PfBlockerNG Stripping 0s from Downloaded IP List



  • Top Edit: I'm using an Alias Native list action

    I've off and on used Team Cymru's IPv4 and IPv6 fullbogon lists with first pfBlocker and now pfBlockerNG, but since around the time of the release of 2.2.3 pfBlockerNG has been exhibiting a behavior that is causing it to fail to load my list. It could also be that the list changed, and I don't really know, but zeros are being stripped from imported IP addresses, causing me issues with at least two addresses in the list, as shown below.

    The list as it is downloaded from Cymru has the following entries to start

    0.0.0.0/8
    2.56.0.0/14
    5.45.32.0/20
    5.133.64.0/18
    5.180.0.0/14
    5.199.184.0/21
    5.252.0.0/15
    10.0.0.0/8
    31.13.184.0/21
    

    When I view the file as it exists on the server it is

    /8
    2.56.0.0/14
    5.45.32.0/20
    5.133.64.0/18
    5.180.0.0/14
    5.199.184.0/21
    5.252.0.0/15
    1/8
    31.13.184.0/21
    

    As a result I get the error:

    no IP address found for /8pfctl: cannot load /var/db/aliastables/pfB_CymruBogon4.txt: No error: 0

    Is anyone aware of a fix or workaround for this? I could manually download the list and pull the offending addresses, but Cymru updates their list every 4 hours, and I have it updated daily, so making it a hands-on task isn't something I want to pursue.

    Edit: I just went through the whole list quickly to see which others are problematic and found:

    127.0.0.0/8 -> /8
    160.0.0.0/16 -> 16/16
    170.0.0.0/16 -> 17/16
    240.0.0.0/4 -> 24/4
    

    And yet others like

    143.0.0.0/16
    156.0.0.0/16
    165.0.0.0/16
    168.0.0.0/16
    192.0.0.0/24
    224.0.0.0/4
    

    imported correctly



  • Are you using the full bogons ipv4 in plain text format? When you are viewing the file on the server is it the deny file that has the invalid IP address?


  • Moderator

    I can confirm that there is a parsing error for IPs with "0.0.0.0" and "127.0.0.0". These IPs shouldn't be used in a typical Blocklist as it can cause Routing issues. IBlock also seems to add these IPs to some of their lists from time to time, which can cause issues.

    The Bogons list is also provided for in pfSense (IPv4 and v6) and it collects this feed from the Team Cymru site also.

    I have sent dillbilly a patch last night and am waiting for some feedback before I post this to a PR. The patch takes into consideration CIDRs for these two IPs.

    pfblockerng.inc changes to lines 1441 and 1442

    $pfb_ipreg[3] = "#127\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}.*#$i";
    $pfb_ipreg[4] = "#^0\.0\.0\.0.*#$i";
    

    Note - pfBNG v2.0 (Dev) is using string functions instead of regex so it is not affected.


  • Banned

    And another note - stop using the damned Team Cymru's thing, it's NOT usable as is… You have actually usable copies in /etc/bogons and /etc/bogonsv6, use those instead. With 0.0.0.0 and RFC1918 stripped out of it. Heck, when you go to Interfaces - WAN (or whatever else) and scroll to the bottom, you can tick a checkbox there. Why pfBNG alias???



  • @f34rinc:

    Are you using the full bogons ipv4 in plain text format? When you are viewing the file on the server is it the deny file that has the invalid IP address?

    Yes, that is the list I've been using. It's the alias file that's showing the mangled addresses.

    Why pfBNG alias???

    I have rules in place for particular networks to allow traffic to !bogon. Using the Cymru list allowed me to have a single rule that would allow traffic to everywhere except local networks (of which I have several) and bogons.

    I'm about to implement BBcan177's patch, and will report back with the results.
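
A sanity check for the symptom reported in this thread, as an added example (not pfBlockerNG code and not posted by any participant): it parses the downloaded list and the stored alias file with Python's `ipaddress` module and reports entries that are malformed or missing, so a mangled table can be caught before `pfctl` rejects it. The sample data is the two excerpts from the first post; the function names `parse_entries` and `audit` are hypothetical, and only the lines shown in the post are included.

```python
import ipaddress

# Excerpts from the first post: the list as downloaded, and the alias file on disk.
UPSTREAM = """0.0.0.0/8
2.56.0.0/14
5.45.32.0/20
5.133.64.0/18
5.180.0.0/14
5.199.184.0/21
5.252.0.0/15
10.0.0.0/8
31.13.184.0/21
"""
STORED = """/8
2.56.0.0/14
5.45.32.0/20
5.133.64.0/18
5.180.0.0/14
5.199.184.0/21
5.252.0.0/15
1/8
31.13.184.0/21
"""

def parse_entries(text):
    """Return (set of valid networks, list of lines that are not valid CIDRs)."""
    valid, rejected = set(), []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # tolerate comments and blank lines
        if not line:
            continue
        try:
            # strict=True also rejects entries with host bits set
            valid.add(ipaddress.ip_network(line, strict=True))
        except ValueError:  # "/8", "1/8", "16/16" all land here
            rejected.append(line)
    return valid, rejected

def audit(upstream_text, stored_text):
    """Compare the stored table with its source; return (missing, rejected)."""
    want, _ = parse_entries(upstream_text)
    have, rejected = parse_entries(stored_text)
    order = lambda n: (n.version, int(n.network_address), n.prefixlen)
    return [str(n) for n in sorted(want - have, key=order)], rejected

if __name__ == "__main__":
    missing, rejected = audit(UPSTREAM, STORED)
    for line in rejected:
        print(f"malformed entry in stored file: {line!r}")
    for net in missing:
        print(f"upstream entry absent from stored file: {net}")
    raise SystemExit(1 if (missing or rejected) else 0)
```
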