Author Topic: IP-Blocklist  (Read 6564 times)
tommyboy180
« on: May 01, 2010, 09:10:32 pm »

Just like PeerGuardian2, the IP-Blocklist package can block ranges of IPs from lists or manual input. This is a global IP blocking package.

Info:
This package uses pf (pfctl) to block IP addresses. For each IP range or list added, a pf table is made and applied to the firewall to prevent traffic from being sent to and traffic from being received from the target. You can either enter an IP range manually (experimental) or add a list from sites like iblocklist.com.
Tested on 1.2.2 and 1.2.3 with FF only. IE not supported.

Limits:
Lists can have any extension, BUT if the list is compressed, only .gz is supported.
Long lists take more RAM (not much).

Format
The lists must be in the PeerBlock or PeerGuardian2 format.
Single IP Example: NAS:192.168.1.110-192.168.1.110
Range IP Example: HOME:192.168.1.0-192.168.1.255

FAQ:
Q: How do I know if the list got applied?
A: The package web interface will display the current status.

Q: I notice a performance drop with network traffic after applying.
A: When applying the list, the system has to download and process the list. This should only take less than 2 mins.

Q: I have the "Enable" check box checked but I don't think it's blocking any IPs.
A: Any errors will be at the bottom of the page when you press Save/Update.

Q: My list site only gives dynamic links to lists (I can't get a direct link to the file).
A: You need a direct link to the file in order for the package to work. Use a download manager like FF has. Download the file then go back to the download manager and copy the file link. Paste that into the package. File upload may be in the future.  

Q: Where can I get lists to block SPAM and other bad IPs?
A: http://www.iblocklist.com/lists.php

Q: I think I can improve your package or add features, how can I help?
A: Send me a PM


« Last Edit: May 30, 2010, 12:47:30 pm by tommyboy180 »

-Tom Schaefer
SuperMicro 1U 2X Intel pro/1000
Dual Core Intel 2.2 Ghz - 2 Gig RAM
simby
« Reply #1 on: May 02, 2010, 04:48:04 am »

And where is packet to download? :)
jigpe
« Reply #2 on: May 02, 2010, 09:56:19 pm »

Thanks for the file :) Gonna test this out this afternoon. I'll let you know the updates :)
Thanks again. Great job :)

jigp
1.2.2
Cino
« Reply #3 on: May 03, 2010, 11:04:18 am »

I can't seem to locate this package. Is it called 'URL Table Aliases'?
tommyboy180
« Reply #4 on: May 03, 2010, 04:53:27 pm »

Version 0.1.5 is complete. This update uses pf tables as the blocking method. This brings a huge performance boost but uses more RAM. New screenshot added.

Package will be committed soon. Just trying to get a hold of a DEV to commit. I also have some new updates to the package, one update will let you process a level1 list in 2 seconds and apply it immediately!

Thank you jim-p for the idea.

You can download the packages right now while you wait for a DEV to commit them. http://www.tomschaefer.org/temp/pfsense/packages/
« Last Edit: May 03, 2010, 08:55:30 pm by tommyboy180 »

-Tom Schaefer
SuperMicro 1U 2X Intel pro/1000
Dual Core Intel 2.2 Ghz - 2 Gig RAM
Cino
« Reply #5 on: May 04, 2010, 10:47:04 am »

I installed 0.1.5 and when I try to start it I get this error: ipblocklist.conf:8: cannot define table ipblocklist: Cannot allocate memory

Running 1.2.3. Lots of add-ons: squid, squidguard, snort. I have 1.7g free of memory.
tommyboy180
« Reply #6 on: May 04, 2010, 12:20:07 pm »

I am working on an update. I think the big lists are hitting a ceiling. I should have 0.1.6 out here soon, at least within the week.

-Tom Schaefer
SuperMicro 1U 2X Intel pro/1000
Dual Core Intel 2.2 Ghz - 2 Gig RAM
Cino
« Reply #7 on: May 04, 2010, 12:45:53 pm »

It's a limit on the system, I think.

# pfctl -sm
states        hard limit    10000
src-nodes     hard limit    10000
frags         hard limit     5000
tables        hard limit     1000
table-entries hard limit   200000


Would need to increase table-entries somehow... I'm playing with URL Table Aliases and notice I get the error with the Level1 list.
tommyboy180
« Reply #8 on: May 06, 2010, 01:06:10 am »

Update 0.1.6 released.

-Tom Schaefer
SuperMicro 1U 2X Intel pro/1000
Dual Core Intel 2.2 Ghz - 2 Gig RAM
Supermule
« Reply #9 on: May 06, 2010, 07:17:31 am »

Release notes??

Kind regards Brian
tommyboy180
« Reply #10 on: May 06, 2010, 10:28:41 am »

0.1.6 Release Notes:
Introduction
IP-Blocklist is a global IP blocking package. The package is designed to import IP lists in the format of “Description:xx.xx.xx.xx-xx.xx.xx.xx”. This is the format that PeerGuardian2 uses. Therefore, this package is a PeerGuardian2 solution at the gateway/router level.

What’s New
0.1.6 doesn’t overwrite or interfere with your existing firewall rules. 4 lines are inserted into the pf config file that allow pf to block the IPs in your list. pf is resync’d with the pf config file. Building a pf table allows you to block thousands and thousands of IP addresses in a matter of seconds. The manual IP blocking feature still uses IPFW.

Security considerations
This package gives you the power to completely block a range of networks and IPs. Be careful not to block DNS servers, internal IPs, and other IPs/networks that you rely on.

Contributed Software
   Perl IP to CIDR converter edited for this package. Original code at: http://www.bluetack.co.uk/forums/index.php?showtopic=18081&pid=84901&st=0&#entry84901
   IP2CIDR Perl script from Guy Patterson. Website: www.nullamatix.com

Requirements
   This package installs Perl and the NET CIDR Perl module. Lists can be found at iblocklist.com

Upgrading from any version to latest
Please uninstall your previous version before installing the new version. Upgrading without uninstalling will lead to unknown/unwanted effects.

To-Do list
   Script does not apply blocklist on startup.
   Large lists hit a hard limit set by the pf config file.

-Tom Schaefer
SuperMicro 1U 2X Intel pro/1000
Dual Core Intel 2.2 Ghz - 2 Gig RAM
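
The list format, the CIDR conversion and the pf table limit discussed in this thread, as an added example that is not part of any post or of the package itself (the package uses Perl; this sketch uses Python's standard library). The `PROTECTED` allowlist, the function names and all sample lines except the NAS line are assumptions made for illustration; the limit value is the one from the `pfctl -sm` output posted above.

```python
import ipaddress

# Assumptions: the limit is the "table-entries hard limit" from the pfctl -sm
# output in the thread; PROTECTED is a hypothetical never-block allowlist.
TABLE_ENTRIES_LIMIT = 200000
PROTECTED = [ipaddress.ip_network(n) for n in ("192.168.1.0/24", "192.0.2.53/32")]

def parse_line(line):
    """Parse 'Description:first-last' into (description, first_ip, last_ip)."""
    # A description may itself contain ':', so split on the last one.
    desc, _, span = line.strip().rpartition(":")
    first, sep, last = span.partition("-")
    if not sep:
        raise ValueError("missing range: %r" % line)
    lo, hi = ipaddress.IPv4Address(first.strip()), ipaddress.IPv4Address(last.strip())
    if lo > hi:
        raise ValueError("reversed range: %r" % line)
    return desc, lo, hi

def build_table(lines):
    """Return (merged CIDRs, skipped descriptions, [(line_no, error)])."""
    nets, skipped, errors = [], [], []
    for n, line in enumerate(lines, 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue  # blank line or comment
        try:
            desc, lo, hi = parse_line(line)
        except ValueError as exc:  # AddressValueError is a ValueError too
            errors.append((n, str(exc)))
            continue
        cidrs = list(ipaddress.summarize_address_range(lo, hi))
        # Refuse to block anything that touches a protected network.
        if any(c.overlaps(p) for c in cidrs for p in PROTECTED):
            skipped.append(desc)
            continue
        nets.extend(cidrs)
    merged = list(ipaddress.collapse_addresses(nets))  # dedupes and merges
    if len(merged) > TABLE_ENTRIES_LIMIT:
        raise OverflowError("%d entries exceed the pf table-entries limit" % len(merged))
    return merged, skipped, errors

# Constructed sample input (documentation ranges plus the NAS line from the post).
SAMPLE = [
    "NAS:192.168.1.110-192.168.1.110",
    "Example A:198.51.100.0-198.51.100.255",
    "Example A again:198.51.100.0-198.51.100.255",
    "Example B:203.0.113.5-203.0.113.10",
    "Bad:203.0.113.9-203.0.113.1",
]
```

Each merged CIDR counts as one pf table entry, so the length of the first return value is the number to compare against the `table-entries` limit before loading the table.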
Cino
« Reply #11 on: May 06, 2010, 12:05:22 pm »

Have you been able to get one of the devs to add it to the package manager? My dumba$$ did something to the globals.inc file and now I can't access my box...lol... have to wait till I get home and do a quick rebuild.....
tommyboy180
« Reply #12 on: May 06, 2010, 09:10:42 pm »

I am still trying to get a hold of a dev. I have emailed them and contacted them on the freenode chat room.

I can email you a globals.inc file if you need. PM me.

-Tom Schaefer
SuperMicro 1U 2X Intel pro/1000
Dual Core Intel 2.2 Ghz - 2 Gig RAM
tommyboy180
« Reply #13 on: May 12, 2010, 04:58:30 pm »

Version 0.1.9 is complete.

Changes:
  • If enabled the block list will apply on start-up.
  • Fixed "out of memory" errors. You can now have a lvl1,2,&3 list applied at the same time. New limit is 900,000 entries
  • Removes duplicate entries to speed up process

This version is considered very stable. I have tested on 1.2.2 and 1.2.3.


-Tom Schaefer
SuperMicro 1U 2X Intel pro/1000
Dual Core Intel 2.2 Ghz - 2 Gig RAM
Supermule
« Reply #14 on: May 13, 2010, 05:20:25 am »

Nice work Tommy!!

Have you had any luck getting hold of the devs??


Kind regards Brian