Netgate Discussion Forum
    PfBlockerNG Stripping 0s from Downloaded IP List

    dillbilly

      Top Edit: I'm using an Alias Native list action

      I've off and on used Team Cymru's IPv4 and IPv6 fullbogon lists with first pfBlocker and now pfBlockerNG, but since around the time of the release of 2.2.3 pfBlockerNG has been exhibiting a behavior that is causing it to fail to load my list. It could also be that the list changed, and I don't really know, but zeros are being stripped from imported IP addresses, causing me issues with at least two addresses in the list, as shown below.

      The list as it is downloaded from Cymru has the following entries to start

      0.0.0.0/8
      2.56.0.0/14
      5.45.32.0/20
      5.133.64.0/18
      5.180.0.0/14
      5.199.184.0/21
      5.252.0.0/15
      10.0.0.0/8
      31.13.184.0/21
      

      When I view the file as it exists on the server it is

      /8
      2.56.0.0/14
      5.45.32.0/20
      5.133.64.0/18
      5.180.0.0/14
      5.199.184.0/21
      5.252.0.0/15
      1/8
      31.13.184.0/21
      

      As a result I get the error:

      no IP address found for /8pfctl: cannot load /var/db/aliastables/pfB_CymruBogon4.txt: No error: 0

      Is anyone aware of a fix or workaround for this? I could manually download the list and pull the offending addresses, but Cymru updates their list every 4 hours, and I have it updated daily, so making it a hands-on task isn't something I want to pursue.

      Edit: I just went through the whole list quickly to see which others are problematic and found:

      127.0.0.0/8 -> /8
      160.0.0.0/16 -> 16/16
      170.0.0.0/16 -> 17/16
      240.0.0.0/4 -> 24/4
      

      And yet others like

      143.0.0.0/16
      156.0.0.0/16
      165.0.0.0/16
      168.0.0.0/16
      192.0.0.0/24
      224.0.0.0/4
      

      imported correctly

      f34rinc

        Are you using the full bogons IPv4 in plain text format? When you are viewing the file on the server, is it the deny file that has the invalid IP address?

          BBcan177 (Moderator)

          I can confirm that there is a parsing error for IPs with "0.0.0.0" and "127.0.0.0". These IPs shouldn't be used in a typical Blocklist as it can cause Routing issues. IBlock also seems to add these IPs to some of their lists from time to time, which can cause issues.

          The Bogons list is also provided for in pfSense (IPv4 and v6) and it collects this feed from the Team Cymru site also.

          I have sent dillbilly a patch last night and am waiting for some feedback before I post this to a PR. The patch takes into consideration CIDRs for these two IPs.

          pfblockerng.inc changes to lines 1441 and 1442

          $pfb_ipreg[3] = "#127\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}.*#$i";
          $pfb_ipreg[4] = "#^0\.0\.0\.0.*#$i";
          

          Note - pfBNG v2.0 (Dev) is using string functions instead of regex so it is not affected.

          "Experience is something you don't get until just after you need it."

          Website: http://pfBlockerNG.com
          Twitter: @BBcan177  #pfBlockerNG
          Reddit: https://www.reddit.com/r/pfBlockerNG/new/

            doktornotor

            And another note - stop using the damned Team Cymru's thing, it's NOT usable as is… You have actually usable copies in /etc/bogons and /etc/bogonsv6, use those instead. With 0.0.0.0 and RFC1918 stripped out of it. Heck, when you go to Interfaces - WAN (or whatever else) and scroll to the bottom, you can tick a checkbox there. Why pfBNG alias???

              dillbilly

              @f34rinc:

              Are you using the full bogons IPv4 in plain text format? When you are viewing the file on the server, is it the deny file that has the invalid IP address?

              Yes, that is the list I've been using. It's the alias file that's showing the mangled addresses.

              Why pfBNG alias???

              I have rules in place for particular networks to allow traffic to !bogon. Using the Cymru list allowed me to have a single rule that would allow traffic to everywhere except local networks (of which I have several) and bogons.

              I'm about to implement BBcan177's patch, and will report back with the results.

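The following Python script is an added example, not code from pfBlockerNG or from anyone in this thread. It does two things: it reconstructs the mangling the original post reports (an unanchored regex that removes "0.0.0.0" wherever it occurs in the address part, which is an assumption consistent with every listed case, e.g. 160.0.0.0/16 becoming 16/16 while 143.0.0.0/16 is untouched), and it shows the safer alternative to regex string surgery: parse each line as a network with the standard `ipaddress` module and drop any CIDR that overlaps 0.0.0.0/8 or 127.0.0.0/8 as whole prefixes, optionally RFC 1918 as well, as suggested for the /etc/bogons copies. The sample list is constructed for the example and is not the real Team Cymru feed; the function names are the example's own.

```python
import ipaddress
import re

# Constructed sample resembling the head of the fullbogons list plus the
# entries the thread reports as mangled (NOT the real Team Cymru feed).
SAMPLE_LIST = """\
0.0.0.0/8
2.56.0.0/14
5.45.32.0/20
10.0.0.0/8
31.13.184.0/21
127.0.0.0/8
143.0.0.0/16
160.0.0.0/16
170.0.0.0/16
192.0.0.0/24
224.0.0.0/4
240.0.0.0/4
"""

# ASSUMED reconstruction of the faulty behaviour: unanchored patterns that
# delete "0.0.0.0..." / "127.x.x.x..." anywhere inside the address portion,
# after which the prefix length is re-attached.  The missing "^" anchor is
# what turns "160.0.0.0" into "16".
NAIVE_STRIP_ZERO = re.compile(r"0\.0\.0\.0.*")
NAIVE_STRIP_LOOP = re.compile(r"127\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}.*")


def naive_clean(entry: str) -> str:
    """Reproduce the zero-stripping shown in the thread (assumed logic)."""
    addr, _, plen = entry.partition("/")
    addr = NAIVE_STRIP_LOOP.sub("", addr)
    addr = NAIVE_STRIP_ZERO.sub("", addr)
    return f"{addr}/{plen}" if plen else addr


def mangled_entries(text: str):
    """Return (original, mangled) pairs for every line the naive clean damages."""
    pairs = []
    for line in text.splitlines():
        line = line.strip()
        if line and naive_clean(line) != line:
            pairs.append((line, naive_clean(line)))
    return pairs


# Ranges that must never land in a block table: the two the thread names.
UNSAFE_ALWAYS = [ipaddress.ip_network("0.0.0.0/8"),
                 ipaddress.ip_network("127.0.0.0/8")]
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def sanitize_list(text: str, drop_rfc1918: bool = False):
    """Parse a CIDR list into (kept, dropped, rejected).

    kept:     valid networks safe to load into a pf table, normalised
    dropped:  networks overlapping a forbidden range (whole-CIDR check,
              so 0.0.0.0/8 and any 127.x/nn prefix are caught alike)
    rejected: lines that are not valid IPv4/IPv6 networks (what pfctl
              would choke on, e.g. the mangled "/8" or "16/16")
    """
    forbidden = list(UNSAFE_ALWAYS) + (RFC1918 if drop_rfc1918 else [])
    kept, dropped, rejected = [], [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        try:
            net = ipaddress.ip_network(line, strict=False)
        except ValueError:
            rejected.append(line)
            continue
        if net.version == 4 and any(net.overlaps(f) for f in forbidden):
            dropped.append(str(net))
        else:
            kept.append(str(net))
    return kept, dropped, rejected


if __name__ == "__main__":
    for orig, bad in mangled_entries(SAMPLE_LIST):
        print(f"naive regex: {orig} -> {bad}")
    kept, dropped, rejected = sanitize_list(SAMPLE_LIST, drop_rfc1918=True)
    print("kept:    ", kept)
    print("dropped: ", dropped)
    print("rejected:", rejected)
```

Feeding the naively cleaned output back through `sanitize_list` puts every damaged line in `rejected`, which is the same failure pfctl reported ("no IP address found for /8"); parsing with `ipaddress` and rejecting by network overlap never produces a half-address in the first place.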
              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.