  • Rules ordering not working

    3 Posts, 0 Votes, 519 Views

    @jahonix said in Rules ordering not working:

    @pftdm007 said in Rules ordering not working:

    I am using floating rules to make rules ordering easier for me. Please indicate if this is a problem.

    Not a problem if you consider this:

    Floating Rules notes
    Floating rules without quick set process as “last match wins” instead of “first match wins”. Therefore, if a floating rule is set without quick and a packet matches that rule, then it also matches a later rule, the later rule will be used. This is the opposite of the other tab rules (groups, interfaces) and rules with quick set which stop processing as soon as a match is made. See Floating Rules for more details on how floating rules operate.

    OK, I read the pfSense documentation and have a better idea. Now I see that there is a checkbox called "Quick" in the rules. All of my floating rules have this box ticked. So from the documentation:

    "Apply filtering in a “last match wins” way rather than “first match wins” (quick)"

    I take that the first match will win. But first (or last) based on what? The rules ordering in pfblocker???
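
The quick/no-quick distinction being asked about, as an added example for this thread (a toy model written here, not pfSense or pfBlockerNG code). It reduces packets and rules to (src, dst, dport), which is an assumption made to keep the ordering semantics visible: a matching rule without quick records its action and evaluation continues (last match wins), a matching rule with quick decides on the spot (first match wins). pfSense writes every interface-tab rule with quick and evaluates floating rules before interface rules, so the same pair of rules can pass or block the same packet depending on tab and on the Quick box.

```python
"""
Toy model of how pf walks a ruleset, written for this thread (it is not
pfSense or pfBlockerNG code). Packets and rules are reduced to
(src, dst, dport) so the ordering semantics stand out:

  * a matching rule WITHOUT 'quick' records its action and evaluation
    continues, so the last matching rule decides;
  * a matching rule WITH 'quick' decides on the spot (first match wins).

pfSense puts 'quick' on every interface-tab rule; a floating rule gets it
only when its Quick box is ticked. Floating rules are evaluated before
interface-group and interface-tab rules.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str                 # "pass" or "block"
    label: str
    quick: bool = False
    src: Optional[str] = None   # None means "any"
    dst: Optional[str] = None
    dport: Optional[int] = None

    def matches(self, pkt: Packet) -> bool:
        return ((self.src is None or self.src == pkt.src)
                and (self.dst is None or self.dst == pkt.dst)
                and (self.dport is None or self.dport == pkt.dport))

    def with_quick(self) -> "Rule":
        return Rule(self.action, self.label, True, self.src, self.dst, self.dport)


def evaluate(rules: List[Rule], pkt: Packet, default: str = "block") -> Tuple[str, str]:
    """Return (action, label) of the rule that decided pkt, or the default."""
    decision = (default, "default")
    for rule in rules:
        if rule.matches(pkt):
            decision = (rule.action, rule.label)
            if rule.quick:          # quick: stop here, first match wins
                break               # no quick: keep walking, last match wins
    return decision


def pfsense_ruleset(floating: List[Rule], interface: List[Rule]) -> List[Rule]:
    """Order pfSense uses: floating rules first, then interface-tab rules (always quick)."""
    return list(floating) + [r.with_quick() for r in interface]


# Constructed traffic: a host on a block list opening HTTPS to a LAN server.
BAD_HOST = Packet(src="203.0.113.10", dst="192.0.2.10", dport=443)
OTHER_HOST = Packet(src="198.51.100.7", dst="192.0.2.10", dport=443)

# Two rules in the order a user might write them: block the bad host, then
# pass anything to 443. Both match BAD_HOST.
BLOCK_BAD = Rule("block", "block-bad-host", src="203.0.113.10")
PASS_HTTPS = Rule("pass", "pass-https", dport=443)


def floating_no_quick() -> Tuple[str, str]:
    # Floating tab, Quick unticked: the later pass rule wins.
    return evaluate([BLOCK_BAD, PASS_HTTPS], BAD_HOST)


def floating_quick() -> Tuple[str, str]:
    # Same rules with Quick ticked: the first match (block) wins.
    return evaluate([BLOCK_BAD.with_quick(), PASS_HTTPS.with_quick()], BAD_HOST)


def floating_no_quick_reordered() -> Tuple[str, str]:
    # Swapping two non-quick rules flips the outcome.
    return evaluate([PASS_HTTPS, BLOCK_BAD], BAD_HOST)


def interface_tab_pass_before_block() -> Tuple[str, str]:
    # Interface-tab rules are quick: an allow placed above a block-list rule
    # lets the listed host through no matter what follows it.
    return evaluate(pfsense_ruleset([], [PASS_HTTPS, BLOCK_BAD]), BAD_HOST)


def no_match_falls_to_default() -> Tuple[str, str]:
    # Nothing matches OTHER_HOST, so pf's implicit default applies.
    return evaluate([BLOCK_BAD.with_quick()], OTHER_HOST)


if __name__ == "__main__":
    for fn in (floating_no_quick, floating_quick, floating_no_quick_reordered,
               interface_tab_pass_before_block, no_match_falls_to_default):
        print(f"{fn.__name__:32s} -> {fn()}")
```

So "first" and "last" are positional within the list pf is given: for floating rules that is the top-to-bottom order on the Floating tab, and pfBlockerNG's auto rules take part in that order like any other rule.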

  • Cannot allocate memory after adding GEO IP

    6 Posts, 0 Votes, 2k Views

    @provels @kiokoman
    I increased it to 1600000, and it solved it.

    Thanks a lot!

    I wonder how this value is calculated.

    Thanks

  • Upgrading from pfBlockerNG to pfBlockerNG-devel

    4 Posts, 0 Votes, 1k Views

    Turns out uninstall/install looked like it kept the settings but it subtly changed the alias names for a custom alias from "pfB_GeoIPUSv4" to "pfB_GeoIPUSv4_v4" which broke several NAT rules. Error reported by pfSense for the rule was:

    Unresolvable source alias 'pfB_GeoIPUSv4' for rule ____

    Editing the NAT rule and saving without changes corrected it. The NAT rule itself had the new name already, but the old name was being flagged as not resolving because the old name was still used in the matching firewall rule (the two were different).
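
A check for the situation described in this post, as an added example (not pfSense or pfBlockerNG code): walk a pfSense config.xml, collect every alias name defined under <aliases>, and report filter and NAT rules whose source or destination address/port names something that is neither a literal nor a defined alias. The embedded config is constructed to reproduce the post's rename (pfB_GeoIPUSv4 to pfB_GeoIPUSv4_v4) with the NAT rule updated and its associated filter rule still on the old name. It assumes the standard config.xml layout (filter/rule, nat/rule, nat/outbound/rule with source/destination children) and treats only IP addresses, networks, numeric ports and a few interface keywords as literals.

```python
"""
Find rules in a pfSense config.xml that reference alias names which are no
longer defined, the failure this post hit after an alias was renamed.
Added example for this thread, not pfSense or pfBlockerNG code.

Assumptions: standard config.xml layout (aliases/alias/name; filter/rule,
nat/rule and nat/outbound/rule with source/destination children holding
<address> and <port>). Any value in those fields that is not an IP address,
a network, a numeric port or port range, or a pfSense keyword is taken to
be an alias reference.
"""
import ipaddress
import re
import xml.etree.ElementTree as ET
from typing import List, Set, Tuple

SECTIONS = {
    "filter": "./filter/rule",
    "nat": "./nat/rule",
    "nat/outbound": "./nat/outbound/rule",
}
KEYWORDS = {"any", "lan", "wan", "lanip", "wanip", "(self)"}
PORT_RE = re.compile(r"^\d+(?:[-:]\d+)?$")


def is_literal(value: str) -> bool:
    """True for values pf can use directly, i.e. things that are not alias names."""
    if value in KEYWORDS or PORT_RE.match(value):
        return True
    try:
        ipaddress.ip_network(value, strict=False)
        return True
    except ValueError:
        return False


def defined_aliases(root: ET.Element) -> Set[str]:
    return {a.findtext("name") for a in root.iterfind("./aliases/alias") if a.findtext("name")}


def alias_references(root: ET.Element):
    """Yield (section, rule description, field, value) for each alias-like field."""
    for section, path in SECTIONS.items():
        for rule in root.iterfind(path):
            descr = rule.findtext("descr", default="")
            for side in ("source", "destination"):
                node = rule.find(side)
                if node is None:
                    continue
                for field in ("address", "port"):
                    value = node.findtext(field)
                    if value and not is_literal(value.strip()):
                        yield (section, descr, f"{side}/{field}", value.strip())


def unresolved_aliases(config_xml: str) -> List[Tuple[str, str, str, str]]:
    """Every alias reference whose name is not defined under <aliases>."""
    root = ET.fromstring(config_xml)
    defined = defined_aliases(root)
    return [ref for ref in alias_references(root) if ref[3] not in defined]


# Constructed config reproducing the post: the alias now ends in "_v4", the NAT
# rule was updated, but its associated filter rule still carries the old name.
SAMPLE_CONFIG = """<pfsense>
  <aliases>
    <alias>
      <name>pfB_GeoIPUSv4_v4</name>
      <type>urltable</type>
      <descr>pfBlockerNG GeoIP US (IPv4)</descr>
    </alias>
  </aliases>
  <nat>
    <rule>
      <source><address>pfB_GeoIPUSv4_v4</address></source>
      <destination><network>wanip</network><port>443</port></destination>
      <target>192.0.2.10</target>
      <local-port>443</local-port>
      <descr>HTTPS to web server (US only)</descr>
    </rule>
  </nat>
  <filter>
    <rule>
      <source><address>pfB_GeoIPUSv4</address></source>
      <destination><address>192.0.2.10</address><port>443</port></destination>
      <descr>NAT HTTPS to web server (US only)</descr>
    </rule>
    <rule>
      <source><network>lan</network></source>
      <destination><any/></destination>
      <descr>Default allow LAN to any rule</descr>
    </rule>
  </filter>
</pfsense>
"""

if __name__ == "__main__":
    for section, descr, field, name in unresolved_aliases(SAMPLE_CONFIG):
        print(f"Unresolvable {field} alias '{name}' in {section} rule '{descr}'")
```

Run against a backup of /cf/conf/config.xml before and after a package reinstall and diff the two reports; a rule that is fine in the GUI but still names the old alias in its linked filter rule shows up as the single stale reference, which is what saving the NAT rule without changes rewrote here.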

  • PFblockerNG

    12 Posts, 0 Votes, 1k Views

    Much thanks to all who jumped in on this...! I was able to install the pfBlockerNG package today 2.2.5_28. Things are running well.

  • Maxmind will require an account and license key to use GeoLite2 DBs

    22 Posts, 1 Vote, 4k Views

    The update is live now.

  • 404 Error in GeoIP

    3 Posts, 0 Votes, 376 Views

    Thanks for the quick reply. I read the post before but I did not realize that it will cause this kind of error in pfBlocker.

  • Using OpenDNS Family Shield as pfBlockerNG "source"?

    1 Post, 0 Votes, 296 Views
    No one has replied

  • What menu and sub-menus do I go to for changing this parameter?

    2 Posts, 0 Votes, 118 Views, last reply by dotdash

    System > Advanced > Firewall & NAT

  • NextDNS DNS filtering

    2 Posts, 0 Votes, 554 Views, last reply by Gertjan

    @TFTQKX said in NextDNS DNS filtering:

    It is free as of now.

    Check out https://nextdns.io/pricing : 300 K requests a month is peanuts ....
    It might be worth it - can't tell .... but it will not be "free" (for me).

  • DNSBL Not Blocking Full Paths

    3 Posts, 0 Votes, 370 Views, last reply by House Of Cards

    Thanks,

    From my understanding, that only blocks sub-domains. So if it were "culture.vox.com", then the TLD would enforce that. I'm looking to go in the other direction of blocking URLs following the domain, like "vox.com/culture"...

    I could be wrong... of course.

    Thanks,
    Steven

  • How can I view 'DNSBL Whitelist' request

    2 Posts, 0 Votes, 148 Views, last reply by RonpfS

    You can find which domains are whitelisted in pfblockerng.log:

    [ EasyList_Privacy ] Downloading update [ 12/28/19 23:18:22 ] .. 200 OK.
      Whitelist: collector-cdn.github.com|csi.gstatic.com|metric.gstatic.com|s.youtube.com|s2.youtube.com|
     ----------------------------------------------------------------------
      Orig.     Unique    # Dups    # White   # TOP1M   Final
     ----------------------------------------------------------------------
      2994      2992      191       5         0         2796
     ----------------------------------------------------------------------
      IPv4 count=1

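
A parser for the per-feed summary quoted above, as an added example for this thread (not pfBlockerNG code). It pulls the feed name, timestamp, HTTP status, the domains the DNSBL Whitelist removed and the count columns out of one log entry, which is the quick way to answer "which whitelist entries actually hit this feed". The embedded sample is the entry from the post re-wrapped onto separate lines; the consistency check assumes the columns relate as Final = Unique minus Dups, White and TOP1M, which is what the quoted numbers show (2992 - 191 - 5 - 0 = 2796) rather than anything taken from pfBlockerNG's source.

```python
"""
Parse the per-feed summary pfBlockerNG writes to pfblockerng.log when a
DNSBL feed is refreshed. Added example for this thread, not pfBlockerNG
code. The expected layout is the one in the post, one item per line. The
sanity check assumes Final = Unique - Dups - White - TOP1M and that the
'# White' column equals the number of domains on the Whitelist line; both
hold for the quoted entry.
"""
import re
from typing import Any, Dict

# The entry quoted in the post, re-wrapped (constructed sample input).
SAMPLE_ENTRY = """\
[ EasyList_Privacy ] Downloading update [ 12/28/19 23:18:22 ] .. 200 OK.
  Whitelist: collector-cdn.github.com|csi.gstatic.com|metric.gstatic.com|s.youtube.com|s2.youtube.com|
 ----------------------------------------------------------------------
  Orig.     Unique    # Dups    # White   # TOP1M   Final
 ----------------------------------------------------------------------
  2994      2992      191       5         0         2796
 ----------------------------------------------------------------------
  IPv4 count=1
"""

HEADER_RE = re.compile(
    r"^\[ (?P<feed>[^\]]+) \] Downloading update \[ (?P<ts>[^\]]+) \] \.\. (?P<status>.+?)\.?$"
)
NUMBER_ROW_RE = re.compile(r"^\d+(?:\s+\d+){5}$")
COLUMNS = ("orig", "unique", "dups", "white", "top1m", "final")


def parse_feed_summary(entry: str) -> Dict[str, Any]:
    """Return feed name, timestamp, status, whitelisted domains and the six counts."""
    info: Dict[str, Any] = {"whitelist": []}
    for raw in entry.splitlines():
        line = raw.strip()
        m = HEADER_RE.match(line)
        if m:
            info.update(feed=m["feed"], timestamp=m["ts"], status=m["status"])
        elif line.startswith("Whitelist:"):
            # Domains removed by the DNSBL Whitelist, '|'-separated with a trailing '|'.
            domains = line[len("Whitelist:"):].split("|")
            info["whitelist"] = [d.strip() for d in domains if d.strip()]
        elif NUMBER_ROW_RE.match(line):
            # The row of six integers under the Orig./Unique/... header.
            info.update(zip(COLUMNS, map(int, line.split())))
        elif line.startswith("IPv4 count="):
            info["ipv4_count"] = int(line.split("=", 1)[1])
    return info


def counts_consistent(info: Dict[str, Any]) -> bool:
    """Cross-check the counts against each other and against the domain list."""
    expected_final = info["unique"] - info["dups"] - info["white"] - info["top1m"]
    return info["final"] == expected_final and len(info["whitelist"]) == info["white"]


if __name__ == "__main__":
    summary = parse_feed_summary(SAMPLE_ENTRY)
    print(f"{summary['feed']}: {summary['white']} whitelisted -> {summary['whitelist']}")
    print("counts consistent:", counts_consistent(summary))
```

Feeding it the whole log (split on the "Downloading update" header) gives one dictionary per feed, so a whitelist entry that hits no feed at all, or hits many, is easy to spot.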
  • Database GeoIP [ GeoIP.Dat ] not found. Reputation function terminated.

    7 Posts, 0 Votes, 939 Views, last reply by Sergei_Shablovsky

    @johnpoz said in Database GeoIP [ GeoIP.Dat ] not found. Reputation function terminated.:

    Even if I knew, I wouldn't, to be honest. Anything that helps someone stay on an EOL product is counterproductive. You should have moved off 2.3.x two years ago when it was announced it was going to be EOL in a year, etc.

    Ok, agree with You. :)

    Try to shift pfSense to another server as fast as possible.

  • pfBlockerNG specific port access...

    6 Posts, 0 Votes, 3k Views

    @BBcan177 I have a rule ordering problem. When pfBlockerNG is enabled, ports that I don't intend to have open are suddenly open. Is this an issue with rule order? My rules are one allow rule for a few IPs, then the pfBlocker block, followed by allow rules from pfSense. Would the alias-type rules resolve this issue?

  • Pfblocker Issue

    1 Post, 0 Votes, 178 Views
    No one has replied

  • PfblockerNG with MultiWAN

    3 Posts, 0 Votes, 747 Views

    Yes, it worked finally, but not as you described. I had both ethernet and wifi turned On and one interface had direct access to the internet, therefore, was bypassing the PfBlockerNG.

    Now I ran into another problem. :)
    Everything is working fine, except that one PC is able to bypass PFBlocker. I do not know how but I checked directly and also did Nslookup but it's getting through. All the other workstations are getting blocked except one.

    This is the firewall rule screenshot:
    [screenshot]

    Screenshot of NGAlert showing blocked site access from the other PC:
    [screenshot]

    Nslookup screenshot from the rogue PC:
    [screenshot]
    From the other PC it shows 10.10.10.1, so it's getting blocked there.

  • Not able to block youtube using pfblockerng with customlist.

    9 Posts, 0 Votes, 5k Views, last reply by NollipfSense

    @Gertjan said in Not able to block youtube using pfblockerng with customlist.:

    @NollipfSense said in Not able to block youtube using pfblockerng with customlist.:

    clients are natted on pfSense's LAN

    Throw away the firmware in these natting devices and put pfSense in place.

    True, natting after pfSense hides a lot of info.

    In my case, the natting is before pfSense...(the king of my LAN is the new Mikrotik RB450x4); so, I'll have to monitor IP > Firewall > Connections to see when the AppleTV YouTube app is talking to DNS. Yes, my system is double natted...seems okay with it as pfSense is king of my WAN.

  • pfBlockerNG-devel IPv4 whitelist

    5 Posts, 0 Votes, 665 Views, last reply by NollipfSense

    Here's the video that Gertjan mentioned: https://www.youtube.co/watch?v=g0KOcfGicjM

    However, if you want to administer your box, I am not sure adding the mobile public IP to the whitelist will accomplish what you're seeking without a special WAN firewall rule. You could use SSH as per here: https://www.youtube.com/watch?v=lDqRIu2zhoQ
    However, you won't have the WebGUI. So, as Gertjan suggested and recommended, VPN is the best option especially since you already installed OpenVPN.

  • How to block all websites - pfblockerng

    3 Posts, 0 Votes, 239 Views, last reply by Gertjan

    @NollipfSense : I guess that he (tries to) ask(s) how to make a very restrictive LAN : only some sites can be visited by the LAN clients, and nothing else.
    Not sure, though....

  • Not blocking the world

    5 Posts, 0 Votes, 686 Views

    If there was an option for the auto IP rules to block first, then allow (block/reject/pass/match), the idea of default deny would be a lot more accessible. Currently the auto rules are all some variety of pass/match/block/reject. So if I want to block some top spammers, then allow geo regions, all in pfBlocker, followed by a pfSense default deny rule, it isn't automatically possible. Maybe that's a feature @BBcan177 can add someday. Block outgoing by default, allow what is needed.

  • pfblockerng-devel error: Unknown Not listed!

    7 Posts, 0 Votes, 1k Views, last reply by NollipfSense

    @RonpfS said in pfblockerng-devel error: Unknown Not listed!:

    So there is always a window of time when some files go missing from /var/db/pfblockerNG/deny/*.txt; the service will then report the feed as Not listed.

    Okay, thank you for thoughtful explanation...awesome!

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.