PfBlockerNG
-
Try this with System Patches:
--- a/usr/local/pkg/pfblockerng/pfblockerng.inc 2015-10-24 23:39:52.249959365 +0200 +++ b/usr/local/pkg/pfblockerng/pfblockerng.inc 2015-10-24 23:39:52.274963703 +0200 @@ -2897,8 +2897,12 @@ } // Validate Replication Target IP Address and Port Settings - if (!is_ipaddr($sync_to_ip) || !is_port($port)) { - log_error("[pfBlockerNG] XMLRPC sync terminated due to mis-configured Replication Target IP Address or Port settings."); + if (!is_ipaddr($sync_to_ip) && !is_hostname($sync_to_ip) && !is_domain($sync_to_ip)) { + log_error("[pfBlockerNG] XMLRPC sync terminated due to mis-configured Replication Target IP Address."); + $success = FALSE; + return $success; + } elseif (!is_port($port)) { + log_error("[pfBlockerNG] XMLRPC sync terminated due to mis-configured Replication Target Port settings."); $success = FALSE; return $success; } @@ -2907,6 +2911,10 @@ if (empty($synctimeout)) { $synctimeout = 150; } + + if (is_ipaddrv6($sync_to_ip)) { + $sync_to_ip = "[{$sync_to_ip}]"; + } $url = "{$protocol}://{$sync_to_ip}"; if ($port == "") { $port = $config['system']['webgui']['port']; };
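Review bot: in the first hunk the new log message still reads "mis-configured Replication Target IP Address" although the condition now also accepts whatever passes is_hostname() or is_domain(); a user who entered a malformed hostname will be told their IP address is wrong, and the wording gives no hint that a name is accepted at all. Suggest "... due to mis-configured Replication Target IP Address or hostname." The split into a separate elseif for the port is otherwise a clear improvement over the combined check.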
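Review bot: the bracket wrapping in the second hunk only ever sees a bare v6 literal, because it runs after the first hunk's validation and is_ipaddrv6() will not match a bracketed string; a literal pasted in URL form such as "[2001:db8::1]" fails is_ipaddr(), is_hostname() and is_domain() alike and is rejected with the "mis-configured ... IP Address" message, which is one way to produce the failure reported in the reply below. Suggest trimming surrounding brackets from $sync_to_ip before the validation block (or stating in the field help that the bare form is expected), so the new wrapping code is the single place that adds them.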
-
With a literal v6 address, I now get:
php-fpm[17959]: /pkg_edit.php: [pfBlockerNG] XMLRPC sync terminated due to mis-configured Replication Target IP Address.
With a non-literal address, it now works - thank you very much :)
-
Yeah, don't put literals there. (Also, if you could test with some hostname, would be appreciated.)
-
Yep, a host name now works as well according to the logs.
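Added example, not code from this thread or from pfBlockerNG: the target validation and URL construction the patch above performs, written in Python, with the extra handling of a v6 literal that a user pasted already wrapped in brackets. The /xmlrpc.php path, the https default and the 443 fallback port are assumptions standing in for the protocol and webGUI-port values the real code reads from the config; the hostname check is syntactic only and resolves nothing.

```python
import ipaddress
import re
from typing import Union

# RFC 1123 host label: letters, digits and hyphens, no leading/trailing hyphen, at most 63 chars.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def is_hostname(name: str) -> bool:
    """Syntactic check only: a DNS name, single label or fully qualified. Nothing is resolved."""
    if not name or len(name) > 253:
        return False
    return all(_LABEL.match(label) for label in name.rstrip(".").split("."))


def build_sync_url(target: str, port: Union[int, str, None],
                   protocol: str = "https", default_port: int = 443,
                   path: str = "/xmlrpc.php") -> str:
    """Build the URL for an XML-RPC replication target.

    Accepts an IPv4 literal, an IPv6 literal (bare or already wrapped in []),
    or a hostname, and always emits an IPv6 literal in URL bracket form.
    Raises ValueError for a target or port that is mis-configured.
    (path, protocol and default_port are assumed values, see lead-in.)
    """
    host = target.strip()
    # A user used to URL syntax may paste the v6 literal with brackets; accept that form too.
    if host.startswith("[") and host.endswith("]"):
        host = host[1:-1]
    addr = None
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        pass
    if addr is None and not is_hostname(host):
        raise ValueError(f"mis-configured replication target address: {target!r}")

    # An empty port field falls back to a default, as the patched code falls back to the webGUI port.
    if port in (None, ""):
        port = default_port
    try:
        port = int(port)
    except (TypeError, ValueError):
        raise ValueError(f"mis-configured replication target port: {port!r}") from None
    if not 1 <= port <= 65535:
        raise ValueError(f"mis-configured replication target port: {port!r}")

    if addr is not None and addr.version == 6:
        # RFC 3986 host form; without the brackets the colons would be parsed as the port separator.
        # Zone identifiers (fe80::1%em0) are not handled here.
        host = f"[{addr}]"
    return f"{protocol}://{host}:{port}{path}"


if __name__ == "__main__":
    for t, p in (("192.0.2.10", 443), ("2001:db8::1", ""), ("[2001:db8::1]", 8443), ("fw2.example.com", None)):
        print(f"{t!r:20} -> {build_sync_url(t, p)}")
```

The check and the bracketing live in the same function on purpose: if the brackets are stripped before validation, the validation sees exactly what the URL builder sees, and a bracketed entry cannot be rejected as a bad IP address while a bare one is accepted.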
-
One minor thing. The header field was a little strange. I'm used to a header meaning something to ignore as actual input. So my immediate intuition was to input something like a # because my lists did not load right and the force update said:
** TERMINATED - Header contains Blank/International/Special or Spaces
But I found in the forum that it's a header like a description. So maybe a little description for header would be helpful.
I was going to name it "filename" but I think it can also be misleading (users might think to enter the URL filename there)
There is a description of what a Header should be just above the URL settings in each alias. Suggestions are always welcome! :)
Header sounds like it's something too programmy. Why not just call it a label?
btw, I've been trying to add this ad blocking list because they have tons of formats yet get a download failed so I dunno
http://pgl.yoyo.org/adservers/iplist.php?ipformat=plain&showintro=0&mimetype=plaintext
http://pgl.yoyo.org/adservers/ – main page which offers various list formats and flags to reformat in different ways (csv, etc)
-
There should be no issue in downloading that yoyo list. Just use the "txt" format and ensure that you enter the header as something like "yoyo". Also ensure that you copy/paste the URL (paste as plain text). Check the pfblockerng.log file for other clues to the issue.
-
I can confirm yoyo list works. I'm using it.
http://pgl.yoyo.org/adservers/iplist.php?ipformat=plain&showintro=0&mimetype=plaintext
-
thanks. I'd been messing around with all of my lists last night for a while - finally started working once I stopped tinkering :)
-
has anyone seen this site?
http://iplists.firehol.org/
Seems like their github page aggregates a lot https://github.com/firehol/blocklist-ipsets
plus it's nice to see how often lists are maintained https://github.com/firehol/firehol/wiki/dnsbl-ipset.sh
-
I have a general question about PFblockerNG. When I'm in the IPv4 list and I want to make a custom list there's a section I can put IP's and it says:
"Please limit the size of the Custom List as this is stored as 'Base64' format in the config.xml file".
What's silly about that statement is it doesn't define a size recommendation. I think we can agree that size and one's opinion of what big is…is relative ;)
So...in the package maintainers view, how many entries would they recommend stopping at? With that; how many separate lists can I make for example, are multiple smaller lists more efficient than 1 large one and then another large one?
Example:
list1 = 10 IP networks
list2 = 10 IP networks
...and so forth for a total of 200 lists for 2000 IP's.
or
list1 = 1000 IP networks
list2 = 1000 IP networks
...for a total of 2000 IP's.
Are those the same thing and will they affect performance the same way?
Thanks!
-
I have a general question about PFblockerNG. When I'm in the IPv4 list and I want to make a custom list there's a section I can put IP's and it says:
"Please limit the size of the Custom List as this is stored as 'Base64' format in the config.xml file".
What's silly about that statement is it doesn't define a size recommendation. I think we can agree that size and one's opinion of what big is…is relative ;)
So...in the package maintainers view, how many entries would they recommend stopping at? With that; how many separate lists can I make for example, are multiple smaller lists more efficient than 1 large one and then another large one?
Example:
list1 = 10 IP networks
list2 = 10 IP networks
...and so forth for a total of 200 lists for 2000 IP's.
or
list1 = 1000 IP networks
list2 = 1000 IP networks
...for a total of 2000 IP's.
Are those the same thing and will they affect performance the same way?
Thanks!
Save your list as a file on pfSense and point pfBlockerNG to load it from the local path.
-
So…in the package maintainers view, how many entries would they recommend stopping at? With that; how many separate lists can I make for example, are multiple smaller lists more efficient than 1 large one and then another large one?
I have never really tested how many IPs can be saved into the Custom List, but I would assume you could put several thousand (or more) .. Not really recommended…
What fragged has said is appropriate, use the URL Localfile option to read larger lists...
But if your custom list is a few hundred, then thats fine...
-
Hello guys, I am looking for some insight as to what the heck I am doing wrong here.
I have rules.
I have pfblockerNG.
I need a rule above the block rules so I move it on top.
Everything is fine until CRON runs then it moves my rule below the pfblockerNG rules.
I have a user traveling abroad and needs access in these countries so I wish to move access to something above.
This appears to be a bug in pfsense or pfblockerNG I am not sure, or my user error?
Please help
-
Hello guys, I am looking for some insight as to what the heck I am doing wrong here.
I have rules.
I have pfblockerNG.
I need a rule above the block rules so I move it on top.
Everything is fine until CRON runs then it moves my rule below the pfblockerNG rules.
I would suggest to have a look at 'Rule Order' at the 'General' tab and think about it for a while…
-
Dougc420 I suspect you're making a "firewall rule" rather than an allow rule inside pfblockerNG's IPv4 list.
I made a similar mistake. In the config on pfblockerNG you can give it an order, if you select the default which is pfblocker > then firewall I think > then something else (there are 3 from memory) then this is the default behavior if you make a firewall rule.
What you need to do is go into the pfblockerNG IPv4 list > make a new list > in that list at the bottom you can put your IP's / networks you want to allow. Unfortunately if it's a country, you'll need to dig up the country list online (I think pfblockerNG uses maxmind). Copy > paste all those networks into the list > enable it and make sure it says allow both inbound and outbound (both).
Then it will work. With the default config you can't simply make a firewall rule and expect it to work.
I LOVE LOVE LOVE pfblockerNG, it's the best plugin for pfsense. I want to buy a T-Shirt if there is one :-)
-
So…in the package maintainers view, how many entries would they recommend stopping at? With that; how many separate lists can I make for example, are multiple smaller lists more efficient than 1 large one and then another large one?
I have never really tested how many IPs can be saved into the Custom List, but I would assume you could put several thousand (or more) .. Not really recommended…
What fragged has said is appropriate, use the URL Localfile option to read larger lists...
But if your custom list is a few hundred, then thats fine...
I want to block about 684 million IP's with the iphol.org block list. So; there will be a few in there :P
Looks like I might have to try it for giggles and see how it goes then report back!
-
Dude. That 'Custom List' shit is saved in config.xml… Breaking that won't be much of a giggle. Make a backup before trying.
-
I always backup, good suggestion.
So this is what I found when updating and trying this out:
"table-entries hard limit 2000000
Table Usage Count 540340"
So out of all my lists including the custom one I rolled from firehol because I took out the private IP's and the 0.0.0.0/8 I've got 540,340 entries in a table that can take 2 million!
So the answer to how many you can pile in the pfblockerNG list seems to be 2 million entries.
I managed to do some magic on my other server to curl down the firehol github list then edit out the aforementioned private IP's. I then shared it out on my wiki (that's protected to only let certain hosts look at it) and told it that it was a txt with a URL and boom…works like a charm, updates every 8 hours.
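Added example, not code from this thread or from pfBlockerNG, covering two posts above: the maintainer's advice to feed a large list through the URL/local-file option instead of the Custom List box, and the clean-up described in the previous post (pull the firehol list, strip the private ranges and 0.0.0.0/8, publish the result as a txt). A blocklist entry such as 10.0.0.0/8 applied outbound would black-hole the LAN itself, so the exclusion has to carve those ranges out rather than just drop exact matches. The loopback and link-local excludes, the sample input and the download URL placeholder are assumptions of this example.

```python
import ipaddress
from typing import Iterable, List, Tuple

# Ranges that must never end up in an outbound block table. RFC 1918 plus 0.0.0.0/8 are the
# ranges the post above removed; loopback and link-local are added here as an assumption.
DEFAULT_EXCLUDES = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16",
)]


def _subtract(net, excludes):
    """Return the pieces of net that lie outside every exclude network."""
    remaining = [net]
    for ex in excludes:
        nxt = []
        for n in remaining:
            if n.subnet_of(ex):
                continue                           # fully inside an exclude: drop it
            if ex.subnet_of(n):
                nxt.extend(n.address_exclude(ex))  # carve the exclude out of a wider block
            else:
                nxt.append(n)                      # CIDR blocks either nest or are disjoint
        remaining = nxt
    return remaining


def filter_blocklist(text: str, excludes=DEFAULT_EXCLUDES) -> Tuple[List[str], int]:
    """Parse an ipset-style list (one IP or CIDR per line, '#' comments) into a clean
    IPv4 list for pfBlockerNG. Returns (entries, skipped_line_count)."""
    kept, skipped = [], 0
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()        # drop comments and whitespace
        if not line:
            continue
        try:
            net = ipaddress.ip_network(line, strict=False)   # a bare IP becomes a /32
        except ValueError:
            skipped += 1
            continue
        if net.version != 4:                       # this feeds an IPv4 list
            skipped += 1
            continue
        kept.extend(_subtract(net, excludes))
    # Merge adjacent and overlapping blocks so the pf table holds the fewest entries.
    return [str(n) for n in ipaddress.collapse_addresses(kept)], skipped


def covers(entries: Iterable[str], ip: str) -> bool:
    """True if any entry of the filtered list contains ip; a sanity check before publishing."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(e) for e in entries)


# Constructed sample in the FireHOL ipset format; not a real download.
SAMPLE = """\
# firehol_level1 (constructed excerpt)
0.0.0.0/8
10.0.0.0/8
172.16.0.0/12
192.168.0.0/16
198.51.100.0/24
198.51.100.128/25   # already inside the /24 above
203.0.113.7
not-an-address
"""

if __name__ == "__main__":
    # Real use (placeholder URL): text = urllib.request.urlopen(FIREHOL_URL).read().decode()
    # then write the entries to a file that pfBlockerNG reads via its URL/local-file option.
    entries, skipped = filter_blocklist(SAMPLE)
    print("\n".join(entries))
    print(f"# skipped {skipped} line(s)")
    assert not covers(entries, "192.168.1.1")
```

Running the clean-up on the server that downloads the list, as the post describes, keeps the large file out of config.xml entirely; the firewall only ever fetches the finished text.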
-
Hey guys, just wondering if something is wrong or if this is supposed to happen.
I'm using 5 of the aliases from BBcan's import script. I'm denying incoming (3 selected ports) and all outgoing using floating rules.
After a few days I have thousands of packets listed against a couple of the aliases and hundreds against the others. However in my firewall logs I only have 7 events (all outgoing).
All floating rules are set to log and the global logging setting in PFblocker is set to on as well.
I realise I only want limited firewall events to be able to sift through easily but I would have thought there would be a few more?
-
Hello guys, I am looking for some insight as to what the heck I am doing wrong here.
I have rules.
I have pfblockerNG.
I need a rule above the block rules so I move it on top.
Everything is fine until CRON runs then it moves my rule below the pfblockerNG rules.
I would suggest to have a look at 'Rule Order' at the 'General' tab and think about it for a while…
Unfortunately, the rule order is not very helpful. For example, I have a mail filter that I want to allow all inbound traffic to. On another VLAN I have a web server that I want pfblocker to block all the inbound traffic to. None of the "rule order" options allow for that to happen. I need to custom sort my rules. If it reloads the order, it blocks inbound legit email.