pfBlockerNG

• 

  pfBlockerNG MaxMind Registration required to continue to use the GeoIP functionality!
  • BBcan177  

  74
  9
  Votes
  74
  Posts
  11204
  Views

  W

  @stephenw10 said in pfBlockerNG MaxMind Registration required to continue to use the GeoIP functionality!: Enter the Key in the 'Maxmind License Key' field in pfBlocker. Now you can access the GeoIP tabs. Steve Thanks Steve.
• S

  Firewall Rules Order
  • Stewart  

  20
  0
  Votes
  20
  Posts
  5679
  Views

  C

  Floating rules are evaluated first - or at least they were a few years ago. I had to solve this problem a few years ago. Make the rules that get moved downward into floating rules. Then change the evaluation order of the others as needed using built in tools. I don't have this problem today but I'm sure the answer is still correct.
• N

  Bypassing DNSBL for specific IPs
  • Ns8h  

  36
  2
  Votes
  36
  Posts
  11194
  Views

  H

  @denx Great - as for the server: unless you want to make the modification posted by Gertjan, keep checking if make any changes to pfBlocker as it will come back. I have a note on in my "Change Log Documents" to verify so it doesn't bite me. To help out pfdm007, do you have leading spaces in your Custom Options? TIA
• 

  Support pfBlockerNG development!
  • ivor  

  5
  2
  Votes
  5
  Posts
  4558
  Views

  A

  I can not wait to see how he is going to do the mass import for IP4 and DNSBL, I hope its just a simple text doc you can just upload just like you would a backup file on Ublock extension. Looking forward to it. I may have to get some more Ram lol only got 8 gig and I bet doing mass list imports will hit the Ram hard. Great work hope it's coming along well ;) Great job.
• K

  Thanks BBCAN177 !
  • Koent  

  5
  1
  Votes
  5
  Posts
  3180
  Views

  S

  As pointed out to me in another post. https://forum.pfsense.org/index.php?topic=139634.0
• 

  PfBlockerNG v2.1 w/TLD
  • BBcan177  

  124
  0
  Votes
  124
  Posts
  57679
  Views

  E

  It would be really cool if it could automatically update the blocked TLDs based on the spamhaus statistics (https://www.spamhaus.org/statistics/tlds/) on a regular schedule. I realize that this may be more difficult than it sounds as I cant seem to find a spamhaus TLD feed, just a website. But if we dont dream then it will never happen!
• 

  PfBlockerNG v2.0 w/DNSBL
  • BBcan177  

  1070
  3
  Votes
  1070
  Posts
  529878
  Views

  M

  @anttechs said in PfBlockerNG v2.0 w/DNSBL: Many thanks ;) You're welcome I disabled TLD because I had .com and most of the others in there Yeap, that would be it! Cheers
• W

  PfBlockerNG
  • wbennett77  

  1194
  0
  Votes
  1194
  Posts
  438306
  Views

  E

  @RonpfS Thank you friend it worked.
• A

  Hoping someone can help allow AWS ranges only
  • automate  

  1
  0
  Votes
  1
  Posts
  6
  Views

  No one has replied

• 

  Warning: pfBlockerNG-devel 2.2.5_30 almost crushed my new 2.4.5 install!
  • Bob.Dig  

  13
  0
  Votes
  13
  Posts
  200
  Views

  

  @Gertjan Thanks. Maybe one core isn't that bad. We'll see.
• C

  On hunt for blocklists
  • coffeecup25  

  3
  0
  Votes
  3
  Posts
  132
  Views

  C

  Thanks. I added the large list you mentioned and am giving it a tryout. It's an impressive work.
• T

  Malwarebytes feed - hphosts offline?
  • talaverde  

  8
  0
  Votes
  8
  Posts
  297
  Views

  

  Is there a way to keep the list contents and disable future updates in pfBlockerNG? I selected Never for Update Frequency but I'm still getting download errors. Under DNSBL Source Definitions there is an option to place lists on HOLD, would this allow them to continue working without updating any more? I don't see any harm in keeping the list active at least until another similar replacement can be found.
• M

  This problem is driving me nuts! Please help.
  • mike3y  

  6
  0
  Votes
  6
  Posts
  45
  Views

  J

  You can go to Status->Filter Reload and reload the filters. If it doesn't throw an error you should be good. The only way it would come back is if one of those list grows so that the total number if items in all of your tables exceeds the value you set.
• S

  A couple of thoughts on the CARP VIP setting in pfBlockerNG-devel 2.2.5_19.
  • silentnomad  

  4
  0
  Votes
  4
  Posts
  227
  Views

  G

  Hi @BBcan177 sorry to taking up again this topic, but I'm facing the exact same two issues on two pfSense 2.4.5 in CARP with pfBlockerNG-devel 2.2.5_30 Should they have been fixed already or fix it's a bit difficult and it's taking some time? I can survive with the VHID not customizable (1 was empty in my case but I'd like to put something much higher to distinguish between real interfaces), but SKEW issue it's quite annoying because I need to manually change it in the backup firewall and after some time (probably cron/reload) it reverts back to the same settings of the master. I think the behaviour should be the same of standard pfSense CARP XMLRPC sync so it leaves the same base and adding +100 to the skew. Thanks EDIT: Looking quickly through the code, even if I'm not a real PHP expert, I think the issue it's here $advskew = (isset($config['virtualip_carp_maintenancemode'])) ? 'advskew 254' : 'advskew 0'; Because it detects only when the CARP it's down due to maintenance mode, not the "normal" configuration when the slave node is backup because master it's alive. I don't know if pfSense has a parameter to check it, because manually it's quite difficoult, you should check the interface where pfBlocker VIP is, then check for the VIPs and get the status of the VIP that it's not the pfBlocker one (that should be a "real" VIP). Or maybe it could be easier, in case VIP Address type is CARP, to ask user to manually create the CARP Virtual IP from pfSense and then with a picker in pfBlocker ask to choose the Virtual IP? If it's in "normal" mode, pfBlocker could take care of creating Virtual IP etc. but in CARP mode, that is already an advanced function, you could leave it to pfSense and user so it will be easier to manage/customize (VHID, Base, Skew etc..)
• J

  IP Count Resetting
  • Jobee  

  1
  0
  Votes
  1
  Posts
  16
  Views

  No one has replied

• C

  How to troubleshoot false positive from feed?
  • cipherwar  

  5
  0
  Votes
  5
  Posts
  46
  Views

  C

  @Artes Yup just checked that out. Thanks again.
• F

  PfBlockerNG high CPU
  • Frosch1482  

  3
  0
  Votes
  3
  Posts
  69
  Views

  C

  Dont see it at all on 2.2.6 Running very stable on all the appliances both with and without DNSBL.
• Z

  When will pfBlockerNG 2.2 be stable
  • zjgn  

  3
  0
  Votes
  3
  Posts
  131
  Views

  Z

  @NollipfSense said in When will pfBlockerNG 2.2 be stable: Has been stable getting close to 2yrs now. That's exactly why I'm asking. The 2.2 branch is considered quite stable, but the stable package is still 2.1.
• E

  Unresolvable destination port alias 'pfB_DNSBL_Ports' for rule 'pfB_DNSBL_Permit'
  • Elliott32224  

  4
  0
  Votes
  4
  Posts
  37
  Views

  E

  @T-Monster This is really weird. When I started to go through the setup again with the use of a website describing the process, I saw that what I was seeing for my pfBlockerNG was different from what was on the website. I went back to the package manager, searched on pfBlockerNG and found a much newer version, which I installed. Everything seems fine now. I have no idea where the older version of pfBlockerNG came from.
• E

  GeoIP rules blocking things not on the list
  • ex1580  

  10
  0
  Votes
  10
  Posts
  79
  Views

  E

  @BBcan177 Well that is definitely an answer! I had no idea that MaxMind thought it was also in Brazil. IDK if this is right or wrong or if I should even be blocking so much in my firewall as there are datacenters all over the world (these are outbound rules) but I dont use Bing and that IP seems to be a Microsoft "bingbot" according to Google. If the next release shows this better in the logs then I am happy. Thanks so much! Output from those commands on my box. mmdblookup -f /usr/local/share/GeoIP/GeoLite2-Country.mmdb -i 191.232.139.2 country iso_code "IE" <utf8_string> grep "191.128.0.0" /usr/local/share/GeoIP/* /usr/local/share/GeoIP/GeoLite2-Country-Blocks-IPv4.csv:191.128.0.0/12,3469034,3469034,,0,0 grep "3469034" /usr/local/share/GeoIP/GeoLite2-Country-Locations-en.csv 3469034,en,SA,"South America",BR,Brazil,0 mmdblookup -f /usr/local/share/GeoIP/GeoLite2-Country.mmdb -i 191.232.139.2 { "continent": { "code": "EU" <utf8_string> "geoname_id": 6255148 <uint32> "names": { "de": "Europa" <utf8_string> "en": "Europe" <utf8_string> "es": "Europa" <utf8_string> "fr": "Europe" <utf8_string> "ja": "ヨーロッパ" <utf8_string> "pt-BR": "Europa" <utf8_string> "ru": "Европа" <utf8_string> "zh-CN": "欧洲" <utf8_string> } } "country": { "geoname_id": 2963597 <uint32> "is_in_european_union": true <boolean> "iso_code": "IE" <utf8_string> "names": { "de": "Irland" <utf8_string> "en": "Ireland" <utf8_string> "es": "Irlanda" <utf8_string> "fr": "Irlande" <utf8_string> "ja": "アイルランド" <utf8_string> "pt-BR": "Irlanda" <utf8_string> "ru": "Ирландия" <utf8_string> "zh-CN": "爱尔兰" <utf8_string> } } "registered_country": { "geoname_id": 3469034 <uint32> "iso_code": "BR" <utf8_string> "names": { "de": "Brasilien" <utf8_string> "en": "Brazil" <utf8_string> "es": "Brasil" <utf8_string> "fr": "Brésil" <utf8_string> "ja": "ブラジル連邦共和国" <utf8_string> "pt-BR": "Brasil" <utf8_string> "ru": "Бразилия" <utf8_string> "zh-CN": "巴西" <utf8_string> } } }
• S

  pfr_update_stats: assertion failed and blocked traffic
  • Sesquipedalio  

  2
  0
  Votes
  2
  Posts
  19
  Views

  S

  I started noticing very weird blocked functions in my home network. My music server would not resolve http(s) get requests for streaming music, though I could on other devices. I could not resolve a domain name by typing the base URL in the address bar (like typing purple.com and get the page to load), but I could find it in a search bar and navigate to them and perform nslookups on them. I updated the main pfSense OS, but could not update any packages. Other weirdness that was not easy to categorize. I tried to reboot the pfSense via the web and command menu - neither worked. I forced a hardware reboot and noticed many repeated errors on the console and system logs which read: pfr_update_stats: assertion failed Here is my solution, which is working for now: In the Firewall / pfBlockerNG / General page, tick the box for "Suppression - This will prevent Selected IPs from being blocked. Only for IPv4 lists (/32 and /24)." and click the Save button for this page. In the Firewall / pfBlockerNG / General page, untick: Enable pfBlockerNG and Keep settings to disable them both. then click the save button. In the Firewall / pfBlockerNG / General page, tick only the Enable pfBlockerNG to enable and leave the Keep settings unticked/disabled. In the Firewall / pfBlockerNG / Update page, select the Select 'Force' option Update and click Run. Copy the output from this into a text file. Use the text file to separate the results to find four types of results: No Domains Found Terminated - Easylists can not be used Anything which is not working, such as a 404 page not found or other error Anything working can be ignored Open EVERY DNS Group Name on the Firewall / pfBlockerNG / DNSBL Feeds page. Search for any of the feeds that are NOT working at all and paste the URL into a browser bar. If they do not resolve, delete them - don't forget to click the save button at the bottom. If they do resolve, see the next step Open EVERY DNS Group Name on the Firewall / pfBlockerNG / DNSBL Feeds page. Search for any of the feeds that are listed as No Domains Found, or that did resolve to a list in a previous step, and paste the URL into a browser bar. If the list is just a bunch of IP addresses, then you have them on the wrong part of your firewall! To fix this: Copy the URLs of any of the lists which were IP-based out of the DNSBL page and into a text file as a placeholder. Move over to the Firewall / pfBlockerNG / IPv4 page and start a new Alias Name (or edit one you may already have there). Add each one of the URLs from your text file, giving it a unique header name (the last field) and make sure to set it to Auto & ON. . Once all added, I set the List Action and update schedule to my preference and saved the page For anything which results in 'Terminated - Easylists can not be used' I do not yet have a solution. In the Firewall / pfBlockerNG / General page, untick: Enable pfBlockerNG and Keep settings to disable them both. then click the save button. In the Firewall / pfBlockerNG / General page, tick only the Enable pfBlockerNG to enable and leave the Keep settings unticked/disabled. In the Firewall / pfBlockerNG / Update page, select the Select 'Force' option Update and click Run. Repeat the process of reviewing the results to remove broken lists and move IP-based lists to the right IPv4 list page. ------ONCE satisfied with the results: In the Firewall / pfBlockerNG / General page, untick: Enable pfBlockerNG and Keep settings to disable them both. then click the save button. In the Firewall / pfBlockerNG / General page, tick BOTH the Enable pfBlockerNG and Keep settings to enable them both. In the Firewall / pfBlockerNG / Update page, select the Select 'Force' option Update and click Run.
• G

  pfBlockerNG 2.1.4_21 totally lag system after pfSense upgrade from 2.4.4 to 2.4.5
  • Gektor  

  3
  0
  Votes
  3
  Posts
  292
  Views

  C

  Sounds like this issue: #10414 Workaround: #901871 but maybe the firewall table is to small to use pfBlocker after the change...
• 

  Can I search for an IP-address in all aliases?
  • Bob.Dig  

  5
  0
  Votes
  5
  Posts
  67
  Views

  

  @Gertjan Yeah, you got it all wrong, probably because of my English-writing-skills.
• C

  pfBlockerNG-devel 2.2.5_30 "Cannot allocate memory..."
  • Co6aka  

  7
  0
  Votes
  7
  Posts
  139
  Views

  L

  @Co6aka I'm in the same boat as you. Upgraded from 2.4.4 to 2.4.5. Wound up with "Cannot allocate memory" errors & only the firewall could access the internet. Uninstalling/reinstalling pfBlocker_NG gets the LAN back online (I know it isn't a pfBlocker issue). My table entries were at 20 million before upgrading - because I have a lot of lists and some of them are massive (each list does have a purpose). I think I worked up to 60M entries before setting this aside for the night. I haven't tried breaking apart my lists into smaller aliases. After reading the relevant posts here and on Reddit, it doesn't seem likely to help. It'd still be the same number of IPs that need allocation. (wild guess coming) Unless the issue is that the structures holding my massive aliases are buckling under the load. But, heck. I don't know. I'm going to sleep on it. Maybe tomorrow I'll puzzle out where I should be looking for clues. Otherwise, I'll have to check into rolling back - wait for bigger brains to set our world right (yet) again. Edit: box has 4GB RAM Q: How do I calculate Firewall Maximum Table Entries (assume 100MB in aliastables dir) Edit.2: I haven't been able to find a fix. Going to roll back. and I'm fairly impressed w/ the difficulty of locating a download link for pfSense-CE-2.4.4-RELEASE-p3-amd64.iso.gz Not giving up! Edit3: Found a copy of 2.4.4 on Linuxtracker.org (not affiliated). Installed a fresh copy. Restored from the backup I made using 2.4.5 (because, you know) and that worked just fine. Everything came right up; no issues at all. I'm all good again. I'm also scared of upgrading any of my boxes to 2.4.5 but what can you do. I still appreciate all the work that goes into this.
• H

  DNSBL breaking Google.com shopping tab...
  • HSTS  

  9
  0
  Votes
  9
  Posts
  172
  Views

  H

  @RonpfS Found it. Thank you. Still haven't found the specific alert I'm looking for, but I at least know where to dig. Note that I haven't been looking all this time. I got side tracked doing something else. Thanks again for your help.
• R

  oisd blocklist not working
  • revengineer  

  7
  0
  Votes
  7
  Posts
  62
  Views

  

  @revengineer The is a log snippet above that to show the processing of that feed and the restart of Unbound. Take a look at those two sections of the pfblockerng.log.
• J

  clog_pfb drops a core if system log files are reset
  • jwj  

  11
  0
  Votes
  11
  Posts
  59
  Views

  J

  FWIW: did a fresh install. Still core faults if I reset logs.
• G

  pfBlockerNG-devel 2.2.5_30: IPv4 list: too many elements + high system load
  • getcom  

  5
  0
  Votes
  5
  Posts
  98
  Views

  G

  @provels said in pfBlockerNG-devel 2.2.5_30: IPv4 list: too many elements + high system load: My understanding, possibly incorrect, is that Firewall Max Table entries must be at least double what your final count shows, since during updates both the new and old list counts exist in the table simultaneously. Each list has its own table and it will be processed one after the other. It should then > the doubled value of the biggest list. I will try that and increase the value first to 3 1/2 million. This needs a reboot, which means this can be done only ooo in four hours. Are DNSBL lists processed in a different way? The DNSBL_UT1 has >1.8 million entries and this list is working. Ok., thank you for the offline hint of the lists...just discovered the download errors also on my own pfS which is still 2.4.4-P3.
• S

  All alerts showing as unk country code.. help
  • sesipod  

  26
  0
  Votes
  26
  Posts
  220
  Views

  E

  @BBcan177 Excellent! Working as expected now. Maybe someday there can be a button or comment explaining how to re-download from MaxMind because I didnt even know the command did that when I was looking at it. Thanks! Keep up the good work!
• C

  pfblokerng en pfsense briged
  • Core7  

  3
  0
  Votes
  3
  Posts
  41
  Views

  

  @Core7 I don't think bridging will work well with the pkg. I also have no other first hand experience doing that sorry.
• E

  DNSBL Feature Request - TLD inverse and lists
  • ex1580  

  1
  0
  Votes
  1
  Posts
  30
  Views

  No one has replied

• 

  pfBlockerNG-devel 2.2.5_30 update: Is it 2.4.5 specific now?
  • provels  

  2
  0
  Votes
  2
  Posts
  199
  Views

  

  No its for all versions
• V

  pfBlockerNG-devel not showing blocked DNS requests
  • vjizzle  

  10
  0
  Votes
  10
  Posts
  410
  Views

  V

  @BBcan177 : the new version of pfSense is here with the python integration. Any word on the next pfBlockerNG release which will use that to show all allowed and blocked DNS requests? I'd be happy to help with testing.
• 

  Shallalist and UT1 lists not working on 2.4.5-RELEASE/pfBlockerNG-devel 2.2.5_29
  • provels  

  15
  1
  Votes
  15
  Posts
  379
  Views

  

  @GregBinSD said in Shallalist and UT1 lists not working on 2.4.5-RELEASE/pfBlockerNG-devel 2.2.5_29: Can you tell me how long that might be? The pfSense devs need to review and approve. Hopefully next week.
• F

  pfBlockerNG-devel install - PHP Startup Errors - failed to load readline.so
  • fabrizior  

  8
  0
  Votes
  8
  Posts
  207
  Views

  

  it does't surprise me, pfblockerng is outdated , pfblockerng-devel have more features
• F

  Upgrade from pfBlockerNG to -devel before 2.4.5 upgrade?
  • fabrizior  

  4
  0
  Votes
  4
  Posts
  146
  Views

  F

  @Gertjan @t41k2m3 Thank you for the details. I’ll make the jump to the -devel package first then. Are there any specific posts/blogs you would recommend to get up to speed on any critical changes or potential gotchas that might extend my maintenance window? My router is usually hovering around 3% CPU and 19% memory utilization with pfblocker, squid, squidguard, snort, and a few other pkgs running. these stats are with no inbound OpenVPN client tunnels active or outbound IPsec VPN to my Oracle Cloud IaaS tenancy up. Still, plenty of resource capacity.
• T

  Post-upgrade to 2.4.5 pfBlockerNG-devel causing memory and/or CPU spikes
  • t41k2m3  

  1
  0
  Votes
  1
  Posts
  83
  Views

  No one has replied

• A

  PFblockNG Devel not logging or blocking domains
  • antoni777  

  14
  0
  Votes
  14
  Posts
  208
  Views

  A

  I still get nothing, In the post above i always get the same error , "Missing DNSBL stats and/or Unbound DNSBL conf file - Rebuilding" V/r Tony
• M

  Advanced Inbound Firewall Rule Settings
  • maxyca  

  2
  0
  Votes
  2
  Posts
  67
  Views

  M

  Really nobody did it?
• J

  Feed not updating with cron but does by force
  • Jobee  

  7
  0
  Votes
  7
  Posts
  101
  Views

  S

  Hello! Are you using ram disks in System/Advanced/Miscellaneous? This sounds oddly similar to these : https://forum.netgate.com/topic/151591/sort-4-not-downloading-vrt-rules/ https://forum.netgate.com/topic/151634/php-errors/ John