• High number of unbound resolver queries since last clearing

    1
    1 Votes
    1 Posts
    372 Views
    No one has replied
  • pfBlockerNG-devel 2.2.5_29 - Cron job drops internet every 30 minutes.

    10
    0 Votes
    10 Posts
    1k Views
    Perforado

    Managed to choke pfSense with 4GB RAM and pfBlockerNG to not answer to ICMP echo anymore.

    So my theory stands: Add more memory.

  • pfBlocker causing dropped states on synced routers

    1
    0 Votes
    1 Posts
    183 Views
    No one has replied
  • DNS Resolver crashing on start

    3
    0 Votes
    3 Posts
    313 Views
    R

    I’ll try fewer feeds. It’s an SG-1100 appliance so I can’t add memory.

  • pfBlockerNG and Suricata (IPS) interaction

    8
    0 Votes
    8 Posts
    3k Views
    bmeeks

    @timboau-0 said in pfBlockerNG and Suricata (IPS) interaction:

    OK, I'm thinking that makes sense - so unless there was an attack against the actual firewall - any traffic that did make it through malicious or not would be 'seen' traversing through to the LAN.

    Yes, this is correct. The LAN is the best place to put an IDS/IPS 99% of the time. A major reason is so, when using NAT, the IP addresses you see in alerts will be the actual LAN host addresses instead of the NAT IP. When you put the IDS/IPS on the WAN, all internal host traffic shows up under the WAN public IP due to NAT. So finding what internal host generated an alert is very difficult.

  • Comprehensive YouTube/Google Ad Block List

    10
    1 Votes
    10 Posts
    18k Views
    D

    I stopped using Chrome and switched to the Brave browser (download from the official site: https://brave.com). I forgot about advertising on YouTube.
    Brave was created by Brendan Eich, one of the founders of the JavaScript programming language, using the Blink engine (developed by Google). All popular browsers are created on this engine - Opera, Firefox and Chrome itself.

  • Unable to edit GeoIP Links

    23
    0 Votes
    23 Posts
    2k Views
    J

    @Stewart said in Unable to edit GeoIP Links:

    Maybe not. I was just checking the lists to edit but if I run an update I get:

    MaxMind Database downloading and processing ( approx 4MB ) ... Please wait ...
    Download Process Starting [ 02/25/20 14:34:14 ]
    /usr/local/share/GeoIP/GeoLite2-Country.tar.gz
    401 Unauthorized
    Failed to Download GeoLite2-Country.mmdb
    /usr/local/share/GeoIP/GeoLite2-Country-CSV.zip
    200 OK
    Download Process Ended [ 02/25/20 14:34:16 ]

    Is that right? It lets me edit the lists now but I'm only authorized for 1 of the 2?

    When you view the pfBlockerNG box in the pfSense Dashboard, does it show that MaxMind has updated? If not, you may not have any list downloaded. If it doesn't show that MaxMind has updated, issue the following command from Diagnostics, Command Prompt without the quotes: "php /usr/local/www/pfblockerng/pfblockerng.php DC". This should force an update of MaxMind since it is only set to update once a month by the default cron.

  • 2 Questions: Whitelist and UT1

    9
    0 Votes
    9 Posts
    1k Views
    NollipfSense

    @RonpfS said in 2 Questions: Whitelist and UT1:

    @NollipfSense Your Whitelist should have only domain names, no URLs or http://

    That's what I have...see second post...WAIT, I see the mistake...thanks!

  • can pfblocker-ng alerts page be adjustable

    Moved
    9
    0 Votes
    9 Posts
    890 Views
    NollipfSense

    @BBcan177 Ah...that makes sense...I'll patiently wait for the updated d3pie.

  • Leverage NextDNS BlockList Metadata

    2
    0 Votes
    2 Posts
    853 Views
    BBcan177

    @jeffvogelsang

    The pfBlockerNG-devel package has an existing Feeds tab. It would probably be more efficient to request changes to the feeds or submit a PR against the database here:

    https://github.com/pfsense/FreeBSD-ports/blob/devel/net/pfSense-pkg-pfBlockerNG-devel/files/usr/local/www/pfblockerng/pfblockerng_feeds.json

    Keep in mind that I typically do not add feeds that are compilations of other Original Feeds. Best to go directly to the source. There are changes to be made to the json already as some feeds are now discontinued. That will happen in the next release.

  • geoip floating rules not being generated?

    2
    0 Votes
    2 Posts
    168 Views
    RonpfS

    From your FW rule, it looks like there is no Firewall 'Auto' Rule Suffix in the description.

    Your Firewall 'Auto' Rule Suffix is set to "AR" and that doesn't show in the Description of the FW Rule.

    I guess you changed that setting at some point. Did you disable pfBlockerNG when you changed the settings?

    Select 'Auto Rule' description suffix for auto defined rules. pfBlockerNG must be disabled to modify suffix.

  • TLD shutting down on pfBlockerNG-dev?

    3
    0 Votes
    3 Posts
    463 Views
    N

    @NollipfSense Thanks for the suggestion of increasing states/table entries. I will give it a try.

    Although, as described in my initial post, my system seems to use a disproportionately low amount of memory about two hours after reload, it seems to apply TLD filtering adequately, as far as I can discern from looking at my Reports/Alerts/DNSBL log... Still puzzled...

    EDIT: Of course, I might not know about packets escaping filtering and thus logging, yet the log appears to be populated in a plausible manner.

  • Can't get DNSBL to work

    6
    0 Votes
    6 Posts
    2k Views
    S

    Solved it guys, did some googling on that SSL error and found another post here:

    In /var/unbound, delete:
    dnsbl_cert.pem
    unbound_control.key
    unbound_control.pem
    unbound_server.key
    unbound_server.pem

    Reboot and run force update/reload.

    DNSBL now up and running. Thanks for the help in diagnosing guys.

  • Problem with ADs feed

    3
    0 Votes
    3 Posts
    613 Views
    NollipfSense

    @jdeloach Funny that I turned off mine yet it still had the notification of failure! Just did a reload and that seems to resolve.

  • Strange resolver behavior

    1
    0 Votes
    1 Posts
    236 Views
    No one has replied
  • 0 Votes
    8 Posts
    2k Views
    NollipfSense

    @cmeziere You're welcome and glad you fixed it.

  • pfblocker-devel does not block ip

    3
    0 Votes
    3 Posts
    459 Views
    NollipfSense

    @lbm_ said in pfblocker-devel does not block ip:

    I've created an alias under firewall rules

    There, you go...that's exactly what I would say.

  • 0 Votes
    7 Posts
    932 Views
    E

    @NollipfSense ...

    This very blind moron thanks you, sir! I don't know how I could have missed that expandable bar...

    Offending entry removed, license key entered, problem solved. Thank you again!

  • PfBlockerNG does not seem to be blocking these session replay sites

    9
    0 Votes
    9 Posts
    1k Views
    D

    Yes, I understand completely (now that you explained) --- I did not realize that pfBlocker was working at DNS level - I assumed that it was putting IP blocks in firewall rules.

    Thanks again for the help.

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.