@RonpfS said in Embeeded youtube clips won't work. Firefox detected a potential security threat and did not continue to www.youtube-nocookie.com:

Remove your Whitelisting of the domain, Force Reload All, then whitelist it using the Alert Tabs to see what pfblockerNG will whitelist. www.youtube-nocookie.com is a CNAME : youtube-ui.l.google.com that need to be whitelisted as well.

Thank you now it works! It added the following to the whitelist:

.www.youtube-nocookie.com .youtube-ui.l.google.com # CNAME for (www.youtube-nocookie.com)

pfBlockerNG-devel already has ASN support in the IP State setting. Also Radb registry isn't very accurate. The package is using bppview.io instead.

https://api.bgpview.io/ip/<IP>

Your local device could have had the entry cached. Normally I will also disconnect my device from the network, and back on to force the device to flush local cache. Sometime a /flushdns on windows helps too.

@NasKar said in Access to my VPN and Plex Server while abroad:

I would like to access my VPN to make changes to my firewall just in case and my Plex Server.

Trust me, it's not a good idea to change your firewall through VPN. Make the changes before you go.

@Koent said in curl error 7 on all downloads:

analyse the FW daily

Me neither.
But I do check 'basic' operations when changing 'major' things like interfaces that deal with outgoing traffic.
In this case : because the NIC called WAN (actually : PPPoE) now faces the Internet directly. Before, pfSense was probably hidden behind another router (no standard, but normal for a DHCP client mode). Now, it's time to re check and double check your WAN rules : typically none should be there exception NAT rules.

I tried to add

/usr/local/bin/php /usr/local/www/pfblockerng/pfblockerng.php update >> /var/log/pfblockerng/pfblockerng.log

as a shellcmd, but it still ran too early. I don't know how to make it sleep for a couple minutes.

Thank you both for sharing...I learned about Shodan for the first time.

So their servers or cluster at each pop can handle 65k users - yeah find that unlikely ;) This just a perfect example of how misuse of ipv4 space ran us into a shortage of ipv4 way before it should of ever happened..

Network space should be assigned appropriately for the amount of devices that will be using that space.. Even when inside rfc1918 space (which has limits as well) Sure you allow for growth and such.. But come on their 8 core 10ge box could handle anywhere close to even 8k users? That would leave you at most 1.25mbps each user ;) Let alone 64k users ;)

@provels They can be used as whitelists instead

Those are the default settings now... If none of those Auto rule settings work for your needs, you can always use "Alias Type" Action settings and manually create the firewall rules to suit. Click on the blue infoblock icon for the Action setting for more details.

Perhaps @BBcan177 can add them to the feed list in one of the next sub-versions?

Yeah if your MS shop using AD, its prob best to let MS be your dhcp and dns... Then just have your AD dns use pfsense/pfblocker for your dns to external domains.

You can put in a domain override in pfsense so it can resolve your PTRs for networks and the like.

Hi,

He (@BBcan177 ) already spoke about it here (the DNS forum).

Thanks for the reply. I found a way to get it to work...

At the bottom of the Custom Address List, there is a drop-down menu with the option "Update Custom List" -- selecting that item and then forcing an update fixed the issue and the address was correctly blocked.

What's odd is that I've never had to select that before. I've always just added the address, forced an update and literally watched as no more targeted traffic made it through the firewall.

I'm not sure what changed, but at least I was able to get it working.

Thanks again!
-Michael

@skilledinept said in What does "SFS_Toxic_BD" mean? – Is Zoho bad?:

Just to be clear, I'm not blaming anyone or anything, it's only curiosity and, I did install the developer version. The whole UI change threw me for a loop so I followed the little walkthrough just enough to get filtered DNS and left the rest for later.

Those in the know install the developer version ☺

https://www.reddit.com/r/pfBlockerNG/comments/chsajn/cant_get_geoip_to_block_foreign_countries/

@Koent
When you run a "Reload" it uses the previously downloaded feed if it was previously downloaded.
Goto the Log Tab, view the file in the "dnsbl" folder, and delete it, then run a Force Reload/Update

If you are using static mappings in the DHCP, I believe that one alternative to modifying unbound's custom options would be to specify DNS servers in the DHCP static mapping(s) of the host(s) that you wish to exclude from DNSBL. Of course, this is only if you're willing to use other DNS servers. For example:
e34b1368-01ba-42a4-9823-862e35fed9b7-image.png
That way, the host(s) won't use the pfSense machine for DNS at all. Note that you would need to take additional steps for this to work if you have also configured a NAT port forward to redirect any DNS requests from hosts on your LAN to unbound.

Also, keep in mind DNSBL IPs (if enabled), which are handled via firewall rules instead of unbound:
8942b15e-05a0-427a-8c20-3fc57f2a1077-image.png

If you want certain static IPs to also be excluded from this, you can set the list action to Alias Deny, as in my screen shot, and then create your own block rules that do not apply to the static IP(s) in question. Or you could leave the List Action set to one of the "Deny" options that automatically creates rules, but configure advanced rules that exclude your static IP(s):
100b1944-6399-4c4a-950b-6012b05a0edd-image.png

@BBcan177, if any of this is terrible or misguided advice, please feel free to set me straight 😉