I can not wait to see how he is going to do the mass import for IP4 and DNSBL, I hope its just a simple text doc you can just upload just like you would a backup file on Ublock extension.
Looking forward to it.
I may have to get some more Ram lol only got 8 gig and I bet doing mass list imports will hit the Ram hard.
It would be really cool if it could automatically update the blocked TLDs based on the spamhaus statistics (https://www.spamhaus.org/statistics/tlds/) on a regular schedule. I realize that this may be more difficult than it sounds as I cant seem to find a spamhaus TLD feed, just a website. But if we dont dream then it will never happen!
@aweidner said in [TLD blacklist, exclusion and whitelist]
For a new-to-pfblockerng-person like me this sounds unnecessary unintuitive. If there is a blacklist, why can't i use the whitelist in the same realm?
Unbound mode is the original/first generation of DNSBL. It relies on Unbound local-zone and local-data entries to block domains.
Unbound Mode is too restrictive in wildcard blocking. Unbound Python mode (the next generation of DNSBL) doesn't use Unbound's local-zone/local-data entries, and removes all these types of restrictions. Therefore, you can use the DNSBL Whitelist feature with Python mode in this circumstance.
Existing pfBlockerNG DNSBL Unbound mode:
In this mode, entries are added to Unbound with an include file located at:
For each single domain to be blocked, a local-data entry is added:
local-data: "example.com A 10.10.10.1"
Any DNS request for example.com would be sinkholed to 10.10.10.1 where the DNSBL Webserver will respond to that request.
If the TLD Wildcard blocking option is enabled, entries will be added to Wildcard block domains:
local-zone: "xyz" "transparent"
local-data: "example.xyz 60 IN A 10.10.10.1"
local-data: "example2.xyz 60 IN A 10.10.10.1"
For each TLD (ie: xyz), a transparent zone is created, and any xyz domains that need to be wildcard blocked are added to the associated transparent zone entry with local-data entries.
When users want to Wildcard block a whole TLD, TLDs would be added to the TLD Blacklist with a local-zone redirect entry:
local-zone: "ru" redirect local-data: "ru 60 IN A 10.10.10.1"
If "ru" is wilcard blocked, and a user wants to allow a specific ru domain to be allowed, domains can be added to the
TLD Whitelist. The entries in Unbound will use a local-zone static entry to block all domains except for domains that are
explicitly defined with a local-date entry;
local-zone: "ru" "static"
local-data: "ramblr.ru A 188.8.131.52"
Possible workaround after a brief off-thread conversation: I set GeoIP Top Spammers to Alias Native and then disabled it again. I then manually ran the cron entry "/usr/local/bin/php /usr/local/www/pfblockerng/pfblockerng.php dcc >> /var/log/pfblockerng/extras.log 2>&1" and it didn't log the alert into extras.log like the others. If I don't post back in a month it worked. :) Also there will be an update coming at some point, though we'd have to get current to update.
But just to be clear - a speed test will result in full speed.
But some web pages will open very slow, at first i thought my dns is very slow.
As when the page load it does at a normal speed, just very delayed.
As nearly every website is using sources(scripts, ad, tracker,...) from all over the place, its hard to pinpoint.
I think it might be slow if some parts of the page are blocked.
But I don't know if the browser is waiting for a timeout or a js script has trouble.
Redirecting the DNS traffic should work anyway.
Possibly unbound sends it's traffic to the ISPs DNS. Or you did something wrong. Since you don't provide your settings, it's hard to say.
You can sniff the packets to see, what's going on.
However, also not clear what the goal of the WAN-LAN bridge is indeed. If you only want your clients to pull network settings from the ISP you can enable the DHCP relay and configure the clients network accordingly.
I have reviewed each of the recommended steps:
1- DNS resolver is listening for all interfaces, if I configure that it only listens for the Bridge interfaces, it presents us with the same result.
2- Modify the validation code for the virtual IP, add an IP of the example segment 192.168.1.203 and the same result still does not block domains, for verification use nslookup and it continues to show the original IP of the domain which was used as test, in few words is not blocking.
3- Well my opinion about this is that apparently there is a link between the DHCP service and the DNSBL to work with it, but as I said this is only my opinion.
Previously I was looking for more information and I was with that unknown that if I wanted to make a bridge interface with DNS blocking, I would have to configure one of the interfaces that comprise the Bridge for this case the LAN will activate the DHCP service.
As an example:
That is cool! I did not know that was possible. I saw in your Reddit post that you stated "pfSense doesn't have a lot of graphing/logging functionality." I 100% agree with you that it should not be part of the firewall, but it would be awesome to have a Netgate preferred solution like Graylog with a step by step guide to integrate the logging from the firewall and its common packages into a centralized visualization platform.
I'm not an expert but I used 3cx with pfsense for 3 years at my previous job.
I had the same issue with no audio on one side on two different occasions with 3cx. 1. was when I did not have the full cone NAT configured properly. I don't have access to 3cx anymore but I remember there was a network troubleshooting utility. Until I fixed the NAT problem it would not return successful. This might help https://www.3cx.com/docs/pfsense-firewall/
The other time I had a similar issue was because the user vpn was not routing and using NAT instead. After I changed the OpenVPN config to routing and added the VPN static routes in pfsense pointing to the VPN server it worked.
I also remember there were instances where we would receive calls from external entities that used VOIP and those connections did not need to go through our SIP provider. I realized this because I had originally opened the SIP ports with the src address of the SIP provider, and most calls would work except from some specific vendors. After opening up the the SIP ports from "any" those vendors started working as well.
As far as iTalkBB, I have never used it, but pfBlockerNG just uses regular firewall rules. You can turn on logging and see if something is a miss. Or even faster test just temporarily disable the firewall rules and see if stuff starts working.
I have noticed the Geo IP is not 100%, so maybe you are running into an issue there. It was recommended somewhere that you don't block the world. I prefer to do the reverse which is just to allow specific countries.
We provide leading-edge network security at a fair price - regardless of organizational size or network sophistication. We believe that an open-source security model offers disruptive pricing along with the agility required to quickly address emerging threats.
Subscribe to our Newsletter
Product information, software announcements, and special offers. See our newsletter archive to sign up for future newsletters and to read past announcements.