PfBlockerNG v2.0 w/DNSBL
-
The header is just a label for the feed… So it needs to be unique...
ie:
EasyList
EasyPrivacy -
here is additional list that can be add to DNSBL
http://www.securemecca.com/Downloads/hosts.txt
-
Thanks for pfBlockerNG. I make heavy use of it! I have recently enabled DNSBL and am having a strange issue: When I try to access the pfSense web GUI via hostname, I am redirected to the DNSBL VIP (10.10.10.1). When I "dig firewall.domain" the pfSense box (DNS server) returns the VIP first, and then the proper IP: 10.100.0.1.
I have Unbound set to disable forwarding and enable DHCP registrations and I have a host override for "firewall.domain" pointing to it's proper IP 10.100.0.1. DNSBL "Alerts" tab shows the following:
IF: Unknown
Source: Unknown
Domain/Referer|URI|Agent: firewall.domain Not available for HTTPS alerts
List: no matchAm I missing something in the Unbound configuration? Or is it a DNSBL setting I'm missing? All other local hosts are resolving without issue, it's just pfSense itself that exhibits this behavior.
-
When I try to access the pfSense web GUI via hostname, I am redirected to the DNSBL VIP (10.10.10.1). When I "dig firewall.domain" the pfSense box (DNS server) returns the VIP first, and then the proper IP: 10.100.0.1.
I have Unbound set to disable forwarding and enable DHCP registrations and I have a host override for "firewall.domain" pointing to it's proper IP 10.100.0.1. DNSBL "Alerts" tab shows the following:
IF: Unknown
Source: Unknown
Domain/Referer|URI|Agent: firewall.domain Not available for HTTPS alerts
List: no matchAm I missing something in the Unbound configuration? Or is it a DNSBL setting I'm missing? All other local hosts are resolving without issue, it's just pfSense itself that exhibits this behavior.
Check your NAT and DNS Host overrides… Don't add anything manually that points to the DNSBL VIP, as that is done by the pkg automatically... Also there are some issues with the Unbound DHCP reg checkboxes... Most leave those disabled...
If you still having issues, maybe try to post in the DNS/NAT forum sections, to see if others can offer any other advice.
-
Thanks BBcan177! What would cause the "IF" and "Source" alerts to be "Unknown" and the "List" entry to read "no match"? Is there a debug option I can enable? I've looked through the pfBlockerNG logs tab but maybe I missed a "verbose" option?
-
Unfortunately for HTTPS requests, the IF/SRC information is not available to log… If you want to see more information run a tcpdump or wireshark... There is some help text in the DNSBL tab...
-
Unfortunately for HTTPS requests, the IF/SRC information is not available to log… If you want to see more information run a tcpdump or wireshark... There is some help text in the DNSBL tab...
Understood. Thanks again for this package!
-
Thanks for your hard work BBcan177 DNSBL in now working on pfsense 2.3 :)
-
Hello,
I have just installed this package on a fresh install of pfSense 2.2.6, NanoBSD 4GB.
I followed your basic instructions and everything works, but after a reboot of the box the DNS Resolver Service fails to start with DNSBL enabled.
I do not have the log info at the moment, but I remember it was looking for a config file on /var that was no longer there.
Please Advise,
Thanks
-
Services-DNS Resolver Advanced: delete config entry (that file has been lost). Save. Start Resolver.
pfBlockerNG-Update: Force Update. -
I already know how to fix it like that but that requires manual intervention, after a reboot that's not very useful.
-
Hey Guys,
The latest version of pfsense/pfBlockerNG seems to have issues with the "ET IQRisk" list
I just updated my pfsense to the latest 2.2.6-RELEASE built on Mon Dec 21.
I noticed in the pfBlockerNG that my Alias for IQRisk only have an IP count of 1.
I review all the settings and they seemed to be messed up. Following the steps on the Repuation tab it says:
"Select the ET IQRisk' format. The URL should use the .gz File Type. Enter your "ETPRO" code in URL. Further information can be found @ ET IQRisk IP Reputation"
This format type is not longer listed and the help URL is no longer valid.Any thoughts on how to fix this? Did they remove support for this list?
Also posted via reddit on /r/PFSENSE
https://www.reddit.com/r/PFSENSE/comments/428ehb/latest_pfblockerng_et_iqrisk_format_missing/
-
**Update
After some messing around an point this to the file after stripping out the IPs it still has issues.
[ mine ] Downloading update .. 200 OK. completed .. Empty file, Adding '1.1.1.1' to avoid download failure.
maybe the file is has to much data and the download is timing out? leaving the file empty and failing to add any IPs.
-
Hi cipherson,
Emerging Threats was bought out by Proofpoint last year. I had a developer subscription to this list, but since it was bought out by Proofpoint, they didn't renew it, so if they made any changes, I am unable to help support any changes.
The previous URL used to be as follows (Changing the X's to your Proofpoint subscription id):
https://rules.emergingthreatspro.com/XXXXXXXXXXXXXXXX/reputation/iprepdata.txt.gzIf you enter that URL in the browser, does the file download? I would assume that the URL would have changed also.
If the URL is ok, post some screenshots of the Reputation tab (ET IQRISK) and obfuscate your Subscription ID…
-
Hey BBcan177
I can download the file fine by hand and the URL structure is the same.
The file format still also looks the same:
ip, category, score
I also downloaded the file, pulled out only the IP addresses and re-served the file on a local webserver just as an IP list and it has the same download issues.
During the update it hangs on the download of this large file (6.9 MB) for about 90 seconds with the following:
[ ETIQRisk ] Downloading update .. 200 OK.
Then says the file is empty:
Empty file, Adding '1.1.1.1' to avoid download failure.
So its not event getting to download the file correctly.
Anyway to debug the pull script? maybe add more verbose logging?
-
When you see "200 ok", that means that the file was downloaded successfully… So the issue is in the parsing of the file...
How many Lists did you select in the Reputation Tab - IQRisk Select Menu?
If you are using Country Blocking and other lists, it could also be that the IPs are duplicates which could report "1.1.1.1" which is an empty file placeholder... Maybe try to move the IQRisk as the first pfBNG Alias and execute a "Force Reload"...
-
Currently 20 in the list.
I lower it to 1 option and added the IQRISK to the top, disabled all CC and other IPv4 lists
Going to try a reinstall on this plugin to see if it helps
Output from Cron:
===[ Continent Process ]============================================
===[ IPv4 Process ]=================================================
[ ETIQRisk ] Downloading update .. 200 OK.. completed ..
Empty file, Adding '1.1.1.1' to avoid download failure.===[ Aliastables / Rules ]==========================================
No changes to Firewall rules, skipping Filter Reload
Updating: pfB_ETIQRisk
no changes.===[ FINAL Processing ]=====================================
cat: /var/db/pfblockerng/original/Block: No such file or directory
cat: All_custom.orig: No such file or directory
[ Original IP count ] [ 32 ]===[ Deny List IP Counts ]===========================
1 total
1 /var/db/pfblockerng/deny/ETIQRisk.txt====================[ Empty Lists w/1.1.1.1 ]==================
ETIQRisk
====================[ Last Updated List Summary ]==============
Jan 22 21:06 ETIQRisk
IPv4 alias tables IP count
–---------------------------
1IPv6 alias tables IP count
0
Alias table IP Counts
1 /var/db/aliastables/pfB_ETIQRisk.txt
pfSense Table Stats
table-entries hard limit 2000000
Table Usage Count 3725UPDATE PROCESS ENDED [ 01/22/16 21:07:30 ]
-
It's hard to troubleshoot without being able to test the file. I sent you a PM, if you are interested to do a TeamViewer session, I can see it live and be able to sort it out for you.
-
BBcan177 has fixed this issue!
-
Hi all
I seem to have a misconfiguration with the DNSBL. Specifically when Google tries to throw ads at me from their subsidiary Doubleclick I keep getting invalid certificate errors. Inspecting the certificate shows it looks like a generic certificate with all the default values you would expect from someone just hitting "OK" or something.
I've had a search around and I can't seem to find what's causing it.
Any suggestions?