• PFblockerng 2.2.1 with tdl, adding a schedule?

    2
    0 Votes
    2 Posts
    358 Views
    RonpfSR

    @dabone said in PFblockerng 2.2.1 with tdl, adding a schedule?:

    is there an easy way to schedule the block?

    There is no provision for scheduling in pfblockerNG.

  • 0 Votes
    3 Posts
    670 Views
    D

    Thanks!

  • failed install pfBlockerNG-devel: 2.2.1 on pfSense-2.4.4.a.20180717.0730

    4
    0 Votes
    4 Posts
    1k Views
    BBcan177B

    @matt1544 said in failed install pfBlockerNG-devel: 2.2.1 on pfSense-2.4.4.a.20180717.0730:

    Do you know what version of pfsense would be compatible?

    2.4.3 or less

  • 0 Votes
    4 Posts
    1k Views
    XentrkX

    @bbcan177 Thank you for the reply. When I first got into Selective Routing last year on my Asus router, I also used the entware package whob to mine IPv4 addresses. I also discovered that it did not return the number of IPv4 addresses compared to ipinfo.io. Here is a snip of example code used to obtain IPv4 for a website.

    # Pull all IPs listed for whatismyipaddress.com on radb.net
    whob -h whois.radb.net -- '-i origin AS16625' | grep -Eo "([0-9.]+){4}/[0-9]+"

    So, I went with ipinfo.io. I have since found two other similar sites. I too have been on the lookout for an alternative source. I will let you know if I find any.

  • pfBloquerNG and squid with squidGuard

    3
    0 Votes
    3 Posts
    445 Views
    _neok_

    I haven't got them working together yet. First I want to know if they can have conflicts with each other.
    I am using pfSense 2.4.3 and the latest versions of each product currently.
    These days I'll make them work together and I'll tell you anything new in this thread.
    Greetings

    Gabriel

  • Incorrect GeoIP entry in pfB_Top_v4

    3
    0 Votes
    3 Posts
    947 Views
    D

    Thank you very much for the quick reply. I hadn't considered the consequences of blocking India vs India_Rep.

    It turns out that entire subnet is controlled by Cisco and several of our Texas state counties are assigned IPs in that range. Since this "problem" only began after July 2nd (the last time they were able to connect to our mail server using that same IP), we assumed it was entered by mistake.

    I've informed our customer and they will get with Cisco to determine a resolution, as it seems they're also now being blocked by other mail servers as well as their hosted helpdesk app is failing. All of these problems began sometime after July 2nd, which is when I assume the IP was entered into the India_Rep database.

    Thanks again for your assistance!

    David

  • pfBlockerNG 2.1.2_3 Recently Blocking Gmail Inbound

    2
    0 Votes
    2 Posts
    365 Views
    yuljkY

    Nevermind - My bad, was a TLS configuration issue in Postfix!

  • 0 Votes
    3 Posts
    1k Views
    BBcan177B

    @fredlubrano said in PHP Warning: Illegal string offset 'vip' in /usr/local/pkg/pfblockerng/pfblockerng.inc on line 1128:

    amd64
    11.2-RELEASE
    FreeBSD 11.2-RELEASE #35 79c8a561b61(RELENG_2_4_4): Mon Jul 9 16:25:18 EDT 2018 root@buildbot3:/builder/ce-master/tmp/obj/builder/ce-master/tmp/FreeBSD-src/sys/pfSense

    In pfSense 2.4.4, it moves to PHP v7 which changed how arrays are defined. Unfortunately, you will need to drop down to a lower pfSense version until the package is reworked to address the new changes in PHP7.

  • PFBlock Logging

    4
    0 Votes
    4 Posts
    718 Views
    RonpfSR

    You should start a new topic for your problem.

    In your case, inspect the Alerts Tab to figure out what is blocking traffic.

  • PFBLOCKER SYSLOGS

    4
    0 Votes
    4 Posts
    1k Views
    BBcan177B

    @christenjm said in PFBLOCKER SYSLOGS:

    Thank you BBcan177, does pfBlockerNG send these logs to an external syslog server?

    They are not part of the pfSense syslog options at the moment, but possibly for next releases. You would have to manually send to a syslog as required.

  • pfBlockerNG v2.1.2_2, Using Shallalist categories?

    2
    0 Votes
    2 Posts
    395 Views
    BBcan177B

    DNSBL will filter any LAN device that uses pfSense for DNS requests. To have some devices bypass DNSBL completely, you would need to define those LAN devices to use a different DNS server.

    Unbound has a "view" option where you can manually configure some workaround:
    https://forum.netgate.com/topic/129365/bypassing-dnsbl-for-specific-ips

    Hope to add some more configurability to next versions, but for now it's a manual option.

  • Duplicating firewall lists on every interface

    5
    0 Votes
    5 Posts
    663 Views
    I

    Ok - done. Good so far, but if I see it happening again, I'll report back

  • Blocking all but the whitelist.

    4
    0 Votes
    4 Posts
    1k Views
    BBcan177B

    @mhab12 said in Blocking all but the whitelist.:

    https://forum.netgate.com/post/774687

    Using a "dot" in Squid is the same for Unbound. Create a "local-zone" with ".", and then define all the "local-data" entries that you want to allow. Any local-data not defined will return nxdomain.

    From the Unbound docs link posted previously:

    local-zone: <zone> <type>

    **static** If there is a match from local data, the query is answered. Otherwise, the query is answered with nodata or nxdomain. For a negative answer a SOA is included in the answer if present as local-data for the zone apex domain.
  • string offset error

    4
    0 Votes
    4 Posts
    760 Views
    BBcan177B

    @slimaxpower said in string offset error:

    So after an update and reboot I am getting curl error 28 on quite a few dnsbl feeds when updating or cron.
    youtube was being blocked, but not google or gmail etc.

    Something is blocking the Feed download. Review the Alerts/Reports tab to see what it could be.

    You can check if DNSBL is blocking the domain with a ping command and if it replies with the DNSBL VIP. Or check the "Deny" Table to see if it's being blocked by an IP Block.

  • Whitelisted items still apear in the alerts...

    1
    0 Votes
    1 Posts
    216 Views
    No one has replied
  • pfBlockerNG-devel 2.2.1_2: IP Alerts list (Deny) not showing alerts

    3
    0 Votes
    3 Posts
    1k Views
    J

    @bbcan177 Yes, I did restart both services. But the issue solved itself: I've looked after a few hours again and now the log and stats are filled.

    Strange, I have no idea why it took a while ...

  • 0 Votes
    2 Posts
    1k Views
    BBcan177B

    @newyork10023 said in pfBlockerNG rule element modification and ordering:

    To begin, pfBlockerNG_devel 2.2.1_2 is awesome. Wow. Thanks.

    Thanks!

    Certain feeds are naughty. For example, adding RFC 1918 (Private Address Space), Multicast addresses, etc., etc., etc., is just BAD. Blocking possibly necessary system addresses, including multicast addresses, etc., is just NASTY. Adding a WhiteList is not going to fix this issue. These rule elements need to be culled from the list(s), and I mean permanently.

    By chance are you using Firehol Level1? That feed contains bogons and should not be used for Outbound blocking. You can also enable "Suppression" which will remove local/loopback addresses.

    A couple of feature suggestions for automatic rule insertion: use rule Separators to bind automatic rule insertion to specific places in the rules. (Indeed, one of my pet peeves is that automatic rules re-arrange Separator organization in seemingly random ways.). Another suggestion would be that automatic rule insertion should not re-arrange rule ordering AT ALL (after their initial placement). Subsequent rule updates should update rules IN PLACE. I like the possibility that Separators could be used to bind automatic rule insertion. But, disabling all automatic rule insertion needs to be an option for DNSBL.

    Firewall rule separators will be very difficult to implement with pfBlockerNG and auto rules...

  • DNS RPZ (full URL)

    2
    0 Votes
    2 Posts
    1k Views
    BBcan177B

    DNSBL will block domains, it cannot block based on a URL as it is a DNS based blocker.

  • pfBlockerNG Ghost Auto Rule

    5
    0 Votes
    5 Posts
    990 Views
    Z

    Thanks,
    You gave me the direction I needed. I thought the Geo-IP tab was just a way to create rule in the IPv4 and v6 tab. I didn't realize it also kept rules independently. So solved
    Again, thanks

  • pfBlockerNG not blocking

    2
    0 Votes
    2 Posts
    586 Views
    BBcan177B

    Check the IPs with this shell command to see what MaxMind is listing as the GeoIP ISOcode (change the x.x.x.x to the IP you're looking at):

    geoiplookup x.x.x.x

    You also need to ensure that you have the blocking rules on the appropriate outbound Interfaces.

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.