• PFBlockerNG-Devel Different DNSBL lists on different LANs

0 Votes · 4 Posts · 493 Views

pfBlockerNG is not the tool to use for content filtering. pfBlockerNG is used to sinkhole content like adverts or malicious IPs/domains.

You want to use Squid or SquidGuard and set up categories to block for specific groups of users, subnets or VLANs.

    There are already guides out there on how to do this.

  • talosintelligence.com domain requests

0 Votes · 25 Posts · 2k Views

    Just wanted to provide an update to this thread as someone helped me find the issue that was causing this.

ntopng has threat feeds in it now, and when it can't get to one of the feeds it just keeps trying and trying.

To disable it you have to go into the admin interface, go to Settings and Category Lists, and then disable the offending list that is giving you an issue. I went ahead and disabled all of them, since this was such a problem to find, and these lists seem to go up and down and I don't want it to just keep trying (outside of its setting to only pull them down daily).

• No blocked packets count DNSBL BBC?

0 Votes · 3 Posts · 348 Views

    hehe ok, ty sir.
    I think I will not poke the bear and trust it is working!

• 0 Votes · 7 Posts · 1k Views · johnpoz

    @herman

    You should be able to edit the thread title and tag - if not I can do it for you.

    Thread marked.

  • pfblockerNG TLD help

0 Votes · 5 Posts · 795 Views

    @vesalius said in pfblockerNG TLD help:

    dnsbl python mode

I wasn't 100% sure what the difference between Unbound and python mode was, so I decided not to change it just yet until I had a better understanding. However, since you asked, I thought I would try it and see if it worked that way. I checked your other suggestions, and yes, they were set as you mentioned.

After changing to python mode, TLD is now working. Thank you! Also, pretty cool that my RAM usage is down to 15% now; guess I didn't need the upgrade, oh well.

I did read the following post from BBcan177, along with the "more info" under "DNSBL mode", but was wondering if you had more info I can check out to better understand. Also, because of this, I didn't enable anything else under DNSBL other than TLD.

    More info
    This mode will allow logging of DNS Replies, and more advanced DNSBL Blocking features.
    BBcan177 post
    https://forum.netgate.com/topic/158592/pfblockerng-devel-v3-0-0-no-longer-bound-by-unbound/2

  • pfBlockerNG php error after update to 3.0.0_5

0 Votes · 10 Posts · 871 Views

@bbcan177 I have not set this Clear Widget option afaik, yet every night I am still running into this error. Could it get triggered by something else?

  • Interface and Source is Unknown, running devel 3.0.1

0 Votes · 9 Posts · 924 Views

    @huskerdu
    I noticed that some things being blocked via [ TLD ] are still showing as
    Unknown Unknown
    EX:
    Unknown Unknown www.googletagmanager.com [ TLD ]
    DNSBL-python | HSTS_A

    Do you happen to know a fix?

  • pfBlockerNG-devel v3.0.0_5

9 Votes · 19 Posts · 2k Views

    @bbcan177 said in pfBlockerNG-devel v3.0.0_5:

    @lcbbcl said in pfBlockerNG-devel v3.0.0_5:

I have a weird problem with the new version: if I enable HSTS mode for DNSBL, on reports I have Unknown Unknown for LAN, but for WiFi it is working fine.
Before v3.0.0 I had the web server interface set as LAN, and now I set localhost.
Btw, can someone guide me on how to use regex?

pfSense 2.4.5 uses Unbound v1.10.1, which has a regression that fails to pass some information to the python modules. It has been fixed, but there is no way to upgrade Unbound to v1.12.0 in pfSense 2.4.5.

    In pfSense 2.5, it has Unbound v1.12.0, soon to be v1.13.0.

For the DNSBL Blocking part, you can enable the checkbox in the DNSBL tab > DNSBL Event Logging, and that will stop the python integration from logging and use the DNSBL Webserver to log the events. Unfortunately, that is limited to HTTP events only.

    And for DNS Reply logging, there is no other workaround.

    Not much I can do unfortunately.

It's recommended to use localhost instead.

For regex, here is a list of regexes that can be used:
    https://www.reddit.com/r/pfBlockerNG/comments/k08n33/pfblockerngdevel_v300_no_longer_bound_by_unbound/gdkaod4/?utm_source=reddit&utm_medium=web2x&context=3

Regex seems to be like an add-on to pfB.
    Thank you.

  • Adding IPv6 Feeds from the Feeds Tab in pfBlockerNG v3.0.0_5

0 Votes · 3 Posts · 429 Views

    @bbcan177 said in Adding IPv6 Feeds from the Feeds Tab in pfBlockerNG v3.0.0_5:

    @jdeloach

    Edit /conf/config.xml

And find the "pfblockernglistsv6" tag, and remove the empty "<config></config>" line directly below it:

    <pfblockernglistsv6>
    <config></config>

    That fixed it. Thanks for your prompt support of this great package.
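The fix above is a one-line edit, but on a box with several IPv6 lists it is easy to delete the wrong <config> block. The script below is an added example, not pfBlockerNG's or Netgate's own code: it parses a pfSense-style config.xml, removes only a <config> element under <pfblockernglistsv6> that has no children and no text, and leaves real list entries untouched. The sample config is constructed for the example; the <aliasname> and <action> child tags in it are placeholders and are not required by the logic. It assumes the container tag is exactly <pfblockernglistsv6> as quoted in the post.

```python
"""Remove the empty <config></config> placeholder under <pfblockernglistsv6>.

Added example; not part of pfBlockerNG. Assumes the IPv6 list container in
config.xml is named <pfblockernglistsv6>, as shown in the post above.
"""
import shutil
import sys
import xml.etree.ElementTree as ET

CONTAINER = "pfblockernglistsv6"


def _is_empty_config(elem):
    """True for <config></config> or <config/> with no children and no text."""
    return elem.tag == "config" and len(elem) == 0 and not (elem.text or "").strip()


def has_empty_config(xml_text):
    """Report whether any empty <config> placeholder sits under the container."""
    root = ET.fromstring(xml_text)
    return any(_is_empty_config(child)
               for container in root.iter(CONTAINER)
               for child in container)


def strip_empty_config(xml_text):
    """Return (fixed_xml, removed_count). Non-empty <config> entries are kept."""
    root = ET.fromstring(xml_text)
    removed = 0
    for container in root.iter(CONTAINER):
        for child in list(container):          # copy: we mutate while iterating
            if _is_empty_config(child):
                container.remove(child)
                removed += 1
    return ET.tostring(root, encoding="unicode"), removed


# Constructed sample: one stray placeholder followed by a real (kept) entry.
SAMPLE_CONFIG = """<?xml version="1.0"?>
<pfsense>
  <installedpackages>
    <pfblockernglistsv6>
      <config></config>
      <config>
        <aliasname>ExampleV6</aliasname>
        <action>Deny_Both</action>
      </config>
    </pfblockernglistsv6>
  </installedpackages>
</pfsense>"""


def fix_file(path):
    """Back up config.xml, rewrite it without the placeholder, return count removed."""
    shutil.copyfile(path, path + ".bak")
    with open(path, encoding="utf-8") as f:
        text = f.read()
    fixed, n = strip_empty_config(text)
    if n:
        # ElementTree drops the XML declaration and comments; put the declaration back.
        decl = '<?xml version="1.0"?>\n' if text.lstrip().startswith("<?xml") else ""
        with open(path, "w", encoding="utf-8") as f:
            f.write(decl + fixed + "\n")
    return n


if __name__ == "__main__":
    if len(sys.argv) > 1:
        print("removed", fix_file(sys.argv[1]), "empty <config> element(s)")
    else:
        fixed_xml, count = strip_empty_config(SAMPLE_CONFIG)
        print("removed", count)
        print(fixed_xml)
```

Run it with no arguments to see it operate on the embedded sample, or with the path to a copy of /conf/config.xml. Two caveats a practitioner would want: the rewrite goes through ElementTree, so XML comments in the file are lost (the .bak keeps the original), and pfSense reads its configuration through a cache, so after any manual edit of config.xml remove /tmp/config.cache (or reboot) so the change is actually picked up.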

  • After upgrade I have to start unbound manually

0 Votes · 2 Posts · 213 Views · BBcan177

    @costanzo

    See here:
    https://forum.netgate.com/post/950929

  • Need help trying to figure out what to unblock

0 Votes · 5 Posts · 726 Views · Raffi_

Agreed, that's a lot of lists 😮
Tone them down. The potential protection they are providing you is not worth the issues you are having and will have. I know it's tempting to add everything, hit save and walk away, but that's asking for trouble. Every now and then even well-established lists that have been working fine for a long time can start to block legit stuff. It's the nature of the beast. Having many lists just makes it more difficult to track down which one is causing headaches. It is sometimes hard to track down which specific list it is, so I think @Gertjan's approach is best.

  • Windows 10 machines constantly pinging Israel IPs

0 Votes · 2 Posts · 459 Views · NogBadTheBad

@azdeltawye said in Windows 10 machines constantly pinging Israel IPs:

    185.77.248.89

    AS details for AS58018 :-

    aut-num: AS58018
    as-name: NETSTYLE2
    org: ORG-NAL9-RIPE
    import: from AS43945 accept ANY
    export: to AS43945 announce AS-NETSTYLE
    admin-c: DUMY-RIPE
    tech-c: DUMY-RIPE
    member-of: AS-NETSTYLE
    status: ASSIGNED
    mnt-by: RIPE-NCC-END-MNT
    mnt-by: EC42500-MNT
    created: 2017-01-02T14:57:40Z
    last-modified: 2018-09-04T11:56:16Z
    source: RIPE
    remarks: ****************************
    remarks: * THIS OBJECT IS MODIFIED
    remarks: * Please note that all data that is generally regarded as personal
    remarks: * data has been removed from this object.
    remarks: * To view the original object, please query the RIPE Database at:
    remarks: * http://www.ripe.net/whois
    remarks: ****************************

    IPv4 subnets for AS58018 :-

    185.77.248.0/24

    IPv6 subnets for AS58018 :-

    2a00:55a0:3::/48

    Wednesday, 9 December 2020 at 21:39:06 Greenwich Mean Time
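When an AS summary like the one above lands in a thread, the practical question is whether the address the Windows machines are pinging actually falls inside that AS's announced space, and which prefix to put in an alias if you decide to block it. The block below is an added example and not part of the thread: it parses RPSL-style key: value lines and bare prefix lines into a structure, then does a version-aware membership test with the standard ipaddress module. The sample text is a constructed, shortened copy of the post's AS58018 summary; it generalises to any AS summary in the same shape, IPv4 or IPv6.

```python
"""Parse a RIPE-style AS summary and find which announced prefix contains an IP.

Added example, not from the thread. Works on text in the shape quoted above:
"key: value" attribute lines plus bare CIDR lines for the announced prefixes.
"""
import ipaddress
import re

# Constructed sample, abbreviated from the AS58018 summary quoted in the post.
SAMPLE = """AS details for AS58018 :-

aut-num: AS58018
as-name: NETSTYLE2
org: ORG-NAL9-RIPE
status: ASSIGNED
source: RIPE
remarks: ****************************

IPv4 subnets for AS58018 :-

185.77.248.0/24

IPv6 subnets for AS58018 :-

2a00:55a0:3::/48
"""

_ATTR = re.compile(r"^([\w-]+):\s*(.*)$")


def parse_as_summary(text):
    """Return {'attrs': {key: [values]}, 'prefixes': [ip_network, ...]}."""
    attrs, prefixes = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        # Try CIDR first: an IPv6 prefix such as 2a00:55a0:3::/48 would otherwise
        # be mistaken for a "2a00: ..." attribute line by the key/value regex.
        try:
            prefixes.append(ipaddress.ip_network(line, strict=True))
            continue
        except ValueError:
            pass
        m = _ATTR.match(line)
        if m:
            attrs.setdefault(m.group(1), []).append(m.group(2))
        # Anything else ("IPv4 subnets for AS58018 :-") is a section header; skip it.
    return {"attrs": attrs, "prefixes": prefixes}


def containing_prefix(ip, prefixes):
    """Return the announced prefix (as a string) that contains ip, or None."""
    addr = ipaddress.ip_address(ip)
    for net in prefixes:
        if addr.version == net.version and addr in net:
            return str(net)
    return None


def alias_lines(parsed):
    """One prefix per line, the shape a pfBlockerNG custom list or alias accepts."""
    return "\n".join(str(net) for net in parsed["prefixes"])


if __name__ == "__main__":
    parsed = parse_as_summary(SAMPLE)
    print(parsed["attrs"].get("as-name"))
    print(containing_prefix("185.77.248.89", parsed["prefixes"]))
    print(alias_lines(parsed))
```

The address from the post, 185.77.248.89, resolves to the /24 in the summary; an address outside the AS returns None, which is the signal that the whois object you are looking at is not the one you want to block. Treat the output as a starting point only: AS announcements change, and the prefix list should be refreshed rather than pasted into a permanent alias.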

  • Pfblocker NAT rules.

0 Votes · 2 Posts · 1k Views

I'm having the same issue with pfBlocker and NAT rules. I have no issues adding whitelist rules for my devices that are on a directly routed subnet, but trying to figure out how to handle an allow rule for an existing NAT rule is causing issues.

    Have you found any solution yourself as of yet?

  • pfBlockerNG IPV4 problem

Moved · 0 Votes · 18 Posts · 1k Views · BBcan177

    @rtkluttz said in pfBlockerNG IPV4 problem:

    Upgrade to pfBlockerNG-devel.

  • pfBlockerNG-devel 3.0.0_3 DNSBL alerts no longer showing source IP

0 Votes · 9 Posts · 1k Views

    I am running Version 2.4.5-RELEASE-p1 and pfBlocker DEVEL 3.0.0_3

  • Revert to latest 2.2.5 dev

0 Votes · 11 Posts · 930 Views · kiokoman

    @chpalmer
No, it's not... 🤢
We are going off topic... but I prefer cappuccino when I wake up.
    https://www.youtube.com/watch?v=yWKu8ammTlA

• DNSBL out of sync

0 Votes · 5 Posts · 632 Views

    @bbcan177
    that worked. thanks a lot.

  • DNSBL service unable to enable

0 Votes · 8 Posts · 1k Views

    @trewflight48
Gonna watch this video; I guess I have a lot to learn still.

    How To Setup ACME, Let's Encrypt, and HAProxy HTTPS offloading on pfsense.

  • pfBlockerNG-devel 3.0.0_3 upgrade hangs

0 Votes · 3 Posts · 462 Views · RonpfS

When it hangs like that during pkg install, wait maybe 10 minutes, then restart Unbound from the Services tab.

To prevent this from happening:

Disable pfBlockerNG before doing the update
Update pfBlockerNG
Review pfBlockerNG settings
Enable pfBlockerNG
Force Reload All to be on the safe side

You might have to synchronize your Groups with the Feeds tab.

  • maxmind -- do i need it for mysite?

0 Votes · 4 Posts · 484 Views · johnpoz

    @tross9 said in maxmind -- do i need it for mysite?:

Outside the U.S., thus allowing outside the U.S. to possibly gain access, but I think that is highly unlikely, only possible if a company goes out of business and their IP is sold.

No, that is not true at all. IPs are exchanged all the time; a company does not have to go out of business. We recently sold off some IPs out of our /16, and those IPs are now outside the US.

What if company X has locations in countries A, B and C, and is now using some of their IP space in B vs A, etc.?

GeoIP data is updated all the time. While at first entry it might just use the company's HQ that is in country X, at some point they determine that IP range xyz, while owned by a company in country A, is actually used in country B, etc.

Let's be clear: the GeoIP database is, let's call it, a best guess at best ;)

But if you're concerned with only allowing IPs from XYZ via GeoIP data, then it behooves you to make sure the list of IPs you're using is current. A MaxMind account is free; while the data might not be perfect, using the current data is going to be more accurate than using old data.

Even using the best and latest-to-the-minute GeoIP data doesn't mean it's correct. If you are concerned with who can access the resource you have opened to the public, the best solution is to use their IPs, and only allow those.

While I understand that can become problematic, especially with users that have no idea what an IP even is ;) If you're concerned, get them to set up DDNS for their connection. Then use that DDNS for your alias and only allow that.

I do this for my son's connection. I manage his network remotely via his UniFi devices (router and AP) being part of my controller. For that to happen they need to talk to my controller. I sure as hell would not open my controller to the public internet, even if I could limit the IPs to be on his block ;) let alone his city or country. So I set it up to only allow his IP, which sure changes now and then. So I use his DDNS in the alias.

[attachment: iplist.png]

But for example my Plex server: my users access this not only from their homes, but from their mobile devices. It's not really possible to know for sure what IP they might come from, but I sure do not want to open that up to the whole internet. So I lock it down to only the countries they should be coming from, so I use the listings for those. Currently only US, but a buddy's son was working in Honduras for a while, and so it was allowing US and Honduras, etc.

The GeoIP listings can be useful, but if the data is dated, it's going to be less useful than current data.

If my friends and family were more tech savvy I would lock down their Plex server access to VPN access only. But it is a pipe dream to expect normal users to know how to do that, and I am sure as hell not going to spend the time to manage all of their devices and networks to use a VPN to access my network. So I do at least something to limit who can access my Plex server, be it far from a perfect or optimally secure setup, etc.

edit: Here is something I ran across just a bit ago in my browsing. This is a perfect example of how things get messed up with GeoIP DBs:
https://www.reddit.com/r/networking/comments/k61a5j/geolocation_issue/

The NL company has a location in the US; they got a line in the US and an IP from the ISP, but for some reason this IP is showing as from the NL for GeoIP, etc.

This sort of thing happens all the time, and yes, it can be a real pain in the ass to get corrected. I had a /24 from our /16 that was showing up as being from Vietnam. I tried for months to get it corrected. That IP range had never been used in Vietnam, and clearly anyone doing a simple traceroute could see it was in Florida.

It was causing issues with users accessing some stuff that was doing GeoIP filtering, like banks and such.

Just one more example of why, if you want to do GeoIP filtering, there will be mistakes in the DB, and you should use as current a DB as possible.

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.