PfBlockerNG v2.0 w/DNSBL
-
If users find other feeds, please post back so that others may benefit also.
Just found this fairly new (march 2016) blocklist, looks interesting and can confirm it works with pfBlocker: https://ransomwaretracker.abuse.ch/blocklist/
-
If users find other feeds, please post back so that others may benefit also.
Just found this fairly new (march 2016) blocklist, looks interesting and can confirm it works with pfBlocker: https://ransomwaretracker.abuse.ch/blocklist/
Can't seem to find a download link. Are they commercial?
-
If users find other feeds, please post back so that others may benefit also.
Just found this fairly new (march 2016) blocklist, looks interesting and can confirm it works with pfBlocker: https://ransomwaretracker.abuse.ch/blocklist/
Can't seem to find a download link. Are they commercial?
Add the following to DNSBL
https://ransomwaretracker.abuse.ch/downloads/RW_URLBL.txt
https://ransomwaretracker.abuse.ch/downloads/RW_DOMBL.txtIn case you don't have this in IPv4 (PRI1)
https://ransomwaretracker.abuse.ch/downloads/RW_IPBL.txt -
Add the following to DNSBL
https://ransomwaretracker.abuse.ch/downloads/RW_URLBL.txt
https://ransomwaretracker.abuse.ch/downloads/RW_DOMBL.txtIn case you don't have this in IPv4 (PRI1)
https://ransomwaretracker.abuse.ch/downloads/RW_IPBL.txtSo DNSBL will accept a list containing a full URL (http://malware.example.com/path/to/badfile.exe) ? I wasn't aware of that and only added the DOMBL.txt as a feed in DNSBL and IPBL.txt(as IPv4 list)
-
So DNSBL will accept a list containing a full URL (http://malware.example.com/path/to/badfile.exe) ? I wasn't aware of that and only added the DOMBL.txt as a feed in DNSBL and IPBL.txt(as IPv4 list)
DNSBL will parse each line and extract the Domain…
This is similar to other lists like PhishTank/OpenPhish/Malware Patrol... There can be some FPs with the three that I mentioned here, because of the fact that they post URLs... So Alexa whitelist can be useful for these types of lists... But generally most of those Domains/URLs you'd want to avoid....
The RW URL list shouldn't be whitelisted with Alexa tho...
-
If users find other feeds, please post back so that others may benefit also.
Just found this fairly new (march 2016) blocklist, looks interesting and can confirm it works with pfBlocker: https://ransomwaretracker.abuse.ch/blocklist/
Can't seem to find a download link. Are they commercial?
Add the following to DNSBL
https://ransomwaretracker.abuse.ch/downloads/RW_URLBL.txt
https://ransomwaretracker.abuse.ch/downloads/RW_DOMBL.txtIn case you don't have this in IPv4 (PRI1)
https://ransomwaretracker.abuse.ch/downloads/RW_IPBL.txtThank you ;)
-
DNSBL will parse each line and extract the Domain…
This is similar to other lists like PhishTank/OpenPhish/Malware Patrol... There can be some FPs with the three that I mentioned here, because of the fact that they post URLs... So Alexa whitelist can be useful for these types of lists... But generally most of those Domains/URLs you'd want to avoid....
The RW URL list shouldn't be whitelisted with Alexa tho...
Thank you for the reply and that is great. I just added https://ransomwaretracker.abuse.ch/downloads/RW_URLBL.txt to my DNSBL.
One other question, I missed the pfBlockerng hangout but I did watch it afterwards. In it, I believe you said that you would post your recommended blocklists. Is there such a CURRENT compilation on the forum? I have been hunting them down for over a month now and cannot seem to find a "one list of lists to rule them all." I am currently using the ones from jflsakfja's posts but those posts are over a year old I think and I never did find his complete list of lists. I think he posted that he was going to include them in his suricata guide - which does not appears as though it will be completed.
-
So DNSBL will accept a list containing a full URL (http://malware.example.com/path/to/badfile.exe) ? I wasn't aware of that and only added the DOMBL.txt as a feed in DNSBL and IPBL.txt(as IPv4 list)
DNSBL will parse each line and extract the Domain…
This is similar to other lists like PhishTank/OpenPhish/Malware Patrol... There can be some FPs with the three that I mentioned here, because of the fact that they post URLs... So Alexa whitelist can be useful for these types of lists... But generally most of those Domains/URLs you'd want to avoid....
The RW URL list shouldn't be whitelisted with Alexa tho...
Thanks for clearing up, I wasn't aware of that either and just skipped the URL blocklists 8)
@khanman, thanks for the hint about pfBlockerNG hangout! Going to watch in a minute!
-
Hi BBcan177, first of all I'm a big fan of you awesome pfsense package, great work! I'm using your plugin for a couple of weeks now but I noticed some strange behaviour with DNSBL. Some fqdn's get blocked sometimes even if they are added to the global whitelist, this is not always the case. The only way to fix this was to completely set the List Action box to disabled to get things working again. After switching it back to unbound it didn't get blocked. In this particulair case it's analytics.twitter.com
The block is added to the alert log, even at this point it says it's already added to the whitelist. Why does it block this fqdn?
-
Is there such a CURRENT compilation on the forum?
This post has instructions on how to get a script that I wrote a year ago…. There are some changes to that list since, but its a start.
https://forum.pfsense.org/index.php?topic=86212.msg549973#msg549973
I will try to make a new script at some point....
-
Did you originally click the "+" suppress icon? or did you manually add the Domain to the DNSBL Whitelist?
When you click the "+" icon, it should remove the domain from the DNSBL database, and add it to the Whitelist to prevent it from getting added at a Cron event… If you manually add a domain to the whitelist, then you need to run a "Force Reload - DNSBL" for it to be removed...
Keep in mind, that your browser/OS might be caching the DNSBL VIP address for that domain. Might have to clear the browser Cache and OS cache...
You can use this link for Chrome:
chrome://net-internals/#dns -
Stupid question… I have pfBlockerNG with dnsbl running and a custom domain suppression/whitelist that was created using the plus signs in the alerts for dnsbl.
Even the fqdn is added to this list and I do a dns resolution, it gets the 10.10.10.1 address and not the proper IP. It's as if dnsbl or pfblocker isn't seeing this whitelist.
Does anybody know how I can resolve this?
Thanks!
-
have you force reloaded on the Update Tab?
-
have you force reloaded on the Update Tab?
I most definitely did. The exclusion list has been sitting in there for months and never worked. I just got motivated to look into why it's not working today.
-
have you force reloaded on the Update Tab?
I most definitely did. The exclusion list has been sitting in there for months and never worked. I just got motivated to look into why it's not working today.
What kind of Domain are you suppressing?
Can you grep for it:
grep "example.com" /var/db/pfblockerng/dnsbl/*.txt grep "example.com" /var/db/pfblockerng/dnsblalias/*.txt
-
Ive just noticed an annoying bug when pressing save on the Firewall/pfBlockerNG/Edit/IPv4 page if there are any errors all your data gets wiped out :-(
Can you please leave the data so if can be corrected?
Thanks
Rob
-
is it possible to whitelist with placeholders?
for example whitelist video.domain.com*
or how would i do that correctly?because i have a domain where videos are not playable and it looks like this -> video.domain.com/abc=43 and the id's always change.
-
Windows is showing the "no internet access" icon when I'm connected to my home network(see image). I noticed that when I disable DNSBL, windows says I do have "internet access". How should I solve this?
Maybe windows does a dns test which gets blocked by the DNSBL.
![No intenet access.png](/public/imported_attachments/1/No intenet access.png)
![No intenet access.png_thumb](/public/imported_attachments/1/No intenet access.png_thumb)
![No intenet access.png](/public/imported_attachments/1/No intenet access.png)
![No intenet access.png_thumb](/public/imported_attachments/1/No intenet access.png_thumb) -
Already discussed @BBcan177:
I suppress couple domains and looks like the yellow triangle icon has gone away. Thanks!
Just wondering, is there any other way to solve this issue, like put the local PCs in a white list or something like that?I think you suppressed: www.msftncsi.com
Recent discussion here:
https://forum.pfsense.org/index.php?topic=111460.msg620939#msg620939The package doesn't have a built-in whitelist. Its up to the user to decide what to block.
-
Okay thanks for the reply!
I added " www.msftncsi.com/" to the DNSBL supression list and did a "Reload All", but that didn't solve the issue. When I browse to "www.msftncsi.com/" it still gets blocked. I also killed firewall states, disabled and enabled pfblocker and DNSBL. That too didn't work. How should I proceed?
I already had one domain listed in the domain supression list, and that also still gets blocked. Maybe I have some setting wrong?