PfBlockerNG



  • I'm trying to whitelist access to a website behind my firewall to my own country only.

    When I create a Country list action as an 'alias permit' then use the resulting alias as the Source for the existing website NAT rule, it breaks my internal network access to the site. NAT Reflection is set to Enable (NAT + Proxy), what am I missing here?



  • I am starting to get errors. I guess the lists I am using are old. Where do I get the new list?

    pfblockerng.log

    
    [ Abuse_SSLBL ]		 Downloading update [ 01/02/16 6:01:12 ] .. 200 OK. completed ..
    
    [ dShield_Block ]	 Downloading update [ 01/02/16 6:01:13 ] . cURL Error: 51
    SSL: no alternative certificate subject name matches target host name 'feeds.dshield.org' Retry in 5 seconds...
    . cURL Error: 51
    SSL: no alternative certificate subject name matches target host name 'feeds.dshield.org' Retry in 5 seconds...
    . cURL Error: 51
    SSL: no alternative certificate subject name matches target host name 'feeds.dshield.org' Retry in 5 seconds...
    .. unknown http status code 
    
     [ pfB_PRI1 - dShield_Block ] Download FAIL [ 01/02/16 6:01:29 ]
      Firewall and/or IDS are not blocking download.
    
    The Following list has been REMOVED [ dShield_Block ]
    
    [ Snort_BL ]		 Downloading update [ 01/02/16 6:01:30 ] . cURL Error: 60
    SSL certificate problem: unable to get local issuer certificate Retry in 5 seconds...
    . cURL Error: 60
    SSL certificate problem: unable to get local issuer certificate Retry in 5 seconds...
    . cURL Error: 60
    SSL certificate problem: unable to get local issuer certificate Retry in 5 seconds...
    .. unknown http status code 
    
     [ pfB_PRI1 - Snort_BL ] Download FAIL [ 01/02/16 6:01:46 ]
      Firewall and/or IDS are not blocking download.
    
    The Following list has been REMOVED [ Snort_BL ]
    
    [ BBC_Goz ]		 exists. 
    [ Alienvault ]		 Downloading update  .. 200 OK.. completed ..
    
    

    error.log

    
    [ pfB_PRI1 - dShield_Block ] Download FAIL [ 01/03/16 20:11:11 ]
      Firewall and/or IDS are not blocking download.
    . unknown http status code 
    
     [ pfB_PRI1 - Snort_BL ] Download FAIL [ 01/03/16 20:11:28 ]
      Firewall and/or IDS are not blocking download.
    . unknown http status code 
    
     [ pfB_PRI3 - DangerRulez ] Download FAIL [ 01/03/16 20:11:47 ]
     [ 188.40.39.38 ] Firewall IP block found in: [ pfB_Top_v4 | 188.40.0.0/16 ]
    . unknown http status code 
    
     [ pfB_PRI3 - VMX ] Download FAIL [ 01/03/16 20:12:04 ]
     [ 195.209.40.11 ] Firewall IP block found in: [ pfB_Top_v4 | 195.208.0.0/15 ]
    . unknown http status code 
    
     [ pfB_PRI1 - dShield_Block ] Download FAIL [ 01/03/16 20:13:12 ]
      Firewall and/or IDS are not blocking download.
    . unknown http status code 
    
     [ pfB_PRI1 - Snort_BL ] Download FAIL [ 01/03/16 20:13:29 ]
      Firewall and/or IDS are not blocking download.
    . unknown http status code 
    
     [ pfB_PRI3 - DangerRulez ] Download FAIL [ 01/03/16 20:13:46 ]
     [ 188.40.39.38 ] Firewall IP block found in: [ pfB_Top_v4 | 188.40.0.0/16 ]
    . unknown http status code 
    
     [ pfB_PRI3 - VMX ] Download FAIL [ 01/03/16 20:14:08 ]
     [ 195.209.40.11 ] Firewall IP block found in: [ pfB_Top_v4 | 195.208.0.0/15 ]
    
    


  • You can change the Lists state to FLEX for those lists and see if this helps.



  • pfBlockerNG sounds really great, but after reading through about 500 posts I found a few people requesting a shorter tutorial, but no one has responded to those requests.

    Is there a concise guide to setting up and configuring pfBlockerNG 2.0.4?  I could eliminate a lot of repetitive questions.

    I'd rather learn from the mistakes of others than stay up to 2am trying to figure out what setting I goofed.

    Thanks



  • Converting MaxMind Country databases for pfBlockerNG.
    This may take a few minutes…

    I just did a fresh install of pfSense after using the box for other stuff for a while, and the "converting the database" process just hangs.  It didn't a few months ago.  I was running 2.2.5 the last time I had installed pfB, so that and whatever has changed with the addon in the last few months are really the only things that have changed in the process.

    This is a fast 50+MB connection and an Intel c2758 board so I can't think it's the equipment.  Logs aren't showing anything funky.  I've removed and reinstalled pfB a few times to see if something would change but the CPU is idle at this point and logs aren't indicating anything's going on at this point of the install.  I let it go about 20+ minutes on one attempt and just now let it sit there while I slept 7+ hours.

    I can clearly see the lists have downloaded to the box via ssh and I even looked at the GitHub source and downloaded the country lists from the URLs via my browser.

    edit: just re-downloaded the pfSense ISO, verified the hash, reinstalled pfSense and still get the same hang.



  • @BBCan17
    I've since reinstalled Firefox and started walking through all of my addons setting them back up how I had them.  So far I haven't seen it not install now.  Maybe either successfully installing it once from another browser is what fixed it or I haven't checked a setting in my add-ons that was causing the error or maybe something in my browser cache… no idea.  Kinda frustrating I haven't pinned it down but at least it wasn't a big deal I guess.  If something comes up I'll let you know because that's really odd.

    Thanks for the help!

    Also, I'm thinking of writing a tut at some point but I doubt it'll be as concise as some would wish.  It's one of those apps I want to gush on about.  Besides, after using blockers for 10+ years they're handy, but using >10 blocklists seems excessive; I prefer being conservative.



  • @BBcan177

    Hi, I have just upgraded to pfSense 2.3B and am having a problem with the pfBlockerNG webserver service.
    The service will not start for some reason.  I do get a crash report from pfsense.

    Crash report begins.  Anonymous machine information:
    
    amd64
    10.2-STABLE
    FreeBSD 10.2-STABLE #296 d8ff348(devel): Wed Jan  6 08:09:19 CST 2016     root@pfs23-amd64-builder:/usr/home/pfsense/pfsense/tmp/obj/usr/home/pfsense/pfsense/tmp/FreeBSD-src/sys/pfSense
    
    Crash report details:
    
    PHP Errors:
    [06-Jan-2016 10:10:32 America/Edmonton] PHP Stack trace:
    [06-Jan-2016 10:10:32 America/Edmonton] PHP   1. {main}() /usr/local/www/pfblockerng/pfblockerng.php:0
    [06-Jan-2016 10:10:32 America/Edmonton] PHP   2. sync_package_pfblockerng() /usr/local/www/pfblockerng/pfblockerng.php:101
    [06-Jan-2016 10:10:32 America/Edmonton] PHP   3. pfb_create_dnsbl() /usr/local/pkg/pfblockerng/pfblockerng.inc:3031
    [06-Jan-2016 10:10:32 America/Edmonton] PHP   4. link() /usr/local/pkg/pfblockerng/pfblockerng.inc:693
    [06-Jan-2016 10:15:00 America/Edmonton] PHP Stack trace:
    [06-Jan-2016 10:15:00 America/Edmonton] PHP   1. {main}() /usr/local/www/pfblockerng/pfblockerng.php:0
    [06-Jan-2016 10:15:00 America/Edmonton] PHP   2. pfblockerng_sync_cron() /usr/local/www/pfblockerng/pfblockerng.php:94
    [06-Jan-2016 10:15:00 America/Edmonton] PHP   3. sync_package_pfblockerng() /usr/local/www/pfblockerng/pfblockerng.php:387
    [06-Jan-2016 10:15:00 America/Edmonton] PHP   4. pfb_create_dnsbl() /usr/local/pkg/pfblockerng/pfblockerng.inc:3031
    [06-Jan-2016 10:15:00 America/Edmonton] PHP   5. link() /usr/local/pkg/pfblockerng/pfblockerng.inc:693
    
    

    I have tried reinstalling, removing the package completely and then installing.

    It would be great if you could have a look at this.
    BTW Thanks for a great package.

    Dan



  • pfSense moved from lighttpd to nginx in the beta which broke pfBNG (along with all other packages relying on lighttpd). I believe the author is working on an update.

    https://forum.pfsense.org/index.php?topic=104854.0



  • Ok Thank you.
    Since the package was available for 2.3 I thought it was already done.



  • I'm getting this error in the update log

    ===[  DNSBL Process  ]================================================
    Missing DNSBL stats and/or Unbound DNSBL conf file - Rebuilding
    
    

  • Moderator

    Hi trumee,

    Some of those download fails are due to cURL errors. See the messages below. Set those to "Flex".

    @trumee:

    SSL: no alternative certificate subject name matches target host name 'feeds.dshield.org'
    SSL certificate problem: unable to get local issuer certificate Retry in 5 seconds…

    Also DangerRulez and VMX are being blocked by other Firewall Lists.

    [ pfB_PRI3 - DangerRulez ] Download FAIL [ 01/03/16 20:11:47 ]
    [ 188.40.39.38 ] Firewall IP block found in: [ pfB_Top_v4 | 188.40.0.0/16 ]

    [ pfB_PRI3 - VMX ] Download FAIL [ 01/03/16 20:12:04 ]
    [ 195.209.40.11 ] Firewall IP block found in: [ pfB_Top_v4 | 195.208.0.0/15 ]


  • Moderator

    @DLFerguRD:

    Hi, I have just upgraded to pfSense 2.3B and am having a problem with the pfBlockerNG webserver service. The service will not start for some reason.  I do get a crash report from pfsense.

    @DougD:

    pfSense moved from lighttpd to nginx in the beta which broke pfBNG (along with all other packages relying on lighttpd). I believe the author is working on an update.

    https://forum.pfsense.org/index.php?topic=104854.0

    Yes, the recent changes in pfSense 2.3 from Lighttpd to NGINX broke the DNSBL feature… I will be submitting a PR to fix this up soon....


  • Moderator

    @varazir:

    I'm getting this error in the update log

    ===[  DNSBL Process  ]================================================
    Missing DNSBL stats and/or Unbound DNSBL conf file - Rebuilding
    
    

    It's not an error… It's just a notice to say that it's rebuilding the database. Possibly due to a "Force Reload" or re-enabling pfBlockerNG... or adding/removing a DNSBL Alias/Feeds...



  • @BBcan177, this is going to take some explaining. :)  This feature affects other services, but let's just use AWS as an example.

    AWS controls (among many, many others) the entire 54.240.128.0/18 range, which means that all /24 ranges from 54.240.128.0/24-54.240.191.0/24 are included.  Since AWS allows others to use their servers, it's highly likely that many of those /24 ranges are going to be flagged.

    Let's say that 128, 129, 140, 141, 142, 143, 144 get flagged in a particular /24.  As far as AWS is concerned, there's no correlation which implies that 130, 139 or 145 are the same individual or group.  This is especially true for CloudFront where the IP assignments mean nothing.

    So the entire /24 net gets blacklisted when, in actuality, for these particular subnets, the relationships between IPs on the same /24 subnet is almost zero.

    What I'd like would be for a way to say: "Hey, go ahead and parse out something like this: https://ip-ranges.amazonaws.com/ip-ranges.json and, if the IPs are within those ranges, still blacklist them, but don't add them to the list for reputation processing."

    Thoughts?
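The exclusion abujammy describes, as an added example in Python (not pfBlockerNG's own PHP code): IPs that fall inside ranges taken from an ip-ranges.json-style document are still blocked as single hosts but are kept out of the per-/24 reputation tally, so a shared cloud /24 is not escalated to a network block. The JSON excerpt, the feed IPs and the threshold of 5 hits per /24 are constructed for the example.

```python
import ipaddress
import json
from collections import defaultdict

# Constructed sample in the shape of https://ip-ranges.amazonaws.com/ip-ranges.json,
# trimmed to the keys this example reads. The real file lists hundreds of prefixes.
AWS_RANGES_JSON = """
{
  "syncToken": "0",
  "createDate": "2016-01-18-00-00-00",
  "prefixes": [
    {"ip_prefix": "54.240.128.0/18", "region": "GLOBAL", "service": "AMAZON"},
    {"ip_prefix": "52.92.16.0/20", "region": "us-west-2", "service": "S3"}
  ]
}
"""

# Constructed feed: seven hits inside an AWS /24 (unrelated tenants sharing a range)
# and seven hits inside a /24 that no exclusion covers (198.51.100.0/24 is the
# TEST-NET-2 documentation block, standing in for a real offender).
FEED_IPS = [f"54.240.130.{h}" for h in (128, 129, 140, 141, 142, 143, 144)] + \
           [f"198.51.100.{h}" for h in (10, 20, 30, 40, 50, 60, 70)]

REPUTATION_MAX = 5  # hypothetical threshold: this many hits in one /24 blocks the /24


def load_exclusions(doc):
    """Parse the ip-ranges.json style document into a list of networks."""
    return [ipaddress.ip_network(p["ip_prefix"]) for p in json.loads(doc)["prefixes"]]


def process_feed(feed_ips, exclusions, threshold=REPUTATION_MAX):
    """Return (blocked_hosts, blocked_nets, excluded_from_reputation).

    Every feed IP is still blocked individually. Only IPs outside the exclusion
    ranges count toward the per-/24 tally that escalates to a whole-/24 block.
    """
    blocked_hosts = set()
    excluded = set()
    hits_per_24 = defaultdict(set)
    for entry in feed_ips:
        ip = ipaddress.ip_address(entry)
        blocked_hosts.add(ip)
        if any(ip in net for net in exclusions):
            excluded.add(ip)          # blocked, but not counted for reputation
            continue
        net24 = ipaddress.ip_network(f"{ip}/24", strict=False)
        hits_per_24[net24].add(ip)
    blocked_nets = {net for net, hits in hits_per_24.items() if len(hits) >= threshold}
    return blocked_hosts, blocked_nets, excluded


def escalated_networks(feed_ips, doc, threshold=REPUTATION_MAX):
    """Convenience wrapper: the /24s escalated by reputation, as strings."""
    _, nets, _ = process_feed(feed_ips, load_exclusions(doc), threshold)
    return sorted(str(n) for n in nets)


if __name__ == "__main__":
    hosts, nets, excluded = process_feed(FEED_IPS, load_exclusions(AWS_RANGES_JSON))
    print(f"{len(hosts)} hosts blocked, {len(excluded)} kept out of reputation")
    print("/24 networks escalated by reputation:", sorted(str(n) for n in nets))
```

With the constructed input only 198.51.100.0/24 is escalated; the seven AWS hits stay as host blocks and 54.240.130.0/24 remains reachable.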


  • Moderator

    @abujammy:

    What I'd like would be for a way to say: "Hey, go ahead and parse out something like this: https://ip-ranges.amazonaws.com/ip-ranges.json and, if the IPs are within those ranges, still blacklist them, but don't add them to the list for reputation processing."

    Hi abujammy, it's best to use the Country code exclusion for Reputation and add "USA" to the list of exclusions.



  • Wow! BBcan177. Wow.

    I've been gone for such a long time, I come back and pfBlockerNG is a hit! This is so cool. I'm so glad that you stepped up and helped move this idea. Thanks to Marcello Coutinho for helping me get pfBlocker (back when it was IP blocklist and country Block) off the ground from its first inception back when it was release 0.1.

    This is absolutely awesome. And you gave throwback credit to me and Marcello Coutinho.

    Well done! This is why I love the pfsense community. We all work together to make our worlds better.


  • Moderator

    @tommyboy180:

    Wow! BBcan177. Wow.

    I've been gone for such a long time, I come back and pfBlockerNG is a hit! This is so cool. I'm so glad that you stepped up and helped move this idea. Thanks to Marcello Coutinho for helping me get pfBlocker (back when it was IP blocklist and country Block) off the ground from its first inception back when it was release 0.1.

    This is absolutely awesome. And you gave throwback credit to me and Marcello Coutinho.

    Well done! This is why I love the pfsense community. We all work together to make our worlds better.

    Thanks… Most don't realize all the effort that goes into developing and maintaining a package with an ever changing landscape...  ;)  welcome back...



  • Hello,
    what do you prefer as a blocked IP list?
    do you know some web service where I can buy access to a blocklist that I can insert by URL and forget it?
    do you also know some such service for a Whitelist (like googlebot and similar)?
    thanks for your help.

    Peppe



  • Is it possible to block a list of dynamic IP's but only specific ports?

    We get a lot of spam H.323 calls originating from AWS (185+ EC2 IP ranges) and DigitalOcean (10+ IP ranges) and others. We'd like to automate the blacklisting but only on ports 1503 and 1720.

    Expert Mode Question: Most of the originator calls are named "unknown" or "cisco" and it would be great to parse those out and block those, though I'm betting that's beyond the scope of pfBlockerNG.


  • Moderator

    @peppegate:

    Hello,
    what do you prefer as a blocked IP list?
    do you know some web service where I can buy access to a blocklist that I can insert by URL and forget it?
    do you also know some such service for a Whitelist (like googlebot and similar)?
    thanks for your help.

    Peppe

    Here is a link to a script to import ~50 blocklists…
    https://forum.pfsense.org/index.php?topic=86212.msg549973#msg549973

    I think there are some Whitelists available... But I don't have those URLs myself... Google search and/or hopefully other users can share some URLs for whitelisting...


  • Moderator

    @AmosK:

    Is it possible to block a list of dynamic IP's but only specific ports?

    We get a lot of spam H.323 calls originating from AWS (185+ EC2 IP ranges) and DigitalOcean (10+ IP ranges) and others. We'd like to automate the blacklisting but only on ports 1503 and 1720.

    Expert Mode Question: Most of the originator calls are named "unknown" or "cisco" and it would be great to parse those out and block those, though I'm betting that's beyond the scope of pfBlockerNG.

    You can use the "Adv. Inbound Firewall" rule settings to protect only certain ports/Dest IPs etc… I will be adding "Adv. Outbound Firewall" rule settings in the next release. You can also use "Alias" type rules, and manually create the firewall rules to suit more complex setups...



  • pfBlockerNG IPv4-lists: Changes from script: as of 2016-01-18

    Re: https://forum.pfsense.org/index.php?topic=86212.msg510369;topicseen#msg510369

    After perusing the log from the CRON run of the pfBlockerNG_import.php script as listed here, it appears that there are a couple of changes that might reduce errors, which I have documented below.

    Might want to delete the "no access," "discontinued" and "not found" or change status to "off."

    Cheers,

    Todd

    *Startlist


    as per: https://spyeyetracker.abuse.ch/ :

    SpyEye Tracker has been discontinued. More information will follow soon on https://www.abuse.ch

    Thanks for all your support!



    as per: http://blog.snort.org/2015/09/ip-blacklist-feed-has-moved-locations.html :
    Wednesday, September 2, 2015
    IP Blacklist feed has moved locations!
    For those of you using the IP Blacklist feed on labs.snort.org, we've had to move the URL to the new link.
    You can find it at the following URL: http://talosintel.com/feeds/ip-filter.blf



    as per: http://www.infiltrated.net/blacklisted
    Forbidden
    You don't have permission to access /blacklisted on this server.



    as per: http://www.geopsy.org/blacklist.html
    Not Found
    The requested URL /blacklist.html was not found on this server.


    *Endlist



  • Is it possible to import "Easylist Germany" to "DNSBL Easylist" from AdBlock Plus into pfBlockerNG?

    Easylist Germany: https://easylist.adblockplus.org/de/



  • @BBCan17
    I am having trouble viewing the pfblockerNG alerts.

    On the main index page, I can see (for example) X packets for "pfB_NAmericav4" (I created an inbound rule/alias to block everything inbound on WAN that's not from United States).

    I can see that it blocked 475 packets.

    Clicking on it brings me to the alerts page, which says "Found 29 Alert Entries - Insufficient Firewall Alerts found."

    Why does it only find 29 of the 475 blocked packets?

    I've disabled remote logging for the moment to hopefully eliminate a variable. I've also:
    - disabled/re-enabled pfBNG
    - forced an update
    - forced cron
    - forced a reload
    - cleared logs (from the firewall settings tab)

    pics below


  • Moderator

    @oddworld19:

    I am having trouble viewing the pfblockerNG alerts.
    Why does it only find 29 of the 475 blocked packets?

    Hi oddworld19,

    The Alerts Tab takes its info from the pfSense Firewall Log. So if the Firewall log doesn't contain those Alerts, it won't show in the pfBNG Alerts Tab.

    You should disable the "Log Firewall Default Block" option. They are filling your log with unneeded data. You could keep the last two "Bogons" and "Private" as those shouldn't fill your logs as much.

    Then clear your firewall logs. Followed by Disable and Re-Enable of pfBlockerNG to clear the widget packet Counts and see how it goes from there.

    There is also a known issue that I reported to the Devs, but haven't had a response. But that is only specific if you define Ports in the firewall rules. From your post, it doesn't look like you have this issue.

    https://forum.pfsense.org/index.php?topic=99929

    update:

    The Widget has a customization setting to define the "Max packets for Alerts Tab pivot"… Make sure this is set to meet with your requirements.



  • The "IPv4 Custom list" seems to be inactive in pfBlockerNG. It worked fine before. I have several IPs I want to block manually in that list but it is not working. Force update and force reload have no effect. The custom list does not appear on the dashboard either. Anyone familiar with this?


  • Moderator

    @Ip:

    The "IPv4 Custom list" seems to be inactive in pfBlockerNG. It worked fine before. I have several IPs I want to block manually in that list but it is not working. Force update and force reload have no effect. The custom list does not appear on the dashboard either. Anyone familiar with this?

    Can you post a screenshot of the Alias? Did you select the "List Action" and define the "Alias" name?



  • @BBcan177:

    @Ip:

    The "IPv4 Custom list" seems to be inactive in pfBlockerNG. It worked fine before. I have several IPs I want to block manually in that list but it is not working. Force update and force reload have no effect. The custom list does not appear on the dashboard either. Anyone familiar with this?

    Can you post a screenshot of the Alias? Did you select the "List Action" and define the "Alias" name?

    Well, the alias name is kind of personal  ;). Contains one space but no "pfBlocker" or "pfB_". List action is "Deny Both".


  • Moderator

    @Ip:

    @BBcan177:

    @Ip:

    The "IPv4 Custom list" seems to be inactive in pfBlockerNG. It worked fine before. I have several IPs I want to block manually in that list but it is not working. Force update and force reload have no effect. The custom list does not appear on the dashboard either. Anyone familiar with this?

    Can you post a screenshot of the Alias? Did you select the "List Action" and define the "Alias" name?

    Well, the alias name is kind of personal  ;). Contains one space but no "pfBlocker" or "pfB_". List action is "Deny Both".

    It's probably not going to create the alias if it's just a "single space" as the Alias name… Give it a proper name and it should be fine. It can't contain any special or International characters.



  • @BBcan177:

    @Ip:

    @BBcan177:

    @Ip:

    The "IPv4 Custom list" seems to be inactive in pfBlockerNG. It worked fine before. I have several IPs I want to block manually in that list but it is not working. Force update and force reload have no effect. The custom list does not appear on the dashboard either. Anyone familiar with this?

    Can you post a screenshot of the Alias? Did you select the "List Action" and define the "Alias" name?

    Well, the alias name is kind of personal  ;). Contains one space but no "pfBlocker" or "pfB_". List action is "Deny Both".

    It's probably not going to create the alias if it's just a "single space" as the Alias name… Give it a proper name and it should be fine. It can't contain any special or International characters.

    I renamed it abc123 and now it appears as pfB_abc123 on my dashboard. Thanks!



  • Is spam404, one of the DNSBL feeds, gone?


  • Moderator

    @pfcode:

    Is spam404, one of the DNSBL feeds, gone?

    Would have been best to post this in pfBNG v2.0 thread:

    Looks like they moved the Spam404 feed to Github:
    https://raw.githubusercontent.com/Dawsey21/Lists/master/main-blacklist.txt



  • @BBcan177:

    @pfcode:

    Is spam404, one of the DNSBL feeds, gone?

    Would have been best to post this in pfBNG v2.0 thread:

    Oops, sorry.



  • Hello,

    is there a possibility to add the negate rule on ports also? I don't want to block some ports, aka in the top 20 country list. I modified the xml and the inc file but it seems to ignore the option. Is there another file that I must change that makes the option work? Thx.


  • Moderator

    @CIURI:

    Hello,

    is there a possibility to add the negate rule on ports also? I don't want to block some ports, aka in the top 20 country list. I modified the xml and the inc file but it seems to ignore the option. Is there another file that I must change that makes the option work? Thx.

    Sure I can add that to the next release… I will also be adding "Adv. Outbound" settings with other additional options...

    Here is a screenshot of what to expect:
    http://i.imgur.com/XWqznm2.png


  • Moderator

    @BBcan177:

    @CIURI:

    Hello,

    is there a possibility to add the negate rule on ports also? I don't want to block some ports, aka in the top 20 country list. I modified the xml and the inc file but it seems to ignore the option. Is there another file that I must change that makes the option work? Thx.

    Sure I can add that to the next release… I will also be adding "Adv. Outbound" settings with other additional options...

    Here is a screenshot of what to expect:
    http://i.imgur.com/XWqznm2.png

    Hi CIURI,

    I don't think there is an option to use "!" to negate a Ports Alias in pfSense… You can edit an existing pfBNG Rule and see if you see it any different?



  • Hi all,

    I find my dropbox syncing is blocked.

    In logs I see

    IBlock_BT_Hijack list contains 162.125.0.0/24 which is used by Dropbox.

    How should I proceed to get Dropbox working again?

    Thanks.



  • @pfsenseboonie:

    Hi all,

    I find my dropbox syncing is blocked.

    In logs I see

    IBlock_BT_Hijack list contains 162.125.0.0/24 which is used by Dropbox.

    How should I proceed to get Dropbox working again?

    Thanks.


    You need to create a Permit Outbound pass rule for the IP of your seedbox
    or get an IP outside that range from your provider.



  • @RonpfS:

    @pfsenseboonie:

    Hi all,

    I find my dropbox syncing is blocked.

    In logs I see

    IBlock_BT_Hijack list contains 162.125.0.0/24 which is used by Dropbox.

    How should I proceed to get Dropbox working again?

    Thanks.


    You need to create a Permit Outbound pass rule for the IP of your seedbox
    or get an IP outside that range from your provider.

    Just to be clear when I say dropbox I mean as in Dropbox the company
    Their client desktop app is trying to connect out to 162.125.17.0/24 and 162.125.32.0/24

    I've enabled suppression and manually added both above networks to pfBlockerNGSuppress Alias.  And then "reloaded"

    What I do not understand is your reference to a seedbox.  I am not sure if I have one of those or not … and yes, I feel silly saying this.
    How/where do I create this Permit outbound pass rule?  And how does pfBlockerNGSuppress tie in?

    I went ahead and created a pass outbound rule in floating rules and moved it to the very top of the list.  I am not sure if this is what you meant or if it is correct.




  • Seedbox … Dropbox, whatever rocks your boat  :P

    Did you read the section in the picture?

    It tells you NOT to use the pfBlockerNGSuppress Alias in FW rules  :o
    It tells you that suppression ONLY works for /32 or /24 networks.
    IBlock_BT_Hijack specifies 162.125.0.0/16, so the "+" icon is not available in the Alerts Tab.
    Putting 162.125.17.0/24 and 162.125.32.0/24 in pfBlockerNGSuppress is useless.

    So move the 2 networks to a new alias pfBlockerWhiteList.
    Create a FW rule on LAN to pass pfBlockerWhiteList,
    or on the floating tab selecting all LAN interfaces.

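RonpfS's point about suppression versus a whitelist alias, as an added Python example that is not pfBlockerNG code: for each network a client must reach, find the list entries that overlap it and check whether they are /32 or /24, the only entry sizes suppression acts on; anything covered by a wider entry (here the 162.125.0.0/16 from IBlock_BT_Hijack) needs a separate pass alias instead. The feed excerpt other than the /16, and the verdict names, are constructed; the matching rule is a model of the post's statement, not the package's implementation.

```python
import ipaddress

# Constructed excerpt of a loaded list: the /16 RonpfS quotes from IBlock_BT_Hijack,
# plus a /24 and a /32 (documentation ranges) so that every case appears once.
LIST_ENTRIES = {
    "IBlock_BT_Hijack": ["162.125.0.0/16", "203.0.113.0/24", "198.51.100.7/32"],
}

# What the Dropbox client needs to reach, from pfsenseboonie's post.
NEEDED = ["162.125.17.0/24", "162.125.32.0/24"]

# Assumption modelled on the post: suppression only acts on /32 and /24 list entries.
SUPPRESSIBLE_PREFIXES = (32, 24)


def covering_entries(needed_net, list_entries):
    """Yield (feed, network) for every list entry that overlaps needed_net."""
    for feed, entries in list_entries.items():
        for entry in entries:
            net = ipaddress.ip_network(entry)
            if net.overlaps(needed_net):
                yield feed, net


def triage(needed, list_entries):
    """Classify each needed network.

    'clear'     : nothing in the lists overlaps it
    'suppress'  : every covering entry is /32 or /24, so pfBlockerNGSuppress can work
    'whitelist' : some covering entry is wider, so only a pass alias + FW rule helps
    Returns {needed: (verdict, ["feed:entry", ...])}.
    """
    result = {}
    for n in needed:
        needed_net = ipaddress.ip_network(n)
        covers = list(covering_entries(needed_net, list_entries))
        labels = [f"{feed}:{net}" for feed, net in covers]
        if not covers:
            result[n] = ("clear", labels)
        elif all(net.prefixlen in SUPPRESSIBLE_PREFIXES for _, net in covers):
            result[n] = ("suppress", labels)
        else:
            result[n] = ("whitelist", labels)
    return result


def whitelist_alias(triaged):
    """Networks that belong in the separate pass alias (pfBlockerWhiteList)."""
    return sorted(n for n, (verdict, _) in triaged.items() if verdict == "whitelist")


if __name__ == "__main__":
    verdicts = triage(NEEDED, LIST_ENTRIES)
    for n, (verdict, covers) in verdicts.items():
        print(f"{n}: {verdict} (covered by {', '.join(covers) or 'nothing'})")
    print("pfBlockerWhiteList alias:", whitelist_alias(verdicts))
```

Both Dropbox /24s come back as 'whitelist' because the /16 covers them, which is why the two entries added to pfBlockerNGSuppress changed nothing.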

