PfBlockerNG


  • Banned

    I want to clarify my understanding of blocking and whitelisting here. I'm running a home network with no open WAN ports.

    I have turned off default allow any lan, anti lockout rules, put up a floating block everything rule and write a couple LAN pass rules to allow the ports I need.

    On pfBNG I'm using a bunch of lists the BBCan177 suggested. I'm also using DNSBL lists he suggested and the easy lists. Finally I have the top20 spammers country lists. ALL of these rules are LAN deny outbound.

    I see everywhere that you should not block the world and only allow what you need, but it seems like that is directed to setups with open WAN ports. Is LAN deny outbound for country lists valid? I am getting a lot of blocks for the top spammers country lists.


  • Moderator

    @pfBasic:

    I am getting a lot of blocks for the top spammers country lists.

    If your just using the TOP20, that's not "Blocking the World"… Some users, are clicking every Country in every Continent except for a few, and that's what "B.T.W." was referencing...

    You can review the Alerts Tab, to see what's getting blocked... You can also refine the Alerts by using the "Alert Filter" tool.


  • Banned

    OK great, so setting up my pfBNG rules as LAN deny outbound is ideal and I'm not just wasting processing power?


  • Moderator

    @pfBasic:

    OK great, so setting up my pfBNG rules as LAN deny outbound is ideal and I'm not just wasting processing power?

    NP. ;)



  • @RonpfS:

    Check the installation logs, /var/log/pfblockerng/*, Dashboard for crash report etc.
    and look here https://forum.pfsense.org/index.php?topic=102470.msg647719#msg647719

    Been a busy week not had any time to dig into the issue yet. 
    Looks like many people are having to change or increase memory limits and PHP stuff?
    I'm guessing that may be the direction that I may need to go?

    Please forgive my newbieness here but isn't the point of an installable package that they should just work?
    Should not the package install itself modify memory settings as/if needed? and anything else?

    I don't have any other packages installed nor am I doing anything crazy memory hungry. 
    Wasn't going to do anything fancy with the blocker either just wanted to try it out and only have it block the "top ten" fist and see how that worked.

    I'm also reading that uninstalling the package and/or reinstalling it is an absolute NO-NO and can break things even worse!!!  WTF! :) 
    So being a package I'm not able to just uninstall it or reinstall it.   
    I'll reference this if need be but right now I just noticed mention of it in a few threads I read.





  • Is there any real documentation for this package?

    I installed it and all it seemed to do was destroy DNS lookups for all clients, including the firewall itself, for about 45 minutes.  The configuration page is a huge array of settings that are unexplained.  The package doesn't seem to be doing anything at all.  There are no new rules in the firewall, there seems to be no way of viewing any block lists at all.  I can't even find any obvious setting to tell it which sources to use.  Serously, where did everyone learn how to use this?



  • @metalliqaz:

    Is there any real documentation for this package?

    I installed it and all it seemed to do was destroy DNS lookups for all clients, including the firewall itself, for about 45 minutes.  The configuration page is a huge array of settings that are unexplained.  The package doesn't seem to be doing anything at all.  There are no new rules in the firewall, there seems to be no way of viewing any block lists at all.  I can't even find any obvious setting to tell it which sources to use.  Serously, where did everyone learn how to use this?

    Start with the first pages of each of these threads:
    pfBlockerNG
    pfBlockerNG v2.0 w/DNSBL
    pfBlockerNG v2.1 w/TLD
    And over time ;) why not read all pages.

    Also there are plenty of Information boxes on almost every page, click on them.
    And start slowly, go with one feature at a time, IPV4, IPV6, GeoIP, DNSBL until you get things running.

    Go to Firewall / pfBlockerNG / Log Browser, there you can see the log file and pfBlockerNG files. Also visit the Diagnostics /Tables.






  • Those are only useful if you already know the function of the config page in the first place.

    Firewall / pfBlockerNG / Update / Update Settings:

    Well, it obviously schedules a cron job, but what does the cron job do?  No indication whatsoever.
    What's the difference between update, cron, and reload?  No idea.

    Firewall / pfBlockerNG / Alerts / Alert Settings:

    Well, each category gets a number.  What that number means is not explained.  Doesn't seem to matter though, because there is nothing in any alert queue.

    Firewall / pfBlockerNG / Alerts / IPv4:

    What does this do? It's just an "Add" button.  Probably IPv4 rules?  Okay lets make a rule, click Add:
    Good lord.  Apparently I need to find lists myself, unlike ABP in my browser.  What format does it need? What are valid sources? What is the purpose of country codes?

    Can you, being serious and honest with yourself, say that anyone could come in completely cold and actually be able to configure something that works?

    Nah, I don't have time.  The mysterious disruption of DNS site-wide gives me an uneasy feeling, and the lack of documentation and a homepage seals it.



  • Again if you clicked on some infobox you would get many answers.
    As for finding the lists, yes I could go thru the posts and fetch them to you, but you are probably able to do that on you own.



  • metalliqaz does have a point.

    Digging through forum threads is never a fun task.

    It would be really good to have detailed info on package configuration and updated lists in one place.



  • @BBcan177:

    Its what "Open Source" is all about, and I encourage more people to get involved.



  • @doktornotor:

    @Asterix:

    Educate me where you see the default deny inbound global (all countries) rule on a base pfSense install.

    Nowhere. It's not visible, it's implicit. Anything not allowed is denied by default. Unless you have some "allow from any" rule you wish to restrict via country blocking on your WAN, there's just no point in creating inbound country-based rules at all.

    If everything is blocked on WAN-inbound per default / implicit, what is there reason (need) of having two recommended / additional rules on WAN ?

    1. Block private networks and loopback addresses
    2. Block boon networks

    Unless you have some "allow from any“ rule …

    Do you mean on WAN-interface or on LAN-interface ?

    Thanks a lot in advance !



  • It's either a bug or a feature (old IT joke from when I was younger  ;D ).




  • I have some alerts like that in dnsbl.log, last one was Aug 9

    DNSBL Reject HTTPS,Aug 09 19:21:32,watson.microsoft.com
    

    That was probably with pfBlockerNG-2.1.1_1, what version are you using now?

    From the Info infoblock under Firewall / pfBlockerNG / DNSBL

    So not a bug or a feature, more a limitation of the pfBlockerNG DNSBL Web Server.




  • Just finished to read the whole thread, uff ..
    Thanks to BBCan for the package and this thread, I am quit new to pfSense so I learned a lot!

    WAN = INbound, don’t BLOCK the world, the world ist blocked by default, PASS only what you need and take care on that …
    LAN = OUTbound, PASS what you need first and BLOCK all afterwards.

    That two rules are most important to me, afterwards I can take care on the scenarios I need.

    Thanks once again !!



  • Maybe there is one who is able to answer to me why are there two BLOCK-rules, bogon-networks and private-networks if the WAN is BLOCKED by default …?

    Thanks again in advance !!

    @coliflower:

    @doktornotor:

    @Asterix:

    Educate me where you see the default deny inbound global (all countries) rule on a base pfSense install.

    Nowhere. It's not visible, it's implicit. Anything not allowed is denied by default. Unless you have some "allow from any" rule you wish to restrict via country blocking on your WAN, there's just no point in creating inbound country-based rules at all.

    If everything is blocked on WAN-inbound per default / implicit, what is there reason (need) of having two recommended / additional rules on WAN ?

    1. Block private networks and loopback addresses
    2. Block boon networks

    Unless you have some "allow from any“ rule …

    Do you mean on WAN-interface or on LAN-interface ?

    Thanks a lot in advance !



  • Those can be enabled/disabled on the interface itself.

    These are ip-addresses that should never exist on the WAN side (with the execption if you have a router on the WAN side that's not in bridge mode)



  • Thank you digdug3 !

    That helped finally:

    execption if you have a router on the WAN side that's not in bridge mode


  • Moderator

    Arbor Networks Feeds discontinued:
    https://forum.pfsense.org/index.php?topic=122237.0



  • I know that this thread is a little older now.
    I utilized the php script that Dok presented.
    Should I go through and delete the failed downloads or what?
    [ pfB_MAIL - ToastedSpam ] Download FAIL [ 03/19/17 18:50:22 ] 
    [ pfB_MAIL - VirBL ] Download FAIL [ 03/19/17 18:45:01 ]
    [ pfB_SEC1 - MalwareGroup ] Download FAIL [ 03/19/17 18:35:56 ]
    [ pfB_PRI3 - Geopsy ] Download FAIL [ 03/19/17 18:35:33 ]
    [ pfB_PRI3 - VMX ] Download FAIL [ 03/19/17 18:35:31 ]
    [ pfB_PRI3 - DangerRulez ] Download FAIL [ 03/19/17 18:35:03 ]
    [ pfB_PRI2 - HoneyPot ] Download FAIL [ 03/19/17 18:34:41 ]
    [ pfB_PRI1 - dShield_Block ] Download FAIL [ 03/19/17 18:33:09 ]
    [ pfB_PRI1 - Abuse_Spyeye ] Download FAIL [ 03/19/17 18:32:51 ]
    [ pfB_MAIL - URIBL ] Download FAIL [ 03/19/17 18:29:37 ]
    [ pfB_MAIL - ToastedSpam ] Download FAIL [ 03/19/17 18:29:35 ]
    [ pfB_MAIL - VirBL ] Download FAIL [ 03/19/17 18:25:05 ]
    [ pfB_SEC1 - MalwareGroup ] Download FAIL [ 03/19/17 18:15:43 ]
    [ pfB_PRI3 - Geopsy ] Download FAIL [ 03/19/17 18:15:03 ]
    [ pfB_PRI3 - VMX ] Download FAIL [ 03/19/17 18:14:55 ]
    [ pfB_PRI3 - DangerRulez ] Download FAIL [ 03/19/17 18:14:17 ]
    [ pfB_PRI2 - HoneyPot ] Download FAIL [ 03/19/17 18:13:51 ]
    [ pfB_PRI1 - dShield_Block ] Download FAIL [ 03/19/17 18:11:35 ]



  • I went through each one that failed, retried them, and disabled the ones that failed again,
    Then I attempted to go to each site, and if the site was no longer in existence, then I deleted.
    Answered my own question without getting yelled at!


  • Moderator

    @mtarbox:

    I went through each one that failed, retried them, and disabled the ones that failed again,
    Then I attempted to go to each site, and if the site was no longer in existence, then I deleted.
    Answered my own question without getting yelled at!

    The script is a little dated. Some feeds have changed…. some down... so always best to open the site in a browser and check it out....

    The next version of the package will have an automated Feeds Management Tab, which should make this process easier to manage.



  • The next version of the package will have an automated Feeds Management Tab, which should make this process easier to manage.

    +1 from me for that! This might be a cool rich Option for us all, to get taps named like Malware, Virus, ect.
    and insert there the links or URLs to several lists and perhaps a little "+" button to create his own new tap!
    Perhaps I mean ;)



  • Dropbox is block.  NET::ERR_CERT_AUTHORITY_INVALID

    grep result.

    grep "dropbox.com" /var/unbound/pfb_dnsbl.conf
    local-data: "dl.dropbox.com 60 IN A 10.10.10.1"
    local-data: "dropbox.com.azamgold.com 60 IN A 10.10.10.1"
    local-data: "dropbox.com.paki-library.com 60 IN A 10.10.10.1"
    local-data: "dropbox.com.sexvoorlichting.com 60 IN A 10.10.10.1"
    local-data: "www.dropbox.com 60 IN A 10.10.10.1"

    It seems Iblock is causing the issue. DNSBL alerts says the domain is already in the whitelist.

    And now google is doing the same thing.


  • Moderator

    @SLIMaxPower:

    Dropbox is block.  NET::ERR_CERT_AUTHORITY_INVALID

    grep result.

    grep "dropbox.com" /var/unbound/pfb_dnsbl.conf
    local-data: "dl.dropbox.com 60 IN A 10.10.10.1"
    local-data: "dropbox.com.azamgold.com 60 IN A 10.10.10.1"
    local-data: "dropbox.com.paki-library.com 60 IN A 10.10.10.1"
    local-data: "dropbox.com.sexvoorlichting.com 60 IN A 10.10.10.1"
    local-data: "www.dropbox.com 60 IN A 10.10.10.1"

    It seems Iblock is causing the issue. DNSBL alerts says the domain is already in the whitelist.

    And now google is doing the same thing.

    IBlock feeds are IP based… What your showing here is from DNSBL...

    grep "dropbox" /var/db/pfblockerng/dnsbl/*
    

    If you have "dropbox.com" in the whitelist, that won't remove "www.dropbox.com"
    Re-edit the DNSBL Whitelist and remove the dropbox entry, then use the Alerts Tab "+" whitelist icon to whitelist it again…. You can also whitelist all sub-domans if you wish... Follow the whitelist prompts.



  • The firewall is now integrated into the home network.

    iBlock lists have been disabled as this was causing too many https blocks.

    Firewall IPv6 stuff:

    Jun 3 16:59:23 ► WAN Block all IPv6 (1000000004)   [fd2a:bc2b:39d8:0:215:17ff:fe93:cc34]:42220   [2600:1406:32::43]:53 UDP
    Jun 3 16:59:23 ► WAN Block all IPv6 (1000000004)   [fd2a:bc2b:39d8:0:215:17ff:fe93:cc34]:34926   [2600:1401:2::43]:53 UDP
    Jun 3 16:59:23 ► WAN Block all IPv6 (1000000004)   [fd2a:bc2b:39d8:0:215:17ff:fe93:cc34]:65407   [2600:1408:1c::43]:53 UDP
    Jun 3 16:59:23 ► WAN Block all IPv6 (1000000004)   [fd2a:bc2b:39d8:0:215:17ff:fe93:cc34]:53784   [2600:1480:1::43]:53 UDP
    Jun 3 16:59:22 ► WAN Block all IPv6 (1000000004)   [fd2a:bc2b:39d8:0:215:17ff:fe93:cc34]:33499   [2a01:111:2032:1::5]:53 UDP
    Jun 3 16:59:22 ► WAN Block all IPv6 (1000000004)   [fd2a:bc2b:39d8:0:215:17ff:fe93:cc34]:58694   [2620:0:37::53]:53 UDP
    Jun 3 16:59:22 ► WAN Block all IPv6 (1000000004)   [fd2a:bc2b:39d8:0:215:17ff:fe93:cc34]:52594   [2620:0:32::53]:53 UDP
    Jun 3 16:59:22 ► WAN Block all IPv6 (1000000004)   [fd2a:bc2b:39d8:0:215:17ff:fe93:cc34]:29910   [2600:1480:1::c0]:53 UDP
    Jun 3 16:59:22 ► WAN Block all IPv6 (1000000004)   [fd2a:bc2b:39d8:0:215:17ff:fe93:cc34]:64372   [2600:1406:32::c2]:53 UDP
    Jun 3 16:59:22 ► WAN Block all IPv6 (1000000004)   [fd2a:bc2b:39d8:0:215:17ff:fe93:cc34]:4792   [2600:1480:e800::c0]:53 UDP
    Jun 3 16:59:22 ► WAN Block all IPv6 (1000000004)   [fd2a:bc2b:39d8:0:215:17ff:fe93:cc34]:56634   [2620:0:32::53]:53 UDP
    Jun 3 16:59:22 ► WAN Block all IPv6 (1000000004)   [fd2a:bc2b:39d8:0:215:17ff:fe93:cc34]:62068   [2620:0:34::53]:53 UDP
    Jun 3 16:59:22 ► WAN Block all IPv6 (1000000004)   [fd2a:bc2b:39d8:0:215:17ff:fe93:cc34]:33253   [2600:1401:1::41]:53 UDP
    Jun 3 16:59:22 ► WAN Block all IPv6 (1000000004)   [fd2a:bc2b:39d8:0:215:17ff:fe93:cc34]:6709   [2600:1401:2::42]:53 UDP



  • I just installed pfBlockerNG and tried to configure pfBlockerNG, IPV4, and DNSBL using google searches.  Needless to say, I followed some contradicting and outdated "tutorials".  So I decided that I will start at the beginning of this thread and read the entire thread before I try to configure anything.

    To revert my pfSense back to prior installing and configuring pfBlockerNG and all the other components (i.e. IPV4, DNBL), I uninstalled pfBlockerNG and deleted all the auto generated rules and aliases.  Is there anything else I need to undo?


  • Moderator

    @mifronte:

    To revert my pfSense back to prior installing and configuring pfBlockerNG and all the other components (i.e. IPV4, DNBL), I uninstalled pfBlockerNG and deleted all the auto generated rules and aliases.  Is there anything else I need to undo?

    There are notes in the General tab on how to do that… Uncheck "Enable" and "Keep" then save... This will clear out all the downloaded files... Then re-enable both followed by a Force Update command....

    If you want to start from complete scratch. Then Uncheck "Keep",  save, uninstall the pkg. Then re-install it ...

    Hope that helps!



  • Having a problem with GSN Gaming Casino on Facebook with pfblockerNG enabled on my server. Tried whitelisting everything I thought could be the cause but still not getting through. Has this been reported by anyone else and/or resolved? I did a fairly extensive search but didn't turn up anything useful (to me) about how to allow the traffic.



  • Issue with pfBlockerNG + Unbound + DNSBL when RAM Disk is enabled.

    Unbound fails to start after system reboot with RAM Disk enabled.
    User must force Update + Reload CRON for Unbound to successfully startup.

    The file '/var/unbound/pfb_dnsbl.conf' is removed upon system reboot with RAM Disk enabled thus forced CRON to regenerate file is the only way to get Unbound started again.

    We need the option to move this file inside pfBlocker's settings OR an option to preserve this file (and other settings/caches within pfBlocker) across system reboots when RAM Disk is enabled.

    Please as this currently requires manual user input every time the machine is rebooted to restore services!!


  • Banned

    Hmmm, I'm using pfBNG, DNSBL, Unbound - Resolving, and RAM disks and I don't have to do any of that, not for a normal reboot, a hard shutdown, or a power outage.

    I do have servicewatchdog monitoring Unbound, but that wouldn't Force Update & Reload.

    I am using 2.4.0 BETA, possibly something has been changed there that allows this to work?


  • Moderator

    @kklouzal:

    Issue with pfBlockerNG + Unbound + DNSBL when RAM Disk is enabled.

    Unbound fails to start after system reboot with RAM Disk enabled.
    User must force Update + Reload CRON for Unbound to successfully startup.

    The file '/var/unbound/pfb_dnsbl.conf' is removed upon system reboot with RAM Disk enabled thus forced CRON to regenerate file is the only way to get Unbound started again.

    We need the option to move this file inside pfBlocker's settings OR an option to preserve this file (and other settings/caches within pfBlocker) across system reboots when RAM Disk is enabled.

    Please as this currently requires manual user input every time the machine is rebooted to restore services!!

    See the following open Redline:  https://redmine.pfsense.org/issues/6603
    This can only be fixed in the pfSense Unbound code.



  • @BlueKobold:

    The next version of the package will have an automated Feeds Management Tab, which should make this process easier to manage.

    Any update on progress on that? Just curious, it sounds to be a very nice addition…


  • Moderator

    @occamsrazor:

    @BlueKobold:

    The next version of the package will have an automated Feeds Management Tab, which should make this process easier to manage.

    Any update on progress on that? Just curious, it sounds to be a very nice addition…

    I took some holiday time but hopefully in the next few weeks if all goes as plan.



  • I'm not sure if this is necessarily the best place to ask/report this, but in the process of attempting to reduce the maximum log file size below the current minimum of 5000 lines, I believe that I have discovered that this limit is only enforced every time the pfBlockerNG cron task executes.  This determination was made experimentally as well as by taking a look at where pfb_log_mgmt is called in https://github.com/pfsense/FreeBSD-ports/blob/75dcc67f66100f7ef6bbf201c6562bdcb02c3177/net/pfSense-pkg-pfBlockerNG/files/usr/local/pkg/pfblockerng/pfblockerng.inc  I don't claim to know the best approach to improving this, but if the cron job frequency is set to a relatively long interval and the network size is relatively large, it appears that the associated log files could easily grow well beyond their configured limits.  I realize that it would be impractical to provide a hard guarantee that the log files will never exceed their configured sizes even for a brief time period, but I wonder whether it would be feasible to trim them every minute, for example, as opposed to it being tied to the main cron job interval.  Or I could be totally off base here and missing or failing to understand something obvious, so if that's the case, apologies in advance :)  Thanks to all the pfBlockerNG devs; it's a great package and very much appreciated.



  • @BBcan177:

    @Mr.:

    Some weird stuff  ???

    Hey Mr. J.

    You are mixing some things up here  :)

    The pfBlockerNGSuppress alias does not need to be referenced to any Firewall Rules.

    Suppression -

    Suppression process occurs when Lists are downloaded from the Threat Sources.

    When a List is downloaded, if the list contains 1.2.3.4/32 and the Suppress Alias has 1.2.3.4/32, then this IP is suppressed from the Blocklist.

    If a list has 1.2.3.4/32 and the Suppress Alias has 1.2.3.0/24, then this IP is suppressed from the Blocklist.

    If a list has 1.2.3.4/24 and the Suppress Alias has 1.2.3.4/32, then the Single 1.2.3.4/32 is suppressed, and all of the other IPs in this Range are added to the Blocklist.

    When you click on the "+" icon in the Alerts tab, it will add the IP to the Suppress Alias, and also removes the IP from the Aliastable. However, the Suppressed IP is still in the Blocklist, and will be removed from the List at the Next Cron Update for the particular List. This will prevent these Suppressed IPs from being blocked.

    Whitelisting -

    When you whitelist, you are creating a new pfBNG alias and typically set it for "Permit Outbound". You can enter the Whitelisted IPs in the custom Box in the alias.

    The best method is to suppress the IP above. But if you have a Block occuring from a CIDR under a /24, you can't suppress that (ie /20 etc…) To overcome that, you need to allow the IP "Permit Outbound" which will create a state in the pfSense State table that allows the return of that IP without being Blocked by the pfBNG Block/Reject rules. In the Alerts Tab, you can see the List that Blocked the IP, if no IP is shown below the List, then the Block occurred by a /32 Blocklist entry. If its blocked by a CIDR, it will show the IP and CIDR below the List. You then can decide if its a /24 to use Suppression, or use the Whitelist for other CIDR ranges.

    Other questions -

    The Permit Rules need to be above the Block/Reject rules. Ensure that in the Alias, you set "Logging" or enable Global logging in the General Tab which will enable Logging for all Aliases globally.

    When you add a manual Rule, it can't have "pfB_" in the description, these will be removed by the Cron task each hour. To create "Alias" type rules, you need to enter the Description starting with "pfb_" (Lowercase)… This is explained in detail in the Alias "List Action" Section.

    You cannot Use Domain names with pfBlockerNG currently. You will need to convert the domain into an IP and add that to a Custom list. In v2.0 I will also have Domain Name Blocking (DNSBL).

    You can use a service like Hurricane Electric to collect IPs for Domain names that are changing more frequently and collect the list with the "html" format.

    http://bgp.he.net/search?search[search]=twitter&commit=Search
        http://bgp.he.net/search?search[search]=facebook&commit=Search
        http://bgp.he.net/search?search[search]=spotify&commit=Search
        http://bgp.he.net/search?search[search]=dropbox&commit=Search

    Please advise  https://forum.pfsense.org/index.php?topic=137017.0

    Thank you.



  • Hello friends, i love this package but i have one question or one suggestion to add

    I see in the queues of my mail server, mails in queue because can not connect to ip x.x.x.x , i not view this ip in country list ipv4 denegated, but maybe is in my personal ipv4 lists (dshield, etc..)  and the question is:

    How can i check if one ip is denegated in pfblockerng ???  there's no search ip engine ???



  • pfBlockerNG has an issue in the new 2.4.0 and 2.4.1 version of Pfsense, It has updated to BSD 11.1 from 11.0 and now if you have pfBlockerNG installed it will "Eventually" Lock up the whole kernal with a 502 Bad Gateway error.  Here is a connected thread on this issue.

    https://forum.pfsense.org/index.php?topic=137103.0


  • Banned

    @BreeOge:

    It has updated to BSD 11.1 from 11.0 and now if you have pfBlockerNG installed it will "Eventually" Lock up the whole kernal with a 502 Bad Gateway error.  Here is a connected thread on this issue.

    Humpf… 502 Bad Gateway is not a kernel message. It comes from nginx. Has nothing to do with kernel really.


Log in to reply