pfBlockerNG v2.0

This release brings several improvements and enhancements to the existing pfBlockerNG IP Download manager capabilities, and also introduces domain name blocking ("DNSBL") via Unbound DNS Resolver. Domain blocking can be used for ADvert servers, malicious domains and/or domain filtering.

DNSBL overview: When a DNS request is made for a domain that is listed in DNSBL, the request is redirected to a Virtual IP address where an instance of Lighttpd Web Server will collect the packet statistics and push a '1x1' GIF image to the Browser. Rejected domain activity can be viewed in the "Alerts" tab along with the IP Alerts.

Due to the increased security measures in Browsers, HTTPS alerts will not display the SRC IP or Requested URL, however, the Requested Domain name will be logged to the Alerts tab along with all HTTP alerts.

To reduce False Positives, the "Alexa" Top 1M sites can be used to suppress the most popular sites. Settings allow for the number of Top sites and which TLDs (.com, .org etc) to include in the Alexa Suppression list.

Improved Features

[ [color=red]cURL ]

PHP cURL library is now used to download all Lists/Feeds/Maxmind/Alexa files. This allows for increased security settings and collection of HTTP response codes. Allowed SSL Ciphers (TLSv1.2 and TLSv1) and default settings (SSL_VERIFYPEER, SSL_VERIFYHOST).

Added a "Flex" option to allow for the downgrade of the SSL connection, if required. The "Flex" option (when enabled) will downgrade on the following HTTP (RFC7231) response codes:

35 - GET_SERVER_HELLO:sslv3

51 - NO alternative certificate

60 - Local Issuer Certificate Subject

The following settings will be downgraded:

disable verifypeer

disable verifyhost

adds SSLv3 SSL Cipher.

(It is not recommended to use the "Flex" setting; however not all Lists/Feeds support the increased security measures. Expect overtime that these Lists/Feeds will improve their security.)

[ [color=red]Alerts Tab ]

The Alerts tab has been refactored. Improvements in efficiency and accuracy in the IP/CIDR for the reported Alerts. The Suppression Icon is now only visible for /32 and /24 CIDRS, all other suppression's require an 'Outbound' allow firewall rule to circumvent the blocklist. Hostnames for local devices are now displayed under each Alerted IP. When 'Filter options' are used, they will be preserved on page refreshes.

[ [color=red]Reputation ]

All reputation functions have been refactored and improvements made to the overall efficiency.

[[color=red] IP Parser ]

The IP parser has been converted to use String functions vs regex functions, for a significant improvement in efficiency.

[ [color=red]List/Feed Format ]

The package will now "automagically" determine what 'Format' is required to extract and parse any given URL.

[ [color=red]Firewall Rules ]

The "Firewall Rule" creation function has been improved. Please verify your firewall rules post installation to ensure they are as expected.

[ [color=red]Config Save ]

Only when changes are made to the settings, will pfBlockerNG save its settings to the pfSense config file. This will reduce the spammed backups that were being created at each hourly CRON task interval.

[ [color=red]XMLRPC ]

XMLRPC sync has been improved to include support for hostnames and IPv6 addresses.

[ [color=red]XSS potential ]

Fixed XSS potentials in several functions of the code.

New Features

[ [color=red]Whois ]

A whois feature has been added to convert an AS number into its respective IP Addresses. Entering a Domain name will also collect its host IP Address.

[ [color=red]CIDR Aggregation ]

Aggregation will optimize contiguous network prefixes in a List, and remove any superfluous prefixes which are already included in another prefix. Depending on the hardware used, Aggregation can use a significant amount of resources if the list being aggregated is large.

[ [color=red]Max daily download failure attempts ]

Allows for the configuration of a "max daily download failure threshold" for the CRON updates. If this setting is defined, attempts will be made to re-download up-to the threshold defined. The 'failed download' counters can be clearing in the widget.

[ [color=red]Restore previous download on failure ]

When enabled, the previously downloaded file contents are used on a download failure. (Defaulted to 'on')

[[color=red] Kill States ]

After a cron event or any 'Force' commands (when enabled), any IPs listed in any Blocklists; if found in the Firewall states will be cleared and logged. States removal can be bypassed on an alias by alias basis if required.

[[color=red] Tracker IDs ]

The pfBlockerNG Firewall Rules now include a 'Tracker ID', this ID is based upon the Alias name (Sum of the ASCII characters ORD values). This ID is a 10 digit number, prefixed with '177'. This ID will remain static unless the Alias name is changed. If the Firewall Logs are pushed to a remote syslog, you can use the Tracker ID as a reference to the pfBlockerNG Alias.

Further details are available in the following forum thread:

https://forum.pfsense.org/index.php?topic=86212.0