You may want to check out the more recent guides I wrote for the updated version of these scripts:

www.geoghegan.ca/unbound-adblock.html

www.geoghegan.ca/pfbadhost.html


On 08/24/18 06:32, jin&hitman&Barracuda wrote:
Hello

Thanks for sharing all this information. I've been looking for a way to create a blacklist and you sent this mail just in time. Your web page helped me a lot. On OpenBSD your script does all the jobs, but on Linux-based systems I wrote a shell script to update iptables rules.

http://analog-radyo.blogspot.com/2018/08/dynamic-block-list-on-linux-iptables.html


On Sat, 30 Dec 2017 at 01:52, Jordan Geoghegan <jgeoghega...@gmail.com> wrote:

    Hi everyone,

    Due to the number of people who have requested my ad-blocking scripts,
    I figured I would also post them to @misc so anyone can easily enjoy
    network-wide bad-host/ad-blocking.

    I won't go into detail on how to set up routing/dhcp/unbound/anchors
    etc, for that see: https://www.openbsd.org/faq/pf/example1.html

    I've included some example files from an Edgerouter I have set up.
    They are trimmed down for brevity's sake; the conf files are not
    production ready, these are merely examples.

    This setup is easily customizable; if you come across any other block
    lists you prefer, then they can be dropped in no problem. I chose to use
    solely the StevenBlack hosts file because it is a master list compiled
    from all the major banlists found in popular blocking products such as
    uBlock Origin, Adblock Plus et al. I also chose this file because it is
    filtered for duplicates, as unbound(8) is said to struggle when there are
    redundancies in the blocklists, I'm told -- though I've never had any issue.

    You're going to have to read the scripts and create the directories the
    scripts are calling, edit the anchor macros to fit your interface layout
    (I doubt everyone here is running cnmac0 as egress), and also make the
    scripts executable and set them to run at regular intervals with
    crontab, ideally nightly.

    I didn't make these scripts intelligent because I figured it was simpler
    to just run mkdir once rather than add extra lines to the script.

    I know the pf.conf is fairly long; I thought I would show my prio and
    queueing setup as an example, or conversely to see if anyone can poke
    any holes in it.

    All the relevant bits regarding the anchors and blocklists are found at
    the end of the pf.conf file. See below that for the anchor conf files
    we're calling as well.

    Hope this helps,

    Jordan Geoghegan


    First, the scripts:

    *DNS ad-blocking script:*

    StevenBlack.sh:

    cd /var/unbound/etc/banlist && \
    ftp https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts && \
    grep '^0\.0\.0\.0' hosts | \
    awk '{print "local-zone: \""$2"\" redirect\nlocal-data: \""$2" A 0.0.0.0\""}' > ads.conf && \
    rcctl reload unbound   # reload only if the download and conversion succeeded

    ###

    *IP based malicious IP blocking:*

    banlist.sh:

    cd /etc/blocklist && \
    ftp https://www.binarydefense.com/banlist.txt && \
    ftp https://rules.emergingthreats.net/blockrules/compromised-ips.txt && \
    ftp https://rules.emergingthreats.net/fwrules/emerging-Block-IPs.txt && \
    ftp https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/firehol_level3.netset && \
    pfctl -a banlist -f /etc/banlist.conf

    ###

    As you can see, we are going to have to make an anchor in pf called
    'banlist' and modify the unbound.conf to load our banlist 'ads.conf'.

    If that's all you need, then you're pretty much good to go. If you
    would like to see my example conf files, see below.

    *Example unbound.conf:*

    # $OpenBSD: unbound.conf,v 1.7 2016/03/30 01:41:25 sthen Exp $

    server:
            interface: 172.17.17.1
            interface: 127.0.0.1
            access-control: 172.17.17.0/24 allow
            access-control: 172.17.0.0/24 allow
            do-not-query-localhost: no
            hide-identity: yes
            hide-version: yes
            include: /var/unbound/etc/banlist/ads.conf

    forward-zone:
            name: "."
            forward-addr: UR.DNS.GO.HERE
            forward-addr: UR.DNS.GO.HERE

    ###


    *Example pf.conf:*

    #       $OpenBSD: pf.conf,v 1.54 2014/08/23 05:49:42 deraadt Exp $
    #
    # See pf.conf(5) and /etc/examples/pf.conf

    # By default, do not permit remote connections to X11
    block return in on ! lo0 proto tcp to port 6000:6010
    #
    ext_if="{ cnmac0 }"
    int_if="{ cnmac1 cnmac2 }"
    lan_if="{ cnmac1 }"
    wifi_if="{ cnmac2 }"
    goodguys="{ 172.17.17.0/24 }"
    wifiguys="{ 172.17.0.0/24 }"
    chromecast="{ 172.17.0.12 172.17.0.13 172.17.0.23 }"
    xbox360="{ 172.17.0.19 }"
    printer="{ 172.17.0.17 }"
    Jordan="{ XXX.XX.XXX.XX }"

    table <martians> { 0.0.0.0/8 10.0.0.0/8 127.0.0.0/8 169.254.0.0/16 \
        172.16.0.0/12 192.0.0.0/24 192.0.2.0/24 224.0.0.0/3 \
        192.168.0.0/16 198.18.0.0/15 198.51.100.0/24 \
        203.0.113.0/24 }


    # Queue List [ Download ]
    queue download on cnmac2 bandwidth 70M max 70M
    queue media-down parent download bandwidth 20M min 5M max 20M burst 24M for 200ms
    queue xbox-down parent media-down bandwidth 4M max 4M burst 8M for 200ms
    queue chrome-down parent media-down bandwidth 16M max 16M burst 20M for 225ms
    queue std-down parent download bandwidth 50M min 5M max 50M burst 70M for 500ms default


    set block-policy drop
    set loginterface egress
    set skip on lo0
    match in all scrub (no-df random-id max-mss 1440)
    match out on egress inet from !(egress:network) to any nat-to (egress:0)
    block in quick on egress from <martians> to any
    block return out quick on egress from any to <martians>
    block quick inet6
    block all

    # A bit of edgy prio and bandwidth queuing, I felt like taking pf
    # out for a test drive here

    pass in on $lan_if from $goodguys tag LAN set prio 6
    pass in on $wifi_if from $wifiguys tag WIFI modulate state set queue std-down
    pass in on $wifi_if from $chromecast tag CHROME modulate state set prio 2 \
        set queue chrome-down
    block out on $lan_if tagged WIFI
    block out on $lan_if tagged CHROME
    antispoof for { egress cnmac0 cnmac1 cnmac2 lo0 }
    pass in quick on $ext_if from $Jordan to any tag Jordan
    block in on $ext_if proto { tcp udp } from any to any port ssh ! tagged Jordan
    pass out on $ext_if inet


    # Printers Ruleset | Block Printer on Egress && allow $goodguys subnet
    block out on $ext_if from $printer to any
    pass out quick on $wifi_if from $goodguys to $printer

    # Spammers
    anchor banlist
    load anchor banlist from "/etc/banlist.conf"

    # DNS Redirect
    anchor dns
    load anchor dns from "/etc/dns-redirect.conf"


    ###

    *Anchor banlist.conf:*


    #   $OpenBSD: pf.conf,v 1.54 2014/08/23 05:49:42 deraadt Exp $
    #
    ## Spammers ##

    table <banlist> persist file "/etc/blocklist/banlist.txt" \
        file "/etc/blocklist/compromised-ips.txt" \
        file "/etc/blocklist/emerging-Block-IPs.txt" \
        file "/etc/blocklist/firehol_level3.netset"
    block in on egress from <banlist> to any
    block out log on egress from any to <banlist>


    ####

    *Anchor dns-redirect.conf:*


    #   $OpenBSD: pf.conf,v 1.54 2014/08/23 05:49:42 deraadt Exp $
    #

    wifi_lan="{ cnmac2 }"

    # DNS Redirect
    pass in on $wifi_lan proto { tcp udp } from any to \
        { 8.8.8.8 8.8.4.4 208.67.222.222 208.67.220.220 209.244.0.3 } port 53 \
        tag google rdr-to 172.17.17.1

    # I added this because several devices were aggressively pinging
    # 8.8.8.8 on my network and it was annoying me
    pass in on $wifi_lan from any to { 8.8.8.8 8.8.4.4 } \
        tag google rdr-to 172.17.17.1





--
/There is no place like "/home"/
/Tuco (Benedicto Pasifico Juan Maria) Ramirez/
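The two filters below are an added example and not code from the original post or from the newer scripts linked at the top. They sit between the downloads and their consumers in the scripts quoted above: StevenBlack.sh emits a local-zone for whatever follows 0.0.0.0 on each line without checking it, and banlist.sh hands the downloaded files to pf exactly as fetched, so comment lines, CRLF endings, duplicates and, should a list ever carry one, your own prefix all go straight through. Both filters are plain sh plus awk, so they run on an OpenBSD base install. The sample hosts and IP data are constructed for the demo, the NEVER_BLOCK default takes the LAN/WIFI prefixes from the example pf.conf, and the output file name in the usage comment is an assumption.

```shell
#!/bin/sh
# Added example, not from the original post: filter the downloaded lists
# before unbound(8) and pf(4) load them. The post's scripts feed the raw
# downloads straight in; these filters strip comments and CRLF, drop
# malformed entries and duplicates, and keep your own prefixes out of
# the pf table. Sample data and the NEVER_BLOCK default are assumptions.

# hosts_to_unbound: hosts-format list on stdin -> unbound local-zone/
# local-data lines on stdout. Only "0.0.0.0 name" and "127.0.0.1 name"
# lines count; names are lower-cased, must look like a dotted hostname
# (which drops the literal "0.0.0.0 0.0.0.0" and localhost entries that
# hosts files carry) and are emitted once each.
hosts_to_unbound() {
    awk '
    { sub(/\r$/, ""); sub(/#.*/, "") }
    NF < 2 || ($1 != "0.0.0.0" && $1 != "127.0.0.1") { next }
    {
        for (i = 2; i <= NF; i++) {              # several names per line are legal
            name = tolower($i); sub(/\.$/, "", name)
            if (name ~ /^[0-9.]+$/ || name == "localhost.localdomain") continue
            if (name !~ /^[a-z0-9]([a-z0-9.-]*[a-z0-9])?$/) continue
            if (name !~ /\./ || name ~ /\.\.|\.-|-\./ || length(name) > 253) continue
            if (seen[name]++) continue
            printf "local-zone: \"%s\" redirect\nlocal-data: \"%s A 0.0.0.0\"\n", name, name
        }
    }'
}

# Prefixes that must never reach the pf table even if a list contains them
# (assumed from the post's pf.conf: LAN, WIFI, loopback); export NEVER_BLOCK to override.
NEVER_BLOCK="${NEVER_BLOCK:-172.17.17.0/24 172.17.0.0/24 127.0.0.0/8}"

# iplist_to_table: one or more IP lists on stdin -> clean IPv4 address/CIDR
# lines on stdout for `table <banlist> persist file "..."`. Drops "#"/";"
# comments, anything that is not a dotted quad with an optional /0-32, every
# entry overlapping a NEVER_BLOCK prefix (overlap, not just containment: a
# list entry of 172.16.0.0/12 would cut you off too) and duplicates.
iplist_to_table() {
    awk -v never="$NEVER_BLOCK" '
    # parse("a.b.c.d[/p]"): set PS/PE to the first/last address of the
    # prefix as integers (no bitwise ops needed); return 0 if malformed.
    function parse(str,    oct, i, p, ip, blk) {
        p = 32
        if (str ~ /\//) {
            p = str; sub(/.*\//, "", p); sub(/\/.*/, "", str)
            if (p !~ /^[0-9]+$/ || p + 0 > 32) return 0
        }
        if (split(str, oct, ".") != 4) return 0
        ip = 0
        for (i = 1; i <= 4; i++) {
            if (oct[i] !~ /^[0-9]+$/ || oct[i] + 0 > 255) return 0
            ip = ip * 256 + oct[i]
        }
        blk = 2 ^ (32 - p)
        PS = int(ip / blk) * blk; PE = PS + blk - 1
        return 1
    }
    BEGIN { n = split(never, nb, " ")
            for (i = 1; i <= n; i++) if (parse(nb[i])) { ns[++k] = PS; ne[k] = PE } }
    {
        sub(/\r$/, ""); sub(/[#;].*/, "")
        if (NF != 1) next                        # blank, or junk after the entry
        if (!parse($1)) { bad++; next }
        for (i = 1; i <= k; i++)
            if (PS <= ne[i] && ns[i] <= PE) { prot++; next }
        if (seen[sprintf("%.0f-%.0f", PS, PE)]++) { dup++; next }   # 1.2.3.4 == 1.2.3.4/32
        kept++; print $1
    }
    END { printf "kept %d, dropped %d malformed, %d duplicate, %d protected\n",
                 kept, bad, dup, prot > "/dev/stderr" }'
}

HOSTS_SAMPLE='# StevenBlack-style sample (constructed)
127.0.0.1 localhost
127.0.0.1 localhost.localdomain
255.255.255.255 broadcasthost
0.0.0.0 0.0.0.0
0.0.0.0 ads.example.com   # trailing comment
0.0.0.0 Tracker.Example.NET
0.0.0.0 ads.example.com
0.0.0.0 -bad-.example.com
0.0.0.0 metrics.example.org telemetry.example.org'
IPLIST_SAMPLE='# firehol-style comment
; emergingthreats-style comment
198.51.100.7
198.51.100.7/32
203.0.113.0/24   # documentation net
172.17.0.200
172.16.0.0/12
256.1.1.1
192.0.2.1/33
not-an-address'

# Demo on the samples; against the real downloads (output name assumed), e.g.:
#   hosts_to_unbound < hosts > /var/unbound/etc/banlist/ads.conf && rcctl reload unbound
#   cat banlist.txt compromised-ips.txt emerging-Block-IPs.txt firehol_level3.netset |
#       iplist_to_table > /etc/blocklist/banlist.clean && pfctl -a banlist -f /etc/banlist.conf
printf '%s\n' "$HOSTS_SAMPLE" | hosts_to_unbound
printf '%s\n' "$IPLIST_SAMPLE" | iplist_to_table
```

If you point the `file` entries in banlist.conf at the cleaned output instead of the raw downloads, the one-line summary awk prints on stderr (kept/malformed/duplicate/protected counts) is what to watch in the nightly cron mail: a sudden drop in "kept" means a download failed or a list changed format, and a non-zero "protected" count means a list tried to ban one of your own prefixes.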
