• Whitelisting dnsbl does not work

    2
    0 Votes
    2 Posts
    309 Views
    RonpfSR

    @cjbujold said in Whitelisting dnsbl does not work:

    a force reload(cron job)

    You should do a Force Reload DNSBL or ALL. Cron will only process the Whitelist if the Feed that contains it is downloaded.

  • File Download/Speed Test Locks Up pfSense

    8
    0 Votes
    8 Posts
    713 Views
    G

    I guess I should have tested more thoroughly. I have pfBlockerNG and Suricata running on it. If I disable either of these services, then the device doesn't lock up...though with just Suricata, it struggles to fully saturate a 400Mb pipe.

  • Make sure good connectivity from other countries

    14
    0 Votes
    14 Posts
    917 Views
    NogBadTheBadN

    You can drag the rules to suit; they are only re-ordered when you add new rules or modify them.

    Also you can define how they're added:-

    (screenshot attached: Screenshot 2019-06-19 at 08.22.28.png)

    Or you could use pfBlockerNG to create aliases then roll your own firewall rules.

  • DNSBL Out of Sync after reloads/updates

    8
    0 Votes
    8 Posts
    2k Views
    A

    @BBcan177 Everything looked good and had the appropriate check box checked. I saved the existing DNS Resolver settings and that seemed to correct the issue. Didn't see anything in the logs that stood out.

    Saving DNSBL database... completed Reloading Unbound Resolver..... completed [ 06/18/19 20:40:10 ] DNSBL update [ 515852 | PASSED ]... completed Adding to existing Unbound custom options

    I'll consider this issue closed. Thank you for the support.

  • DNSBL, list dns calls not blocked

    3
    0 Votes
    3 Posts
    418 Views
    F

    @BBcan177

    Thank you for the update! It looks nice. Keep up the good work!

  • Custom pfBlockerNG rule order

    8
    0 Votes
    8 Posts
    1k Views
    S

    Just out of curiosity, is it not possible for NAT/Port Forwarded rules to be placed in Floating Rules automatically, or moved to Floating Rules?

  • Download/Update Feeds Error

    9
    0 Votes
    9 Posts
    2k Views
    BBcan177B

    @arian_0098 said in Download/Update Feeds Error:

    cURL Error: 28

    Something is causing the timeout on your box... In the pfSense Resolver increase the "Log Level" to "2", and then review the "resolver.log" for the timestamp of the next updates, and see if you see any clues... also check the pfSense system.log for the same timestamps...

  • Does anyone know what these threat alerts are in list BBcan177/MS-1?

    2
    0 Votes
    2 Posts
    2k Views
    BBcan177B

    @guardian said in Does anyone know what these threat alerts are in list BBcan177/MS-1?:

    It's pretty rare that I see anything from the list BBcan177/MS-1, but I saw a couple of alerts today.
    According to the source on github:
    https://gist.github.com/BBcan177/bf29d47ea04391cb3eb0/
    the list was last active Apr 23, 2019, so maybe it's no longer current.
    The alerts were: (I added the whois below)
    192.0.78.25:443
    unknown
    (OrgName: Automattic, Inc)
    205.185.216.10:443
    map2.hwcdn.net
    (OrgName: Highwinds Network Group, Inc.)
    192.0.78.25 was under a section headed by:
    https://twitter.com/benkow_
    and 205.185.216.10 was under a section headed by:
    https://twitter.com/pancak3lullz
    but neither twitter feed showed anything obvious.
    I know this is one of BBCAN177's manually curated lists, so I'm hoping either @BBcan177 or someone else here on the forum can advise.

    From the Reports/Alerts Tab, click on the blue infoblock icon for Threat Source Lookups:
    https://dnslytics.com/ip/192.0.78.25
    https://pulsedive.com/indicator/?iid=34202&ioc=MTkyLjAuNzguMjU=

    Some passive DNS Resolution for that IP:
    https://www.virustotal.com/gui/ip-address/192.0.78.25/relations

    This IP will be removed from the Feed.

    Also note, in the MS_? Feeds, when the source was from a tweet, the Tweet ID is listed as a comment. Some of the older entries didn't have this reference.

    For this IP: 205.185.216.10, it has a tweet reference:
    https://twitter.com/pancak3lullz/status/746040971675131906

    https://dnslytics.com/ip/205.185.216.10
    https://pulsedive.com/indicator/?iid=34167&ioc=MjA1LjE4NS4yMTYuMTA=

    Some passive DNS Resolution for that IP:
    https://www.virustotal.com/gui/ip-address/205.185.216.10/relations
    https://securitytrails.com/list/ip/205.185.216.10?page=1

  • How to selectively bypass DNSBL

    6
    0 Votes
    6 Posts
    1k Views
    G

    @provels said in How to selectively bypass DNSBL:

    @guardian Blind squirrel finds nut!
    Pictures at 11!

    Sorry, but that one went over my head.

  • Selected Category from Shalla List

    2
    0 Votes
    2 Posts
    461 Views
    J

    Thanks Sir BBcan177 for wonderful sharing and creation.
    This concern is now resolved.
    For newbies like me, please see below the answer from Sir BBcan:

    "BBcan177
    It's in the DNSBL Category Page... Enable Shallalist, and then click the checkboxes for the categories that you want to enable. Best to enable the "TLD" option in the DNSBL Tab so that it wildcard blocks all domains/subdomains. Click on the blue infoblock icons for some more details for each option. Hope that helps get you started!

    A good tutorial:

    https://www.linuxincluded.com/block-ads-malvertising-on-pfsense-using-pfblockerng-dnsbl/

    https://mitky.com/pfblockerng-pfsense-filter-specific-clients-computers-network/

    Also check out Reddit:

    https://www.reddit.com/r/pfBlockerNG/"

    Thanks

  • Issues with resolving and no internet access..

    14
    0 Votes
    14 Posts
    3k Views
    A

    @BBcan177 Thanks for getting back.

    I am positive the site(s) are NOT in DNSBL, as I can eventually resolve them if I reload the browser page enough times. I will look through my rules.
    FYI I looked through the Resolver logs and did not see any errors.

    I am not using a proxy FYI.

  • pfBlocker only on specific ports

    13
    0 Votes
    13 Posts
    1k Views
    BBcan177B

    @bose301s said in pfBlocker only on specific ports:

    would like to use the GeoIP lists to block bad traffic from my two open ports

    At the bottom of all GeoIP and IPv4/6 pages for each Alias/Group is "Advanced Inbound/Outbound Firewall Rule Settings" which you can use to refine the Auto Type rules to add Ports/Destination IPs etc.... or follow the other recommendations to use "Alias type" and manually create the rules as required.

  • DNSBL Enable TLD RAM/freezing issues

    6
    0 Votes
    6 Posts
    1k Views
    S

    @sjtorrie

    I managed to add a SWAP to my install and this seems to have fixed my issues. I know this is a dated post, but this may resolve your/others' issues of locking up and the potential of using more DNSBLs.

    Regards

  • Unbound

    4
    0 Votes
    4 Posts
    614 Views
    A

    @BBcan177

    Same Issue ... No solution? 😑

  • Fixing PfBlocker-NG weak cipher and DH Strength Vulnerabilities

    12
    0 Votes
    12 Posts
    1k Views
    johnpozJ

    @isolatedvirus said in Fixing PfBlocker-NG weak cipher and DH Strength Vulnerabilities:

    people doing this without knowing the implications

    Dude - heheheehheh you have no freaking IDEA!!! heheheeheh that is a freaking given!!

  • [SOLVED] /tmp/rules.debug:42 Cannot allocate memory

    5
    0 Votes
    5 Posts
    6k Views
    B

    @BBcan177 Even better. ;-)

  • Solved - How can I block specific sites PFBlocker

    7
    0 Votes
    7 Posts
    991 Views
    G

    Thanks

  • pfblocker only blocking content on half the computers on the network

    4
    0 Votes
    4 Posts
    337 Views
    GertjanG

    So you know you are not alone https://forum.netgate.com/topic/143959/i-got-the-wrong-default-server

  • I got the wrong default server

    3
    0 Votes
    3 Posts
    439 Views
    GertjanG

    @Chasire said in I got the wrong default server:

    I got one from google (8.8.8.8).

    edit => you figured it out already : good 👍
    Still, read on, for some tips to enforce pfSense DNS usage.

    Easy solution : You should install DNSBL on Google DNS systems ;)

    Better solution : When you assign "8.8.8.8" to some PC, it will use "8.8.8.8" as its DNS, thus completely bypassing pfSense. Makes sense, right ?
    nslookup tells you what DNS server it's using.

    Your PCs should have "pfSense" as their only DNS "server".
    It should receive the DNS requests, and act upon them. Using DNSBL if you have that installed.

    So, yet another example of "use the default values and you would have been good".

    Btw : you could even place firewall rules on LAN(s) that permit TCP & UDP port 53 requests, destination "pfSense" - and block right after that rule any other DNS request to "anywhere". As discussed in the manual. That would force every device to use pfSense - and the DNS filtering - or : the device wouldn't have DNS anymore.

    IMHO : if you think that you have to filter your DNS, I would strongly advise you to take "8.8.8.8" out of the equation right away. Your situation is like this : "something happens that you don't like, and now the world's biggest company is also aware of that".

    And who is 192.168.123.2 ?

  • Blocking lists not working

    7
    0 Votes
    7 Posts
    1k Views
    C

    @NogBadTheBad I did, I have updated/reloaded my DNSBL and still got the same result. I run squid in pfsense. My web browser is in the proxy. I think that has something to do with the problem.

    (screenshot attached: 7cf0c40c-7977-4594-9490-829e359fc320-image.png)

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.