    Pfblocker not blocking?

    pfSense Packages
jackyes89 wrote:

Hi all,
I have some problems with pfBlockerNG.

I'm trying to block all traffic to and from China with pfBlockerNG.
So I set:
Inbound Interface WAN
Outbound Interface LAN
Rule Action Block (for both inbound and outbound)
I have added some IPv4 lists (from iblocklist and blocklist.de)
In the "Asia" tab I selected China and set the Action to Deny Both.

In Firewall -> Aliases -> URL I can see the alias:
pfB_Asia_v4
and the others for the IPv4 lists

In Firewall -> Rules -> WAN/LAN
I can see the rules for Asia and the others (with the red square for block); if I move the mouse over it, it shows the list of IPs in it.

But when I try to surf a website from China, or http://www.shortwave.be/gov.html to China, I can surf the Chinese site.

And sometimes in pfBlockerNG -> Alerts, in the deny table, I can see some entries that I can also find in the Suricata log (SSH scans for example)… so if the IP is in the blocklist it should not get to Suricata.

Where am I wrong?

(I have increased Firewall Maximum Table Entries to 100000000)

Thanks in advance
Sorry for my English :(
Giacomo

doktornotor wrote:

The Chinese radios you linked are on a CDN. (Akamai CDN for one, their own for the other. Regardless, those don't resolve to "Chinese" IPs at all unless you are in China or around…) Definitely will not work. Test invalid.

jackyes89 wrote:

You are right!
I'm also trying www.china.org.cn and I can surf it with no problem…
Is it from Beijing, or am I wrong? How can I test the block rules?

doktornotor wrote:

I can see 180.210.224.0/19 on the CN_v4 list. (This is what it resolves to here, no idea about you.)

Is your goal to basically block *.cn for browsing? You can do that with a whole LOT less overhead and a whole LOT more reliably by a wildcard DNS override.

jackyes89 wrote:

No, I would block traffic from China and the blocklist… To test it I try to surf Chinese sites, but it's not the best way to test if it's working :-[

jackyes89 wrote:

OK, after some other tests it's working! Thanks doktornotor!

But for:
sometimes in pfBlockerNG -> Alerts, in the deny table, I can see some entries that I can also find in the Suricata log (SSH scans for example)… so if the IP is in the blocklist it should not get to Suricata.

Is this OK?

doktornotor wrote:

@jackyes89:

> so if the IP is in the blocklist it should not get to Suricata.

Please, start a separate thread about Suricata in the proper forum section. (My assumption is that it's working exactly the other way round: snort/suricata gets hit before the pf rules, plus it's not inline in addition. At least that's what the maintainer suggests: https://forum.pfsense.org/index.php?topic=89463.msg495180#msg495180 – But then again, not using any of this IDS stuff here.)

jackyes89 wrote:

Sorry, I supposed that the pf rules come first and then Suricata, so if Suricata raises an alert something is going wrong with pfBlocker (Suricata is working without problems).
Thank you again.

BBcan177 (Moderator) wrote:

Please read the link that was posted by doktornotor (link to Bmeeks, maintainer of Snort/Suricata), as it explains the exact process correctly. The IDS is acting on a "Copy" of all packets.

If you have pfBlockerNG with a List like "ET Compromised", please do not also enable the "ET Compromised" Category in the IDS, as you are duplicating your efforts.

"Experience is something you don't get until just after you need it."

Website: http://pfBlockerNG.com
Twitter: @BBcan177  #pfBlockerNG
Reddit: https://www.reddit.com/r/pfBlockerNG/new/

jackyes89 wrote:

@BBcan177:

> Please read the link that was posted by doktornotor (link to Bmeeks, maintainer of Snort/Suricata), as it explains the exact process correctly. The IDS is acting on a "Copy" of all packets.
>
> If you have pfBlockerNG with a List like "ET Compromised", please do not also enable the "ET Compromised" Category in the IDS, as you are duplicating your efforts.

Yes, I disabled it.. the triggered rule is "ET SCAN Potential SSH Scan" ;)

Thanks BBcan177 for pfBlockerNG!

wheemer wrote:

I have pfBlockerNG enabled and I have Russia, China and Hong Kong blocked.

However, my email software is still saying it's blocking Chinese IPs that are trying to brute-force my password.

I can also still browse Chinese websites even though I have in and out blocked.

jackyes89 wrote:

To simply test if the firewall is blocking a country:
Example for China ;D
Google -> "china proxy list" -> ping one from the list.
If you can't ping it and you see the entry in the Alerts tab of pfBlocker, it's working…

For the website, be sure that it's hosted in China (or does it use a CDN?).

BBcan177 (Moderator) wrote:

@wheemer:

> I have pfBlockerNG enabled and I have Russia, China and Hong Kong blocked.
>
> However, my email software is still saying it's blocking Chinese IPs that are trying to brute-force my password.
>
> I can also still browse Chinese websites even though I have in and out blocked.

Hi wheemer,

Do you have any "Firewall Pass Rules" above the Block/Reject Rules that would allow those IPs thru? Floating Rules are processed first (top to bottom), then the Interface Firewall Rules (top to bottom), and typically on the First Rule Match that's found.

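The rule-ordering point BBcan177 makes above, as an added example that is not from the thread or from the pfBlockerNG project: a small model of pfSense's first-match evaluation (floating rules first, then interface rules, top to bottom) showing that a pass rule placed above the pfB_Asia_v4 auto-rule lets a listed source through, while moving the block rule above it fixes this. The alias contents, rule sets and source address are constructed; only the 180.210.224.0/19 prefix comes from the thread, and matching is on source address alone.

```python
# Added example: minimal model of pfSense first-match rule evaluation.
# Aliases, rules and addresses are constructed for illustration; floating
# rules are assumed to be "quick" so that first match wins everywhere.
import ipaddress
from dataclasses import dataclass

# Constructed alias table, as under Firewall -> Aliases -> URL.
ALIASES = {
    "pfB_Asia_v4": [ipaddress.ip_network("180.210.224.0/19")],  # CN_v4 prefix from the thread
}

@dataclass
class Rule:
    action: str   # "pass" or "block"
    src: str      # alias name, CIDR, or "any"
    label: str    # human-readable description

def src_matches(rule, addr):
    """True if the packet's source address matches the rule's source spec."""
    if rule.src == "any":
        return True
    nets = ALIASES.get(rule.src) or [ipaddress.ip_network(rule.src)]
    return any(addr in n for n in nets)

def evaluate(floating, interface_rules, src_ip):
    """Return (action, label) of the first matching rule: floating rules are
    walked top to bottom first, then the interface rules top to bottom.
    If nothing matches, pfSense's implicit default deny applies."""
    addr = ipaddress.ip_address(src_ip)
    for rule in list(floating) + list(interface_rules):
        if src_matches(rule, addr):
            return rule.action, rule.label
    return "block", "default deny"

# Constructed WAN rule sets. BROKEN_WAN has a pass rule above the pfBlockerNG
# auto-rule (the misconfiguration asked about); FIXED_WAN puts the block first.
CN_BLOCK = Rule("block", "pfB_Asia_v4", "pfB_Asia_v4 auto rule")
MAIL_PASS = Rule("pass", "any", "allow SMTP from any")
BROKEN_WAN = [MAIL_PASS, CN_BLOCK]
FIXED_WAN = [CN_BLOCK, MAIL_PASS]

def check_ordering(src_ip="180.210.230.5"):
    """Constructed source inside the /19: returns the verdict under each ordering."""
    return (evaluate([], BROKEN_WAN, src_ip)[0],
            evaluate([], FIXED_WAN, src_ip)[0])

if __name__ == "__main__":
    print(check_ordering())  # ('pass', 'block')
```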