PfBlockerNG
-
Maybe you'd rather post a screenshot of what you actually configured.
Some background on the setup with screenshots coming up :)
So, the setup is two pfSense boxes running the latest release connected to two separate cable connections. Both have a dynamic v4 WAN address and both have v6 through a tunnelbroker. There is a v4 and v6 IPSEC VPN between the boxes. This is the XML RPC Sync settings I have for pfBlocker and this is what I have for syncing just the aliases with the pfSense XML RPC Sync.
As per this post in the docs, communications between the pfSense boxes over IPSEC won't work without additional routes. With the routes in place, both the pfBlocker and system XML RPC sync work with the LAN IPv4 address (10.x.x.x) where the IPv6 address is in both screenshots, BUT the routes break routing for some other machines that need to use the VPN, so having them in full-time is not an option. My plan was to just shove the sync traffic over the WAN, either v4 or v6.
With the system sync settings, I can stick in an IPv6 address or a hostname and it works. With the pfBlocker sync, if I put in a v6 address as 2001:xxx:xxx:xxx::xxx (without []) I get this in the log:
php-fpm[63574]: /pkg_edit.php: [pfBlockerNG] XMLRPC syncing to https://2001:xxx:xxx:xxx::xxx:443.
To me, this looks like pfBlocker wants the literal address in the config as the system's sync gives this entry in the log and works:
php-fpm[46766]: /rc.filter_synchronize: Filter sync successfully completed with https://[2001:xxx:xxx:xxx::xxx]:443.
So I put in a literal address as [2001:xxx:xxx:xxx::xxx] in the pfBlocker sync settings and I get this entry in the logs:
php-fpm[24610]: /pkg_edit.php: [pfBlockerNG] XMLRPC sync terminated due to mis-configured Replication Target IP Address or Port settings.
If I try a host name instead of the IPv6 literal address, I get the same error message. If I put in the public dynamic IPv4 address, it works. For clarity, I am NOT changing any sync settings apart from the destination address each time.
So, what works for the system sync is IPv4 address, v6 address and hostname. What works for me with the pfBlocker sync is IPv4 address only.
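As an added illustration (not pfSense or pfBlockerNG code), here is the validation and URL-building logic the post is circling, in Python: an IPv6 literal glued to a port without brackets is ambiguous to a URL parser, while the bracketed form parses cleanly. The hostname regex and the 2001:db8::1 address are constructed for the example.

```python
"""Constructed example (not pfSense/pfBlockerNG code): build an XML-RPC sync
URL from a replication target, bracketing IPv6 literals per RFC 3986."""
import ipaddress
import re
from urllib.parse import urlsplit

# RFC 1123 style label check for hostnames/domains (assumption: ASCII only).
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def classify_target(target: str) -> str:
    """Return 'ipv4', 'ipv6' or 'hostname'; raise ValueError for anything else.

    An already-bracketed literal such as '[2001:db8::1]' is rejected on purpose:
    brackets are added when the URL is built, so the setting holds the bare address.
    """
    try:
        return "ipv6" if ipaddress.ip_address(target).version == 6 else "ipv4"
    except ValueError:
        pass
    labels = target.rstrip(".").split(".")
    if target and all(_LABEL.match(label) for label in labels):
        return "hostname"
    raise ValueError(f"mis-configured Replication Target IP Address: {target!r}")


def is_valid_target(target: str) -> bool:
    """True when classify_target accepts the value."""
    try:
        classify_target(target)
        return True
    except ValueError:
        return False


def build_sync_url(target: str, port: int, protocol: str = "https") -> str:
    """Validate target and port, then return protocol://host:port."""
    if not 1 <= port <= 65535:
        raise ValueError(f"mis-configured Replication Target Port: {port!r}")
    host = f"[{target}]" if classify_target(target) == "ipv6" else target
    return f"{protocol}://{host}:{port}"


def parsed_host_port(url: str):
    """(hostname, port) as a URL parser reads them, or None if ambiguous."""
    try:
        parts = urlsplit(url)
        return parts.hostname, parts.port
    except ValueError:
        return None
```

Running `parsed_host_port("https://2001:db8::1:443")` returns None because the parser takes "2001" as the host and "db8::1:443" as the port, which is the failure mode behind the first log line above; `build_sync_url("2001:db8::1", 443)` yields the bracketed URL that parses as expected.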
-
Try this with System Patches:
--- a/usr/local/pkg/pfblockerng/pfblockerng.inc 2015-10-24 23:39:52.249959365 +0200 +++ b/usr/local/pkg/pfblockerng/pfblockerng.inc 2015-10-24 23:39:52.274963703 +0200 @@ -2897,8 +2897,12 @@ } // Validate Replication Target IP Address and Port Settings - if (!is_ipaddr($sync_to_ip) || !is_port($port)) { - log_error("[pfBlockerNG] XMLRPC sync terminated due to mis-configured Replication Target IP Address or Port settings."); + if (!is_ipaddr($sync_to_ip) && !is_hostname($sync_to_ip) && !is_domain($sync_to_ip)) { + log_error("[pfBlockerNG] XMLRPC sync terminated due to mis-configured Replication Target IP Address."); + $success = FALSE; + return $success; + } elseif (!is_port($port)) { + log_error("[pfBlockerNG] XMLRPC sync terminated due to mis-configured Replication Target Port settings."); $success = FALSE; return $success; } @@ -2907,6 +2911,10 @@ if (empty($synctimeout)) { $synctimeout = 150; } + + if (is_ipaddrv6($sync_to_ip)) { + $sync_to_ip = "[{$sync_to_ip}]"; + } $url = "{$protocol}://{$sync_to_ip}"; if ($port == "") { $port = $config['system']['webgui']['port']; };
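Review bot: in the first hunk the new `} elseif (!is_port($port)) {` branch still rejects an empty port before the later `if ($port == "") { $port = $config['system']['webgui']['port']; }` fallback can run, so that default is unreachable and a blank port field fails with the "mis-configured Replication Target Port settings" message instead of inheriting the webgui port; either apply the default before validating or remove the dead branch.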
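Review bot: the second hunk's `if (is_ipaddrv6($sync_to_ip)) { $sync_to_ip = "[{$sync_to_ip}]"; }` wrap only works because the first hunk's is_ipaddr/is_hostname/is_domain check rejects an already-bracketed literal such as `[2001:xxx:xxx:xxx::xxx]`, and the resulting "mis-configured Replication Target IP Address" log line gives the user no hint that the brackets are the problem; consider saying in that message, or in the field's help text, that the address must be entered without brackets because they are added automatically.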
-
With a literal v6 address, I now get:
php-fpm[17959]: /pkg_edit.php: [pfBlockerNG] XMLRPC sync terminated due to mis-configured Replication Target IP Address.
With a non-literal address, it now works - thank you very much :)
-
Yeah, don't put literals there. (Also, if you could test with some hostname, would be appreciated.)
-
Yep, a host name now works as well according to the logs.
-
One minor thing. The header field was a little strange. I'm used to a header meaning something to ignore as actual input. So my immediate intuition was to input something like a # because my lists did not load right and the force update said:
** TERMINATED - Header contains Blank/International/Special or Spaces
But I found in the forum that it's a header like a description. So maybe a little description for header would be helpful.
I was going to name it "filename" but I think it can also be misleading (users might think to enter the URL filename there)
There is a description of what a Header should be just above the URL settings in each alias. Suggestions are always welcome! :)
Header sounds like it's something too programmy. Why not just call it a label?
btw, I've been trying to add this ad blocking list because they have tons of formats yet get a download failed so I dunno
http://pgl.yoyo.org/adservers/iplist.php?ipformat=plain&showintro=0&mimetype=plaintext
http://pgl.yoyo.org/adservers/ – main page which offers various list formats and flags to reformat in different ways (csv, etc)
-
There should be no issue in downloading that yoyo list. Just use the "txt" format and ensure that you enter the header as something like "yoyo". Also ensure that you copy/paste the URL (paste as plain text). Check the pfblockerng.log file for other clues to the issue.
-
I can confirm yoyo list works. I'm using it.
http://pgl.yoyo.org/adservers/iplist.php?ipformat=plain&showintro=0&mimetype=plaintext
-
thanks. I'd been messing around with all of my lists last night for a while - finally started working once I stopped tinkering :)
-
has anyone seen this site?
http://iplists.firehol.org/
Seems like their github page aggregates a lot: https://github.com/firehol/blocklist-ipsets
plus it's nice to see how often lists are maintained: https://github.com/firehol/firehol/wiki/dnsbl-ipset.sh
-
I have a general question about PFblockerNG. When I'm in the IPv4 list and I want to make a custom list there's a section I can put IP's and it says:
"Please limit the size of the Custom List as this is stored as 'Base64' format in the config.xml file".
What's silly about that statement is it doesn't define a size recommendation. I think we can agree that size and one's opinion of what big is…is relative ;)
So...in the package maintainers view, how many entries would they recommend stopping at? With that; how many separate lists can I make for example, are multiple smaller lists more efficient than 1 large one and then another large one?
Example:
list1 = 10 IP networks
list2 = 10 IP networks
...and so forth for a total of 200 lists for 2000 IP's.
or
list1 = 1000 IP networks
list2 = 1000 IP networks
...for a total of 2000 IP's.
Are those the same thing and will they affect performance the same way?
Thanks!
-
Save your list as a file on pfSense and point pfBlockerNG to load it from the local path.
-
So…in the package maintainers view, how many entries would they recommend stopping at? With that; how many separate lists can I make for example, are multiple smaller lists more efficient than 1 large one and then another large one?
I have never really tested how many IPs can be saved into the Custom List, but I would assume you could put several thousand (or more) .. Not really recommended…
What fragged has said is appropriate, use the URL Localfile option to read larger lists...
But if your custom list is a few hundred, then that's fine...
-
Hello guys, I am looking for some insight as to what the heck I am doing wrong here.
I have rules.
I have pfblockerNG.
I need a rule above the block rules so I move it on top.
Everything is fine until CRON runs then it moves my rule below the pfblockerNG rules.
I have a user traveling abroad and needs access in these countries so I wish to move access to something above.
This appears to be a bug in pfsense or pfblockerNG I am not sure, or my user error?
Please help
-
I would suggest to have a look at 'Rule Order' at the 'General' tab and think about it for a while…
-
Dougc420 I suspect you're making a "firewall rule" rather than an allow rule inside pfblockerNG's IPv4 list.
I made a similar mistake. In the config on pfblockerNG you can give it an order, if you select the default which is pfblocker > then firewall I think > then something else (there are 3 from memory) then this is the default behavior if you make a firewall rule.
What you need to do is go into the pfblockerNG IPv4 list > make a new list > in that list at the bottom you can put your IP's / networks you want to allow. Unfortunately if it's a country, you'll need to dig up the country list online (I think pfblockerNG uses maxmind). Copy > paste all those networks into the list > enable it and make sure it says allow both inbound and outbound (both).
Then it will work. With the default config you can't simply make a firewall rule and expect it to work.
I LOVE LOVE LOVE pfblockerNG, it's the best plugin for pfsense. I want to buy a T-Shirt if there is one :-)
-
I want to block about 684 million IP's with the iphol.org block list. So; there will be a few in there :P
Looks like I might have to try it for giggles and see how it goes then report back!
-
Dude. That 'Custom List' shit is saved in config.xml… Breaking that won't be much of a giggle. Make a backup before trying.
-
I always backup, good suggestion.
So this is what I found when updating and trying this out:
"table-entries hard limit 2000000
Table Usage Count 540340"
So out of all my lists including the custom one I rolled from firehol because I took out the private IP's and the 0.0.0.0/8, I've got 540,340 entries in a table that can take 2 million!
So the answer to how many you can pile in the pfblockerNG list seems to be 2 million entries.
I managed to do some magic on my other server to curl down the firehol github list then edit out the aforementioned private IP's. I then shared it out on my wiki (that's protected to only let certain hosts look at it) and told it that it was a txt with a URL and boom…works like a charm, updates every 8 hours.
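The trimming step described in the post, as an added example in Python (not the poster's script or pfBlockerNG code): read a firehol-style netset, drop anything overlapping RFC 1918 space or 0.0.0.0/8, normalise bare hosts to /32 and report what was kept so the result can be compared against the pf table-entries limit. The sample list and the excluded ranges are constructed assumptions.

```python
"""Constructed example: filter a firehol-style IP blocklist before serving it
to pfBlockerNG as a plain txt list. Standalone code, not pfBlockerNG's."""
import ipaddress

# Ranges to exclude (assumption: RFC 1918 plus 0.0.0.0/8, as the post describes).
EXCLUDED = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "0.0.0.0/8")]

# Constructed sample in netset text format (comments start with '#').
SAMPLE = """\
# firehol_level1 (constructed sample, not the real list)
0.0.0.0/8
10.0.0.0/8
192.168.0.0/16   # private, would break LAN traffic if blocked
203.0.113.0/24
198.51.100.7
300.1.1.1        # malformed line, skipped
"""


def filter_blocklist(text: str):
    """Return (kept, excluded, malformed).

    kept: network strings in CIDR form (one pf table entry each)
    excluded: count of lines overlapping an EXCLUDED range
    malformed: count of lines that did not parse as an address or network
    """
    kept, excluded, malformed = [], 0, 0
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        try:
            net = ipaddress.ip_network(line, strict=False)   # bare IP -> /32
        except ValueError:
            malformed += 1
            continue
        # overlaps() is False across address families, so v6 entries pass through
        if any(net.overlaps(ex) for ex in EXCLUDED):
            excluded += 1
            continue
        kept.append(str(net))
    return kept, excluded, malformed
```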
-
Hey guys, just wondering if something is wrong or if this is supposed to happen.
I'm using 5 of the aliases from BBcan's import script. I'm denying incoming (3 selected ports) and all outgoing using floating rules.
After a few days I have thousands of packets listed against a couple of the aliases and hundreds against the others. However in my firewall logs I only have 7 events (all outgoing).
All floating rules are set to log and the global logging setting in PFblocker is set to on as well.
I realise I only want limited firewall events to be able to sift through easily but I would have thought there would be a few more?