so it is indeed blocking 1.1.1.1, but when I download Snort_ipblocklist, that address is nowhere in the list. What am I missing? And who would block Cloudflare DNS, and why?
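One reason a literal search for an address can come up empty while the firewall still blocks it is that block feeds mix single addresses with CIDR ranges, so a host can be covered by a range entry without appearing as its own line. The script below is an added example written for this thread, not code from pfBlockerNG or Snort; the feed text is constructed (it does not reproduce any real list), and the `1.1.0.0/16` entry is included only to show how a range entry covers an address that is never listed literally.

```python
import ipaddress
from typing import List, NamedTuple, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Constructed sample feed, not a real pfBlockerNG or Snort list.
# It uses the layout such feeds commonly have: comments, blank lines,
# bare addresses, CIDR ranges and the occasional malformed line.
SAMPLE_FEED = """\
# constructed sample feed
192.0.2.7
203.0.113.0/24   ; range entry
1.1.0.0/16       # constructed range that happens to cover 1.1.1.1

2001:db8::/32
not-an-address
"""


class Entry(NamedTuple):
    network: Network   # parsed address or range
    line_no: int       # 1-based line in the feed, for reporting
    raw: str           # original line, for reporting


def parse_blocklist(text: str) -> List[Entry]:
    """Parse a feed into network entries; single addresses become /32 or /128."""
    entries: List[Entry] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        # Strip '#' and ';' comments, then take the first token only.
        token = line.split("#", 1)[0].split(";", 1)[0].strip()
        if not token:
            continue
        token = token.split()[0]
        try:
            network = ipaddress.ip_network(token, strict=False)
        except ValueError:
            continue  # malformed line: skip, the feed is untrusted input
        entries.append(Entry(network, line_no, line.rstrip()))
    return entries


def find_covering_entries(address: str, entries: List[Entry]) -> List[Entry]:
    """Return every entry (literal or range) that contains the address."""
    ip = ipaddress.ip_address(address)
    return [
        e for e in entries
        if e.network.version == ip.version and ip in e.network
    ]


def is_listed_literally(address: str, entries: List[Entry]) -> bool:
    """True only if the address appears as a single-host entry."""
    ip = ipaddress.ip_address(address)
    return any(
        e.network.num_addresses == 1 and e.network.network_address == ip
        for e in entries
    )


def explain(address: str, entries: List[Entry]) -> str:
    """Human-readable summary of why an address is (not) covered by the feed."""
    hits = find_covering_entries(address, entries)
    if not hits:
        return f"{address}: not covered by any entry in this feed"
    how = "listed literally" if is_listed_literally(address, entries) else "covered by a range"
    lines = ", ".join(f"line {e.line_no} ({e.network})" for e in hits)
    return f"{address}: {how} -> {lines}"


if __name__ == "__main__":
    feed = parse_blocklist(SAMPLE_FEED)
    for addr in ("1.1.1.1", "192.0.2.7", "8.8.8.8", "2001:db8::1"):
        print(explain(addr, feed))
```

Run it against a downloaded feed by replacing `SAMPLE_FEED` with the file contents; if the address is covered by a range, the output names the line to look at. If nothing matches, the block is coming from a different feed or rule than the one being inspected, which is the next thing to check in the pfBlockerNG alerts.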
Definitely use pfBlockerNG devel. As I understand it, the non-devel version is no longer maintained. But I guess the bigger question for me is how did Snort get involved? Snort is an intrusion detection/prevention system, separate and apart from pfBlocker. When I check my pfBlocker feeds, Snort is not an option, but I don’t use Snort; I use Crowdsec. Do you have Snort somehow feeding pfBlockerNG?
I would do two things. First, I would ditch Snort. Snort can’t work on encrypted packets, and with >90% of your traffic being TLS encrypted, Snort isn’t going to be very effective unless you do SSL/TLS interception (which is complex, breaks things, and has its own security implications). If you want an IDS/IPS, I would advise you to look at Crowdsec instead.
Second, you probably don’t want to send unencrypted DNS traffic to Cloudflare. I force everything out to Cloudflare encrypted. I also have firewall rules to block all external DNS, and I set up a sinkhole for the Firefox canary domain (a DNS host override pointing use-application-dns.net to 0.0.0.0).