Quick easy way to determine if an IP is on a pfBlocker-NG list?

jeffhammett · Nov 13, 2015, 5:24 PM

I have a number of block lists and geographic lists setup in pfBlocker-NG.

Every once in a while I'll see an IP has been blocked and want to determine if it is on a blocklist from pfBlocker-NG and if so which one, is there an easy/quick way to do so? Right now I am just hovering over the rule and manually looking at the IPs, but this is tedious.

Is there a log somewhere I can grep from the shell?

Edit: and does pfBlocker-ng keep a log of recent revisions to the blocklists? So if I see something was blocked yesterday, but the lists have updated since then I can see which list it was on previously?

BBcan177 · Nov 13, 2015, 5:29 PM

You should be able to see this in the pfBNG Alerts tab… v2.0 will have an improved lookup for CIDRs...

You can also grep from the shell..

cd /var/db/pfblockerng/deny/
grep "^1.2.3.4" *

Other examples:

grep "^1.2.3" *
grep "^1.2." *
grep "^1." *

add | grep '/' to only report CIDRs.