Pfblocker not blocking?

jackyes89

Hi all,
I have some problem with pfBlockerNG.

i'm trying to block all traffic to and fom china with pfblockerNG.
So i set :
Inbound Interface WAN
Outbound Interface LAN
Rule Action Block (for both inbound and outbound)
i have add some ipv4 list (from iblocklist and blockliste.de)
in the "Asia" tab i select china and the Action to Deny both.

in firewall -> alias ->url i can see the alias:
pfB_Asia_v4
and the other for the ipv4 list

in firewall->rules->wan/lan
i can see the rules for asia and the others (with the red square for block), if i move the mouse on it it show the list of IP on it.

But when i try to surf a website from china or http://www.shortwave.be/gov.html to china i can surf on china site.

And sometime in pfblockerNG->allert in the deny table i can see some entries that i can find also in the suricata log (ssh scan for example)…so if the ip is in the blocklist should not get to suricata.

where i'm wrong?

(i have increded Firewall Maximum Table Entries to 100000000)

Thanks in advance
Sorry for my english  :(
Giacomo

doktornotor

The Chinese radios you linked are on a CDN. (Akamai CDN for one, their own for the other. Regardless, those don't resolve to "Chinese" IPs at all unless you are in China or around…) Definitely will not work. Test invalid.

jackyes89

You are right!
i'm trying also www.china.org.cn and i can surf it with no problem…
it is from Beijing or i'm wrong? how can i test the block rules?

doktornotor

I can see 180.210.224.0/19 on the CN_v4 list. (This is what it resolves to here, no idea about you.)

Is your goal to basically block *.cn for browsing? You can do that will a whole LOT less overhead and whole LOT more reliably by a wildcard DNS override.

jackyes89

No i would block trafic from china and the blocklist…to test it i try to surf chinese site but it's not the best way to test if it's working  :-[

jackyes89

ok after some other test it's working! Thanks  doktornotor!

but for:
sometime in pfblockerNG->allert in the deny table i can see some entries that i can find also in the suricata log (ssh scans for example)…so if the ip is in the blocklist should not get to suricata.

is this ok?

doktornotor

@jackyes89:

so if the ip is in the blocklist should not get to suricata.

Please, start a separate thread about Suricata in the proper forum section. (My assumption is that it's working exactly the other way round, snort/suricata gets hit before the pf rules, plus it's not inline in addition. At least that's what the maintainer suggests: https://forum.pfsense.org/index.php?topic=89463.msg495180#msg495180 – But then again, not using any of this IDS stuff here.)

jackyes89

sorry i supose that pf rules are the first and than suricata so if suricata make an alltert somthing is going wrong to pfblocker (suricata is working without problem).
Tank you again.

BBcan177

Please read the link that was posted by doktornotor (link to Bmeeks, maintainer of Snort/Suricata) as it explains the exact process correctly. The IDS is acting on a "Copy" of all packets.

If you have pfBlockerNG with a List like "ET Compromised" please do not also enable the "ET Compromised" Category in the IDS. As you are duplicating your efforts.

jackyes89

@BBcan177:

Please read the link that was posted by doktornotor (link to Bmeeks, maintainer of Snort/Suricata) as it explains the exact process correctly. The IDS is acting on a "Copy" of all packets.

If you have pfBlockerNG with a List like "ET Compromised" please do not also enable the "ET Compromised" Category in the IDS. As you are duplicating your efforts.

Yes i disable it..the triggered rule is "ET SCAN Potential SSH Scan" ;)

thanks BBcan177 for pfblockerNG!

wheemer

I have PFBlockerNG enabled and I have russia, china and hong kong blocked.

However my emails software is still saying it's blocking chinese IPs that are trying to brute force password hack me.

I can also still browse chinese websites even though I have in and out blocked.

jackyes89

To simply test if the firewall is blocking a country:
Example for china  ;D
Google -> "china proxy list" -> ping one of the list
if you cant't ping it and you see the entry in the alert tab of pfblocker it's working…

For the website be sure that it's hosted in china. (or use a CDN?)

BBcan177

@wheemer:

I have PFBlockerNG enabled and I have russia, china and hong kong blocked.

However my emails software is still saying it's blocking chinese IPs that are trying to brute force password hack me.

I can also still browse chinese websites even though I have in and out blocked.

Hi wheemer,

Do you have any "Firewall Pass Rules" above the Block/Reject Rules that would allow those IPs thru? Floating Rules are processed first (top to bottom), then the Interface Firewall Rules (top to bottom) and typically on the First Rule Match thats found.