PfBlockerNG v2.0 w/DNSBL
-
Not sure if anyone else saw the pfSense newsletter today ;D the package pfBlockerNG is going to be the topic for this months pfSense Hangout Friday, April 29th, 2016 at 1PM CDT/2PM EDT
BBCan177 will be providing an overview of the package, how-to's, and taking questions from the audience.
This should be really good reference material for anyone looking for a basic setup, overview of how the package works.
-
I'm having issues retrieving updates from dshield.org.
In the log I found:
Failed to connect to feeds.dshield.org port 80: Connection refused Retry in 5 seconds... . cURL Error: 7 Failed to connect to feeds.dshield.org port 80: Connection refused Retry in 5 seconds... . cURL Error: 7 Failed to connect to feeds.dshield.org port 80: Connection refused Retry in 5 seconds... .. unknown http status code
I have set up pfBlocker to get updates from:
http://feeds.dshield.org/top10-2.txtAnyone know why it is failing?
-
I'm having issues retrieving updates from dshield.org.
I have set up pfBlocker to get updates from:
http://feeds.dshield.org/top10-2.txtThat link loads ok for me…
Change the "State" to "Off" for a day, then re-enable it... Maybe they are rate-limiting you...
Also best to use the "Download Failure Threshold" and set it to say (4). -
Ok, thanks. Gonna have a look!
-
Is it possible to import and export individual pfBlockerNG IPV4 aliases?
I ask because I am in the process of creating an alphabetized-by-continent IPV4 alias for with one country per line, allowing each country to be toggled on/off. The beginning of the alias is shown below:I want to be able to create multiple instances of it, each with different names for use with different rules (e.g. "No_Email_Countries", "No_FTP_Countries", "No_HTTP_Countries," etc.). With more than 250 lines when it is all done, I am not willing to re-enter the entire thing in order to make a duplicate for another purpose.
Nor do I want to have to reenter the entire list if Zimbabwe decides to become Aaritania or a new country is added to the ISO 3166 country code list. (It's easy to just delete a country. So, for example, I have no problem with Guinea invading, and taking the territory of, Sierra Leone – as long as it doesn't change its name and, hence, where it needs to sort in my alias. Unfortunately, I doubt that I will be able to force all countries to restrict their political and military actions to ones which minimize the impact on my pfBlockerNG IPV4 aliases.)
So I would like to be able to export the alias as XML, edit the XML file (change the alias name, add a country, etc.), and then re-import it.
It looks like this in the config.xml file:
<config><aliasname>Countries_I_Do_Not_Trust</aliasname> <row><format>auto</format> <state>Disabled</state> <url>/usr/local/share/GeoIP/cc/Africa_v4.txt</url> <header>__AFRICA_ALL__</header></row> <row><format>auto</format> <state>Enabled</state> <url>/usr/local/share/GeoIP/cc/DZ_v4.txt</url> <header>Algeria</header></row> <row><format>auto</format> <state>Disabled</state> <url>/usr/local/share/GeoIP/cc/AO_v4.txt</url> <header>Angola</header></row> <row><format>auto</format> <state>Disabled</state> <url>/usr/local/share/GeoIP/cc/BJ_v4.txt</url> <header>Benin</header></row> <row><format>auto</format> <state>Disabled</state> <url>/usr/local/share/GeoIP/cc/BW_v4.txt</url> <header>Botswana</header></row> <row><format>auto</format> <state>Disabled</state> <url>/usr/local/share/GeoIP/cc/BF_v4.txt</url> <header>Burkina_Faso</header></row> ...</config>
What I don't want to do is backup my entire configuration, edit the XML file manually, pasting in 1.5K line sections at a time for each instance of this alias, and then restore the entire configuration. Not only is that time-consuming, I will eventually screw something up and then very bad things will result.
So is exporting/importing practical or should I just abandon this effort?
-
Could you be so kind a create a PAC file which could help with DNSBL and squid?
Lets say we have these IPs:
pfsense LAN-IP: 192.168.10.1 /24
pfsense WAN-IP: 192.168.178.254 /24
DNSBL VIP: 10.123.123.123Could you show me a PAC file which will make sure that every connection to the internet will be checked against DNSBL?
To be honest I even don't understand (but I've to admit that I didn't spent lot of time on this specific issue) what the problem is with .pac file.
Let me explain :
- when you configure explicit proxy, .pac file will tell your browser when to go direct or when use proxy.
- because you are using explicit proxy, DNS resolution, when using proxy, is done at proxy level and DNS relies on pfSense to resolve names and block or not IPs.
Thus because I don't understand what problem is, I can't really help with proxy.pac design yet. But feel free to explain and I'll do my best with proxy.pac ;)
-
I have disabled DNSBL in the pgblockerNG menu. However, i restart pfsense DNSBL service shows up as Running under Status>Services. Is this a bug?
-
Further I created a new PAC file with the help of some websites on the internet. Tested the PAC file with some "testing" tools I found on the web, too.
Again I'm confused because I don't understand the link between pac file and pfBlockerNG.
- Pac file will tell your browser when to go direct or through proxy
- when going thought proxy, DNS resolution is handled by your proxy server (and therefore underlying system)
This means that for anything that is not "local" (plus perhaps some exceptions if you allow direct access for Windowsupdate e.g. ::) ), name resolution is done by proxy server.
BTW, when going direct, name resolution id most likely done by your main DNS that is, I guess pfSense tooBecause of this, I don't understand why .pac file would impact pfBlockerNG. I'm not saing there is no link but I just don"t understand. If you could explain, it would be nice ;)
-
Anyone else experience that pfBlockerNG doesn't work on 2.3 if using floating rules? After the last update, I noticed all my rule counts were ZERO hits on the pfBlocker widget. So I tried going to a website on a blocked country, and it did not block.
Then tried:
1. Disabled the floating rules option (saved), forced an update, and then tried the website again and it was blocked.
2. Then re-enabled floating rules (saved), forced an update, tried the website again and it was NOT blocked.
3. Disabled the floating rules option (saved), forced an update, and then tried the website again and it was blocked.So, seems on my system at least the floating rules simply do not work. I can't tell if this is a 2.3 issue or a pfBlocker issue though.
Jason Bottjen
I do a bunch of traffic shaping with floating rules, and they all show hits. Remember, last rule wins for floating, which is the opposite of non-floating rules.
-
Anyone else experience that pfBlockerNG doesn't work on 2.3 if using floating rules? After the last update, I noticed all my rule counts were ZERO hits on the pfBlocker widget. So I tried going to a website on a blocked country, and it did not block.
Then tried:
1. Disabled the floating rules option (saved), forced an update, and then tried the website again and it was blocked.
2. Then re-enabled floating rules (saved), forced an update, tried the website again and it was NOT blocked.
3. Disabled the floating rules option (saved), forced an update, and then tried the website again and it was blocked.So, seems on my system at least the floating rules simply do not work. I can't tell if this is a 2.3 issue or a pfBlocker issue though.
Jason Bottjen
I do a bunch of traffic shaping with floating rules, and they all show hits. Remember, last rule wins for floating, which is the opposite of non-floating rules.
unless you have quick match enabled, right?
-
@irj972:
unless you have quick match enabled, right?
Right.
-
Hi,
I am not sure if I found a little bug in the GUI:
In pfblockerng general settings I configured CRON settings like this:
once a day :15 0 3When going to services –> cron I can see this - which is correct I assume:
15 3 * * * root /usr/local/bin/php /usr/local/www/pfblockerng/pfblockerng.php cron >> /var/log/pfblockerng/pfblockerng.log 2>&1BUT when I go to pfblockerng --> Updates I can see this:
Status NEXT Scheduled CRON Event will run at 01:15 with 01:44:46 time remaining.
Refresh to update current status and time remaining.
PS: At the moment it is 11:30 pm on my system and pfsense GUI + CLI.Is there something wrong or did I miss some configuration in pfblockerng which is related to this time ?
PPS:
The redirect of DNSBL to the https VIP always shows an invalid certificate. As far as I can see this is because the CN in the cert is not the same as the blocked domain. I tried it with creating a wildcard certificate for some domains in the DNSBL like ".smaato.net" which showed a correct certificate for "c09.smaato.net" and so on. Tried with a wilcard certificate like ".net" but this did not work.So my question ist if it is possible after downloading all the DNSBL domains to copy all these domains into a file and the create one new certificate which contains all these domains as SAN in the certificate, them replace the "old" cert on "/var/unbound/dnsbl_cert.pem" with the new one. Further is it possible to add the "ssl.ca-file" parameter (https://redmine.lighttpd.net/projects/1/wiki/Docs_SSL) to the lighhtpd conf file?
Found some code here not sure if it can be used:
openssl req -batch -newkey rsa:2048 -sha1 -keyout priv-key.pem -out certreq.pem -config openssl-gwdg.cnf
#################################################################### [ req ] distinguished_name = req_distinguished_name string_mask = nombstr # The extensions to add to a certificate request req_extensions = v3_req # GWDG default options for certificate request [ req_distinguished_name ] countryName = Country Name (2 letter code) countryName_default = DE countryName_min = 2 countryName_max = 2 stateOrProvinceName = State or Province Name (full name) stateOrProvinceName_default = NIEDERSACHSEN localityName = Your City localityName_default = GOETTINGEN 0.organizationName = Organization Name (eg, company) 0.organizationName_default = Gesellschaft fuer wissenschaftliche Datenverarbeitung # Dieser Teil ist Optional und kann bei Bedarf einkommentiert werden # Wichtig: Es dürfen keine Sonderzeichen wie z.B. auch ein - oder _ dort vorkommen! # # organizationalUnitName = Organizational Unit Name (eg, section) # organizationalUnitName_default = AG A commonName = YOUR NAME commonName_max = 64 commonName_default = example.gwdg.de emailAddress = E-MAIL emailAddress_max = 64 emailAddress_default = support@gwdg.de [ v3_req ] subjectAltName = DNS:example.gwdg.de, DNS:www.example.gwdg.de, DNS:www2.example.gwdg.de ####################################################################
Don't know if there is a SAN limit per certificate but perhaps with wildcard it should reduce the amount.
Regards
-
Hi,
I am not sure if I found a little bug in the GUI:
In pfblockerng general settings I configured CRON settings like this:
once a day :15 0 3When going to services –> cron I can see this - which is correct I assume:
15 3 * * * root /usr/local/bin/php /usr/local/www/pfblockerng/pfblockerng.php cron >> /var/log/pfblockerng/pfblockerng.log 2>&1BUT when I go to pfblockerng --> Updates I can see this:
Status NEXT Scheduled CRON Event will run at 01:15 with 01:44:46 time remaining.
Refresh to update current status and time remaining.
PS: At the moment it is 11:30 pm on my system and pfsense GUI + CLI.Is there something wrong or did I miss some configuration in pfblockerng which is related to this time ?
Thanks Nachtfalke, I posted a fix for this in pfBlockerNG v2.0.14 (for pfSense v2.3)
-
Hi again,
I am still facing problems with certificate errors on Google Chrome 50 and IE10 on Windows 7. I am running pfsense 2.3 and the most recent pfblockerng package.
To make sure that there aren't any side-effects with squid anymore I configured an "allow mc-pc to any" rule on the LAN interface, I disabled squid package and disabled squid configuration on my browser.
Further I uninstalled pfblockerng package with (Keep Settings enabled) and then removed all remaining files in "usr/local/pkg/pfblockerng/" and all pfblockerng related files (config + certificates) in "/var/unbound/".Then I did a reinstall of the pfblockerng package and I did a "Force Update All".
So I attached some screenshots which show the following:
1.) Which show tha I do not get any "IF" or "SOURCE" displayed for HTTPS requests
2.) I get a certificate warning with Google Chrome 50 and IE10 when accessing a website with https directly which is in the DNSBL
3.) When I accept the "insecure/untrusted" certificate then it will display an "IF" and "SOURCE" in the "Alerts" tab.
4.) Sometimes I am getting a HSTS error messageI know that pfblockerng / DNSBL will still block access to the websites on DNS level but it will not give my any visibility in the Alerts tab as long as the certificate problem exists.
So do you have the same problems?
Any ideas how to fix this?Kind regards :-)
-
When I enable DNSBL, local PCs show the yellow triangle exclamation mark, which indicate there is no internet connection. However the internet is connected. The yellow triangle icon goes away if I disable DNSBL.
Any one knows how to fix this issue?
-
When I enable DNSBL, local PCs show the yellow triangle exclamation mark, which indicate there is no internet connection. However the internet is connected. The yellow triangle icon goes away if I disable DNSBL.
Any one knows how to fix this issue?
Did you look at the Alerts tab for pfBlockerNG ?
That is where you will see what domain is blocked and to what list it belong to.
You can suppress that domain by clicking the "+" suppress icon. -
When I enable DNSBL, local PCs show the yellow triangle exclamation mark, which indicate there is no internet connection. However the internet is connected. The yellow triangle icon goes away if I disable DNSBL.
Any one knows how to fix this issue?
Did you look at the Alerts tab for pfBlockerNG ?
That is where you will see what domain is blocked and to what list it belong to.
You can suppress that domain by clicking the "+" suppress icon.I suppress couple domains and looks like the yellow triangle icon has gone away. Thanks!
Just wondering, is there any other way to solve this issue, like put the local PCs in a white list or something like that? -
I suppress couple domains and looks like the yellow triangle icon has gone away. Thanks!
Just wondering, is there any other way to solve this issue, like put the local PCs in a white list or something like that?I think you suppressed: www.msftncsi.com
Recent discussion here:
https://forum.pfsense.org/index.php?topic=111460.msg620939#msg620939The package doesn't have a built-in whitelist. Its up to the user to decide what to block.
-
I think you suppressed: www.msftncsi.com
You can suppress the verification site(s?) or you can kill the verification by disabling "EnableActiveProbing" in the registry on Windows systems.
Rick
-
Hi,
After upgrading to 2.0.14 I'm still experiencing a lot of errors related to the blocklists:
There were error(s) loading the rules: /tmp/rules.debug:344: macro 'pfB_DNSBLIP' not defined - The line in question reads [344]: block in log quick on $WAN reply-to ( em1 x.x.x.x ) inet from $pfB_DNSBLIP to any tracker 1770008414 label "USER_RULE: pfB_DNSBLIP auto rule"
There were error(s) loading the rules: /tmp/rules.debug:328: macro 'pfB_DNSBLIP' not defined - The line in question reads [328]: block in log quick on $WAN reply-to ( em1 x.x.x.x ) inet from $pfB_DNSBLIP to any tracker 1770008442 label "USER_RULE: pfB_DNSBLIP auto rule"
There were error(s) loading the rules: /tmp/rules.debug:39: cannot load "/var/db/aliastables/pfB_PRI3.txt": No such file or directory - The line in question reads [39]: table persist file "/var/db/aliastables/pfB_PRI3.txt"
If I do a forced reload of the DNSBL, most errors are gone, but they keep coming back, especially after an update of the rules. It seems to have started after I did the first update after the version that came with the pfsense 2.3 package…
Hope this can be fixed!
using the latest pfsense 2.3, pfBlockerNG 2.0.14 with DNSBL, two servers in a CARP failover configuration (but not syncing pfBlockerNG, if I do that the IP address of the DNSBL is duplicated leading to other errors)