IP Block List - Do I need pfBlockerNG to block IP Addresses?
-
Hello.
PFSense 2.8.1-RELEASEI have a rule that blocks all IP addresses from a specific list. This list is dynamic and continually grows as hackers attempt to compromise any of our websites.
I have a Firewall Rule set up that uses the list.
However, I just read that it needs to have pfBlockerNG for it to block the IP Addresses properly.I installed pfBlockerNG and do not see where I am supposed to add the IP Block List.
One last thing.
In the IP Block list section, it has this.Hint: Enter as many URLs as desired. After saving, the URLs will be downloaded and the items imported into the alias. Use only with small sets of IP addresses (less than 3000).
I have just checked the list, and it contains 3,127 unique IP addresses.
Do I need to split the list to a 3000 list limit?
If that is what needs to be done. How do I add additional lists?
Do I add each new list, separated with a comma?Thanks.
Wayne -
@carrzkiss if you have a list you can download via web you can use a URL table alias
https://docs.netgate.com/pfsense/en/latest/firewall/aliases-types.html#alias-types-url
Then just use in a rule.pfBlocker can set up custom feeds but it’s unnecessary. It has a large list of feeds though which may need their own processing.
-
@carrzkiss said in IP Block List - Do I need pfBlockerNG to block IP Addresses?:
I installed pfBlockerNG and do not see where I am supposed to add the IP Block List.
Go here :
Give it a name.
A description.
Click on the first blue round I marked image for help with the 'name' and description.
Click on the second blue round I marked image for help. This one tells you you can use a local file, on the pfSense file system, your own file with IPs.Take a look at the rest of the settings. You can select how and where this list should be used.
-
If you choose to use steveITS way, note you need to change the URL type to (table).
An example.
-
I use pfblocker for alias management.. While I do have some other just native aliases. I use pfblocker functionality to manage more complex lists.
Example - here is my scan deny alias, which contains some asn's and lists from different locations that scan for open ports like shodan, etc..
And use another list for stuff that need to allow, that might be blocked by list like scan deny - this list contains country based IP lists, and other lists provided by services like plex and monitoring to know if service is up, etc. Which I use to alert me if something goes down.
I don't really use any of the other features of pfblocker - but I do love its easy management of just native aliases.
You can also easy add just 1 off networks/ips etc.. to your alias you create in the bottom custom section
When bored or whatever I take a look at my firewall log - and notice something scanning but not in my scan deny list, I will look up the details and normally block the whole netblock, etc.
-
C carrzkiss referenced this topic on
-
Hello, @johnpoz
I have been working on the website and have just created a new database and completely recoded how I handle all website traffic.
I gather the USER_AGENT, check whether it is a BOT, and store the data in its own table.
And if it is regular traffic, I place its data in its own table.Since placing this new code on the live website, I looked at the regular visitors, and there are a lot of hits, coming fast, from Singapore with different IP Addresses.
The IP Addresses I checked are all listed with abuseipdb.com.From what I see in my database, there are no issues: no SQL Injection or XSS attacks. Just shows the URL the IP visited.
Looking at your screenshots, I see that you have the [ScanDeny].
Would these entries disrupt the good traffic, or would they only affect the bad traffic?I want to make sure I don't block someone who might be good, even if they were just hijacked to send random internet traffic through, or is that something I will just have to worry about later when it becomes an issue?
Thanks.
-
@carrzkiss depends on how you setup your rules.. Anything in scan deny is blocked outright - ie bad ip list.. If you make it through that filter, then my rules for actually talking to my service you have to be on allow list.
In my case US, belgium IPs - and known good IPs
But yes if your IP is on the bad list you are blocked, doesn't matter if your IP is from US or even if on the good list - if you are marked bad your not touching anything.
example: I block any IP from digital ocean - since there is zero chance anyone that I would want to talk to my services would ever being coming from DO.. Ever!! If they do too bad your blocked..
-
@johnpoz
I think what I might do, for testing, is create a list of IPs from the ones that are hitting from Singapore, and from other places that are doing what looks like a short burst of DDOS attacks. -
@carrzkiss do you have valid users in Singapore? If not block the whole range of their IPs. This is really easy to do with pfblocker.
If all you want to do is some block lists of ips or ranges that you don't like what they are doing - that can be done with just the native alias lists functions built right into pfsense.
But yeah that is a good start. Just put your bad list of ips either on the top of your wan interface rule set - before your allows for your port forwards. Or put such list in your floating tab.
Unless your userbase is really global - its much easier to just use allow lists for the countries you want to allow. This can filter many many of the bad guys with 1 simple rule and filter list.
