PfBlockerNG v2.0 w/DNSBL
-
Ensure that your LAN devices have their DNS settings set to only pfSense. If you ping the DNSBL VIP does it resolve? If you browse the the DNSBL VIP do you get the 1x1?
-
i can ping the VIP from my 192.1.6.2.xxx to the VIP http://10.10.10.1/.
If i load up the web page its blank.
Not seeing anything about a gif.
The only hint is <title>10.10.10.1 (1×1)</title>
This happens if it is blocking correctly or incorrectly.
It seems that everything works till the first cron job. After that if i want it to work i have to force update till the next cron job.
-
Can you follow the instructions in this post:
https://forum.pfsense.org/index.php?topic=102470.msg607864#msg607864
-
-
Can you follow the instructions in this post:
https://forum.pfsense.org/index.php?topic=102470.msg607864#msg607864
Thank you. It has been up for 3 cron jobs and is still working.
After the first reboot after the patch i did have to force update to get this to work the first time:
===[ DNSBL Process ]================================================
Missing DNSBL stats and/or Unbound DNSBL conf file - Rebuilding -
-
Hello all,
pfSense noob here. Using pfSense since November 2015. Full install of pfSense on SuperMicro A1SAi-27f0F, 16GM RAM. I am having a strange problem, and am not sure what I did. I was happily using pfBlocker_NG with DNSBL. I upgraded pfBNG from 2.04 to 2.05 four days ago. When I reboot, the LAN interface is now assigned the DNSBL Virtual IP (10.10.10.1) and not the 192.168.1.1 IP as specified under Interfaces: LAN. I have to manually "2) Set interface(s) IP address" in a ssh session, before I can log in to the GUI and disable DNSBL. Reboot, and the LAN gets the 192.168.1.1 IP. Same with 2.05 to 2.06. Did not have this issue with version 2.04. I would rather not wipe the box and start over, if someone might point me in another direction. Thanks in advance.
-
When I reboot, the LAN interface is now assigned the DNSBL Virtual IP (10.10.10.1) and not the 192.168.1.1 IP as specified under Interfaces: LAN.
I assume the LAN interface is DHCP? I have only seen this when another user used bridged interfaces… The DNSBL VIP is a virtual alias in the LAN interface... Maybe your LAN device is not getting an IP address before DNSBL executes?
There has not been any changes to that part of the code, but there is another release "2.0.6" which you can try...
-
Thank you! That is something I can try later tonight, at present three ethernet and four WiFi are all bridged, I will eliminate the bridge, and report back. Yes, LAN hands out IPs via DHCP. V. 2.06 also the same behavior as V. 2.05
-
Correction: the LAN interface (currently bridged) is assigned the static IP of 192.168.1.1, I needed to reread your question.
Thanks again. -
Correction: the LAN interface (currently bridged) is assigned the static IP of 192.168.1.1, I needed to reread your question.
Thanks again.If you want to continue bridging… Add another physical interface (without bridging) and assign the DNSBL VIP to that Interface. Just make sure to add firewall rules to allow other LAN addresses to access it...
Otherwise best to remove the bridge and use a more efficient hardware switch :)
-
I have this website which implements most of the content/features with iframes and it stops working when enabling DNSBL. I have added the addresses of the site and iframe's to the "Custom Domain Suppression" but the site simply refuses to load nothing but a white page where the iframe goes. tcpdump shows no activity when loading that site. None of the log files reveal nothing useful. Any way to debug it further?
-
Shopro,
Try to hit "F12" in the browser to open Dev mode, then goto the "console" tab to see additional details that might help diagnose. You can also run a tcpdump command as per the instructions in the DNSBL tab to sniff for dns requests.
-
Updating in the thread, BB :-* .
Yahoo complaining about certificates(pic00) is fixed by adding mail.yahoo.com and login.yahoo.com to the suppress list & 'Force Reload'.
I still have pic01, and I still have the strange NTP to the virtual IP:
| WAN | udp | 84.x.x.x:46231 (10.10.10.1:123) -> 195.200.224.66:123 | MULTIPLE:MULTIPLE |
No idea why, as 10.10.10.1 is completely isolated, my LAN is 192.x.x.x.
-
Mr J.,
If you run this command you will see which site is listing that domain:
grep "login.yahoo.com" /var/db/pfblockerng/dnsblorig/* /var/db/pfblockerng/dnsblorig/PhishTank.orig:3563722,https://login.yahoo.com:443/config/mail?.intl=au&.done=https%3A%2F%2Flogin.yahoo.com%3A443%2Fconfig%2Fmail%3F.intl%3Dau%26.done%3Dhttps%253A%252F%252Fau%252Dmg6.mail.yahoo.com%252Fneo%252Flaunch%253F.rand%253D7j0n99rj7v27t%2523address%23address#address,http://www.phishtank.com/phish_detail.php?phish_id=3563722,2015-10-30T15:52:31+00:00,yes,2016-02-17T06:23:42+00:00,yes,Other /var/db/pfblockerng/dnsblorig/PhishTank.orig:3507774,http://www.stmaria.cl/img/login.yahoo.com%20config%20mail%20.intl=hk.html,http://www.phishtank.com/phish_detail.php?phish_id=3507774,2015-10-03T14:14:09+00:00,yes,2015-10-12T19:54:23+00:00,yes,Other
Can also see if a domain is in the final dnsbl list:
grep "login.yahoo.com" /var/unbound/pfb_dnsbl.conf grep "login.yahoo.com" /var/db/pfblockerng/dnsbl/*
So from the first command above, you can see that login.yahoo.com is listed by PhishTank… That feed posts full URLs, so it can cause FPs... Its best to use that Feed with Alexa suppression. Also similar with OpenPhish and MPatrol... If your starting out with DNSBL, maybe disable those three lists, until you get more comfortable with it...
For your certificate issue: In Chrome you can clear the DNS Browser cache with this link:
chrome://net-internals/#dns
I am not sure if FireFox has something similar… You might also need to clear your Desktop and/or Browser DNS cache, since it might still have these blocked domains in the cache even tho you cleared it in DNSBL... Might also need to close and re-open the browser...
ipconfig /flushdns
Look at the post above yours, where i suggest using F12 Dev mode to help diagnose issues…
For your NTP issue, goto the tab Services: NTP, did you select the DNSBL VIP address?
-
Gracias Don BB ;D
Mr J.,
If you run this command you will see which site is listing that domain:
grep "login.yahoo.com" /var/db/pfblockerng/dnsblorig/* /var/db/pfblockerng/dnsblorig/PhishTank.orig:3563722,https://login.yahoo.com:443/config/mail?.intl=au&.done=https%3A%2F%2Flogin.yahoo.com%3A443%2Fconfig%2Fmail%3F.intl%3Dau%26.done%3Dhttps%253A%252F%252Fau%252Dmg6.mail.yahoo.com%252Fneo%252Flaunch%253F.rand%253D7j0n99rj7v27t%2523address%23address#address,http://www.phishtank.com/phish_detail.php?phish_id=3563722,2015-10-30T15:52:31+00:00,yes,2016-02-17T06:23:42+00:00,yes,Other /var/db/pfblockerng/dnsblorig/PhishTank.orig:3507774,http://www.stmaria.cl/img/login.yahoo.com%20config%20mail%20.intl=hk.html,http://www.phishtank.com/phish_detail.php?phish_id=3507774,2015-10-03T14:14:09+00:00,yes,2015-10-12T19:54:23+00:00,yes,Other
Can also see if a domain is in the final dnsbl list:
grep "login.yahoo.com" /var/unbound/pfb_dnsbl.conf grep "login.yahoo.com" /var/db/pfblockerng/dnsbl/*
So from the first command above, you can see that login.yahoo.com is listed by PhishTank… That feed posts full URLs, so it can cause FPs... Its best to use that Feed with Alexa suppression. Also similar with OpenPhish and MPatrol... If your starting out with DNSBL, maybe disable those three lists, until you get more comfortable with it...
That Feed was filtered via Alexa. Obviously it missed something one way or the other.
For your certificate issue: In Chrome you can clear the DNS Browser cache with this link:
chrome://net-internals/#dns
I am not sure if FireFox has something similar… You might also need to clear your Desktop and/or Browser DNS cache, since it might still have these blocked domains in the cache even tho you cleared it in DNSBL... Might also need to close and re-open the browser...
ipconfig /flushdns
I need to find out how to do that in FF. For now the problem was fixed with the Force Reload and the manual addition of the domains.
Look at the post above yours, where i suggest using F12 Dev mode to help diagnose issues…
To say it in the usa-kind-of-way: "like duh" ( ;D ).
Seriously, F12 Dev mode never showed me something useful.
For your NTP issue, goto the tab Services: NTP, did you select the DNSBL VIP address?
No sir, of course I did not. Should I? I understood the VIP address to be something like 'dev/null'; don't touch it, let it do its thing.
Gracias Don BB :-*
-
Thank you BBcan!
Perhaps what I did will help somebody else? What I did: per your suggestion, I got rid of the bridge. I had the bridge because I could not figure out how to get the three wireless APs (one ath/Atheros type PCIe card, and two run/Realtek type on USB) to connect. without it. Took me a few evenings to rethink everything, but now it seems to be working as I wish.
The SuperMicro A1SAi-27f0F has four ethernet, igb0 to igb4. My current configuration: WAN is assigned to igb0, igb1 to igb3 is configured as LAGG0. LAN is assigned to LAGG0. Three ports on my switch are also configured to match the LAGG. OPTx interfaces are assigned to each of the three wireless APs. Under Interfaces: LAN, I configured the "Static IPv4 configuration" to 192.168.x.x/16 instead of 192.168.x.x/24. Under Services: DHCP server, on the LAN tab I set a range of IPs to be served out that did not include all possible IPs in the 192.168.x.x/16 range. That made it possible for me to assign a separate range of IPs to be served out by each OPTx interface. Now, the LAN interface no longer gets assigned the DNSBL IP on reboot.
Off topic for this post, but it occurs to me that a useful feature would be the ability to create a network port from tha MAC of an AP that is not connected to the pfSense box, but hanging off a switch on another part of the network. Then you could assign an OPTx interface to it and a tab for it would show up under Services: DHCP server, like the tabs for the OPTx interfaces that are actually connected to the pfSense box. OK, is the abyss of my ignorance showing again? Is this what VLANs are for?
-
"Beware, even things on Amazon come with embedded malware…" Mike Olsen
http://artfulhacker.com/post/142519805054/beware-even-things-on-amazon-comehttps://blog.sucuri.net/2011/03/brenz-pl-is-back-with-malicious-iframes.html
This malicious domain is in DNSBL Feed - MDS - Malware Domains List :)
grep "brenz[.]pl" /var/db/pfblockerng/dnsbl/* /var/db/pfblockerng/dnsbl/MDS.txt:local-data: "brenz[.]pl 60 IN A 10.10.10.1"
Other recent articles of interest:
http://researchcenter.paloaltonetworks.com/2016/04/unit42-ramdo/
http://blog.talosintel.com/2016/04/nuclear-tor.html -
BBcan177
I haven't made any changes to my system for a few weeks… or at least since the recent pfBlockerNG updates. Now, in my IPv4 "Allow" rule you helped me setup, I can't make any changes. It keeps returning:
Header field cannot contain special or international characters.
So I backed out and just left the entries that were there and get the same return. The only non Alphas in the Headers are "." and "-". Both those have been there a couple months. Has something changed?
Rick
-
Hey Rick,
Yes I added input validation to that field recently… So you can use an "_" underscore instead of "-".