• pfBlockerNG demands MaxMind license key

    17
    0 Votes
    17 Posts
    5k Views
    D

    @steveits
    Thank you. Indeed this works nicely.
Probably you overwrote that change with the upgrade to 3.0.0_16?

If this code change will be added in the next version, I suggest also adding a hint that an empty license key will deactivate all GeoIP auto updates...

    Regards
    Dennis

  • Rules not auto-generating.

    8
    0 Votes
    8 Posts
    4k Views
    P

    @BBcan177 Ohhhhhh I see.

    "Alias Deny" doesn't create an alias and set deny rules........ I had to actually tell it to Block instead of create an Alias then it made the rules.

    To confirm then, what is the point of "Alias Deny"??? I get it makes the Alias, but what does it deny?

  • Errors after upgrade to 2.5.2

    5
    1 Votes
    5 Posts
    1k Views
    fireodoF

    @tdgrant said in Errors after upgrade to 2.5.2:

    Thank you, Fireodo!

    Glad I could help ...

  • DNSBL Groups not filtering

    2
    0 Votes
    2 Posts
    481 Views
    GertjanG

    @rgelfand said in DNSBL Groups not filtering:

    nslookup vungle.com resolves to 10.10.10.1.

    So, you're fine ;)

As you already know, "10.10.10.1" is what can be considered a virtual IP (RFC 1918) hosted on pfSense.
You can see it using http (not https) access:

[image]

An https access will produce a browser-dependent error message.

[image]

To understand the 'none' issue, you have to know what https or TLS actually means, and how browsers these days handle related failures.

Short example:

    You blacklist (DNSBL) twitter.
For reasons you totally already understand, twitter can only be accessed using https, not http.
Open a browser, type www.twitter.com and you see .... a failure and certainly not the first image I showed above.
You were not - and your browser forces you to - visit twitter using http.
    It was https.

And now the good one: you can't "break" https. No one can.
So, yes, your browser, upon an initial DNS request, receives 10.10.10.1, the browser connects on that IP, using port 443.
First of all, the browser asks for certificate info.
In this certificate, it has to find something that states it's "*.twitter.com". That's what https (TLS) is all about.

Now, I ask you, does your pfBlockerNG-devel have the certificate that says it's ".twitter.com"? ;) (Can you have it??)
    Rephrase that.
    Are you ".twitter.com". ?
    No.

    The browser hangs up right away. And this means that all blocked DNSBL will not show you the nice image (see above) but a browser that complains, saying that there are protocol errors.
    It will only work for plain old "http" accesses and redirects. And these do not exist any more.
Because, again, if you want to visit https://yourbank.tld you cannot get redirected to https://thefakebankurl.tld

Now you understand why I use:

[image]

I'm not redirecting to the "10.10.10.1" nice page - but answer with "0.0.0.0", which will make the browser show a message that the requested site "has no DNS" (or some DNS issue), which is actually true.

The simplest answer: just forget about:

[image]

  • DNS Resolver - Content Filtering - NSLOOKUP - Server Unknown

    5
    0 Votes
    5 Posts
    1k Views
    D

    @Gertjan - once again, I appreciate your time.

    I decided to take the path of least resistance for the moment and I default reset pfBlocker, then reloaded the below, added in my shallalist and UT1. Looks like the redirect IP for sites you can't go to on the lists (10.10.10.1) are working. I'll see how this holds up for the next few days. Unbound python mode because it uses less resources. I think I might enjoy a more robust PC or netgate so I can load up other things like Snort. Are you using a Netgate appliance or a PC of sorts (community pfsense)? Got a recommendation? Franklin

[images]

  • Cannot allocate memory after installing pfBlockerNG

    1
    0 Votes
    1 Posts
    458 Views
    No one has replied
  • 0 Votes
    2 Posts
    438 Views
    M

    Bueller... bueller?

Noticed that when I add a domain to the whitelist, the unbound process spikes up to some crazy CPU utilization until, I am assuming, it's done syncing. Is there any way to speed up the process? This is an 8 core ATOM system with a C2758 processor... perhaps there's a way to just sync what's been added as opposed to going through everything in the list...?

  • Upgraded to 21.05 and now “/“ filesystem is filling with ….??

    3
    0 Votes
    3 Posts
    522 Views
    keyserK

    I can now also confirm the filling filesystem issue is gone once pfBlockerNG is changed to "Unbound Mode" instead of python mode.

    So this will serve as workaround until the issue with Python mode filling the filesystem is solved:

    NOTE: It seems my pfBlockerNG stopped logging DNSBL hits once I changed to Unbound mode.
The counters in the widget no longer increase, and no hits are registered in the DNSBL report.
But DNSBL is still active and working.

  • pfBlockerNG-devel v3.0.0_16

    3
    11 Votes
    3 Posts
    3k Views
    4

    https://forum.netgate.com/topic/164796/php-warning-filesize-stat-failed-for-tmp-dnsbl_add_data

  • PHP Warning: filesize(): stat failed for /tmp/dnsbl_add_data

    1
    0 Votes
    1 Posts
    301 Views
    No one has replied
  • PFBlocker will not create a firewall auto rule

    3
    0 Votes
    3 Posts
    399 Views
    G

    Hello? Anyone?

  • How define schedule time for DNSBL ?

    10
    0 Votes
    10 Posts
    2k Views
    mucipM

    Hi @reza3sw ,
This is a very old post but I want to ask anyway.
Please could you describe a little bit more about your process?

    Regards,
    Mucip:)

  • DNS over HTTPS/TLS Blocking & DNS Query Forwarding via SSL/TLS

    12
    0 Votes
    12 Posts
    3k Views
    Bob.DigB

    @jegr Yep, I thought whatever I do there in pfBlocker wouldn't affect my unbound config, but that is not the case. So it works as intended it seems. That was the question in my first post.

  • Website Blocking from PfblockerNG

    1
    0 Votes
    1 Posts
    271 Views
    No one has replied
  • Listen queue overflow

    5
    2 Votes
    5 Posts
    1k Views
    B

    @jdeloach I posted that message in May 2020.

  • 1 Votes
    2 Posts
    806 Views
    J

    Deleted reply.

  • unbound keeps stopping

    4
    0 Votes
    4 Posts
    899 Views
    S

    @gertjan I skipped over "unchecked" apparently, sorry costanzo. Unbound was reverted to an earlier version in 21.05 but he has that already.

  • cURL error in IP log files

    1
    0 Votes
    1 Posts
    198 Views
    No one has replied
  • pfBlocker + Squid + Squidguard

    1
    0 Votes
    1 Posts
    226 Views
    No one has replied
  • pfBockerNG, ads and trackers

    4
    0 Votes
    4 Posts
    684 Views
    GertjanG

    @ik2189 said in pfBockerNG, ads and trackers:

    What are the best URLs for ads or trackers ?

The 'quality' ones, the ones that contain all the domains and IPs that block all the ads etc.?
If it exists, it probably isn't for free.

What you can do:
Take some domains that feed pages with ads.
Try out all the feeds listed on Firewall > pfBlockerNG > Feeds one by one.
Check if the domain(s) that you've noted are listed. If so, keep that list as a candidate for your pfBlockerNG.

Or: create your own feed, and add domains to it while you keep new ones. Don't forget to maintain and publish it ... for free of course ^^

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.