pfBlockerNG

• 

  pfBlockerNG MaxMind Registration required to continue to use the GeoIP functionality!
  • BBcan177  

  74
  9
  Votes
  74
  Posts
  10813
  Views

  W

  @stephenw10 said in pfBlockerNG MaxMind Registration required to continue to use the GeoIP functionality!: Enter the Key in the 'Maxmind License Key' field in pfBlocker. Now you can access the GeoIP tabs. Steve Thanks Steve.
• S

  Firewall Rules Order
  • Stewart  

  20
  0
  Votes
  20
  Posts
  5650
  Views

  C

  Floating rules are evaluated first - or at least they were a few years ago. I had to solve this problem a few years ago. Make the rules that get moved downward into floating rules. Then change the evaluation order of the others as needed using built in tools. I don't have this problem today but I'm sure the answer is still correct.
• N

  Bypassing DNSBL for specific IPs
  • Ns8h  

  21
  2
  Votes
  21
  Posts
  10872
  Views

  P

  Just found this thread and I think it might save my a$$ while stuck at home because of the covid19 pandemic... If I'm hijacking an existing thread, I'll move to a new one. Basically I want all traffic on a specific VLAN (named DMZ with 192.168.2.0/24) totally bypass pfblocker & DNSBL in both directions (incoming and outgoing)... Based on OP's post, I added the following in unbound's custom options: server: access-control-view: 192.168.2.0/24 bypass access-control-view: 192.168.1.0/24 dnsbl access-control-view: 192.168.3.0/24 dnsbl view: name: "bypass" view-first: yes view: name: "dnsbl" view-first: yes include: /var/unbound/pfb_dnsbl.*conf For some reasons, even after restarting unbound, DNSBL and even rebooting pfsense, I still see tons of alerts in the Reports tab of pfblocker. Using a machine on VLAN, pages are still being blocked. Clearly this is not working for me. What am I doing wrong? Some of my settings (if it helps): WAN is WAN... LAN1, LAN2 and DMZ are VLAN's based on LAN physical interface WAN is the only interface selected in pfblockerNG's Inbound Firewall Rules LAN1 & LAN2 are the only interfaces selected in pfblockerNG's Outbound Firewall Rules LAN1 & LAN2 are the only interfaces selected in DNSBL's "Permit Firewall Rules"
• 

  Support pfBlockerNG development!
  • ivor  

  5
  2
  Votes
  5
  Posts
  4549
  Views

  A

  I can not wait to see how he is going to do the mass import for IP4 and DNSBL, I hope its just a simple text doc you can just upload just like you would a backup file on Ublock extension. Looking forward to it. I may have to get some more Ram lol only got 8 gig and I bet doing mass list imports will hit the Ram hard. Great work hope it's coming along well ;) Great job.
• K

  Thanks BBCAN177 !
  • Koent  

  5
  1
  Votes
  5
  Posts
  3175
  Views

  S

  As pointed out to me in another post. https://forum.pfsense.org/index.php?topic=139634.0
• 

  PfBlockerNG v2.1 w/TLD
  • BBcan177  

  124
  0
  Votes
  124
  Posts
  57634
  Views

  E

  It would be really cool if it could automatically update the blocked TLDs based on the spamhaus statistics (https://www.spamhaus.org/statistics/tlds/) on a regular schedule. I realize that this may be more difficult than it sounds as I cant seem to find a spamhaus TLD feed, just a website. But if we dont dream then it will never happen!
• 

  PfBlockerNG v2.0 w/DNSBL
  • BBcan177  

  1070
  3
  Votes
  1070
  Posts
  529363
  Views

  M

  @anttechs said in PfBlockerNG v2.0 w/DNSBL: Many thanks ;) You're welcome I disabled TLD because I had .com and most of the others in there Yeap, that would be it! Cheers
• W

  PfBlockerNG
  • wbennett77  

  1194
  0
  Votes
  1194
  Posts
  438208
  Views

  E

  @RonpfS Thank you friend it worked.
• C

  On hunt for blocklists
  • coffeecup25  

  1
  0
  Votes
  1
  Posts
  24
  Views

  No one has replied

• 

  Warning: pfBlockerNG-devel 2.2.5_30 almost crushed my new 2.4.5 install!
  • Bob.Dig  

  3
  0
  Votes
  3
  Posts
  35
  Views

  

  @Rico I used it with four cores before on 2.4.4 and 2.5 and always with the latest pfBlockerNG with no problem. Thank god, suricata exist. I thought I had no use case for it anymore... till now.
• Z

  When will pfBlockerNG 2.2 be stable
  • zjgn  

  3
  0
  Votes
  3
  Posts
  95
  Views

  Z

  @NollipfSense said in When will pfBlockerNG 2.2 be stable: Has been stable getting close to 2yrs now. That's exactly why I'm asking. The 2.2 branch is considered quite stable, but the stable package is still 2.1.
• E

  Unresolvable destination port alias 'pfB_DNSBL_Ports' for rule 'pfB_DNSBL_Permit'
  • Elliott32224  

  4
  0
  Votes
  4
  Posts
  30
  Views

  E

  @T-Monster This is really weird. When I started to go through the setup again with the use of a website describing the process, I saw that what I was seeing for my pfBlockerNG was different from what was on the website. I went back to the package manager, searched on pfBlockerNG and found a much newer version, which I installed. Everything seems fine now. I have no idea where the older version of pfBlockerNG came from.
• E

  GeoIP rules blocking things not on the list
  • ex1580  

  10
  0
  Votes
  10
  Posts
  61
  Views

  E

  @BBcan177 Well that is definitely an answer! I had no idea that MaxMind thought it was also in Brazil. IDK if this is right or wrong or if I should even be blocking so much in my firewall as there are datacenters all over the world (these are outbound rules) but I dont use Bing and that IP seems to be a Microsoft "bingbot" according to Google. If the next release shows this better in the logs then I am happy. Thanks so much! Output from those commands on my box. mmdblookup -f /usr/local/share/GeoIP/GeoLite2-Country.mmdb -i 191.232.139.2 country iso_code "IE" <utf8_string> grep "191.128.0.0" /usr/local/share/GeoIP/* /usr/local/share/GeoIP/GeoLite2-Country-Blocks-IPv4.csv:191.128.0.0/12,3469034,3469034,,0,0 grep "3469034" /usr/local/share/GeoIP/GeoLite2-Country-Locations-en.csv 3469034,en,SA,"South America",BR,Brazil,0 mmdblookup -f /usr/local/share/GeoIP/GeoLite2-Country.mmdb -i 191.232.139.2 { "continent": { "code": "EU" <utf8_string> "geoname_id": 6255148 <uint32> "names": { "de": "Europa" <utf8_string> "en": "Europe" <utf8_string> "es": "Europa" <utf8_string> "fr": "Europe" <utf8_string> "ja": "ヨーロッパ" <utf8_string> "pt-BR": "Europa" <utf8_string> "ru": "Европа" <utf8_string> "zh-CN": "欧洲" <utf8_string> } } "country": { "geoname_id": 2963597 <uint32> "is_in_european_union": true <boolean> "iso_code": "IE" <utf8_string> "names": { "de": "Irland" <utf8_string> "en": "Ireland" <utf8_string> "es": "Irlanda" <utf8_string> "fr": "Irlande" <utf8_string> "ja": "アイルランド" <utf8_string> "pt-BR": "Irlanda" <utf8_string> "ru": "Ирландия" <utf8_string> "zh-CN": "爱尔兰" <utf8_string> } } "registered_country": { "geoname_id": 3469034 <uint32> "iso_code": "BR" <utf8_string> "names": { "de": "Brasilien" <utf8_string> "en": "Brazil" <utf8_string> "es": "Brasil" <utf8_string> "fr": "Brésil" <utf8_string> "ja": "ブラジル連邦共和国" <utf8_string> "pt-BR": "Brasil" <utf8_string> "ru": "Бразилия" <utf8_string> "zh-CN": "巴西" <utf8_string> } } }
• S

  pfr_update_stats: assertion failed and blocked traffic
  • Sesquipedalio  

  2
  0
  Votes
  2
  Posts
  18
  Views

  S

  I started noticing very weird blocked functions in my home network. My music server would not resolve http(s) get requests for streaming music, though I could on other devices. I could not resolve a domain name by typing the base URL in the address bar (like typing purple.com and get the page to load), but I could find it in a search bar and navigate to them and perform nslookups on them. I updated the main pfSense OS, but could not update any packages. Other weirdness that was not easy to categorize. I tried to reboot the pfSense via the web and command menu - neither worked. I forced a hardware reboot and noticed many repeated errors on the console and system logs which read: pfr_update_stats: assertion failed Here is my solution, which is working for now: In the Firewall / pfBlockerNG / General page, tick the box for "Suppression - This will prevent Selected IPs from being blocked. Only for IPv4 lists (/32 and /24)." and click the Save button for this page. In the Firewall / pfBlockerNG / General page, untick: Enable pfBlockerNG and Keep settings to disable them both. then click the save button. In the Firewall / pfBlockerNG / General page, tick only the Enable pfBlockerNG to enable and leave the Keep settings unticked/disabled. In the Firewall / pfBlockerNG / Update page, select the Select 'Force' option Update and click Run. Copy the output from this into a text file. Use the text file to separate the results to find four types of results: No Domains Found Terminated - Easylists can not be used Anything which is not working, such as a 404 page not found or other error Anything working can be ignored Open EVERY DNS Group Name on the Firewall / pfBlockerNG / DNSBL Feeds page. Search for any of the feeds that are NOT working at all and paste the URL into a browser bar. If they do not resolve, delete them - don't forget to click the save button at the bottom. If they do resolve, see the next step Open EVERY DNS Group Name on the Firewall / pfBlockerNG / DNSBL Feeds page. Search for any of the feeds that are listed as No Domains Found, or that did resolve to a list in a previous step, and paste the URL into a browser bar. If the list is just a bunch of IP addresses, then you have them on the wrong part of your firewall! To fix this: Copy the URLs of any of the lists which were IP-based out of the DNSBL page and into a text file as a placeholder. Move over to the Firewall / pfBlockerNG / IPv4 page and start a new Alias Name (or edit one you may already have there). Add each one of the URLs from your text file, giving it a unique header name (the last field) and make sure to set it to Auto & ON. . Once all added, I set the List Action and update schedule to my preference and saved the page For anything which results in 'Terminated - Easylists can not be used' I do not yet have a solution. In the Firewall / pfBlockerNG / General page, untick: Enable pfBlockerNG and Keep settings to disable them both. then click the save button. In the Firewall / pfBlockerNG / General page, tick only the Enable pfBlockerNG to enable and leave the Keep settings unticked/disabled. In the Firewall / pfBlockerNG / Update page, select the Select 'Force' option Update and click Run. Repeat the process of reviewing the results to remove broken lists and move IP-based lists to the right IPv4 list page. ------ONCE satisfied with the results: In the Firewall / pfBlockerNG / General page, untick: Enable pfBlockerNG and Keep settings to disable them both. then click the save button. In the Firewall / pfBlockerNG / General page, tick BOTH the Enable pfBlockerNG and Keep settings to enable them both. In the Firewall / pfBlockerNG / Update page, select the Select 'Force' option Update and click Run.
• G

  pfBlockerNG 2.1.4_21 totally lag system after pfSense upgrade from 2.4.4 to 2.4.5
  • Gektor  

  3
  0
  Votes
  3
  Posts
  251
  Views

  C

  Sounds like this issue: #10414 Workaround: #901871 but maybe the firewall table is to small to use pfBlocker after the change...
• 

  Can I search for an IP-address in all aliases?
  • Bob.Dig  

  5
  0
  Votes
  5
  Posts
  47
  Views

  

  @Gertjan Yeah, you got it all wrong, probably because of my English-writing-skills.
• C

  pfBlockerNG-devel 2.2.5_30 "Cannot allocate memory..."
  • Co6aka  

  7
  0
  Votes
  7
  Posts
  122
  Views

  L

  @Co6aka I'm in the same boat as you. Upgraded from 2.4.4 to 2.4.5. Wound up with "Cannot allocate memory" errors & only the firewall could access the internet. Uninstalling/reinstalling pfBlocker_NG gets the LAN back online (I know it isn't a pfBlocker issue). My table entries were at 20 million before upgrading - because I have a lot of lists and some of them are massive (each list does have a purpose). I think I worked up to 60M entries before setting this aside for the night. I haven't tried breaking apart my lists into smaller aliases. After reading the relevant posts here and on Reddit, it doesn't seem likely to help. It'd still be the same number of IPs that need allocation. (wild guess coming) Unless the issue is that the structures holding my massive aliases are buckling under the load. But, heck. I don't know. I'm going to sleep on it. Maybe tomorrow I'll puzzle out where I should be looking for clues. Otherwise, I'll have to check into rolling back - wait for bigger brains to set our world right (yet) again. Edit: box has 4GB RAM Q: How do I calculate Firewall Maximum Table Entries (assume 100MB in aliastables dir) Edit.2: I haven't been able to find a fix. Going to roll back. and I'm fairly impressed w/ the difficulty of locating a download link for pfSense-CE-2.4.4-RELEASE-p3-amd64.iso.gz Not giving up!
• H

  DNSBL breaking Google.com shopping tab...
  • HSTS  

  9
  0
  Votes
  9
  Posts
  140
  Views

  H

  @RonpfS Found it. Thank you. Still haven't found the specific alert I'm looking for, but I at least know where to dig. Note that I haven't been looking all this time. I got side tracked doing something else. Thanks again for your help.
• T

  Malwarebytes feed - hphosts offline?
  • talaverde  

  7
  0
  Votes
  7
  Posts
  239
  Views

  

  @Yamabushi said in Malwarebytes feed - hphosts offline?: Anyone have good recommendations for replacement lists? On their turn, good quality publicly available lists will get hit even harder very soon, obliging the owner to invest in server structures that can take the hit. This often applies : why would one update a list every day if one can update it every hours, even if the list is updated itself every week ?? pfBlockerNG is a success : even if it's free, 'money' is involved. Most quality list will probably choose methods like GeoIP Maxmind at best - or simply : access against cash.
• R

  oisd blocklist not working
  • revengineer  

  7
  0
  Votes
  7
  Posts
  54
  Views

  

  @revengineer The is a log snippet above that to show the processing of that feed and the restart of Unbound. Take a look at those two sections of the pfblockerng.log.
• J

  clog_pfb drops a core if system log files are reset
  • jwj  

  11
  0
  Votes
  11
  Posts
  56
  Views

  J

  FWIW: did a fresh install. Still core faults if I reset logs.
• G

  pfBlockerNG-devel 2.2.5_30: IPv4 list: too many elements + high system load
  • getcom  

  5
  0
  Votes
  5
  Posts
  95
  Views

  G

  @provels said in pfBlockerNG-devel 2.2.5_30: IPv4 list: too many elements + high system load: My understanding, possibly incorrect, is that Firewall Max Table entries must be at least double what your final count shows, since during updates both the new and old list counts exist in the table simultaneously. Each list has its own table and it will be processed one after the other. It should then > the doubled value of the biggest list. I will try that and increase the value first to 3 1/2 million. This needs a reboot, which means this can be done only ooo in four hours. Are DNSBL lists processed in a different way? The DNSBL_UT1 has >1.8 million entries and this list is working. Ok., thank you for the offline hint of the lists...just discovered the download errors also on my own pfS which is still 2.4.4-P3.
• S

  All alerts showing as unk country code.. help
  • sesipod  

  26
  0
  Votes
  26
  Posts
  215
  Views

  E

  @BBcan177 Excellent! Working as expected now. Maybe someday there can be a button or comment explaining how to re-download from MaxMind because I didnt even know the command did that when I was looking at it. Thanks! Keep up the good work!
• C

  pfblokerng en pfsense briged
  • Core7  

  3
  0
  Votes
  3
  Posts
  41
  Views

  

  @Core7 I don't think bridging will work well with the pkg. I also have no other first hand experience doing that sorry.
• E

  DNSBL Feature Request - TLD inverse and lists
  • ex1580  

  1
  0
  Votes
  1
  Posts
  29
  Views

  No one has replied

• 

  pfBlockerNG-devel 2.2.5_30 update: Is it 2.4.5 specific now?
  • provels  

  2
  0
  Votes
  2
  Posts
  180
  Views

  

  No its for all versions
• V

  pfBlockerNG-devel not showing blocked DNS requests
  • vjizzle  

  10
  0
  Votes
  10
  Posts
  403
  Views

  V

  @BBcan177 : the new version of pfSense is here with the python integration. Any word on the next pfBlockerNG release which will use that to show all allowed and blocked DNS requests? I'd be happy to help with testing.
• 

  Shallalist and UT1 lists not working on 2.4.5-RELEASE/pfBlockerNG-devel 2.2.5_29
  • provels  

  15
  1
  Votes
  15
  Posts
  364
  Views

  

  @GregBinSD said in Shallalist and UT1 lists not working on 2.4.5-RELEASE/pfBlockerNG-devel 2.2.5_29: Can you tell me how long that might be? The pfSense devs need to review and approve. Hopefully next week.
• F

  pfBlockerNG-devel install - PHP Startup Errors - failed to load readline.so
  • fabrizior  

  8
  0
  Votes
  8
  Posts
  176
  Views

  

  it does't surprise me, pfblockerng is outdated , pfblockerng-devel have more features
• F

  Upgrade from pfBlockerNG to -devel before 2.4.5 upgrade?
  • fabrizior  

  4
  0
  Votes
  4
  Posts
  144
  Views

  F

  @Gertjan @t41k2m3 Thank you for the details. I’ll make the jump to the -devel package first then. Are there any specific posts/blogs you would recommend to get up to speed on any critical changes or potential gotchas that might extend my maintenance window? My router is usually hovering around 3% CPU and 19% memory utilization with pfblocker, squid, squidguard, snort, and a few other pkgs running. these stats are with no inbound OpenVPN client tunnels active or outbound IPsec VPN to my Oracle Cloud IaaS tenancy up. Still, plenty of resource capacity.
• T

  Post-upgrade to 2.4.5 pfBlockerNG-devel causing memory and/or CPU spikes
  • t41k2m3  

  1
  0
  Votes
  1
  Posts
  76
  Views

  No one has replied

• A

  PFblockNG Devel not logging or blocking domains
  • antoni777  

  14
  0
  Votes
  14
  Posts
  206
  Views

  A

  I still get nothing, In the post above i always get the same error , "Missing DNSBL stats and/or Unbound DNSBL conf file - Rebuilding" V/r Tony
• M

  Advanced Inbound Firewall Rule Settings
  • maxyca  

  2
  0
  Votes
  2
  Posts
  65
  Views

  M

  Really nobody did it?
• J

  Feed not updating with cron but does by force
  • Jobee  

  7
  0
  Votes
  7
  Posts
  99
  Views

  S

  Hello! Are you using ram disks in System/Advanced/Miscellaneous? This sounds oddly similar to these : https://forum.netgate.com/topic/151591/sort-4-not-downloading-vrt-rules/ https://forum.netgate.com/topic/151634/php-errors/ John
• 

  GeoIP and Auto Rules
  • provels  

  1
  0
  Votes
  1
  Posts
  48
  Views

  No one has replied

• 1

  DNS custom IPv4 blocklist stored as base64?
  • 1OF1000Quadrillion  

  2
  0
  Votes
  2
  Posts
  40
  Views

  

  Uh...Base64 is not a number base. It is a method for encoding binary values as text strings. See Wikipedia here: https://en.wikipedia.org/wiki/Base64.
• 

  Trying to run pfBlockerNG-devel update automatically after reboot
  • provels  

  1
  0
  Votes
  1
  Posts
  31
  Views

  No one has replied

• L

  Migrating from Pi-hole to PFblockerNG
  • lordofpc734  

  2
  0
  Votes
  2
  Posts
  117
  Views

  

  you can add list from DNSBL / DNSBL groups and press ADD, insert that link save and enable it for the regex stuff i found this on redmine https://www.reddit.com/r/pfBlockerNG/comments/d01qod/can_pfblocker_block_urls_by_regex/ez56ta3/ This will be available in the next major release as it will utilize the Unbound python integration. it's 6 months old idk how are things going on about it update here https://www.reddit.com/r/PFSENSE/comments/fj1ks8/migrating_from_pihole_to_pfblockerng/ Will be in the next pfBlockerNG-devel release when pfSense 2.4.5 is released.
• T

  PfBlockerNG whitelisting blocked GeoIP
  • techman2005  

  8
  0
  Votes
  8
  Posts
  119
  Views

  

  @techman2005 I just looked up scan.nextcloud.com and it resolved to 95.217.53.149, so you may need to actually edit the file /var/log/pfblockerng/ip_blocklog and remove the IP. I don't understand why it didn't adjust the data when you added the domain, saved, and reload. You could scroll to the right of that log file to see the list it belong to and try adding the IP to the custom list I think...maybe @BBcan177 can step in.
• N

  Find IP Address being blocked in feeds
  • nuffsai21  

  2
  0
  Votes
  2
  Posts
  161
  Views

  N

  Spent more time reviewing the changes I made. If I am not mistaken the pfB_Top_v4 alias is made by enabling GeoIP blocking (any of the lists there). In my case I enabled Top Spammers list and with action 'deny outbound'. After disabling 'GeoIP Top Spammers' the ubuntu updates began working.