Something like Peerblock that runs ON your router...

gibber (Gawd, joined Jul 16, 2007, 759 messages)
I've been searching, but haven't found this yet. Usually I'm good at "googling" things, but this has stumped me so far. :(

Today's routers are more than powerful enough - could someone tell me which router firmwares will load "block lists" for blocking "bad" IP ranges? (Want to block IPs of known: malware/spyware sources, SPAM senders, "bot net" bots, anti P2P, etc.).

Surely there must be some routers/firmwares which support this by now? :D

I know that most router's firmware GUIs ("web interface") will have a page where you can switch between whitelist or blacklist and manually add IPs, but if you could at least load them from a file, or specify a host to download them from, that would basically do what's needed to have something like a "Peerblock" shield protecting your whole LAN at the router.
 
Depends on what router you are trying to flash. DD-WRT may have that function on some of their firmwares (not sure, as I do not follow development of DD-WRT).

Your best bet would be to set up something like a pfSense box or buy a Ubiquiti EdgeRouter, which gives you a lot more functionality than just a flashed consumer router.
 
You should look into blocklists that are used for spam, like Spamhaus Zen. They include IPs that are known to be infected with malware/viruses/spam-sending things/botnets/etc. I use their blocklist, along with a few others, with an IPTables firewall wrapper called "ConfigServer Security and Firewall".
 
Depends on what router you are trying to flash.
Actually, what router I buy depends on what I find out through this thread - I posted the thread to try and help figure out which router to get. Other features I want in the router are: good 2.4 GHz "N" range and excellent NAS performance through a disk connected to the router's USB or eSATA port.

Your best bet would be to set up something like a pfSense box or buy a Ubiquiti EdgeRouter, which gives you a lot more functionality than just a flashed consumer router.
Well, recent under-$200 routers come with ~1 GHz or faster multi-core processors and a decent amount of RAM.

I suppose I could use one of my unused PCs hooked up to a gigabit switch, then I have to still add some kind of WAP. It will use more power, take up more room, possibly be less reliable.

Whoa, OK - I just looked up the Ubiquiti EdgeRouter Lite and it's only $100. I guess it would make more sense to use that, and add a very basic WiFi router on the LAN side, and let the EdgeRouter protect me from the WAN side... Will read about it more. Thanks.

You should look into blocklists that are used for spam, like Spamhaus Zen. They include IPs that are known to be infected with malware/viruses/spam-sending things/botnets/etc. I use their blocklist, along with a few others, with an IPTables firewall wrapper called "ConfigServer Security and Firewall".

How do you run this on your router? That is the key point of my post. I want an easy way to get these large block lists running on the router itself, so everybody behind it including wife/kids/guests, are all protected without me worrying if their PCs have been updated recently.
 
I currently use EdgeRouters everywhere, and just found this:
http://community.ubnt.com/t5/EdgeMAX/Using-spamhaus-lists/m-p/578909/highlight/true#M15197

I'm going to try to set it up soon, looks simple enough. The EdgeRouter Lite and UniFi AP are a good combination.
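The two posts above (CSF on a Linux firewall, and Spamhaus lists on an EdgeRouter) both come down to the same mechanism underneath: feed a downloaded list into an ipset and match it from a single iptables rule, so the router never walks thousands of individual rules. The script below is an added example written for this thread, not code from CSF, Ubiquiti or the linked community post. It assumes a Linux router with ipset and iptables, a list in the Spamhaus DROP-style "prefix ; comment" layout, and a set called BLOCKLIST (a hypothetical name). The sample list embedded in it is constructed for demonstration and contains no real addresses. It validates each line, builds the new set under a temporary name and swaps it in atomically, so the live set is never empty mid-reload, and it prints (rather than applies) the firewall rules, since applying them needs root on the router.

```shell
#!/bin/sh
# Added example: turn an IP blocklist into an 'ipset restore' script that is
# loaded into a temporary set and atomically swapped into the live set.
# Assumed input format (Spamhaus DROP style, constructed here, not real data):
#   192.0.2.0/24 ; SBL-example-1
# Hypothetical set name; override with SET_NAME=... in the environment.
SET_NAME="${SET_NAME:-BLOCKLIST}"

# Usage: blocklist_to_ipset_restore SETNAME FILE  | ipset restore
# Emits create/add/swap/destroy commands. Comments (';' or '#'), blank lines,
# and anything that is not a syntactically valid IPv4 address or prefix are
# skipped, so a corrupted download cannot inject garbage into the set.
blocklist_to_ipset_restore() {
    setname="$1"
    file="$2"
    tmp="${setname}_tmp"
    echo "create ${tmp} hash:net family inet hashsize 4096 maxelem 262144 -exist"
    echo "flush ${tmp}"
    awk -v tmp="$tmp" '
        { sub(/[;#].*/, ""); gsub(/^[[:space:]]+|[[:space:]]+$/, "") }
        $0 == "" { next }
        {
            n = split($0, p, "/")
            if (n > 2 || split(p[1], o, ".") != 4) next
            ok = 1
            for (i = 1; i <= 4; i++)
                if (o[i] !~ /^[0-9]+$/ || o[i] > 255) ok = 0
            if (n == 2 && (p[2] !~ /^[0-9]+$/ || p[2] > 32)) ok = 0
            if (ok) printf "add %s %s -exist\n", tmp, $0
        }' "$file"
    # ensure the live set exists, then swap the freshly built set into place
    echo "create ${setname} hash:net family inet hashsize 4096 maxelem 262144 -exist"
    echo "swap ${tmp} ${setname}"
    echo "destroy ${tmp}"
}

# Number of entries that survived validation (handy for sanity-checking a
# download before trusting it: a list that shrank to zero is a broken fetch).
count_valid_entries() {
    blocklist_to_ipset_restore "$1" "$2" | grep -c '^add '
}

# Print the iptables rules that make the set bite in both directions:
# inbound from listed sources, and outbound/forwarded traffic to listed
# destinations (the "infected host calling home" case raised in the thread).
print_firewall_rules() {
    setname="$1"
    echo "iptables -I INPUT   -m set --match-set ${setname} src -j DROP"
    echo "iptables -I FORWARD -m set --match-set ${setname} src -j DROP"
    echo "iptables -I FORWARD -m set --match-set ${setname} dst -j DROP"
    echo "iptables -I OUTPUT  -m set --match-set ${setname} dst -j DROP"
}

# Constructed sample list (RFC 5737 documentation ranges, not real offenders),
# including malformed lines that the converter must reject.
write_sample_blocklist() {
    cat > "$1" <<'EOF'
; constructed sample in Spamhaus DROP style
192.0.2.0/24 ; SBL-example-1
198.51.100.0/24 ; SBL-example-2
203.0.113.7
# a comment line
999.1.1.1/24 ; invalid octet, must be skipped
10.0.0.0/33 ; invalid prefix length, must be skipped
not-an-address
EOF
}

# Stand-alone use: ./blocklist.sh drop.txt | ipset restore ; then apply the
# printed rules once. With no argument, only the functions are defined.
if [ "$#" -ge 1 ]; then
    blocklist_to_ipset_restore "$SET_NAME" "$1"
    print_firewall_rules "$SET_NAME" >&2
fi
```

Run it from cron after fetching the list so the set refreshes without touching the rules; the swap keeps the old entries in force until the new set is complete. Add a LOG rule with the same match ahead of the DROP if you want to see which internal host tripped the list, which is what you would watch for to catch the infected-client case.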
 
Question is what are you doing that you would want to block bad IPs in the first place? That's what a firewall is intended to do, at least in the sense of blocking any traffic from outside that wasn't requested by the inside. Having a block list on a router for outside traffic isn't really going to do anything more (in general) because traffic that would normally get blocked would then have to be looked up again by a separate list to then drop it.

Anywho. Second ERL. Cheap, solid community, and good software package that's constantly being updated.
 
Unless an asset on his network got infected and the virus is calling out to said IPs and transferring his information off the asset...

I believe the OP is just looking for just an overall block of bad/suspicious IPs from entering his network along with calling out from his network since he stated he wanted a PeerBlock type blocking.

PeerBlock uses lists of IPs to block when calling out when downloading torrents.
 
Yeah that's what I figured. Either running a server or has a bunch of people/devices on the network. It sounded more like this is a very small use (home) and IMHO it would be easier to just put clients you don't trust on their own network and those you do on their own LAN.
 
Exactly what I do :D. Wife and all other devices that want outside access are on the DMZ and everything else I actually do is on its own VLANs. But this is a whole different conversation that could be discussed. :p
 
pfSense does this, and it being on real hardware/OS it is much more capable. You can find hardware for $50+ depending on your needs. Netgate has some kits you can score up, I think you can even add wireless if you want to go that route.
 
Yeah that's what I figured. Either running a server or has a bunch of people/devices on the network. It sounded more like this is a very small use (home) and IMHO it would be easier to just put clients you don't trust on their own network and those you do on their own LAN.

That's a good plan to protect yourself from your clients, but it doesn't help protect your clients from themselves.
 
Can't speak for consumer toy firewalls, but most real firewalls (Check Point, Fortinet, Juniper, PA, etc.) have the option to block connections to known malware and botnet command and control addresses. This feature is almost always subscription based.
 
Ya, was gonna say most open source ones like pfSense will do this; toss it on some old little box and get pfBlocker.
 