@manuelgop Did you apply the changes after reordering the rules? They apply in order, though as I said pfBlocker might reorder them.

You mean a IPv4 List you created is now not working?

I'm having the same problem with a brand new setup + List.

Cant create it, when it tries to update it gives me custom error list!

Thanks all.

I just came here to check if there was an eta on 2.2 being not marked as development - I normally just look in the package manager for updates.

@NollipfSense said in When will pfBlockerNG 2.2 be stable:

@zjgn said in When will pfBlockerNG 2.2 be stable:

pfBlockerNG-devel 2.2.5_30

Has been stable getting close to 2yrs now.

So is the 2.1 branch no longer recommended?

@IsaacFL said in pfBlocker, blocking the wrong countries:

@bmeeks maybe someone who is using pfblocker more than I, could verify if that is really the case.

This is a /10 owned by Microsoft in Ireland so a pretty big error in the data base.

I know it was pointed out that the orig file was not in numerical order, but at least the csv file I downloaded from Maxmind, was in numerical order so I expected the country extraction would also have resulted in something also in numerical order.

But i didn’t spend much time on it so could have been something I did wrong.

Sorry, but I don't use pfBlocker. I was just responding to the general issue of GeoIP inaccuracies. This effects things other than just pfBlocker.

My personal opinion is that GeoIP is slowly losing its utility due to these errors.

@gabacho4 said in lighttpd taking > 30% cpu:

Turning off the pfblockerng service does

Leave it on. With the default settings. With no feeds what so ever.
Now you have the same config as I have, and the same as the author has. he wouldn't release it if it would explode the usage of certain( lighttpd ) processes.
All will be fine - guaranteed.

Now, add your feeds - your config, step .... by ... step...... and test a lot.
As soon as you see strange things, like lighttpd going haywire, undo that step - reboot, drink cofee, take a break, and test that step ones more.
Still a no go ?
Detail your step on the forum : you'll be having something that can be reproduced. That's worth a lot !
If you find something : do not forget to detail your entire setup without omitting anything.

Btw : You could even disable lighttpd, as it only servers a 1 by 1 pixel in most times (I guess, never tried it).

@gabacho4 said in lighttpd taking > 30% cpu:

Is there really only a couple of us having this issue?

Just you ;)
tazmo resolved the issue by putting things in place. A reboot is rarely needed, but it never hurts.

Added to that, "names" = host names exists for humans.
DNS exists sot that all these names are converted to IP's, something that device actually can use.
You could throw away all host names.

Try visiting https://[2610:160:11:18::199]/ or https://208.123.73.199/ - your browser will yell at you because the cert of that web site doesn't have 2610:160:11:18::199 or 208.123.73.199 in it's ALT DNS list, so for the sake of testing, just override the warning, accepts it, and you'll see ...... this forum. Without using names (URLs).

Edit : when you see these browser certificate warniong, inspect the cert. drill down to the cert info list, and you will find :

219e97a7-a3fe-4b91-8519-73eccf73fa58-image.png

so you know that you are connected to netgate.com or any sub domain of that site - forum.netgate.com in this example.

@WannabeMKII : when you call someone, do you enter his name, or his phone number ?
=> Well, you use your contact list, a sort of DNS lookup, to have the phone select the according phone number. The phone circuit isn't aware of 'names'. Just numbers. Setting up a contact list without phone numbers ... that's .... not useful.

"Cannot allocate memory" on 2.4.5 does not mean you don't have enough table entries. On 2.4.5 that error will be "Too many elements" if you need to increase the table entries limit.

"Cannot allocate memory" is likely just what it says, it ran out of kernel memory trying to load the table. Usually this is only temporary and will resolve itself in the next filter reload. See https://redmine.pfsense.org/issues/10310 for more info.

The Force option Update will download the IP lists and create the aliases. If you're getting an error with the update, then it probably didn't create the aliases. In other words it has no information to work with. I've not run into an error there, let alone mentioning an ISO.

Generally when I've created them I use Alias Native and then create my own firewall rules.

Alright... I'll give that a try next.

Had to resort to a cron tab that did a:
/bin/cat /dev/null > /var/log/pfblockerng/dnsbl_error.log

every 15 minutes. That's a hack!

Will try the dev version next...

Thx,
Bob

@siam yes

@RonpfS
I just did a test. You need to "Force Reload" and "Force Reload DNSBL" in case If you remove an entity from custom white list. The entity behavior will change to blocking. You don't need to restart pfsense.

Thanks for clarification.

Just bumping this in case someone has a thought on it. I've also tried running this script as a shellcmd, but w/o success.

#!/bin/sh sleep 120 /usr/local/bin/php /usr/local/www/pfblockerng/pfblockerng.php update >> /var/log/pfblockerng/pfblockerng.log exit

Thank you for that information. I will downgrade now pfSense. Would you @getcom mind to set up a bug-report? Your reputation is surely better than mine and i expect you can describe the problem better i could ever do.