still valid and, if so, how do I add it to pfBlockerNG?
Here's an easy link to the gist.
https://gist.github.com/BBcan177/3cbd01b5b39bb3ce216a
-
Here is a link to a script that I wrote which will import blocklists into pfBNG.
https://forum.pfsense.org/index.php?topic=86212.msg508975#msg508975The rules in Snort/Suricata that contain IPs are in the botnet, compromised, drop, dshield and port-grouped categories. The script above, has these lists already, so it might not be worth to use the Snort/Suricata files. However, I did notice that there are some discrepancies between the Original Lists vs Snort/Suricata rules for these IPs. I use the ET Pro rules, so maybe those rules have some IPs that are not in the free Open Rulesets.
You can write a small script to pull those IPs and put them into a text file. Create a Cron task and then pull that into pfBNG if you wish:
Just change the path to reflect the IDS type (Snort/Suricata) and either i386/amd64.
find /usr/pbi/snort-amd64/etc/snort/rules/* -name '*bot*' -o -name '*ciarmy*' -o -name '*compromised*' -o -name '*drop*' -o -name '*dshield*' -o -name '*portgrouped*' | xargs cat | grep -aoEw -e "(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?/[0-9]{2})" -e "(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)" | sort | uniq > /tmp/ips.txt
-
Thank you! I'll give this a try.
-
@BBcan177 this worked amazingly! Thank you!
-
Did that fix your problem Jamerson?
no still waiting for some answers,
whenever i activate the pfBlockerNG the internet stops working.We need to see rules.debug or a screenshot of the rules created to give you any information.
what rules are referring to ? Firewall rules or the pfblocker NG rules ?
-
what rules are referring to ? Firewall rules or the pfblocker NG rules ?
Can you post both?
-
I'm sorry by the "stupid question" but….
If i have a DNS and SMTP server (to work my mail and domains) can i use pfblockerng to block all Africa and Asia ??? (i don't have any mail/relation with us)
You will continue to run the dns? or i have problems ???
-
virusbcn - Yes you can block individual countries or entire continents. Default deny inbound rule is blocks all traffic, if you don't want to block everything you can specify which ports you would like to block (53,25,587,995) and allow everything else.
-
Upgraded to 2.2.4 and in the log I see the following error. Any ideas on how to fix? These are files I had created previously and they have been working fine for several months. I see no change in the IDE screen, the list is shown properly.
Thanks
[ pfB_shodan shodan ] Download FAIL
[ pfB_shodan shodan ] Local File Failure[ pfB_BadIPV6 BadIP6_v6 ] Download FAIL
[ pfB_BadIPV6 BadIP6_v6 ] Local File Failure -
Hi cjbujold,
Which folder did you place the localfile into? Are you sure that it still exists after the re-install? You can view the various folders in the pfBNG log browser tab.