@BBcan177:

Click on the "i" icon in the Alerts tab to do some research on that domain. Can also Google for "who <domain name="">".</domain>

The blocks from Russia and China are ok according to IPVOID but in my permit alert there are entries from the US coming in that are blacklisted.  I have outgoing Russia and China blocked and allow US incoming.  Guess I'll have the fine tune the incoming.  If you have any links on further reading on that topic I would appreciate it.

There should be a trashcan icon beside the Packets Title.

Thanks for the suggestion. I tried these out, but the level1 list blocks 192.168.0.0/16, which prevents local traffic.

Edit: God, and the webserver one blocked 8.8.8.8, which is Google DNS…

A good source for IP blocklists is http://iplists.firehol.org/

Personally, I use their merged lists since they merge a lot of the actively maintained lists out there:

DENY BOTH

firehol_level1
firehol_level2
firehol_level3
firehol_proxies
firehol_anonymous

firehol_level4 (sometimes I've changed this one to be just DENY INBOUND but whatever.

I believe I got it by adding my server's IP address and doing "Inverse" on the rule.

Thanks for helping out this newb! :)

I'd like to chime in here.  I think the TLD blocking is primarily for "outbound" traffic not inbound.  It's used with unbound DNS resolve.

So if you setup your systems like this you can screen nasty TLD's from your end users like this:  (Block TLD:  .top, .party, .ms <– which blocks skype auth, etc)...

PC DNS points to DNS server > DNS server DNS forwarder points to PFSense which uses Unbound, checks the TLD and decides > PFSense's DNS looks to your ISP or some other DNS provider like OpenDNS, Comodo, etc.

It's mean to protect internal LAN assets not block external ones.

NOW...if you want to block external TLD's form your mail server what type of mail server do you have?

You can block junk TLD's by parsing your log files or sometimes spam filters like mail cleaner let you just put the TLD's in there.  For POSTFIX you can do it like this:  https://whackersforhackers.com/2017/03/08/tld-blocking-in-postfix-mta/

There are more ways to TLD block BUT I'd suggest not using PFSense and TLD blocking in PFBlocker to do it because that's not what PFBlocker is trying to do here (I don't think with respect to TLD's and how DNSBL works).

Good luck!

Remove all those Whitelist entries that you manually added. Then browse to www.icloud.com, then whitelist it from the Alerts tab and see how that goes…

Perfect, that did it!

There are feeds that have a list of malicious IPs and there are feeds that have a list of ADvert domains and/or Malicious domains…

So with IP blocking, you will block the whole IP addresses.
With DNSBL, you will block the DNS request to those domains but this could be circumvented by accessing the literal IP address (unless those IPs are blocked in an IP block list).

Sometimes an IP can host several domains (sometimes hundreds..), so with an IP block it would block access to all the domains on that IP.... But blocking via Domain name, you are limiting the blocking to the known Domains only.

There are plus and minuses for both.... I find it best to block and deal with the False positives as the appear. You can suppress a Blocked IP and/or create a Permit rule to allow a blocked IP before a block rule takes effect. With DNSBL you can whitelist a domain.

YMMV

Thanks for the reply, as for the filter log I have it max out to 2000 and on the /var/log/filter.log
only get around 3.1k of lines which holds around 2 hours of firewall logs

Thank you

Still had to report back that it was solved. Thank you BB  ;D

@Soren:

I contacted Namecheap.  They said their upstream DNS provider (whoever that is) had done some maintenance which had caused problems with DNSSEC.  It should now be resolved.

I can now resolve and update the list.  Thank you for your much valued work :)

again don't filter by your IP, https doesn't provide the source IP

In your browser type F12 and look at the which URL are blocked.

Did you configure "Deny InBound" or "Deny Outbound"?  To block that you would have to have rules on your Outbound interfaces…

Also just a comment that you don't need to cat -> grep...    Just   ```
grep "^46.174." *.txt

I've gotten error notices regularly upon entering dashboard, it happening overnight and waking up to it. I got one after I instructed pfSense to reboot. I think I also got one for looking at it the wrong way.

So they've come back often, even after total clear out of settings and reinstall. Have rebooted numerous times, even updated pfSense one of those times.

Note that the Snort openappid rules are hosted in a University server in Brazil… and the Snort rules are hosted on s3.amazonaws.com ...

https://forum.pfsense.org/index.php?topic=131806.msg725825#msg725825

There is no whitelist per se... Just review the Alerts Tab to see what is getting blocked. You can either use the "+" Suppression/whitelist option, or create a permit outbound rule to allow your LAN to access those blocked IPs before the other Block rules take effect...

@skillsboy:

I have tried that pachage, but for some reason it didn't work for me.

@anajames:

The package does not work for me either. Any guide would be appreciated.

To implement this in pfBlockerNG DNSBL, just follow these basic instructions:
    https://forum.pfsense.org/index.php?topic=102470.msg572943#msg572943

Then enable the TLD option.
Enter all of the TLDs that you would like to block ie "ru" "cn" "pw" "top" etc… into the TLD Blacklist customlist. You can click on the blue infoblock icons for further details…

The benefit of using the TLD feature of the pfBlockerNG package is that blocking a TLD will also remove all other blocklist references to domains that have these blocked TLDs. So this will reduce the overall size of the DNSBL database...

You can also leverage the TLD Whitelist option, to allow a specific Domain while still blocking all other domains in a TLD.

Here is a list of the worst TLDs as reference:

https://www.spamhaus.org/statistics/tlds/
    http://toolbar.netcraft.com/stats/tlds

Hope that helps!

I think squid and squidguard package are the preferred package for this purpose. Do a web search on blocking websites using squid.

https://turbofuture.com/internet/URL-Filtering-How-To-Configure-SquidGuard-in-pfSense

Another option For blocking for all users by web categories, such as gambling, I use OpenDNS dns servers and create a free account to block categories and specific domains for one site I support. When someone goes to a blocked site, they get a HTML page with a message and the option to request the site be unblocked. An email is then sent to me.

Suddenly it works  :o even with RW_IPBL?

Thanks for all reply's

Did you get it working? I had problems too. Here is how I fixed it.

https://forum.pfsense.org/index.php?topic=126780.0