PfBlockerNG
-
pfBlockerNG is now version 2. You should go here: https://forum.pfsense.org/index.php?topic=102470.0
-
Somtimes the reporting of the Alerts misses the list matching! I had this problem today.
List 1 - Alias_Deny (De-Duplication enabled)
List 2 - Alias_NativeInterface 1
Block List 1The IP1 is in both lists, because Alias_Native does not passes by the De-Duplication process.
I had a hit on Interface 1 of IP1 and in the alert tab appeared the information that the hit is from List 2 (that does not even appears on the Interface)
Thank You all
-
Apologies as I'm new at this and I've read this full thread but am still not quite clear on the following …
I have created Deny Outbound rules on my interfaces (auto-rules) with no problems. Now I want to create rules to restrict inbound access to open ports. I understand I can do this a couple of ways (1) block country access to an alias containing the open ports, or (2) I could create a "permit inbound" rule with whitelisted countries to specific ports and destination IPs (and drop the normal PFsense NAT rules which currently allow anyone to access open ports).
However, I can't quite figure out how to physically implement either of these options. When I try to create the permit inbound rule (for example, with selected countries in North America), it creates the inbound rule but my prior deny outbound rule disappears. It seems that when I change my selections in pfB and save, it overwrites and replaces any prior rules created. I figure it must be something simple I'm doing wrong but I don't know what and can't seem to be able to create multiple different rules based on the same country list (with perhaps different selected countries from that list, for each of the rules)?
The only way I can almost do what I want is if I create all my rules as "Deny Both" and then in the advanced inbound rules, I list the alias for the open ports and the protocol(s). This has two problems though: I think I'm better to permit a small number of countries in rather than block a huge number of countries; and, I want fewer countries allowed in than I want to be able to go to on the outbound (I visit websites countries that have no need to access open ports). Doing it this way, the same country list is used both outbound and inbound.
Thanks
-
However, I can't quite figure out how to physically implement either of these options.
Hi rantech,
If you want to customize the rules, create a new Alias and in the "Source" field, add each of the Countries that you want to include in the Alias. Then manually create rules in the Firewall that references this Alias.
Please see the following links:
https://forum.pfsense.org/index.php?topic=102071.0
https://forum.pfsense.org/index.php?topic=86212.msg548324#msg548324
https://forum.pfsense.org/index.php?topic=86212.msg553921#msg553921 -
Is it possible to create two different alias from the same country list, one for inbound and a different one for outbound? Both that are logged and updated by pfB?
I think I would create the first alias and change the name and then create the second alias ?
-
Just create one pfBNG alias 'Alias Native' type and add the Countries. You can create as many rules based on this one alias.
-
I don't think I'm explaining well … For example, I actually want/need to have an two different alias for North America.
"Outbound_Block_North_America" would be a list that contains 60% of the countries and this will be countries I want to block outbound access to in North America. I will block only a few countries as I want to visit internet sites in most countries in North America. I would create a "Block outbound to Outbound_Block_North_America"
"Inbound_North_America" would be a list that contains only Canada and the United States since these are the only two countries in North America that should be allowed inbound. I would create a "Permit Inbound_North_America to Open_Ports" rule for these.
Just can't quite see how to create these two different Alias from North America and have them coexisting at the same time - maybe it's not possible? Apologies for dragging this out.
FYI: I'm not getting the "Alias Native" option in the drop down. I have only "Alias Block", "Alias Permit", and "Alias Match". I just installed pfBlocker this past week, into PFSense 2.2.4 (i386).
-
ok I misunderstood your questions the first time around. It seemed like you wanted to create two of the same Alias configurations… So what you are proposing is fine.
I notice in the Top20 tab that it is missing the "Alias Native" option. I will add that soon. However, the "native" option is available in all the other Continent tabs inc (v4/v6 tabs)
I suggest you make a new Alias (and not use the Continent tabs), and add the path to the CC folder directly, as per the following link:
https://forum.pfsense.org/index.php?topic=102071.msg569296#msg569296Then once the two aliases are created, run a "Force Update" to get those built. Then create your Firewall rules with your requirements and reference the appropriate alias.
-
Thanks - that does exactly what I want and worked fine! One minor thing to point out, the instructions for adding the country data to the list are:
"'Country code': /usr/pbi/pfblockerng-amd64/share/GeoIP/cc/US_v4.txt (Change 'US' to required code)"
However, depending on your hardware, you might need to change "amd64". In my case, it didn't work until I changed this to "i386".
Thanks again!
-
Thanks - that does exactly what I want and worked fine! One minor thing to point out, the instructions for adding the country data to the list are:
"'Country code': /usr/pbi/pfblockerng-amd64/share/GeoIP/cc/US_v4.txt (Change 'US' to required code)"
However, depending on your hardware, you might need to change "amd64". In my case, it didn't work until I changed this to "i386".
Thanks again!
I am running out of real estate on the pages to add more help text! Not that many people read it! :) Thanks for the feedback!
-
I suggest an improvement :
Add another tab (same as Proxy and Satellite), for blocking IP range by iana Regional Internet Registry (RIR)
(https://www.iana.org/numbers)
Attached, you'll find many lists filtered by RIR
Many thanks for your work.
Regards ;)AFRINIC.txt
APNIC.txt
ARIN.txt
LACNIC.txt
RIPE.txt
reserved.txt
bogon.txt
multicast.txt
others.txt -
@nl:
I suggest an improvement :
Add another tab (same as Proxy and Satellite), for blocking IP range by iana Regional Internet Registry (RIR)
Thanks for the suggestion nl,
I think it would be best for users who wish to use such lists, to just create a new Alias and add the URLs to the Source Fields as required… I would rather not create an additional tab.
-
Hello!
I just started using pfBlocker to block ads, but I'm getting this cert dialog on many websites
-
I just started using pfBlocker to block ads, but I'm getting this cert dialog on many websites
Well for one, www.google.com shouldn't be in the block list, unless you really are trying to block that domain? Check the Alerts Tab for additional details.
Safari and IE are not designed well in regards to HTTPs, best to use Chrome or FF. Also ensure your Safari version is up-to-date.
Please see the new thread for DNSBL, which might provide some more info:
https://forum.pfsense.org/index.php?topic=102470.0 -
I just started using pfBlocker to block ads, but I'm getting this cert dialog on many websites
Well for one, www.google.com shouldn't be in the block list, unless you really are trying to block that domain? Check the Alerts Tab for additional details.
Safari and IE are not designed well in regards to HTTPs, best to use Chrome or FF. Also ensure your Safari version is up-to-date.
Please see the new thread for DNSBL, which might provide some more info:
https://forum.pfsense.org/index.php?topic=102470.0Thanks for your reply! I checked deeply and there was a list that had google.com as the domain.
In any case, for domains that I WANT to block… should I accept the cert? It' just I'm a bit lost about what it means accepting it and why it shows up!
-
In any case, for domains that I WANT to block… should I accept the cert? It' just I'm a bit lost about what it means accepting it and why it shows up!
When the browser makes an HTTPs request to a domain that is blacklisted by DNSBL, The Resolver (Unbound) forwards the browser to the DNSBL webserver, however the browser sees that the DNSBL webservers certificate is not the same as the domain that it requested, so it reports the cert error. Other browsers like Chrome and Firefox, just drop the failed connection attempts. Safari and IE are always behind the times it seems. If Safari allows accepting the cert, then go ahead. It shouldn't tho as its not the correct certificate. The last thing that you want is to Man-In-The-middle the HTTPs traffic and impersonate a domain. Lots of bad things happen when you do that…
More details here:
https://forum.pfsense.org/index.php?topic=102470.msg573329#msg573329 -
Hil,
I want to allow NAT to my servers only from IPs in Brazil, so I use one country list (alias permit), and use that list as source on my NAT rule. Working as expected.
But I use DNS failover from DNS Made Easy, and monitoring from Uptime Robot, and both are been blocked.
For now I create a second alias, and setup a second NAT.
Are some way to merge both lists? When I try to create one new alias with both alias on, I receive one error that it's not possible because the to aliases are from different types.
Thanks
-
Are some way to merge both lists? When I try to create one new alias with both alias on, I receive one error that it's not possible because the to aliases are from different types.
Please see the following links:
https://forum.pfsense.org/index.php?topic=102071.0
https://forum.pfsense.org/index.php?topic=86212.msg548324#msg548324
https://forum.pfsense.org/index.php?topic=86212.msg553921#msg553921 -
I have been playing around with pfblockerng and so far I love it. I have found one problem though. I use some blacklists from squidblacklist.org and they work great except if you put www in front of the domain. For example, playboy.com is blocked but www,playboy.com is not. Anyway to fix this?
-
I have been playing around with pfblockerng and so far I love it. I have found one problem though. I use some blacklists from squidblacklist.org and they work great except if you put www in front of the domain. For example, playboy.com is blocked but www,playboy.com is not. Anyway to fix this?
Did you manually add the www. domain to a customlist? If so, make sure to select "Update custom list' at the bottom of the page before running a "Force Update"