

Messages - RonpfS

Pages: [1] 2 3 4 5 ... 47
1
pfBlockerNG / Re: pfBlockerNG configuration for a newbie :)
« on: January 16, 2018, 07:56:07 pm »
Did you guys do anything to the lists?!?!?
You have to ask that question to the "guys" who maintain the lists.

Also, when the lists are reloaded, I see that the hard limit of domains is overpassed, could that be an issue too?

------------------------------------------
Assembling database... completed
Executing TLD
TLD analysis....xxxxxxxxxxx completed
** TLD Domain count exceeded. [ 400000 ] All subsequent Domains listed as-is **
Finalizing TLD...  completed
 ----------------------------------------
That's because you don't have enough memory to get a complete TLD set. So from Cron update to Cron Update, some more domains are converted to TLD and that may demand different whitelisting.

So look at the logs to see what lists were downloaded when steepto.com became blocked.

Try a Force Reload DNSBL to see if things change.

Lower the total number of DNSBL entries by removing some big lists.


2
IDS/IPS / Re: Upgrade Suricata 4.0.3
« on: January 16, 2018, 11:51:22 am »
It is out.  What version of pfSense are you running?  It should be showing up for all 2.4.x versions.  I'm not so sure about 2.3.x versions because there may be other port dependencies that are not satisfied in that older pfSense tree.

Bill
Under 2.3.5-RELEASE-p1 (amd64) I have "Update available to 4.0.3"

3
pfBlockerNG / Re: pfBlockerNG & Firewall Aliases
« on: January 14, 2018, 11:49:39 pm »
There is probably some php system call available somewhere, look at the doc or open a question in General Questions or Firewalling sections of the forums.

4
pfBlockerNG / Re: pfBlockerNG & Firewall Aliases
« on: January 14, 2018, 08:04:49 pm »
Got the same issue here ... not all Aliases are in Tables

But when reading
Quote from: Diagnostics / Tables
Aliases become Tables when loaded into the active firewall ruleset. The contents displayed on this page reflect the current addresses inside tables used by the firewall.
You could define a "dummy" FW rule with your alias.  ;)

5
pfBlockerNG / Re: pfBlockerNG & Firewall Aliases
« on: January 14, 2018, 06:09:50 pm »
Go to Diagnostics / Tables, select the Alias name, copy, paste in your pfBlockerNG table IPv4 Custom list

You could also use a local file. Click on the "i" infoblock when you are in the pfblockerng ipv4 table.

6
pfBlockerNG / Re: pfBlockerNG SoNewConn Issues
« on: January 05, 2018, 09:32:28 pm »
Do you have the Dashboard open all the time?
Or the pfblockerNG alerts tab with auto-refresh ?

7
pfBlockerNG / Re: pfBlockerNG SoNewConn Issues
« on: January 05, 2018, 09:03:58 pm »
Did you look at the pfBlockerNG logs? System, Resolver logs? etc.

What's the size of your DNSBL db in regards to your memory?
I have about 1M DNSBL entries with 8 GB of memory. When I was running on a 2.5GB system, I had to limit to about 400K.

What is your Resolver configuration?

9
pfBlockerNG / Re: DNSBL Not Blocking Ads or Yahoo
« on: January 04, 2018, 02:26:32 pm »
Your host has to use pfsense+DNSBL DNS Resolver service.
From a PC I get
Code:
C:\Users\User1>nslookup steepto.com
Server:   pfsense.local
Address:  172.xx.xxx.254

Name:     steepto.com
Address:  10.10.10.1

10
pfBlockerNG / Re: Firewall Rules Order
« on: January 03, 2018, 12:28:41 pm »
You can adjust the FW Rules ordering in Firewall / pfBlockerNG / IP ; IP Interface/Rules Configuration ; Firewall 'Auto' Rule Order

11
pfBlockerNG / Re: pfBlockerNG configuration for a newbie :)
« on: January 03, 2018, 12:24:07 pm »
Here is my infoblock about TLD:
Quote
TLD
Enable This is an Advanced process to determine if all Sub-Domains should be blocked for each listed Domain.
Click infoblock before enabling this feature! 
This Feature is not recommended for Low-Performance/Low-Memory installations!
Definition: TLD -  represents the last segment of a domain name. IE: example.com (TLD = com), example.uk.com (TLD = uk.com)

The 'Unbound Resolver Reloads' can take several seconds or more to complete and may temporarily interrupt DNS Resolution until the Resolver has been fully Reloaded with the updated Domain changes. Consider updating the DNSBL Feeds 'Once per Day', if network issues arise.

When enabled and after all downloads for DNSBL Feeds have completed; TLD will process the Domains.
TLD uses a predetermined list of TLDs, to determine if the listed Domain should be configured to block all Sub-Domains.
The predetermined TLD list can be found in  /usr/local/pkg/pfblockerng/dnsbl_tld

To exclude a TLD/Domain from the TLD process, add the TLD/Domain to the TLD Exclusion. The specific Domain will be Blocked, but all other Sub-Domains will only be blocked if they are listed elsewhere. Whitelisting a Domain in the Custom Domain Whitelist can also be used to bypass TLD, however, the listed Domain will not be Blocked.

TLD Blacklist, can be used to block whole TLDs.  IE: xyz
TLD Whitelist is only used in conjunction with TLD Blacklist and is used to allow access to a Domain that is being blocked by a TLD Blacklist.

When Enabling/Disabling TLD, a Force Reload - DNSBL is required.

Once the TLD Domain limit below is exceeded, the balance of the Domains will be listed as-is. IE: Blocking only the listed Domain (Not Sub-Domains)
TLD Domain Limit Restrictions:

    < 1.0GB RAM - Max 100k Domains
    < 1.5GB RAM - Max 150k Domains
    < 2.0GB RAM - Max 200k Domains
    < 2.5GB RAM - Max 250k Domains
    < 3.0GB RAM - Max 400k Domains
    < 4.0GB RAM - Max 600k Domains
    < 5.0GB RAM - Max 1.0M Domains
    < 6.0GB RAM - Max 1.5M Domains
    < 7.0GB RAM - Max 2.5M Domains
    > 7.0GB RAM - > 2.5M Domains

Here is my infoblock about TLD Blacklist/Whitelist:
Quote
Note:
The TLD Blacklist is used to block a whole TLD (IE: pw).
The TLD Whitelist is used to allow access to the specific domain/sub-domains that is blocked by a TLD Blacklist; while blocking all others.
TLD Blacklist/Whitelist: A static zone entry is used in the DNS Resolver for this feature, therefore no Alerts will be generated.

Enter one TLD per line. ie: xyz
No Regex Entries and no leading/trailing 'dot' allowed!

TLD Blacklist is to be used for top TLD domains like .ru .cn .pw etc. As stated, no alerts are generated for these domains.

Your configuration doesn't even do that, as steepto.com isn't a Static zone. As it is now, only http://steepto.com will be blocked, not other subdomains.
If I look at my setup, all subdomains of steepto.com are blocked with a redirect zone
Code:
grep steepto.com /var/db/pfblockerng/dnsbl/*.txt /var/db/pfblockerng/dnsblorig/*.orig /var/unbound/pfb_dnsbl.conf /usr/local/pkg/pfblockerng/dnsbl_tld

/var/db/pfblockerng/dnsbl/EasyListWOE.txt:local-data: "steepto.com 60 IN A 10.10.10.1"
/var/db/pfblockerng/dnsblorig/ADs_SquidBL.orig:steepto.com
/var/db/pfblockerng/dnsblorig/ADs_hpHosts_ads.orig:127.0.0.1 imgg.steepto.com
/var/db/pfblockerng/dnsblorig/EasyListWOE.orig:||steepto.com^$third-party
/var/db/pfblockerng/dnsblorig/EasyList_French.orig:||steepto.com^$popup,third-party
/var/db/pfblockerng/dnsblorig/Malic2_JL_BD.orig:127.0.0.1 imgg.steepto.com
/var/db/pfblockerng/dnsblorig/Malic2_Quidsup_Trackers.orig:steepto.com
/var/unbound/pfb_dnsbl.conf:local-zone: "steepto.com" redirect local-data: "steepto.com 60 IN A 10.10.10.1"

So in your case, if you want to block all subdomains, first remove steepto.com from the TLD Exclude list, run a Force Reload DNSBL, then see what is in pfb_dnsbl.conf. As long as it is in a table (dnsblorig) you should end up with something similar to my setup.

If you don't have steepto.com in your table, you can add it to the table DNSBL Custom_List.
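Added example (not RonpfS's code, and not pfBlockerNG's or unbound's) that works through the distinction the two grep lines above show: a bare local-data record blocks exactly one name, while a "redirect" local-zone answers for every subdomain. It emulates the TLD step (TLD+1 domains become redirect zones; names on the exclusion list, deeper names, and everything past the memory-based domain limit are listed as-is, which is the situation behind the "TLD Domain count exceeded" message in the first post above) and unbound's local-zone matching, then looks names up the way a client of the Resolver would see them. The feed, the short TLD list, the 10.10.10.1 sinkhole address and the reading of the domain limit as a count of zones created are assumptions made for the demonstration.

```python
"""Emulate pfBlockerNG's TLD step and unbound's local-zone matching.

Added example, not pfBlockerNG or unbound code.  Sample feed, TLD list
and sinkhole address are constructed for the demonstration.
"""
import re

SINKHOLE_IP = "10.10.10.1"   # DNSBL VIP seen in the grep output above (assumed)

# Stand-in for /usr/local/pkg/pfblockerng/dnsbl_tld (the real file is far
# longer): suffixes under which a domain can be registered.
TLD_LIST = {"com", "net", "org", "co.uk", "uk.com"}

# Constructed feed in the formats seen in the dnsblorig/*.orig files:
# hosts-file lines, bare domains and Adblock "||domain^" rules.
FEED = """\
127.0.0.1 imgg.steepto.com
steepto.com
||tracker.example.net^$third-party
||example.net^
ads.example.co.uk
"""

ZONE_RE = re.compile(r'local-zone:\s*"([^"]+)"\s+(\w+)')
DATA_RE = re.compile(r'local-data:\s*"([^"\s]+)\s+\d+\s+IN\s+A\s+([\d.]+)"')


def extract_domains(feed_text):
    """Pull the host name out of each feed line regardless of list format."""
    names = []
    for line in feed_text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "!")):
            continue
        m = re.match(r"^(?:\d{1,3}(?:\.\d{1,3}){3}\s+)?\|{0,2}([a-z0-9.-]+)", line, re.I)
        if m:
            names.append(m.group(1).lower().strip("."))
    return names


def registrable_name(domain, tld_set):
    """TLD+1 of `domain` ('example.co.uk' for 'ads.example.co.uk'), or None
    when no suffix is a known TLD.  Longest suffix wins, so 'co.uk' beats 'uk'."""
    labels = domain.split(".")
    for i in range(1, len(labels)):
        if ".".join(labels[i:]) in tld_set:
            return ".".join(labels[i - 1:])
    return None


def tld_process(domains, tld_set, limit, exclude=()):
    """Emulate the TLD step and return unbound config lines.

    A domain that is itself TLD+1 becomes a 'redirect' local-zone, which
    answers for every subdomain.  Deeper names, names on the TLD Exclusion
    list, and every domain after `limit` zones exist (assumed reading of the
    'TLD Domain count exceeded' message) are listed as-is: one local-data
    record that blocks that exact name only.
    """
    zones, single = [], []
    for d in dict.fromkeys(domains):            # de-duplicate, keep feed order
        if registrable_name(d, tld_set) == d and d not in exclude and len(zones) < limit:
            zones.append(d)
        else:
            single.append(d)
    # unbound ignores local-data beneath a redirect zone, so drop names the
    # zones already cover (emulation choice, not necessarily pfBlockerNG's)
    single = [d for d in single if not any(d == z or d.endswith("." + z) for z in zones)]
    lines = [f'local-zone: "{z}" redirect local-data: "{z} 60 IN A {SINKHOLE_IP}"' for z in zones]
    lines += [f'local-data: "{d} 60 IN A {SINKHOLE_IP}"' for d in single]
    return lines


def parse_pfb_conf(text):
    """Read zone types and A records out of pfb_dnsbl.conf-style text."""
    zones = {z.lower().strip("."): t.lower() for z, t in ZONE_RE.findall(text)}
    data = {n.lower().strip("."): ip for n, ip in DATA_RE.findall(text)}
    return zones, data


def lookup(qname, zones, data):
    """Emulate unbound's local-zone logic for an A query.

    Exact local-data wins.  Otherwise the closest enclosing local-zone
    decides: 'redirect' answers the whole subtree with the zone's data,
    'static' answers NXDOMAIN, and a transparent zone (what unbound creates
    implicitly for bare local-data) lets the query go upstream, returned
    here as None, i.e. NOT blocked.
    """
    qname = qname.lower().strip(".")
    if qname in data:
        return data[qname]
    labels = qname.split(".")
    for i in range(1, len(labels)):
        parent = ".".join(labels[i:])
        if parent in zones:
            if zones[parent] == "redirect":
                return data.get(parent)
            return "NXDOMAIN" if zones[parent] == "static" else None
    return None


def demo():
    """Reproduce the three situations discussed in the post."""
    domains = extract_domains(FEED)
    excluded = parse_pfb_conf("\n".join(tld_process(domains, TLD_LIST, 1000, exclude={"steepto.com"})))
    processed = parse_pfb_conf("\n".join(tld_process(domains, TLD_LIST, 1000)))
    limited = parse_pfb_conf("\n".join(tld_process(domains, TLD_LIST, limit=1)))
    return {
        # steepto.com on the TLD Exclusion list: listed as-is, other subdomains leak
        "excluded_apex": lookup("steepto.com", *excluded),
        "excluded_listed_sub": lookup("imgg.steepto.com", *excluded),
        "excluded_other_sub": lookup("tracker2.steepto.com", *excluded),
        # TLD processed: the redirect zone catches every subdomain
        "processed_other_sub": lookup("tracker2.steepto.com", *processed),
        # domain limit reached after one zone: example.net is listed as-is
        "limited_first_zone": lookup("anything.steepto.com", *limited),
        "limited_asis_sub": lookup("www.example.net", *limited),
        "limited_asis_exact": lookup("example.net", *limited),
    }


if __name__ == "__main__":
    for key, answer in demo().items():
        print(f"{key:22} -> {answer}")
```

To check a live box, feed the contents of /var/unbound/pfb_dnsbl.conf to parse_pfb_conf() and call lookup() on the subdomain you care about: None for a name you expected blocked means its parent is only listed as-is, which is what the TLD Exclusion list or the memory-based domain limit produces.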

12
pfBlockerNG / Re: Can we create a diagnostic sticky?
« on: January 02, 2018, 09:06:54 pm »
You are using pfsense DNS Resolver?
And your PCs are using pfsense for DNS service?
Maybe post the logs after a Force Reload DNSBL ?

13
pfBlockerNG / Re: DNSBL Config Question
« on: January 02, 2018, 09:03:53 pm »
You select the Interfaces where devices use pfsense/DNSBL for DNS services resolution. This will create NAT rules to forward Web request to the VIP.
Please elaborate as I use it on all interfaces (I thought?) but this option only allows you to choose one from the drop down.
Yeah, I wasn't on the DNSBL tab at the time. So you select one of the LAN interfaces then  ;)

Quote from: tagit446
Have to admit this one confuses me due to the VPN.
I don't have VPNs here.


14
pfBlockerNG / Re: DNSBL Config Question
« on: January 02, 2018, 08:06:19 pm »
In "DNSBL Configuration" --> "DNSBL Listening Interface" - I have LAN1, LAN2 , W_LAN, ExpressVPN_NY and ExpressVPN_NJ. Does it matter which one I choose?
You select the Interfaces where devices use pfsense/DNSBL for DNS services resolution. This will create NAT rules to forward Web request to the VIP.

Quote from: tagit446
Same for "DNSBL Configuration" --> "DNSBL Firewall Rule" - I have the same options plus OpenVPN. Currently I have LAN1, LAN2 and W_LAN selected. The VPN runs on LAN2 and W_LAN Should they all be selected?
Select the interfaces that have devices using pfsense as the router for IP blocking.

Quote from: tagit446
For "DNSBL IP Firewall Rule Settings" --> "List Action" - Some tutorials i read say to set it to "Deny Both" and other tutorials say to set it to "Deny Outbound". Which setting is typically best?
Deny Outbound should be enough if you have no open ports on the WAN side, as the default block rule already blocks traffic.

Deny Both is for when you have open ports on the WAN side.

15
pfBlockerNG / Re: Can we create a diagnostic sticky?
« on: January 02, 2018, 07:57:15 pm »
The logs should tell you something
