PfBlockerNG
-
@Music:
i don't have country blocking enabled at all. But PFsense did block the forums.pfsense IP. which is on the United States list from i-blocklist
United States:208.123.64.0-208.123.95.255
Several of the IBlock lists should be used with caution. They are intended for specific setups. There is a script that is posted in the thread for other lists that are available. Also you shouldn't use "IBlock/other Country specific blocklists" as Maxmind is a more reliable and reputable Country list to use.
When i disabled the floating rules in pfblocker settings site worked again. when i put it on floating again it still works the site. maybe after a while it starts blocking again.
All blocks are shown in the "Alerts Tab". Please refer to that tab to find out which List is causing the false positives.
i have reputation also enabled. But i haven't checked any of the countries on that page and left the standard settings.
For "Reputation", I would recommend whitelisting USA and Canada at a minimum.
-
I am using pfblockerng and blocking all country which I don't do business with .
Europe is not blocked . This weekend I am away to Germany " which is not blocked "
Right now I am on the hotel but the connection to the server behind pfsense is blocked .
Why it's blocking Germany IP even i don't block Germany country on pfblockerng?
IP where I am connecting from is
62.143.80.249Is this ip on a different categories ?
If you run this command, it should report that IP as belonging to Germany (DE):
(Change the path to -i386 as required)grep "^62.143." /usr/pbi/pfblockerng-amd64/share/GeoIP/*
/usr/pbi/pfblockerng-amd64/share/GeoIP/DE_v4.txt:62.143.0.0/16
/usr/pbi/pfblockerng-amd64/share/GeoIP/Europe_v4.txt:62.143.0.0/16Also check the pfBNG Log tab, and see the Maxmind Log for the last updated timestamp.
-
I had an issue with how the auto rule order works, my details rules include individual destination along with the ports where the general rule is any destination on a limited port (i.e 80 and 443). None of the rule order options worked so used "Alias Deny" on all the pfBlockerNG rules to could achieve:
- pfsense Pass/Match (Detailed rules) > pfBlockerNG Block/Reject > pfsense Pass/Match (General Rules)
It seems logical to have detail allow rules followed by pfBlockerNG block rules before allowing destination ANY rules, did I miss an option to have it work in this order?
Thanks
Tony -
@Music:
i don't have country blocking enabled at all. But PFsense did block the forums.pfsense IP. which is on the United States list from i-blocklist
United States:208.123.64.0-208.123.95.255
Several of the IBlock lists should be used with caution. They are intended for specific setups. There is a script that is posted in the thread for other lists that are available. Also you shouldn't use "IBlock/other Country specific blocklists" as Maxmind is a more reliable and reputable Country list to use.
When i disabled the floating rules in pfblocker settings site worked again. when i put it on floating again it still works the site. maybe after a while it starts blocking again.
All blocks are shown in the "Alerts Tab". Please refer to that tab to find out which List is causing the false positives.
i have reputation also enabled. But i haven't checked any of the countries on that page and left the standard settings.
For "Reputation", I would recommend whitelisting USA and Canada at a minimum.
The problem when it blocks those ips are when i have the floating rules enabled.
What is the difference between floating rules enabled and disabled. As i see in the rules the list gets moved from wan to floating but are the same.
Do the floating rules use a extra list that i can setup somewhere and/or remove/edit?Floating Rules can:
Filter traffic in the outbound direction (all other tabs are Inbound processing only)this might be it when it's enabled.
The reason i had it enabled was to test if i can use the blocklist when im connected with the vpn from my mobile. but i didn't see any change with it enabled or disabled.
-
I am using pfblockerng and blocking all country which I don't do business with .
Europe is not blocked . This weekend I am away to Germany " which is not blocked "
Right now I am on the hotel but the connection to the server behind pfsense is blocked .
Why it's blocking Germany IP even i don't block Germany country on pfblockerng?
IP where I am connecting from is
62.143.80.249Is this ip on a different categories ?
If you run this command, it should report that IP as belonging to Germany (DE):
(Change the path to -i386 as required)grep "^62.143." /usr/pbi/pfblockerng-amd64/share/GeoIP/*
/usr/pbi/pfblockerng-amd64/share/GeoIP/DE_v4.txt:62.143.0.0/16
/usr/pbi/pfblockerng-amd64/share/GeoIP/Europe_v4.txt:62.143.0.0/16Also check the pfBNG Log tab, and see the Maxmind Log for the last updated timestamp.
Thank you for your answer.
yes exactly the IP is from Germany, and i didn't block Germany at all.
when i was last weekend in Germany i couldn't log using VPN to the server. neither the OWA.
also on the same weekend users were on Spain and they couldn't VPN to the server.
after i called my wife and she started Teamviewer for me i've disabled the Pfblockerng the connections start working.this the Maxmind log i can find
MaxMind GeoLite Date/Time Stamps
MaxMind_v4 Last-Modified: Wed, 05 Aug 2015 02:35:49 GMT
Local_v4 Last-Modified: Wed, 05 Aug 2015 02:34:55 GMTMaxMind_v6 Last-Modified: Wed, 05 Aug 2015 02:35:47 GMT
Local_v6 Last-Modified: Wed, 05 Aug 2015 02:35:47 GMTThese Timestamps should match
-
It seems logical to have detail allow rules followed by pfBlockerNG block rules before allowing destination ANY rules, did I miss an option to have it work in this order?
If I am reading your request correctly, you are asking to sort the pfSense (Permit/Match) rules to be placed before and after the pfBNG rules… I would think it would be rather cumbersome and not sure if others would use it? For more complex setups, that is where the "Alias" type Rules are better utilized. If I have read this incorrectly, please let me know.
-
@Music:
What is the difference between floating rules enabled and disabled. As i see in the rules the list gets moved from wan to floating but are the same.
Floating Rules are processed before any other Interface rules. Rules are processed top to bottom. You can find more details in the pfSense Wiki documents.
I am not sure what you mean by:
Do the floating rules use a extra list that i can setup somewhere and/or remove/edit?"
Floating or other Firewall rules are both configured by the Alias "List Action" setting, and also by the "General Tab" settings for the Inbound/Outbound Interfaces.
-
yes exactly the IP is from Germany, and i didn't block Germany at all.
when i was last weekend in Germany i couldn't log using VPN to the server. neither the OWA.
also on the same weekend users were on Spain and they couldn't VPN to the server.From the data provided, the Maxmind database looks to be functioning properly.
When you are having these kinds of issues, you need to look at the pfBNG Alerts Tab. It will give you a summary of what is being blocked and by what List. Then you can start to see what to change.
I would also recommend using a "Permit Inbound" Rule to the open WAN ports. This way you can "Allow" only the Countries you want, instead of trying to block the world.
-
Hi, are there any progress with the easylist integration? :)
Yes I hope to submit it soon. If you would like to help Beta test v2.0, please send me a PM.
Note: Came across this today:
http://www.webroot.com/blog/2015/08/19/adblocker-plus-puts-osx-at-risk/ -
@Music:
What is the difference between floating rules enabled and disabled. As i see in the rules the list gets moved from wan to floating but are the same.
Floating Rules are processed before any other Interface rules. Rules are processed top to bottom. You can find more details in the pfSense Wiki documents.
I am not sure what you mean by:
Do the floating rules use a extra list that i can setup somewhere and/or remove/edit?"
Floating or other Firewall rules are both configured by the Alias "List Action" setting, and also by the "General Tab" settings for the Inbound/Outbound Interfaces.
i did read about the floating rules. But im still puzzled by how some ip's are blocked when i enabled the floating rules. While the rule lists are the same. But i don't need to use floating rules so its all good now :)
-
yes exactly the IP is from Germany, and i didn't block Germany at all.
when i was last weekend in Germany i couldn't log using VPN to the server. neither the OWA.
also on the same weekend users were on Spain and they couldn't VPN to the server.From the data provided, the Maxmind database looks to be functioning properly.
When you are having these kinds of issues, you need to look at the pfBNG Alerts Tab. It will give you a summary of what is being blocked and by what List. Then you can start to see what to change.
I would also recommend using a "Permit Inbound" Rule to the open WAN ports. This way you can "Allow" only the Countries you want, instead of trying to block the world.
Ive checked the alert tab and there was nothing maybe because i've disabled the log ? i am not logging anything at all.
Do you mean change list action from deny inbound to permit inbound ?
Doing so is going to still filter the traffic ? -
I would also recommend using a "Permit Inbound" Rule to the open WAN ports. This way you can "Allow" only the Countries you want, instead of trying to block the world.
Ive checked the alert tab and there was nothing maybe because i've disabled the log ? i am not logging anything at all.
Do you mean change list action from deny inbound to permit inbound ?
Doing so is going to still filter the traffic ?In the "General" tab, you can enable "Global" logging so that any blocks that occur due to pfBNG are visible to the Firewall and pfBNG Alerts log. You can also enable logging individually in each pfBNG Alias. Without enabling logging, you can't diagnose any False positives.
Its not really recommended to block the world, and allow just a few Countries. Whats best, is to invert this approach and make a "Permit Inbound" just for the select few Countries that you want to allow access to the Open WAN ports.
-
I would also recommend using a "Permit Inbound" Rule to the open WAN ports. This way you can "Allow" only the Countries you want, instead of trying to block the world.
Ive checked the alert tab and there was nothing maybe because i've disabled the log ? i am not logging anything at all.
Do you mean change list action from deny inbound to permit inbound ?
Doing so is going to still filter the traffic ?In the "General" tab, you can enable "Global" logging so that any blocks that occur due to pfBNG are visible to the Firewall and pfBNG Alerts log. You can also enable logging individually in each pfBNG Alias. Without enabling logging, you can't diagnose any False positives.
Its not really recommended to block the world, and allow just a few Countries. Whats best, is to invert this approach and make a "Permit Inbound" just for the select few Countries that you want to allow access to the Open WAN ports.
Thank you so much for your answer.
i am trying to understand something here.
let take China as example . i don't do business with China, none from China need to reach my OWA or VPN server.
Deny all inbouw from China isn't a good idea ?
Can you explain why not deny the inbound ? -
Thank you so much for your answer.
i am trying to understand something here.
let take China as example . i don't do business with China, none from China need to reach my OWA or VPN server.
Deny all inbouw from China isn't a good idea ?
Can you explain why not deny the inbound ?I've posted in this thread a few times and also in Reddit. Here is a one link:
https://www.reddit.com/r/PFSENSE/comments/39253d/the_amount_of_hostile_traffic_on_my_home_network/
Basically, The Inbound (WAN) is implicitly blocking any unsolicited packet. If you open up a Port of the WAN, then you can protect that opened port using the "Adv. Inbound Settings" so that the firewall rule only fires when its a packet to the specific opened port.
As per my post above, if you have an Open WAN port, you can further protect that port with a "Permit Inbound" (select few Countries to allow) rule to only those Specific Open WAN ports. This is that same as blocking all Countries and allowing a few to pass. Its also more efficient, as pfSense packet filter doesn't need to process thru thousands of IPs for each packet analysis.
So if you create a Firewall rule on the WAN with "Deny Inbound" or "Deny Both" and you do not have any open WAN ports, its a complete waste of processing power. All its doing is filling your widget and Logs with spam for packets that are already going to be blocked by the pfSense Implicit block rule.
Most people forget that they need to protect the Outbound (LAN) just as much as the Inbound (WAN). So a "Deny Outbound" to China/Russia would be a good thing if you have no reason for a device on the LAN to talk to those IPs.
pfBlockerNG is also more than a Country Blocker, it can download Feeds of known malicious IPs and protect the network from talking to those IPs. I wrote a script thats available in this thread for 50+ IP Lists.
Its also important to view the pfBNG alerts log and see why things are getting blocked. So don't fill your log with un-necessary data as it will overwhelm you with too much data and you will miss the events that are important to see.
-
Thank you so much for your answer.
i am trying to understand something here.
let take China as example . i don't do business with China, none from China need to reach my OWA or VPN server.
Deny all inbouw from China isn't a good idea ?
Can you explain why not deny the inbound ?I've posted in this thread a few times and also in Reddit. Here is a one link:
https://www.reddit.com/r/PFSENSE/comments/39253d/the_amount_of_hostile_traffic_on_my_home_network/
Basically, The Inbound (WAN) is implicitly blocking any unsolicited packet. If you open up a Port of the WAN, then you can protect that opened port using the "Adv. Inbound Settings" so that the firewall rule only fires when its a packet to the specific opened port.
As per my post above, if you have an Open WAN port, you can further protect that port with a "Permit Inbound" (select few Countries to allow) rule to only those Specific Open WAN ports. This is that same as blocking all Countries and allowing a few to pass. Its also more efficient, as pfSense packet filter doesn't need to process thru thousands of IPs for each packet analysis.
So if you create a Firewall rule on the WAN with "Deny Inbound" or "Deny Both" and you do not have any open WAN ports, its a complete waste of processing power. All its doing is filling your widget and Logs with spam for packets that are already going to be blocked by the pfSense Implicit block rule.
Most people forget that they need to protect the Outbound (LAN) just as much as the Inbound (WAN). So a "Deny Outbound" to China/Russia would be a good thing if you have no reason for a device on the LAN to talk to those IPs.
pfBlockerNG is also more than a Country Blocker, it can download Feeds of known malicious IPs and protect the network from talking to those IPs. I wrote a script thats available in this thread for 50+ IP Lists.
Its also important to view the pfBNG alerts log and see why things are getting blocked. So don't fill your log with un-necessary data as it will overwhelm you with too much data and you will miss the events that are important to see.
well explained,
thank you so much sir for your time explaining this to me , much appreciate.
will change the deny inbound to permitted inbound.
i've noticed Germany and spain are on the top 20 spammers country and i've blocked those countries this probably why everything was blocked.
i've changed the deny inbound nu to permitted inbound.
if the only different between Permitted inbound and deny inbound that the firewall will scan those IPs on each packet will be sent and use a lot of power.
using Deny inbound or permitted abound are both are good choses the only different is power that the firewall will use. -
just applied pfBlocker_import.php from post #600, thanks to BBcan177 and doktornotor and it went swimmingly well, aside form some failed downloads.
here's the smattering in case someone else is having same issue
[ pfB_PRI1 Abuse_Spyeye ] Download FAIL [ 08/22/15 20:02:47 ] [ pfB_PRI2 HoneyPot ] Download FAIL [ 08/22/15 20:03:03 ] [ pfB_PRI3 Infiltrated ] Download FAIL [ 08/22/15 20:03:08 ] [ pfB_PRI3 Juniper ] Download FAIL [ 08/22/15 20:03:24 ] [ pfB_SEC1 OpenBL ] Download FAIL [ 08/22/15 20:03:31 ] [ SFS_All ] file_get_contents(http://www.stopforumspam.com/downloads/bannedips.zip): failed to open stream: HTTP request failed! HTTP/1.1 503 Service Unavailable [ pfB_MAIL ToastedSpam ] Download FAIL [ pfB_MAIL SpamCop ] Download FAIL [ 08/22/15 20:03:51 ]
I suppose this is or can be one time event based on availability of the host, curious if you guys see similar results.
Anyway, Thanks for pfBlocker and especially keeping it up w pfBlockerNG, it's the first thing I setup after configuring my networks.<hat tip=""></hat>
-
When you have issues downloading Feeds, first review the logs to ensure that its not being blocked by another list or the IDS if enabled. You can also load the URL in a browser to get more information. Feeds change URLs from time to time. Feeds also go down.
Its important to donate to some of the Feeds that you rely on, as most do this as a Free service and everyone has bills to pay.
pfB_PRI1 Abuse_Spyeye
This Feed has been discontinued.pfB_PRI2 HoneyPot
Feed is temporarily under MaintenancepfB_PRI3 Infiltrated
Feed not in service.pfB_PRI3 Juniper
Feed not in Service.pfB_SEC1 OpenBL
This feed has some SSL issues from time to time. You can try with http://
But best to wait and see if it continues to have issues.SFS_All stopforumspam.com
This Feed rate limits. Please put it into its own Alias and set for Once per Day.pfB_MAIL ToastedSpam
Feed is temporarily down.pfB_MAIL SpamCop
Use this URL
https://www.spamcop.net/w3m?action=map;net=cmaxcnt;mask=65535;sort=spamcnt -
When you have issues downloading Feeds, first review the logs to ensure that its not being blocked by another list or the IDS if enabled. You can also load the URL in a browser to get more information. Feeds change URLs from time to time. Feeds also go down. Its important to donate to some of the Feeds that you rely on, as most do this as a Free service and everyone has bills to pay.
ok, thanks man. After turning off those lists and forcing a cron the log looks a lot cleaner, except for BBC_GOZ and Feodo_BAD returning empty lists. I gotta tell ya, before I refreshed, the number of hits shown on the dashboard panel was in the thousands for a couple of the aliases. I am a happy camper now.
I concur on donations to list maintainers. I gave a little something to another foss app I use to watch my cat door - zoneminder dvr. One year I was away for a couple weeks around xmas (I'm in a winter lattitude) and feline wasn't doing usual 40 round trips through door - I expected something, so I sent friend to check, sure enough it had got beat up by neighbour cat and was hiding in the basement. So free and open source software earned its keep again. Worthy of a few bucks.
More than likely I'll contrib to pfSense as the little router is/has done a stellar job. I showed another friend my pfSense setup, he pays the subscrip for a Sonicwall, he was impressed with pfS functionality.
-
Does "Enable Alias Table Popup" work for anyone as if i untick it and save not only does it have no effect but the tick is back when i got back into the settings on the homepage?
-
log looks a lot cleaner, except for BBC_GOZ and Feodo_BAD returning empty lists.
Use the following URL for BBC. It incorporates all of their IP lists into one IP feed:
http://osint.bambenekconsulting.com/feeds/c2-ipmasterlist.txtFollow that with a "Force Reload"