pfBlockerNG

• N

  Bypassing DNSBL for specific IPs
  • Ns8h

  5
  0
  Votes
  5
  Posts
  1148
  Views

  H

  Revisiting this thread as I needed to exclude my Roku devices on my network as they need to reach ad sites for the news feeds to work. (sucks) Getting it to work has raised some questions that maybe others can chime in on and maybe my configuration / findings may help others. I am using Cloudflares DNS over TLS hence the forward-zone configuration. In addition I run a Plex server at home and need to define the private-domain to allow internal resolution to a private IP address. I have three Roku devices that use the "bypass" view Everything else on my three network segments uses DNSBL to block ads. I have native IPv6 and hence need to add access control as some hosts use IPv6 for DNS transport. There are a number of host overrides configured to resolve private IP addresses and hidden hosts from the internal Intranet and not use the public IP addresses resolved by my external NS. Example of my custom options: - server: private-domain: "plex.direct" access-control-view: 192.168.1.51/32 bypass access-control-view: 192.168.1.61/32 bypass access-control-view: 192.168.1.83/32 bypass access-control-view: 2601:abcd:abcd:abc0::/64 dnsbl access-control-view: 2601:abcd:abcd:abc1::/64 dnsbl access-control-view: 2601:abcd:abcd:abc2::/64 dnsbl access-control-view: 192.168.1.0/24 dnsbl access-control-view: 192.168.2.0/24 dnsbl access-control-view: 192.168.3.0/24 dnsbl rrset-roundrobin: yes forward-zone: name: "." forward-ssl-upstream: yes # Cloudflare DNS forward-addr: 1.1.1.1@853 forward-addr: 1.0.0.1@853 forward-addr: 2606:4700:4700::1111@853 forward-addr: 2606:4700:4700::1001@853 view: name: "bypass" view-first: yes #include: /var/unbound/host_entries.conf view: name: "dnsbl" view-first: yes include: /var/unbound/host_entries.conf include: /var/unbound/pfb_dnsbl.*conf What I have found is if I use a 192.168.0.0/22 mask (CIDR) for the IPv4 subnets it does not work, I instead had to define each subnet with /24. Maybe a /16 would have worked? Same problem with IPv6. (note, the examples mask my real IPv6 prefix), I had to define multiple /64's as a single /62 did not work. The dnsbl view needed to have include: /var/unbound/host_entries.conf otherwise the host overrides did not resolve. For some reason however that was not required for the bypass view, which seems to operate quite happily without the include: hence it is commented out. Not what I expected. I also, had a number of issues, that I did not continue confirming exactly the behavior, when trying to format for readability the custom options by indenting some lines using spaces. This caused it to fail. so no leading spaces on any line. :-) unbound "view" is not very well documented, but does provide some potential for client specific workarounds that I've needed every now and then. Debug seems limited in the log files regarding matching of access-control-view and which view is being used. Maybe I had too much verbosity enabled and message were deep and I missed them? With multiple hosts for testing and having dig/nslookup forced to use IPv4 or IPv6 I was able to finally reproduce what I believe is a working config. Albeit with some configuration options that I don't fully understand why they work how they do. Will see how it goes . . . . If anyone can comment on the subnet masks and the include:
• 

  Support pfBlockerNG development!
  • ivor

  3
  2
  Votes
  3
  Posts
  2674
  Views

  A

  I can not wait to see how he is going to do the mass import for IP4 and DNSBL, I hope its just a simple text doc you can just upload just like you would a backup file on Ublock extension. Looking forward to it. I may have to get some more Ram lol only got 8 gig and I bet doing mass list imports will hit the Ram hard. Great work hope it's coming along well ;) Great job.
• K

  Thanks BBCAN177 !
  • Koent

  5
  0
  Votes
  5
  Posts
  2097
  Views

  S

  As pointed out to me in another post. https://forum.pfsense.org/index.php?topic=139634.0
• 

  PfBlockerNG v2.1 w/TLD
  • BBcan177

  122
  0
  Votes
  122
  Posts
  48107
  Views

  H

  I'm having problems with iOS 11.3 BETA. It seems that safari can't go to 0.0.0.0 and pages can't load. Solution was to reinstall package and use the VIP address, as I was using the certificate hack and 0.0.0.0.
• 

  PfBlockerNG v2.0 w/DNSBL
  • BBcan177

  1063
  0
  Votes
  1063
  Posts
  401422
  Views

  M

  @overloader is your php using opcache.validate_timestamps=0? If it doesn't opcache should be able to check the modified timestamp and regenerate the cache. I found out a little issue with a feed blocking it's own IP, funny. Info regarding the feed PRI4 - CCT_IP - https[:]//cybercrime-tracker[.]net/fuckerz.php - 213.186.33.3 I'll drop an email and report it directly to the list owner, till here easy. However the main gateway is still able to connect and download from that IP. pfSense gateway - pfBlockerNG Reports Sep 4 10:00:47 WIFI pfB_PRI4_v4 (1770006077) 192.168.20.103:44188 213.186.33.3:443 cluster015.ovh.net TCP:S pfSense test box on WIFI vlan - 192.168.20.103 - pfBlockerNG error.log [ pfB_PRI4_v4 - CCT_IP_v4 ] Download FAIL [ 09/04/18 10:00:53 ] Firewall and/or IDS (Legacy mode only) are not blocking download. Inbound interface is WAN Advanced inbound on OpenPorts alias Advanced outbound any any - as default Floating rules deny both directions Outbound interfaces, all including WAN Advance inbound/outbound as default Floating rules denying both directions Pinging the IP from WAN correctly fails so pfB rules are working, but why is it still able to download, or is pfBlockerNG able to circumvent it's own block lists. I was only able to found out the feed blocking it's own IP only because I was synching to the client. Cheers
• W

  PfBlockerNG
  • wbennett77

  1189
  0
  Votes
  1189
  Posts
  394501
  Views

  

  @BrettC: Hi, one thing i am noticing with pfBlockerNG is that it may be missing an end-double quote on its shell commands? No the quote is used in the grep command to find an exact match starting with the first quotation mark in the line…  The 502 error is being worked on...  The upcoming release doesn't seem to be affected by this and will hopefully be released shortly... Stay tuned!
• T

  Blocking Youtube Ads
  • thezfunk

  23
  0
  Votes
  23
  Posts
  1592
  Views

  T

  @sesipod Blocking Google's DNS servers did not stop my Android ads. I am telling you, I don't have issues on Windows machines with ads, it is just Android's YouTube app. In the last two weeks it has gotten worse. I now get an ad at almost every single video again. My FireTV, Firestick, Android phones and tablets with the Youtube app are unanfected by the blocking on my pfSense box. I have yet to take the time for packet capture deep dive. I just got OpenVPN working so I can route my traffic from my phone through home whenever I am out and I also implemented encrypted DNS. They were only mildly annoying before but the worse they intrude the more driven I am to shut them off. I am now considering a whole VPN solution for security reasons although I know that won't stop the Youtube ads.
• J

  Keeping google ad injections blocked but allow google shopping search results?
  • jacotec

  2
  0
  Votes
  2
  Posts
  50
  Views

  

  @jacotec said in Keeping google ad injections blocked but allow google shopping search results?: Is there ANY way to allow clicking on these search results but leaving the google advertise injections blocked? Something like "whitelist googleadservices if the host website is google.com"? No its one way or the other unfortunately... Just need to tell people to not click on the Google search results that have "AD" in the Title.
• R

  pfBlockerNG cURL 28 Error when updating DNSBL
  • retestreak

  4
  0
  Votes
  4
  Posts
  47
  Views

  

  @retestreak said in pfBlockerNG cURL 28 Error when updating DNSBL: [ raw.githubusercontent.com ] Domain listed in DNSBL Whitelist that domain from the Alerts tab.
• J

  Log Browser
  • JonH

  14
  0
  Votes
  14
  Posts
  288
  Views

  J

  @bfeitell said in Log Browser: but I am stuck on an older version of MacOS. Good reason not to update at this time.
• S

  GeoIP permit inbound is blocking
  • stefanl

  1
  0
  Votes
  1
  Posts
  49
  Views

  No one has replied

• 

  pfBlockerNG Wizard tool
  • BBcan177

  1
  8
  Votes
  1
  Posts
  172
  Views

  No one has replied

• R

  DNSBL modify default bloked webpage
  • rjabellax5

  34
  0
  Votes
  34
  Posts
  1147
  Views

  M

  @bbcan177 said in DNSBL modify default bloked webpage: To fix that Cert error for HTTPS sites, create a new DNSBL Group and add the domains that are causing issue to the customlist at the bottom of the page. Then disable logging and set the Order to "Primary" which will cause this Group to load first. Follow that with a Force Reload DNSBL... That will null block those domains to 0.0.0.0 and avoid the cert errors. The thing is that basically you will need to add all https sites in there (well, almost) as most of them are using HSTS for that matter nowadays. (facebook, google and almost all majors) No mentioning logging, alerts, etc... That's actually the exact reason, why i'm trying to get away from this bulky and messy squid+samba+squidguard construction. But here with lighthttpd you're using static private cert which is not trusted by local cert authorities. Why can't you consider to issue at least trusted with local CA cert? I'd imagine that'll help with majority if issues.... Also i've heard rumors from of this forum, that if we will be using the squid's way with auto generating valid subCA certs for users from local CA it "would be both complicated and slow." But squid had been working with that for years, I haven't noticed any issues with it's performance... (yes there is caching also, but still) Could you please comment? (I'm on latest dev 2.2.5_17 now)
• E

  Correct way to only allow my cellphone-openvpn to view LAN side ip cams
  • Ev4nsp479

  3
  0
  Votes
  3
  Posts
  110
  Views

  E

  Thank you.
• J

  PfBlockerNG Error
  • jlee18

  11
  0
  Votes
  11
  Posts
  144
  Views

  J

  its working now, i dont know what i did :)
• 

  pfBlockerNG-devel feedback
  • BBcan177

  77
  4
  Votes
  77
  Posts
  3319
  Views

  

  @yorke The sync is off by one, so its not critical in the sense that its still going to block the domains listed. There is a disrepancy of the number of domains listed in the Unbound DB vs the /dnsbl/ folder. I'd suggest a Force Reload and see if that fixes it.
• I

  Netflix outside VPN
  • ianp

  16
  0
  Votes
  16
  Posts
  442
  Views

  J

  please check this answer https://forum.netgate.com/topic/96636/netflix-vpn-block-how-to-fix/19
• R

  Not enough double u's?
  • Raffi_

  4
  0
  Votes
  4
  Posts
  120
  Views

  R

  Yup, "test.com" was in one of my lists. That explains it! pfblocker was doing its job. Thanks!
• A

  Stuck on booting up on console
  • anttechs

  2
  0
  Votes
  2
  Posts
  61
  Views

  

  Sure it's not the stuff listed about the console here? https://www.netgate.com/docs/pfsense/install/upgrade-guide.html?highlight=upgrading#upgrading-from-versions-older-than-pfsense-2-4-4
• R

  Checked "DNSBL Firewall Rules" however no floating rule added?
  • reilos

  3
  0
  Votes
  3
  Posts
  97
  Views

  R

  Hi @BBcan177, Yes, i did. I also tried deselecting either one and disabling and re-enabling it. @reilos said in Checked "DNSBL Firewall Rules" however no floating rule added?: I have pfBlocker running on 2 interfaces, which i have selected in the list behind the checkbox.
• S

  Blacklisting ALL domains and whitelist a selected few domains with pfBlockerNG
  • snarky

  5
  0
  Votes
  5
  Posts
  729
  Views

  S

  Hi everybody, I found indeed a solution to my problem and would like to share it here. It is not perfect, but what in this word is? My solution does not directly use pfSense. pfSense is only used to ... a) configure a special DNS server address for selected DHCP clients (smart TVs and the like) b) block access to the (uncensored) DNS resolver running on pfSense form said clients using the firewall The special standalone DNS server (a Raspberry Pi in my case) runs the dnsmasq service. dnsmasq has two very handy configuration options. The magic incantations are the "server" directive and the "address" directive. (Note: One could also run dnsmasq on pfSense - but in my setup I already use unbound on pfSense and didn't want to risk messing with everybody elses DNS resolution just for this.) With the server directive one can specify an address which we want to be resolved by a certain DNS server. The trick here: '#' as the target resolver means "use your configured standard server to forward the request to". Meaning: resolve normally. Im my case for Netflix I have: server=/netflix.com/# server=/netflix.ch/# server=/nflxext.com/# server=/nflximg.com/# server=/nflximg.net/# server=/nflxvideo.net/# server=/nflxso.net/# server=/netflix/# server=/cloudfront.net/# server=/d179kwmlpc4o47.cloudfront.net/# server=/d2s336w63pl2vv.cloudfront.net/# (the details seem to depend on geographic location - note I have a blanket "allow" for all of cloudfront.net here - the cloudfront host names are not necessarily stable) The "address" option can then be used to implement the "DNS black hole" functionality: address=/#/192.168.x.y OR - address=/#/ The first version makes dnsmasq return a fixed (fake) IP address for any DNS request not whitelisted using a server directive. The second returns NXDOMAIN instead of a wrong IP. I use the first. Look at the manpages of dnsmasq and dnsmasq.conf for details! For some of my "smart" devices to function, I need to allow additional domains. One Samsung TV for example needs access to the domain time.samsungcloudsolution.com (among others). Otherwise it will not believe that it has internet access and will simply refuse to start the Netflix app - stupid "smart" thing!! My solution kind of works, but adding a new "smart" device is always a hassle. And if you want to use another video streaming service, you have to find out the necessary domains to whitelist first. This is the solution I am using. I hope this will help someone. Andy
• E

  Is pfBlockerNG Devel stable?
  • emammadov

  23
  0
  Votes
  23
  Posts
  562
  Views

  

  @bbcan177 The list with which I am familar is pulled by uBlock Origin, but I cannot determine which exact list it is. I did find the following lists, and I expect one is the list pulled by uBO: https://www.zoso.ro/pages/rolist.txt https://www.zoso.ro/pages/rolist2.txt
• A

  Upgrade to newer pfblockerng have get error.
  • akong77

  2
  0
  Votes
  2
  Posts
  154
  Views

  G

  @akong77 said in Upgrade to newer pfblockerng have get error.: Hello, I upgrade lastest pfblockerng have got error.I use some command fix php error. ,,, ssh to pfsense cd /usr/local/lib/php/ ln -s 20170718/ 20131226 That is not a fix, it just messes up things more. https://forum.netgate.com/topic/135895/package-update-triggers-only-half-2-4-4-update
• A

  pfBlockerNG-devel 2.2.5_17: IP Alerts list (Deny) not showing alerts
  • Aritus

  7
  0
  Votes
  7
  Posts
  168
  Views

  

  @aritus On my box I have selected WAN for Inbound, and LAN for Outbound.
• A

  pfBlockerNG-devel 2.2.5_17 + 2.4.4 (Uncaught Fatal Error)
  • aograin

  2
  0
  Votes
  2
  Posts
  114
  Views

  A

  Ok, to anyone else running into this issue you need to ensure the "Keep Settings" is unchecked in the General Tab and then uninstall the package. Once that is done reinstall the package and it should work.
• Z

  Is Hiding DNSBL Alerts without Whitlisting Possible?
  • zskwrel

  5
  0
  Votes
  5
  Posts
  122
  Views

  Z

  Oh, I see what you mean now! Thanks again.
• 

  pfBlockerNG and 1.1.1.1 - possible solution.
  • dragoangel

  8
  0
  Votes
  8
  Posts
  164
  Views

  

  @BBcan177 P.S. after your post I launch update to devel version, and all goes smooth like a charm - need only to launch cron update from pfBlockerNG menu (i'm not use easylists), new menus, autocomplite for GeoIP, ASNs and other functions is awesome!
• Q

  PRIX
  • Qinn

  1
  0
  Votes
  1
  Posts
  195
  Views

  No one has replied

• P

  pfBlockerNG - 2.2.5_16 pfb_filter
  • Prometheus23

  17
  0
  Votes
  17
  Posts
  709
  Views

  

  Thanks
• W

  Advice - Allowing client to bypass pfblocker-ng
  • wesfox

  3
  0
  Votes
  3
  Posts
  116
  Views

  W

  @ronpfs said in Advice - Allowing client to bypass pfblocker-ng: There is one post here https://forum.netgate.com/topic/129365/bypassing-dnsbl-for-specific-ips That worked :) Thank you very much. For newbies like myself.. a little hint .. the custom option is at the end under DNS resolver.
• 

  Whitelisting From Alerts Page Not Working
  • ToTalChaos1010

  15
  0
  Votes
  15
  Posts
  262
  Views

  M

  Thanks, works perfectly now.
• S

  DNS over TLS - 2.4.3 to 2.4.4
  • smerm07

  4
  0
  Votes
  4
  Posts
  323
  Views

  

  No, you do not.
• V

  DNSBL (DEV) Stopped working after 2.4.4 upgrade
  • vito

  5
  0
  Votes
  5
  Posts
  191
  Views

  V

  I was able to get DNS resolver errors above corrected with this post https://forum.netgate.com/topic/106011/solved-pfblockerng-reloading-unbound-fails/11 After the above, resting Resolver settings (just clearing all setting then adding back the same settings) and a reboot it appears to be working again. Thanks for the help!
• C

  GeoIP and NAT
  • cgeo

  8
  0
  Votes
  8
  Posts
  107
  Views

  G

  @cgeo said in GeoIP and NAT: But my point remains. Shouldn't this be visible in the firewall logs ? You have the source IP alias already in the NAT rule, so it will not process the port redirect from IPs not covered in that alias. As such the firewall simply sees a connection from your LAN to your WAN address, this is allowed by the default LAN-to-any rule (if it still exists in your config), and so it wont be logged. With this config you simply try to connect to pfSense on a port that is likely not in use.
• 

  2.4.4 upgrade messed pfBNG (beta)?!
  • chudak

  4
  0
  Votes
  4
  Posts
  275
  Views

  B

  @bbcan177 Thanks BBcan177. This fixed it for me
• 

  maxmind.com blocked by QuidSup Trackers
  • Pucho

  3
  0
  Votes
  3
  Posts
  87
  Views

  

  Great, thanks! Completely overlooked it. I'll have a look at threat look up thing. I won't hesitate in the future to open a GitHub issue with the maintainers if after some investigation it turns out to be a false positive.
• V

  pfBlockerNG - Devel Feedback/Question - IPv4 lists no showing(yet blocks are happening)
  • Velcro

  4
  0
  Votes
  4
  Posts
  175
  Views

  

  With all the changes in PHP7, a commit was added to the installer code that created some empty XML tags. <config></config> This will be fixed in the next version which should be out soon. However, you can follow these steps below to fix this issue now: First make a backup of the config.xml from the: pfSense Diagnostics > Backup & Restore Tab: Then paste the following PHP code which will cleanup the empty XML tags into: pfSense > Diagnostics > Command Prompt > Execute PHP Commands: $upgrade_type = array('pfblockernglistsv4', 'pfblockernglistsv6', 'pfblockerngdnsblsettings', 'pfblockerngafrica', 'pfblockerngantarctica', 'pfblockerngasia', 'pfblockerngeurope', 'pfblockerngnorthamerica', 'pfblockerngoceania', 'pfblockerngsouthamerica', 'pfblockerngtopspammers', 'pfblockerngproxyandsatellite'); foreach ($upgrade_type as $type) { if (is_array($config['installedpackages'][$type]['config'])) { if (empty($config['installedpackages'][$type]['config'][0])) { unset($config['installedpackages'][$type]['config'][0]); print "\n| Removed | {$type} | Empty XML Tag"; } } } write_config('pfBlockerNG - Fix empty XML tags'); Then hit the Execute button for the code to run.
• V

  DNS SSL/TLS + pfBlockerNG -Develop + VLANs +Quad9 ?
  • Velcro

  4
  0
  Votes
  4
  Posts
  398
  Views

  D

  Looks like those forward and TLS settings are in the GUI: Enable Forwarding Mode Use SSL/TLS for outgoing DNS Queries to Forwarding Servers per: https://forum.netgate.com/topic/135974/dns-over-tls-2-4-3-to-2-4-4/2
• R

  pfBlockerNG-devel TLD
  • reg1982

  3
  0
  Votes
  3
  Posts
  133
  Views

  R

  @BBcan177 so I have "Mem: 5293M Active, 734M Inact, 3236K Laundry, 1055M Wired, 742M Buf, 764M Free Swap: 3881M Total, 94M Used, 3787M Free, 2% Inuse" This is a Qotom mini pc with one sodium memory slot. 8 gig was the max I could get. It seems to idle around 81% not sure if that will go up as more users are on my network. I am just wondering if it's hits 100% for some periods of time if this will cause issues. I remove squid as well and it went down to about 71% but I like squid for the built in virus scanner. I don't really need the proxy as I have a fast fiber internet connection but it's part of the package... If it stays at near 100% I will need try what you suggested with TLDs cn or ru... etc Thanks for the tips
• H

  pfBlockerNG firewall filter service stopped
  • harison

  2
  0
  Votes
  2
  Posts
  237
  Views

  G

  @harison said in pfBlockerNG firewall filter service stopped: What do think? thank I think you need glasses: https://forum.netgate.com/topic/136069/pfblockerng-2-2-5_16-pfb_filter