PfBlockerNG v2.0 w/DNSBL
-
Correction: the LAN interface (currently bridged) is assigned the static IP of 192.168.1.1, I needed to reread your question.
Thanks again.If you want to continue bridging… Add another physical interface (without bridging) and assign the DNSBL VIP to that Interface. Just make sure to add firewall rules to allow other LAN addresses to access it...
Otherwise best to remove the bridge and use a more efficient hardware switch :)
-
I have this website which implements most of the content/features with iframes and it stops working when enabling DNSBL. I have added the addresses of the site and iframe's to the "Custom Domain Suppression" but the site simply refuses to load nothing but a white page where the iframe goes. tcpdump shows no activity when loading that site. None of the log files reveal nothing useful. Any way to debug it further?
-
Shopro,
Try to hit "F12" in the browser to open Dev mode, then goto the "console" tab to see additional details that might help diagnose. You can also run a tcpdump command as per the instructions in the DNSBL tab to sniff for dns requests.
-
Updating in the thread, BB :-* .
Yahoo complaining about certificates(pic00) is fixed by adding mail.yahoo.com and login.yahoo.com to the suppress list & 'Force Reload'.
I still have pic01, and I still have the strange NTP to the virtual IP:
| WAN | udp | 84.x.x.x:46231 (10.10.10.1:123) -> 195.200.224.66:123 | MULTIPLE:MULTIPLE |
No idea why, as 10.10.10.1 is completely isolated, my LAN is 192.x.x.x.
-
Mr J.,
If you run this command you will see which site is listing that domain:
grep "login.yahoo.com" /var/db/pfblockerng/dnsblorig/* /var/db/pfblockerng/dnsblorig/PhishTank.orig:3563722,https://login.yahoo.com:443/config/mail?.intl=au&.done=https%3A%2F%2Flogin.yahoo.com%3A443%2Fconfig%2Fmail%3F.intl%3Dau%26.done%3Dhttps%253A%252F%252Fau%252Dmg6.mail.yahoo.com%252Fneo%252Flaunch%253F.rand%253D7j0n99rj7v27t%2523address%23address#address,http://www.phishtank.com/phish_detail.php?phish_id=3563722,2015-10-30T15:52:31+00:00,yes,2016-02-17T06:23:42+00:00,yes,Other /var/db/pfblockerng/dnsblorig/PhishTank.orig:3507774,http://www.stmaria.cl/img/login.yahoo.com%20config%20mail%20.intl=hk.html,http://www.phishtank.com/phish_detail.php?phish_id=3507774,2015-10-03T14:14:09+00:00,yes,2015-10-12T19:54:23+00:00,yes,Other
Can also see if a domain is in the final dnsbl list:
grep "login.yahoo.com" /var/unbound/pfb_dnsbl.conf grep "login.yahoo.com" /var/db/pfblockerng/dnsbl/*
So from the first command above, you can see that login.yahoo.com is listed by PhishTank… That feed posts full URLs, so it can cause FPs... Its best to use that Feed with Alexa suppression. Also similar with OpenPhish and MPatrol... If your starting out with DNSBL, maybe disable those three lists, until you get more comfortable with it...
For your certificate issue: In Chrome you can clear the DNS Browser cache with this link:
chrome://net-internals/#dns
I am not sure if FireFox has something similar… You might also need to clear your Desktop and/or Browser DNS cache, since it might still have these blocked domains in the cache even tho you cleared it in DNSBL... Might also need to close and re-open the browser...
ipconfig /flushdns
Look at the post above yours, where i suggest using F12 Dev mode to help diagnose issues…
For your NTP issue, goto the tab Services: NTP, did you select the DNSBL VIP address?
-
Gracias Don BB ;D
Mr J.,
If you run this command you will see which site is listing that domain:
grep "login.yahoo.com" /var/db/pfblockerng/dnsblorig/* /var/db/pfblockerng/dnsblorig/PhishTank.orig:3563722,https://login.yahoo.com:443/config/mail?.intl=au&.done=https%3A%2F%2Flogin.yahoo.com%3A443%2Fconfig%2Fmail%3F.intl%3Dau%26.done%3Dhttps%253A%252F%252Fau%252Dmg6.mail.yahoo.com%252Fneo%252Flaunch%253F.rand%253D7j0n99rj7v27t%2523address%23address#address,http://www.phishtank.com/phish_detail.php?phish_id=3563722,2015-10-30T15:52:31+00:00,yes,2016-02-17T06:23:42+00:00,yes,Other /var/db/pfblockerng/dnsblorig/PhishTank.orig:3507774,http://www.stmaria.cl/img/login.yahoo.com%20config%20mail%20.intl=hk.html,http://www.phishtank.com/phish_detail.php?phish_id=3507774,2015-10-03T14:14:09+00:00,yes,2015-10-12T19:54:23+00:00,yes,Other
Can also see if a domain is in the final dnsbl list:
grep "login.yahoo.com" /var/unbound/pfb_dnsbl.conf grep "login.yahoo.com" /var/db/pfblockerng/dnsbl/*
So from the first command above, you can see that login.yahoo.com is listed by PhishTank… That feed posts full URLs, so it can cause FPs... Its best to use that Feed with Alexa suppression. Also similar with OpenPhish and MPatrol... If your starting out with DNSBL, maybe disable those three lists, until you get more comfortable with it...
That Feed was filtered via Alexa. Obviously it missed something one way or the other.
For your certificate issue: In Chrome you can clear the DNS Browser cache with this link:
chrome://net-internals/#dns
I am not sure if FireFox has something similar… You might also need to clear your Desktop and/or Browser DNS cache, since it might still have these blocked domains in the cache even tho you cleared it in DNSBL... Might also need to close and re-open the browser...
ipconfig /flushdns
I need to find out how to do that in FF. For now the problem was fixed with the Force Reload and the manual addition of the domains.
Look at the post above yours, where i suggest using F12 Dev mode to help diagnose issues…
To say it in the usa-kind-of-way: "like duh" ( ;D ).
Seriously, F12 Dev mode never showed me something useful.
For your NTP issue, goto the tab Services: NTP, did you select the DNSBL VIP address?
No sir, of course I did not. Should I? I understood the VIP address to be something like 'dev/null'; don't touch it, let it do its thing.
Gracias Don BB :-*
-
Thank you BBcan!
Perhaps what I did will help somebody else? What I did: per your suggestion, I got rid of the bridge. I had the bridge because I could not figure out how to get the three wireless APs (one ath/Atheros type PCIe card, and two run/Realtek type on USB) to connect. without it. Took me a few evenings to rethink everything, but now it seems to be working as I wish.
The SuperMicro A1SAi-27f0F has four ethernet, igb0 to igb4. My current configuration: WAN is assigned to igb0, igb1 to igb3 is configured as LAGG0. LAN is assigned to LAGG0. Three ports on my switch are also configured to match the LAGG. OPTx interfaces are assigned to each of the three wireless APs. Under Interfaces: LAN, I configured the "Static IPv4 configuration" to 192.168.x.x/16 instead of 192.168.x.x/24. Under Services: DHCP server, on the LAN tab I set a range of IPs to be served out that did not include all possible IPs in the 192.168.x.x/16 range. That made it possible for me to assign a separate range of IPs to be served out by each OPTx interface. Now, the LAN interface no longer gets assigned the DNSBL IP on reboot.
Off topic for this post, but it occurs to me that a useful feature would be the ability to create a network port from tha MAC of an AP that is not connected to the pfSense box, but hanging off a switch on another part of the network. Then you could assign an OPTx interface to it and a tab for it would show up under Services: DHCP server, like the tabs for the OPTx interfaces that are actually connected to the pfSense box. OK, is the abyss of my ignorance showing again? Is this what VLANs are for?
-
"Beware, even things on Amazon come with embedded malware…" Mike Olsen
http://artfulhacker.com/post/142519805054/beware-even-things-on-amazon-comehttps://blog.sucuri.net/2011/03/brenz-pl-is-back-with-malicious-iframes.html
This malicious domain is in DNSBL Feed - MDS - Malware Domains List :)
grep "brenz[.]pl" /var/db/pfblockerng/dnsbl/* /var/db/pfblockerng/dnsbl/MDS.txt:local-data: "brenz[.]pl 60 IN A 10.10.10.1"
Other recent articles of interest:
http://researchcenter.paloaltonetworks.com/2016/04/unit42-ramdo/
http://blog.talosintel.com/2016/04/nuclear-tor.html -
BBcan177
I haven't made any changes to my system for a few weeks… or at least since the recent pfBlockerNG updates. Now, in my IPv4 "Allow" rule you helped me setup, I can't make any changes. It keeps returning:
Header field cannot contain special or international characters.
So I backed out and just left the entries that were there and get the same return. The only non Alphas in the Headers are "." and "-". Both those have been there a couple months. Has something changed?
Rick
-
Hey Rick,
Yes I added input validation to that field recently… So you can use an "_" underscore instead of "-".
-
Yes I added input validation to that field recently… So you can use an "_" underscore instead of "-".
Good to know. It does like the "" underscore but won't accept "." periods any more. Not complaining just letting you know… I had to remove ALL non-alpha characters to get the list to save even without adding anything new. Once saved without any non-alphas, I was able to add a Whois/ASN and in the header use a "" to get things to clean up verbiage.
Thanks,
Rick -
Hey Rick,
Previously it would strip out any special characters. So if you entered a Header as "example.list", it would change that to "examplelist".. With the input validation, it lets you know to avoid special or international characters and ask that you fix them before it will save…
-
I am really stuck… Have been searching for an answer for days now and I very seldom give up.
I have PFSense 2.2.6 with pfBlockerNG 2.0.6 installed on a VPS that only as a single WAN interface VTNET0
The aim of the server is simply to act as a remote inbound DNS server that blocks a range of blacklists via pfBlockerNG when queried otherwise it just delivers the usual DNS lookup.
I have an open port 53 for DNS resolver and that works just fine.
THE PROBLEM... pfBlockerNG refuses to LOG any ALERTS (alerts TAB) or ERRORS in LOG (logs TAB). It says those log files don't exist. (error.log dnsbl.log)
On the DNSBL Tab the "DNSBL Listening Interface" has [] nothing listed. Due to fact its looking for a LAN segment. So its not showing LOOPBACK or WAN of course.
I tried to create a VLAN but didn't help as that locked me out of the system and I had to recover via console. (webconfig jumped to VLAN and locked out WAN)
Snort works with logging and alerts just fine. And pfBlockerNG has all the other logs working just fine. The PFsense firewall log works but that doesn't show what is being blocked exactly.
So my conclusion is that it fails to show alerts and some logs due to the fact it can't bind with the LAN segment. I have no way of adding a LAN to this VPS.
Is there some kind of work around, patch or something I can do? I need to see whats being blocked in the ALERT section!
Please help :)
-
Hi MakesSense,
Can you not add a local interface just for DNSBL?
-
hi guys
Thx firstly for a very awesome addon! - will definitely see if company can forward some $$'s your way :)
i am firstly implementing some block lists to allow specific country access, and after a few recommendations on the forum i only added a permit rule for the countries where we require access from, specifically targeting a specific port alias set,
pfblocker config is set to permit inbound , with enable custom port checked and an alias loaded with the ports i want open.
This morning i notice some alerts, with a permit firing for ports that is not in the alias rule
eg port 443 / 100 is not on the alias list - only 5401
the firewall rules summary page seems to be ok :
but if i click on edit on one of the rules, it strangely does not show the port that is being blocked
PFblocker config (Countries -> Africa)
Can anyone recommend maybe what i could be missing?
Thx
EDIT
never mind , managed to solve this ( a little bit of reading helps)
changed the protocol to TCP/UDP ( not any), and reloaded everything. seems to be ok now :)
-
Hi MakesSense,
Can you not add a local interface just for DNSBL?
Hi BBcan177,
Unfortunately I can't seem to find any way to add a LAN interface on this VPS system.
Is there any way to fake one? or any other alternative ideas?
I have about 150 people using the pfSense/pfBlockerNG server now but really struggling to figure out what is blocking. -
Hi,
If pfBlockerNG could be configured to do online lookup against block lists like e.g. zen.spamhaus.org and bl.spamcop.net this would be a great new feature since these lists contains a lot more IP's then the drop lists. I'm currently using the Postfix Forwarder package for this but this package is no longer available since version 2.3.
-
I had a list in pfBlockerNG and I removed it. Its gone from the pfBlocker GUI, but it is still on my dashboard widget and I get these warnings all the time. Unresolvable destination alias 'pfB_iBlockYoyoAdServers' for rule 'pfB_iBlockYoyoAdServers auto rule' @ 2016-04-14 16:00:03
I tried update, cron and refresh all in pfBlockerNG
Ran:
pfctl -t pfB_iBlockYoyoAdServers -T killOutput: 0 table removed
Ran: pfctl -s all
Did not see a table with that nameI have tried to uninstall pfBlocker w/keep setting uncheck. The list is still there when I reinstall.
pfSense 2.3
-
I had a list in pfBlockerNG and I removed it. Its gone from the pfBlocker GUI, but it is still on my dashboard widget and I get these warnings all the time. Unresolvable destination alias 'pfB_iBlockYoyoAdServers' for rule 'pfB_iBlockYoyoAdServers auto rule' @ 2016-04-14 16:00:03
I tried update, cron and refresh all in pfBlockerNG
Ran:
pfctl -t pfB_iBlockYoyoAdServers -T killOutput: 0 table removed
Ran: pfctl -s all
Did not see a table with that nameI have tried to uninstall pfBlocker w/keep setting uncheck. The list is still there when I reinstall.
pfSense 2.3
I fixed my issue. I deleted the entries in Firewall >> Rules for LAN and WAN that reference the list I wanted to remove. The list is gone from the dashboard and I am not getting the error anymore.
-
Hello,
I have just built a clean install of 2.3 and install pfBlockerNG and added a bunch of lists from i-BlockList
However, I am getting these lists blocking DNS traffic to the router itself
I've worked around this with a permit rule at higher priority … but it doesn't seem to be the right solution. Does this imply one of the lists has the LAN's non-routable addresses in it?