• (SOLVED) How to change pfBlockerNG rules order

    0 Votes
    6 Posts
    3k Views
    SipriusPTS

    @psp said in (SOLVED) How to change pfBlockerNG rules order:

    Just one note: don't use the prefix pfB_ as first string on "Description" for your own rules with pfBlockerNG aliases. This will ensure that your rules will not be handled by pfBlockerNG during updates.

    Thank you for letting me know.

    When @JeGr mentioned the 'Alias Deny' option, I noticed that there was a description on GeoIP explaining all available options, and noticed that part.

  • pfBlockerNG not working

    0 Votes
    33 Posts
    14k Views
    malf0rmedZM

    From the DNS Resolver page in the pfSense manual:

    DNS Query Forwarding:
    Disabled by default. When enabled, unbound will use the system DNS servers from System > General Setup or those received from a dynamic WAN, rather than using the root servers directly.

    Just the confirmation I was looking for :)

  • 0 Votes
    4 Posts
    5k Views
    GertjanG

    @vishal3213208 said in "Authentication failed due to problem verifying server certificate." error while trying to connect to Anyconnect SSL VPN.:

    and thus blocked

    Blocked IPs are shown on the report page / alert and/or DNSBL.
    Up to you to check who / which device was using that IP - was it pfSense itself?
    The IP must be in one of the feeds you use.

  • pfBlocker Not working

    0 Votes
    1 Posts
    241 Views
    No one has replied
  • 4 issues

    0 Votes
    8 Posts
    825 Views
    MacG32M

    I found an unbound error unrelated to these issues and fixed it: "error: duplicate forward zone . ignored". Other than that, everything else was functioning properly. Must be some internal code, because all of my logs and settings are clean as a whistle. Thank you all for your kind help. I'll just chalk this up to experience and call it a day. Take care.

  • DNSBL only blocking some sites

    0 Votes
    2 Posts
    128 Views
    malf0rmedZM

    Post continued here due to a problem I had replying (it was marked as spam).

    Feel free to delete this thread, sorry for the mess!

  • Updating access lists more often than 1 hour

    0 Votes
    4 Posts
    1k Views
    G

    Oh, also, I think the command is

    pfctl -t pfB_YOUR_ALIASTABLE -T replace -f /var/db/pfblockerng/YOUR_FEED_NAME.txt

    the "-f" is necessary to specify the target file.

  • 0 Votes
    1 Posts
    239 Views
    No one has replied
  • PfblockerNG working Intermittently

    0 Votes
    2 Posts
    328 Views
    A

    I think we have addressed the issue, it was a rookie mistake. I should have placed the IP address of the router interface on each VLAN as the DNS server instead of the VIP address.

  • pfBlocker GeoIP Not Working

    0 Votes
    15 Posts
    4k Views
    S

    @Alex99 Yeah, change that to deny and you will probably see your counter go up. I'm going to try that with North America (allow inbound) as well just to test.

    This is probably a better approach than blocking all the countries: Pfblocker … is this normal after 3 hours of uptime

  • Unable to update some feeds in pfBlockerng 2.2.5_33

    0 Votes
    2 Posts
    290 Views
    G

    I have updated pfSense to 2.4.5 but the issue still persists.

  • 0 Votes
    5 Posts
    857 Views
    G

    Hi @BBcan177 any updates on this?
    I could add also a small bounty on it if needed..

    Thanks!

  • DNSBL IPv6

    0 Votes
    1 Posts
    264 Views
    No one has replied
  • One-Time Website Access - Feature Request!

    0 Votes
    2 Posts
    146 Views
    NollipfSenseN

    It would be cool to have a temporary list for sites that may be on a DNSBL for some reason, where one would like a one-time quarantine exception for a 15 min period instead of whitelisting permanently. Hoping that @BBcan177 will see this if there isn't a way to do it, or will share how to do it.

    The solution I took was to go to a coffee shop instead of adding to whitelist ... a little inconvenient.

  • One way logging possible?

    0 Votes
    6 Posts
    459 Views
    JeGrJ

    @mlines said in One way logging possible?:

    I figured it out for those who are interested after reading other posts. Modify the existing auto rules across all interfaces to change the descriptions from "pfB" to "pfb" and modify the logging as I wish. Then change the lists in pfblockerng from Deny Both to Alias Native. Reload and the modified rules are now retained.

    Not exactly right. You are using pfB to generate an alias for the PRI1 lists, right?

    So if you want to create your firewall rules yourself and don't want pfB to mess with them, switch it to "Alias Deny", as that way you can profit from dedup and other mechanisms of multiple lists combined. You can also use "Alias Native" if you want, but you can read up in the help on what the difference is.

    Anyway, renaming anything in the description is not necessary! Just switch it to "Alias xy" and pfBlocker won't create rules itself, so you can design, modify and place your rules yourself without interference. That's my recommendation anyway: use pfB to manage and download those lists, GeoIPs or DNSBLs, but only let it create the aliases and use them in your own rules yourself.

    As @provels states correctly, if you don't have inbound traffic, blocking PRI1 per se doesn't increase security a bit. If you have say a DMZ with multiple servers/services or are running a VPN, you can use it to filter traffic before the pass rules allow traffic to hit your services, that's right. If all you have is e.g. a rule for allowing OpenVPN inbound, you can easily modify that pass rule with a "source NOT pfb_PRI1_v4" to block out IPs from the PRI1 alias without needing a second block rule or anything. Explicitly blocking traffic for the PRI1 alias is only needed/wanted if you want to see how many hits / how much traffic that actually accounts for, or if you want to log it for any reason :)

    Otherwise having PRI1 blocked on the LAN side (or WAN outbound) - or some other lists like malware or bot control net - makes perfect sense. Just watch out that your alias doesn't include the RFC1918 (private nets) IP ranges or you might be wondering why you can't access other LAN/VLAN subnets anymore ;)

    Greets
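    The two practitioner points raised in this listing, the pfctl refresh command posted under "Updating access lists more often than 1 hour" and the warning above about an alias that accidentally covers RFC1918 space, can be combined into one pre-flight check before a table is replaced. The following is an added example (not pfBlockerNG's own code and not from any of the posters); it assumes tables are named pfB_<alias>_v4/_v6, that feed files live under /var/db/pfblockerng/ (assumed path), and uses Python 3 because pfSense ships it. The sample feed is constructed for the example.

```python
"""Safely refresh a pfBlockerNG alias table from a downloaded feed file.

Added example, not code from pfBlockerNG or from the posts above. It assumes
the refresh command is `pfctl -t <table> -T replace -f <file>` as posted,
that tables are named pfB_<alias>_v4/_v6, and that feeds live under
/var/db/pfblockerng/ (assumed path). SAMPLE_FEED is constructed.
"""
import ipaddress
import subprocess
from typing import List, Tuple, Union

Net = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Ranges that must not end up in an alias used by a LAN-side block rule,
# or traffic to other LAN/VLAN subnets is dropped (the caveat in the post above).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC1918
    "127.0.0.0/8", "169.254.0.0/16",                   # loopback, link-local
    "fc00::/7", "fe80::/10",                           # IPv6 ULA, link-local
)]

# Constructed sample feed (not a real list) that trips every check below.
SAMPLE_FEED = """# constructed feed for the example
203.0.113.0/24
198.51.100.7
192.168.1.0/24   # would cut off a LAN subnet if loaded
not-an-ip
"""


def parse_feed(text: str) -> Tuple[List[Net], List[str]]:
    """One entry per line, '#' comments and blank lines ignored.

    Returns (networks accepted, raw lines rejected). Host addresses become
    /32 or /128 networks, which is how pf stores them in a table anyway.
    """
    nets, rejected = [], []
    for raw in text.splitlines():
        entry = raw.split("#", 1)[0].strip()
        if not entry:
            continue
        try:
            nets.append(ipaddress.ip_network(entry, strict=False))
        except ValueError:
            rejected.append(raw)
    return nets, rejected


def internal_overlaps(nets: List[Net]) -> List[Net]:
    """Entries overlapping an internal range; overlaps() is False across IP versions."""
    return [n for n in nets if any(n.overlaps(i) for i in INTERNAL_NETS)]


def check_feed(text: str) -> List[str]:
    """Reasons the feed must NOT be loaded (empty list means it is safe to load)."""
    nets, rejected = parse_feed(text)
    problems = []
    if not nets:
        # `pfctl -T replace` with an empty file empties the table, so a failed
        # download would silently turn the block rule into a no-op.
        problems.append("feed is empty: loading it would clear the table")
    if rejected:
        problems.append(f"{len(rejected)} unparsable line(s), e.g. {rejected[0]!r}")
    hits = internal_overlaps(nets)
    if hits:
        problems.append("feed covers internal ranges: " + ", ".join(map(str, hits)))
    return problems


def replace_command(table: str, path: str) -> List[str]:
    """The pfctl invocation from the post above, as an argv list (no shell quoting)."""
    if not table.startswith("pfB_"):
        raise ValueError("pfBlockerNG tables are named pfB_<alias>: " + table)
    return ["pfctl", "-t", table, "-T", "replace", "-f", path]


def refresh_table(table: str, path: str, run=subprocess.run) -> List[str]:
    """Load `path` into `table` only if check_feed() finds no problems.

    Returns the problem list; an empty list means pfctl was actually run.
    """
    with open(path, encoding="utf-8") as fh:
        problems = check_feed(fh.read())
    if not problems:
        run(replace_command(table, path), check=True)
    return problems


if __name__ == "__main__":
    for reason in check_feed(SAMPLE_FEED):
        print("refusing sample feed:", reason)
```

    The empty-feed refusal is the important one: a download that fails and leaves a zero-length file would, with a bare `-T replace`, empty the table and leave the block rule matching nothing, with no error to show for it.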

  • pfblockerNG blocking some web on bypass IPs

    0 Votes
    5 Posts
    729 Views
    GertjanG

    @scorpoin :

    Checking the 'manual', a certain pattern can be observed:

    First, in the server part, 'groups' or 'classes' are defined, called 'bypass' and 'dnsbl'. They have 'network(s)'.
    Then for each group or view (network), options are listed.
    One of them, called 'dnsbl', includes our pfb_dnsbl file.

    Note : I guess we can have the "views" called 'limited' or 'restricted' or whatever.
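    The pattern described above, written out as an added example unbound.conf fragment (it is not from the post and not the file pfBlockerNG generates): a client's source network selects its view via access-control-view, and only the dnsbl view pulls in the pfBlockerNG sinkhole zones. The two subnets, the view names beyond the two named in the post, and the path /var/unbound/pfb_dnsbl.conf are assumptions.

```conf
server:
    # pfSense normally generates the access-control lines; the view
    # assignment is what decides whether a client is filtered (assumed subnets)
    access-control: 192.168.10.0/24 allow
    access-control: 192.168.20.0/24 allow
    access-control-view: 192.168.10.0/24 dnsbl
    access-control-view: 192.168.20.0/24 bypass

view:
    name: "bypass"
    # no local-zone/local-data here, so nothing is sinkholed for these hosts:
    # they get no DNSBL protection at all, which is the trade-off of a bypass.
    # view-first lets them still see server-level local-data (host overrides).
    view-first: yes

view:
    name: "dnsbl"
    view-first: yes
    # the local-zone/local-data sinkhole entries pfBlockerNG writes (assumed path);
    # 'include:' is expanded in place, so the entries belong to this view only.
    # If the same file is also included under server:, the bypass view inherits
    # it through view-first and stops being a bypass.
    include: /var/unbound/pfb_dnsbl.conf
```

    Whether a given client is really in the intended view is easy to confirm from that client: a name known to be on the list should answer with the pfBlockerNG sinkhole address from the dnsbl subnet and with its real address from the bypass subnet.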

  • pfBlocker Options

    0 Votes
    2 Posts
    514 Views
    NogBadTheBadN

    Create an alias using pfBlocker and craft your own firewall rules.

    Screenshot 2020-07-01 at 16.06.10.png

    Screenshot 2020-07-01 at 16.06.33.png

    With aliases, deny, permit & match only define where the info in the report tab goes.

    Screenshot 2020-07-01 at 16.08.44.png

  • pfBlockerNG-Devel blocking on mobile devices but not laptop

    0 Votes
    10 Posts
    3k Views
    GertjanG

    How can you ask:

    @mperez0000 said in pfBlockerNG-Devel blocking on mobile devices but not laptop:

    I don't know why its querying other DNS servers.

    and then show this image:

    84b5ddcb-24f5-49e9-9bde-3ded510f5a69-image.png

    without seeing the relation between your question and your => answer <= to it.
    Read the description text.

    You don't need the first, as DHCP will hand out the IP of pfSense as the 'local DNS cache resolver'. So network (DHCP) clients know whom they have to ask for DNS requests.
    See also the DNS servers fields description of the DHCP server setting page.

    The other two IPs: so you list two other IPs which are also used by DHCP = communicated to your network DHCP clients ..... which means they could use OpenDNS instead of the pfSense Resolver ... which uses pfBlocker ....

    So, you set up the opportunity to bypass pfBlockerNG - and ask why it's bypassed ... ☺

    Really, consider this: the default settings were just perfect ;)
    If you want to add something there, add:

    05c2b518-6ff0-4caa-8037-ef6dfc1b3a8b-image.png

    Note: your 'wireshark' also showed something else: your LAN doesn't reply to ICMP (ping)? Why? (can't see if it's the source or destination - is your PC in "undercover" mode?)
    Tip of the day: use the default LAN rule as proposed by Netgate.

  • Not sure if DNSBL is working

    0 Votes
    2 Posts
    308 Views
    DaddyGoD

    @mlines

    Hi,
    The operation is certainly not correct in this respect.
    PfBlockerNG must work with the resolver (Unbound) for DNS query.

    f9ec3f32-30b6-4155-8558-9572161e6f2f-image.png

    You wrote that you made your own list; we use this one for DoH:
    https://heuristicsecurity.com/dohservers.txt

  • new pfBlockerNG DNSBL list - possibility...(?)

    0 Votes
    3 Posts
    404 Views
    DaddyGoD

    @Artes

    thanks for the information

    It seems like a whole new thing....
    Yesterday, I was alerted by a colleague from one of our UK sites.

    It looks like there will be another Google scandal..... with Israeli participation.
    If I have time this weekend I'll sort the list, upload it to one of our web servers and test it.

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.