@Gertjan FWIW, the (apparent) default kern.ipc.maxsockbuf is also ~ 4 MB on CE. Presumably OP could've increased this value dramatically—in excess of 10 MB—to match Unbound's configured 'message cache size.' But that's as bad of an idea as arbitrarily increasing the latter in the first place.

@BBcan177 Thank you for the kind reminder; I am so accustomed to ensuring Save Settings is checked that I didn't follow your instructions properly (thanks @tinfoilmatt for uploading and highlighting the screen shot). I've properly followed the instructions and the update did not report and db problems. Thank you again! drac

@shady28 Are you maybe looking at IP block list feeds vs DNSBL feeds?

@fireodo thank you very much for the help I will look into the sanity check.

@vicking said in No blocks on IP: Is it a bad idea to have the action set to deny both instead of inbound only? Question is squarely for admin. Per the infoblock which explains, in part, the "Deny Inbound", "Deny Outbound", and "Deny Both" actions: 'Deny' Rules: 'Deny' rules create high priority 'block' or 'reject' rules on the stated interfaces. They don't change the 'pass' rules on other interfaces. Typical uses of 'Deny' rules are: Deny Both - blocks all traffic in both directions, if the source or destination IP is in the block list Deny Inbound/Deny Outbound - blocks all traffic in one direction unless it is part of a session started by traffic sent in the other direction. Does not affect traffic in the other direction. One way 'Deny' rules can be used to selectively block unsolicited incoming (new session) packets in one direction, while still allowing deliberate outgoing sessions to be created in the other direction. In other words: When set to "Deny Inbound", incoming connection requests from WAN hosts are blocked and therefore no state will be created. However a LAN host can still establish state to an otherwise listed IP. If set to "Deny Outbound", outgoing connection requests from LAN hosts are blocked and therefore no state will be created. However an incoming connection request from an otherwise listed IP to an 'open' WAN port can still establish state. If set to "Deny Both", both incoming connection requests and outbound connections requests are blocked and therefore no state will be created regardless of connection direction.

@netboy said in is something wrong with pfBlockerNG?: After my post, I "changed" DNSBL -> DNSBL mode from "unbound python mode" to "unbound mode" and so far i have no issues. Terrible idea. Moving backwards in development history there.

@Gertjan yes, that was an example, a false positive from a list that is not being blocked anymore.

@Gertjan Thanks a lot for your help. This really helped me: I'm not using "pfSense pfBlocker Web server logging" (DNSBL Webserver/VIP ) as the "you are blocked web page" only shows up when the end browser user visits http sites, something that doesn't exist anymore on the Internet. All sites are https these days, and https sites can be redirected to "another https web server" like the "pfSense pfBlocker Web server". With that hint I was able to resolve my issue by: Unchecking the Python Group Policy Enable checkbox for the DNSBL Webserver Configuration on the DNSBL tab in pfblockerng. Checking the Permit Firewall Rules Enable checkbox and selecting the appropriate interfaces for the DNSBL Configuration on the DNSBL tab in pfblockerng. Forced Update | All. It now appears that all the blocked domains are appearing on the Alerts tab in pfblockerng. I couldn't find that host name in the "/var/db/pfblockerng/dnsbl/Max_MS.txt" file - where does your "/var/db/pfblockerng/dnsbl/Crazy_Max_Extra.txt:" come from ? I get that DNSBL, and 2 others, from the original maintainer (https://github.com/crazy-max/WindowsSpyBlocker): https://raw.githubusercontent.com/crazy-max/WindowsSpyBlocker/master/data/hosts/extra.txt https://raw.githubusercontent.com/crazy-max/WindowsSpyBlocker/master/data/hosts/spy.txt https://raw.githubusercontent.com/crazy-max/WindowsSpyBlocker/master/data/hosts/update.txt. I really appreciate your help!

It's an issue with VIP creation code in PFBlockerNG. PFblockerNG support is working to remove the VIP creation code in pfBlockerNG and leaving that to pfSense to handle. Stay tuned. https://github.com/pfsense/FreeBSD-ports/pull/1427

Resurrecting this thread for two reasons: 1.) Because this is where I landed when newly confronted with the topic using pfBlockerNG-devel 3.2.10 on pfSense CE 2.8.1-RELEASE; and 2.) to confirm that the 'issue' and 'fix' here continue to be viable despite the TLD analysis function being considerably modified since the last post in September 2024. Current function @ L7255 of /usr/local/pkg/pfblockerng/pfblockerng.inc: // Determine max Domain count available for DNSBL TLD analysis (Avoid Unbound memory exhaustion) $pfs_memory = (round(get_single_sysctl('hw.physmem') / (1024*1024)) ?: 1000); $pfb['pfs_mem'] = [ '0' => '100000', '1500' => '150000', '2000' => '200000', '2500' => '250000', '3000' => '400000', '4000' => '600000', '5000' => '1000000', '6000' => '1500000', '7000' => '2000000', '8000' => '2500000', '12000' => '3000000', '16000' => '4000000', '32000' => '8000000' ]; if ($pfb['dnsbl_py_blacklist']) { array_walk($pfb['pfs_mem'], function (&$value) { $value = $value * 3; }); } foreach ($pfb['pfs_mem'] as $pfb_mem => $domain_max) { if ($pfs_memory >= $pfb_mem) { $pfb['domain_max_cnt'] = $domain_max; } } On a system with 32 GB of RAM attempting to 'analyze' over 24M but less than 27M domains, the line "'32000' => '8000000'" was changed to "'32000' => '9000000'" (i.e., permitting a maximum number of 27M domains to be 'analyzed') in order for the function to complete successfully. Analyzing (and then subsequently loading) precisely this number of domains... Original Matches Removed Final ---------------------------------------- 24270656 21017552 6463516 17807140 ----------------------------------------- ...results in Unbound's stable operational consumption of ~6 GB of RAM and any/all pfBlockerNG 'Reload' options consuming as much as ~6 GB of RAM, concurrently. Therefore one should only attempt this DNSBL hack if they're confident that their system has at least 13 GB of memory 'headroom' (taking into account normal system operation and any other resource-consuming, installed packages).

@Zaketis dedup is only Deny Feeds which would also include and GeoIP lists. Aggregation works in separate silos for each type ie: permit or deny etc...

Hello, The issue is resolved! Without me having to change anything / touch a thing , I tried adding an ASN this morning and it worked; the dropdown list appeared. Thank you very much to everyone who took the time to reply. Have a good day, everyone.