  • Exporting dnsbl lists.

    0 Votes · 2 Posts · 604 Views · BBcan177

    Next Release will have a Feeds Management Tab which will make this easier to manage:
        https://www.patreon.com/pfBlockerNG/posts?tag=Screenshots

  • PfBlockerNG & Firewall Aliases

    0 Votes · 7 Posts · 2k Views · BBcan177

    If you use pfSense Aliases, they are not accessible as a table unless you use the URL Table IPs option… Otherwise the IPs are stored in base64 format in the pfSense config.xml file

  • EasyList > No Domains Found

    0 Votes · 15 Posts · 2k Views · BBcan177

    @code4u:

    Awesome. Thank you. That solved my problem! Now the "No Domains Found" error makes sense. :-) Maybe it would help newbies if the error further stated:  "Check to ensure that you're not adding IP based feeds to the DNSBL tab which is for domains based feeds. IP based feeds need to be added to the IPv4 tab." or something similar.

    Ok I will adjust the text…Thanks...

    Some DNSBL Feeds listed here:
        https://forum.pfsense.org/index.php?topic=102470.msg572943#msg572943
        https://forum.pfsense.org/index.php?topic=102470.msg573159#msg573159

    Next Release will have a Feeds Management Tab:
        https://www.patreon.com/pfBlockerNG/posts?tag=Screenshots

  • PfBlockerNG preventing PBS channel on Roku 4 from Working

    0 Votes · 9 Posts · 1k Views · BBcan177

    @Xentrk:

    @BBCan177, how come the DNSBL Alert Log reports the IF and Source as unknown?  Is there a setting I need to configure?  I still see IF and Source information from some LAN clients.

    This is already addressed in the upcoming release…

  • DNS Whitelist

    0 Votes · 3 Posts · 1k Views

    Thanks.
    Managed to do it and whitelist the domains.

  • Pfbl and squid coexistence

    0 Votes · 2 Posts · 560 Views

    I have almost the same configuration, but in my setup all three are working beautifully excepting one stubborn domain that I cannot seem to be able to block (steepto.com).

    Take a look at this thread: https://forum.pfsense.org/index.php?topic=142077.0

    One suggestion, install squidguard too and they may behave…

  • "EU" country code block?

    0 Votes · 2 Posts · 715 Views

    grep "IP listed under feed"  /usr/local/share/GeoIP/cc

    Or

    Open /usr/local/share/GeoIP/cc/Europe_v4.txt  and search for the IP that's blocked.  Scroll up to the previous # mark and it should have a header for the country name.

  • When should I block inbound?

    0 Votes · 4 Posts · 669 Views · BBcan177

    @cyberzeus:

    You only need to add rules to the Inbound, if you have any open WAN ports that you would like to filter on.

    To add to this, I think most guides say to use Deny Both because while you may start out with the default case of all unsolicited inbound WAN traffic being blocked, as soon as a single port is open for service, the game is afoot.  So, if you start out with Deny Both, then at least you're covered if something changes on the WAN and you forget to change your pfB protection.

    Personally, I use Floating for my pfB lists and have them attached to both WAN\LAN…

    Keep in mind that adding rules to the WAN when there are no open ports is wasting processing power of the box and slowing down queries, as each inbound packet will go thru each table unnecessarily.  You're also going to fill the widget and logs with noise and miss out on the real events that were being blocked which should be investigated….

  • PfBlockerNG list alerts are logged under the incorrect rule\alias

    0 Votes · 6 Posts · 635 Views · BBcan177

    @cyberzeus:

    So first, De-dup was NOT enabled - I chg'd this and now have much better results - THANK YOU.  Next, you read my mind - as when to not use de-dup.  You mentioned "Alias Native" which I can research here but please also feel free to discuss that or other situations where de-dup would\should not be used.

    Thanks again…really appreciate the help...OH, by the way - pfB really does kick ass...killer package...one of the reasons I choose pfSense...there are many reasons why but pfB is definitely one of the tops...

    You could also use "Alias Deny" which will use deduplication….

    Sometimes you might add a Feed to block an ASN for a particular segment of the LAN, so using Alias Native will create its own isolated aliastable without deduplication taking effect and affecting the IPs in the other blocklists... Just one example...

  • DNSBL Not Blocking Ads or Yahoo

    0 Votes · 5 Posts · 2k Views

    That was it!! Thank you ;D

  • DNSBL EasyList - Language specific lists

    0 Votes · 10 Posts · 4k Views

    Hi,

    This looks great, and exactly the functionality I was looking for!  I see the sneak peek was from January 2017 … any chance it will be coming soon?  Or is it out already and I need to update?

    Don't give up on the good work!

    Thanks,
    Dave

  • Whitelisting advice….

    0 Votes · 2 Posts · 764 Views · BBcan177

    To overcome an IP blocked event, you have two choices:

    Suppression - This is limited to only /32 and /24 blocked events.

    Add the IP to a Permit Alias, that will permit the IP outbound, before the Block rules take effect.

  • Can we create a diagnostic sticky?

    0 Votes · 7 Posts · 522 Views

    @RonpfS:

    Are you using the pfSense DNS Resolver?
    And are your PCs using pfSense for DNS service?
    Maybe post the logs after a Force Reload DNSBL?

    If my settings are correct I should be using the DNS Resolver.

    Most all of my connected devices are set up with static settings. For each they use the pfSense interface gateway address for the DNS address. For example, the PC I have been using for testing pfSense has an IP of 192.168.10.10, the Gateway is 192.168.10.1 and the DNS is also 192.168.10.1.

  • DNSBL Config Question

    0 Votes · 4 Posts · 917 Views · RonpfS

    @tagit446:

    @RonpfS:

    You select the Interfaces where devices use pfSense/DNSBL for DNS resolution. This will create NAT rules to forward web requests to the VIP.

    Please elaborate as I use it on all interfaces (I thought?) but this option only allows you to choose one from the drop down.

    Yeah, I wasn't on the DNSBL tab at the time. So you select one of the LAN interfaces then  ;)

    @tagit446:

    Have to admit this one confuses me due to the VPN.

    I don't have VPNs here.

  • How to stop pfblockerNG from blocking sites??

    0 Votes · 4 Posts · 2k Views · RonpfS

    Most domain names end up in the TLD if you enabled TLD.

    For example : 6634248.fls.doubleclick.net

    grep 6634248.doubleclick.net /var/unbound/pfb_dnsbl.conf

    grep fls.doubleclick.net /var/unbound/pfb_dnsbl.conf

    grep doubleclick.net /var/unbound/pfb_dnsbl.conf

    local-data: "www.doubleclick.net.my 60 IN A 10.10.10.1"
    local-zone: "doubleclick.net" redirect
    local-data: "doubleclick.net 60 IN A 10.10.10.1"

    If you put 6634248.fls.doubleclick.net in the Custom whitelist, it won't whitelist it, as any request for *.doubleclick.net will give the VIP address.

    So if you want to whitelist all subdomains *.doubleclick.net, you add *.doubleclick.net to the Custom whitelist.

    If you want to only whitelist 6634248.fls.doubleclick.net then you have to put doubleclick.net in the TLD Exclusion List. Do a Force Reload DNSBL; now instead of collapsing all doubleclick.net domain names into *.doubleclick.net, it will just collect all doubleclick.net domain names as they are listed in the tables. This could increase the number of Domains in DNSBL by hundreds.

    After the Force Reload DNSBL, you can then whitelist any doubleclick.net domain from the Alerts Tab or with Custom Whitelist.

    When you are done whitelisting domains, I recommend running Force Reload DNSBL to settle things. Sometimes whitelisting temporarily vanishes at a Cron Update if the table containing the whitelisted domain names isn't downloaded, then magically returns at the next Cron update that downloads the table.

  • How to get DNSBL to work

    0 Votes · 2 Posts · 394 Views

    Got it working by selecting unbound in the DNSBL feed when creating the blacklist. Also restarted pfSense.

    Thanks,
    Sub

  • Need settings explanation

    0 Votes · 2 Posts · 505 Views · BBcan177

    Ram Disks aren't really recommended for packages, as they store the package data in the /var folder which with RAM Disks is all lost on a reboot….

    So when you do reboot, you will need to run a Force Reload - ALL to get everything working again.

  • PfBlockerNG and another DNS server within LAN

    0 Votes · 3 Posts · 1k Views

    @BBcan177:

    You can still use an internal DNS server. You just have to make sure that the internal DNS server has its external forwarders set to only pfSense. To utilize DNSBL, you will need to use Unbound and not the DNSMasq forwarder in pfSense.

    That's what I thought, thank you!

  • DNSBL enable/disable is independent of General disable/enable

    0 Votes · 3 Posts · 635 Views · Qinn

    @BBcan177:

    This has been addressed in the upcoming release.

    Also Malc0de shouldn't have added Github. They don't seem to have a contact. So hard to remove those False positives upstream. You can either suppress or whitelist it.

    Thanks for letting me know.

    Season's greetings and cheers, Qinn

    btw looking forward to v2.2x ;)

  • PfBlockerNG and NAT

    0 Votes · 3 Posts · 2k Views

    Thank you BBcan177. I clarified my post a bit, although you answered my questions. So I will modify my configuration as suggested by you:
    @BBcan177:

    You can define your own GeoIP aliastables by going to the IPv4/6 Tab and in the Source field, add the full path of the GeoIP ISO code.

    I have to find that GeoIP ISO code list because a copy pasted table won't be updated.
    @BBcan177:

    So instead of adding the rules on the NAT rule, create the rules in the Floating Tab or on each individual Interface.

    This will hopefully solve this inconsistency:
    @ui5-5e:

    NAT, or rather the corresponding FW rule, takes it all (custom port, protocol, block, pass). Thus neither the PfBlockerNG general settings (permit/deny etc.) nor the PfBlockerNG advanced inbound settings (protocol, port-alias) have any impact, as long as they are used in the NAT (source) definition.

    I have thankfully used pfSense and PfBlockerNG for years  :)

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.