PfBlockerNG
-
unfortunately have to disable the package
its not working fine in my case,
its blocking all Europe countries every its enabled to block those countries . -
its blocking all Europe countries every its enabled to block those countries .
That's extremely surprising that it's doing what you told it to do… ::) ;D If you don't want to block those, then don't block those. (Not to mention the endless explanations on this thread about defaulty deny and how NOT to (ab)use the country lists.)
-
@Music:
i also had something strange.
i don't have country blocking enabled at all. But PFsense did block the forums.pfsense IP. which is on the United States list from i-blocklist
United States:208.123.64.0-208.123.95.255
but i don't use that list nor do i use country block.
When i disabled the floating rules in pfblocker settings site worked again. when i put it on floating again it still works the site. maybe after a while it starts blocking again.
Edit:
i used a list before that had a few sites on it that i use a lot. ( probably false positive ) so i removed that list from pfblockerng. i also already cleared the files manually and disabled pfblockerng and re-enabled it but it keeps blocking sites. Like www.nvidia.com etc. But once i disabled the floating rules it works againedit2:
i did disabled pfblockerng totally. removed all files manually so it has to re-download all files when enabled again. restarted the system. enabled it again ( with floating rules also enabled). so it downloaded all rules again that i have. i checked www.pfsense.org and it didnt work same for nvidia.com. When i disabled floating rules it instantly worked.i have reputation also enabled. But i haven't checked any of the countries on that page and left the standard settings.
What i trying to do what to see if i can get the pfblocker working over VPN. if i connect to the vpn on my phone it also uses the blocklists
i have enabled route all traffic over vpn. -
its blocking all Europe countries every its enabled to block those countries .
That's extremely surprising that it's doing what you told it to do… ::) ;D If you don't want to block those, then don't block those. (Not to mention the endless explanations on this thread about defaulty deny and how NOT to (ab)use the country lists.)
i've configured it to not block europe at all !
but it still blocking countries in europe
Germany, Spain, UK,…... Europe filter is not selected and not enabled. -
i've configured it to not block europe at all !
You told us the exact opposite earlier. Perhaps, post in some of internation forums in your native language.
-
@Music:
i don't have country blocking enabled at all. But PFsense did block the forums.pfsense IP. which is on the United States list from i-blocklist
United States:208.123.64.0-208.123.95.255
Several of the IBlock lists should be used with caution. They are intended for specific setups. There is a script that is posted in the thread for other lists that are available. Also you shouldn't use "IBlock/other Country specific blocklists" as Maxmind is a more reliable and reputable Country list to use.
When i disabled the floating rules in pfblocker settings site worked again. when i put it on floating again it still works the site. maybe after a while it starts blocking again.
All blocks are shown in the "Alerts Tab". Please refer to that tab to find out which List is causing the false positives.
i have reputation also enabled. But i haven't checked any of the countries on that page and left the standard settings.
For "Reputation", I would recommend whitelisting USA and Canada at a minimum.
-
I am using pfblockerng and blocking all country which I don't do business with .
Europe is not blocked . This weekend I am away to Germany " which is not blocked "
Right now I am on the hotel but the connection to the server behind pfsense is blocked .
Why it's blocking Germany IP even i don't block Germany country on pfblockerng?
IP where I am connecting from is
62.143.80.249Is this ip on a different categories ?
If you run this command, it should report that IP as belonging to Germany (DE):
(Change the path to -i386 as required)grep "^62.143." /usr/pbi/pfblockerng-amd64/share/GeoIP/*
/usr/pbi/pfblockerng-amd64/share/GeoIP/DE_v4.txt:62.143.0.0/16
/usr/pbi/pfblockerng-amd64/share/GeoIP/Europe_v4.txt:62.143.0.0/16Also check the pfBNG Log tab, and see the Maxmind Log for the last updated timestamp.
-
I had an issue with how the auto rule order works, my details rules include individual destination along with the ports where the general rule is any destination on a limited port (i.e 80 and 443). None of the rule order options worked so used "Alias Deny" on all the pfBlockerNG rules to could achieve:
- pfsense Pass/Match (Detailed rules) > pfBlockerNG Block/Reject > pfsense Pass/Match (General Rules)
It seems logical to have detail allow rules followed by pfBlockerNG block rules before allowing destination ANY rules, did I miss an option to have it work in this order?
Thanks
Tony -
@Music:
i don't have country blocking enabled at all. But PFsense did block the forums.pfsense IP. which is on the United States list from i-blocklist
United States:208.123.64.0-208.123.95.255
Several of the IBlock lists should be used with caution. They are intended for specific setups. There is a script that is posted in the thread for other lists that are available. Also you shouldn't use "IBlock/other Country specific blocklists" as Maxmind is a more reliable and reputable Country list to use.
When i disabled the floating rules in pfblocker settings site worked again. when i put it on floating again it still works the site. maybe after a while it starts blocking again.
All blocks are shown in the "Alerts Tab". Please refer to that tab to find out which List is causing the false positives.
i have reputation also enabled. But i haven't checked any of the countries on that page and left the standard settings.
For "Reputation", I would recommend whitelisting USA and Canada at a minimum.
The problem when it blocks those ips are when i have the floating rules enabled.
What is the difference between floating rules enabled and disabled. As i see in the rules the list gets moved from wan to floating but are the same.
Do the floating rules use a extra list that i can setup somewhere and/or remove/edit?Floating Rules can:
Filter traffic in the outbound direction (all other tabs are Inbound processing only)this might be it when it's enabled.
The reason i had it enabled was to test if i can use the blocklist when im connected with the vpn from my mobile. but i didn't see any change with it enabled or disabled.
-
I am using pfblockerng and blocking all country which I don't do business with .
Europe is not blocked . This weekend I am away to Germany " which is not blocked "
Right now I am on the hotel but the connection to the server behind pfsense is blocked .
Why it's blocking Germany IP even i don't block Germany country on pfblockerng?
IP where I am connecting from is
62.143.80.249Is this ip on a different categories ?
If you run this command, it should report that IP as belonging to Germany (DE):
(Change the path to -i386 as required)grep "^62.143." /usr/pbi/pfblockerng-amd64/share/GeoIP/*
/usr/pbi/pfblockerng-amd64/share/GeoIP/DE_v4.txt:62.143.0.0/16
/usr/pbi/pfblockerng-amd64/share/GeoIP/Europe_v4.txt:62.143.0.0/16Also check the pfBNG Log tab, and see the Maxmind Log for the last updated timestamp.
Thank you for your answer.
yes exactly the IP is from Germany, and i didn't block Germany at all.
when i was last weekend in Germany i couldn't log using VPN to the server. neither the OWA.
also on the same weekend users were on Spain and they couldn't VPN to the server.
after i called my wife and she started Teamviewer for me i've disabled the Pfblockerng the connections start working.this the Maxmind log i can find
MaxMind GeoLite Date/Time Stamps
MaxMind_v4 Last-Modified: Wed, 05 Aug 2015 02:35:49 GMT
Local_v4 Last-Modified: Wed, 05 Aug 2015 02:34:55 GMTMaxMind_v6 Last-Modified: Wed, 05 Aug 2015 02:35:47 GMT
Local_v6 Last-Modified: Wed, 05 Aug 2015 02:35:47 GMTThese Timestamps should match
-
It seems logical to have detail allow rules followed by pfBlockerNG block rules before allowing destination ANY rules, did I miss an option to have it work in this order?
If I am reading your request correctly, you are asking to sort the pfSense (Permit/Match) rules to be placed before and after the pfBNG rules… I would think it would be rather cumbersome and not sure if others would use it? For more complex setups, that is where the "Alias" type Rules are better utilized. If I have read this incorrectly, please let me know.
-
@Music:
What is the difference between floating rules enabled and disabled. As i see in the rules the list gets moved from wan to floating but are the same.
Floating Rules are processed before any other Interface rules. Rules are processed top to bottom. You can find more details in the pfSense Wiki documents.
I am not sure what you mean by:
Do the floating rules use a extra list that i can setup somewhere and/or remove/edit?"
Floating or other Firewall rules are both configured by the Alias "List Action" setting, and also by the "General Tab" settings for the Inbound/Outbound Interfaces.
-
yes exactly the IP is from Germany, and i didn't block Germany at all.
when i was last weekend in Germany i couldn't log using VPN to the server. neither the OWA.
also on the same weekend users were on Spain and they couldn't VPN to the server.From the data provided, the Maxmind database looks to be functioning properly.
When you are having these kinds of issues, you need to look at the pfBNG Alerts Tab. It will give you a summary of what is being blocked and by what List. Then you can start to see what to change.
I would also recommend using a "Permit Inbound" Rule to the open WAN ports. This way you can "Allow" only the Countries you want, instead of trying to block the world.
-
Hi, are there any progress with the easylist integration? :)
Yes I hope to submit it soon. If you would like to help Beta test v2.0, please send me a PM.
Note: Came across this today:
http://www.webroot.com/blog/2015/08/19/adblocker-plus-puts-osx-at-risk/ -
@Music:
What is the difference between floating rules enabled and disabled. As i see in the rules the list gets moved from wan to floating but are the same.
Floating Rules are processed before any other Interface rules. Rules are processed top to bottom. You can find more details in the pfSense Wiki documents.
I am not sure what you mean by:
Do the floating rules use a extra list that i can setup somewhere and/or remove/edit?"
Floating or other Firewall rules are both configured by the Alias "List Action" setting, and also by the "General Tab" settings for the Inbound/Outbound Interfaces.
i did read about the floating rules. But im still puzzled by how some ip's are blocked when i enabled the floating rules. While the rule lists are the same. But i don't need to use floating rules so its all good now :)
-
yes exactly the IP is from Germany, and i didn't block Germany at all.
when i was last weekend in Germany i couldn't log using VPN to the server. neither the OWA.
also on the same weekend users were on Spain and they couldn't VPN to the server.From the data provided, the Maxmind database looks to be functioning properly.
When you are having these kinds of issues, you need to look at the pfBNG Alerts Tab. It will give you a summary of what is being blocked and by what List. Then you can start to see what to change.
I would also recommend using a "Permit Inbound" Rule to the open WAN ports. This way you can "Allow" only the Countries you want, instead of trying to block the world.
Ive checked the alert tab and there was nothing maybe because i've disabled the log ? i am not logging anything at all.
Do you mean change list action from deny inbound to permit inbound ?
Doing so is going to still filter the traffic ? -
I would also recommend using a "Permit Inbound" Rule to the open WAN ports. This way you can "Allow" only the Countries you want, instead of trying to block the world.
Ive checked the alert tab and there was nothing maybe because i've disabled the log ? i am not logging anything at all.
Do you mean change list action from deny inbound to permit inbound ?
Doing so is going to still filter the traffic ?In the "General" tab, you can enable "Global" logging so that any blocks that occur due to pfBNG are visible to the Firewall and pfBNG Alerts log. You can also enable logging individually in each pfBNG Alias. Without enabling logging, you can't diagnose any False positives.
Its not really recommended to block the world, and allow just a few Countries. Whats best, is to invert this approach and make a "Permit Inbound" just for the select few Countries that you want to allow access to the Open WAN ports.
-
I would also recommend using a "Permit Inbound" Rule to the open WAN ports. This way you can "Allow" only the Countries you want, instead of trying to block the world.
Ive checked the alert tab and there was nothing maybe because i've disabled the log ? i am not logging anything at all.
Do you mean change list action from deny inbound to permit inbound ?
Doing so is going to still filter the traffic ?In the "General" tab, you can enable "Global" logging so that any blocks that occur due to pfBNG are visible to the Firewall and pfBNG Alerts log. You can also enable logging individually in each pfBNG Alias. Without enabling logging, you can't diagnose any False positives.
Its not really recommended to block the world, and allow just a few Countries. Whats best, is to invert this approach and make a "Permit Inbound" just for the select few Countries that you want to allow access to the Open WAN ports.
Thank you so much for your answer.
i am trying to understand something here.
let take China as example . i don't do business with China, none from China need to reach my OWA or VPN server.
Deny all inbouw from China isn't a good idea ?
Can you explain why not deny the inbound ? -
Thank you so much for your answer.
i am trying to understand something here.
let take China as example . i don't do business with China, none from China need to reach my OWA or VPN server.
Deny all inbouw from China isn't a good idea ?
Can you explain why not deny the inbound ?I've posted in this thread a few times and also in Reddit. Here is a one link:
https://www.reddit.com/r/PFSENSE/comments/39253d/the_amount_of_hostile_traffic_on_my_home_network/
Basically, The Inbound (WAN) is implicitly blocking any unsolicited packet. If you open up a Port of the WAN, then you can protect that opened port using the "Adv. Inbound Settings" so that the firewall rule only fires when its a packet to the specific opened port.
As per my post above, if you have an Open WAN port, you can further protect that port with a "Permit Inbound" (select few Countries to allow) rule to only those Specific Open WAN ports. This is that same as blocking all Countries and allowing a few to pass. Its also more efficient, as pfSense packet filter doesn't need to process thru thousands of IPs for each packet analysis.
So if you create a Firewall rule on the WAN with "Deny Inbound" or "Deny Both" and you do not have any open WAN ports, its a complete waste of processing power. All its doing is filling your widget and Logs with spam for packets that are already going to be blocked by the pfSense Implicit block rule.
Most people forget that they need to protect the Outbound (LAN) just as much as the Inbound (WAN). So a "Deny Outbound" to China/Russia would be a good thing if you have no reason for a device on the LAN to talk to those IPs.
pfBlockerNG is also more than a Country Blocker, it can download Feeds of known malicious IPs and protect the network from talking to those IPs. I wrote a script thats available in this thread for 50+ IP Lists.
Its also important to view the pfBNG alerts log and see why things are getting blocked. So don't fill your log with un-necessary data as it will overwhelm you with too much data and you will miss the events that are important to see.
-
Thank you so much for your answer.
i am trying to understand something here.
let take China as example . i don't do business with China, none from China need to reach my OWA or VPN server.
Deny all inbouw from China isn't a good idea ?
Can you explain why not deny the inbound ?I've posted in this thread a few times and also in Reddit. Here is a one link:
https://www.reddit.com/r/PFSENSE/comments/39253d/the_amount_of_hostile_traffic_on_my_home_network/
Basically, The Inbound (WAN) is implicitly blocking any unsolicited packet. If you open up a Port of the WAN, then you can protect that opened port using the "Adv. Inbound Settings" so that the firewall rule only fires when its a packet to the specific opened port.
As per my post above, if you have an Open WAN port, you can further protect that port with a "Permit Inbound" (select few Countries to allow) rule to only those Specific Open WAN ports. This is that same as blocking all Countries and allowing a few to pass. Its also more efficient, as pfSense packet filter doesn't need to process thru thousands of IPs for each packet analysis.
So if you create a Firewall rule on the WAN with "Deny Inbound" or "Deny Both" and you do not have any open WAN ports, its a complete waste of processing power. All its doing is filling your widget and Logs with spam for packets that are already going to be blocked by the pfSense Implicit block rule.
Most people forget that they need to protect the Outbound (LAN) just as much as the Inbound (WAN). So a "Deny Outbound" to China/Russia would be a good thing if you have no reason for a device on the LAN to talk to those IPs.
pfBlockerNG is also more than a Country Blocker, it can download Feeds of known malicious IPs and protect the network from talking to those IPs. I wrote a script thats available in this thread for 50+ IP Lists.
Its also important to view the pfBNG alerts log and see why things are getting blocked. So don't fill your log with un-necessary data as it will overwhelm you with too much data and you will miss the events that are important to see.
well explained,
thank you so much sir for your time explaining this to me , much appreciate.
will change the deny inbound to permitted inbound.
i've noticed Germany and spain are on the top 20 spammers country and i've blocked those countries this probably why everything was blocked.
i've changed the deny inbound nu to permitted inbound.
if the only different between Permitted inbound and deny inbound that the firewall will scan those IPs on each packet will be sent and use a lot of power.
using Deny inbound or permitted abound are both are good choses the only different is power that the firewall will use.
