• PfBlockerNG Alerts tab stalls - Any Arguments

    9
    0 Votes
    9 Posts
    986 Views
    RonpfSR

    @petrt3522 said in PfBlockerNG Alerts tab stalls - Any Arguments:

    Is 18 seconds in norm for a search? My SG4860 has a msata 120GB drive.

    The time will depend on the size of log files. Some searches will time out with a 504 error after 5 minutes. However, the search is still running on the pfSense for up to 20 minutes, so use with caution.

  • pfBlockerNG Devel Not blocking Mainstream Porn

    3
    0 Votes
    3 Posts
    2k Views
    S

    @90ninety If you're looking to block adult domain names, you can also add one of the Chad Mayfield lists. They're under Firewall > pfBlockerNG > Feeds > Firebog_Other (all the way at the bottom of the feeds list). There are two you can choose from.

  • Blocking Websites and Custom Block Lists

    2
    0 Votes
    2 Posts
    183 Views
    No one has replied
  • SQLite database missing, Force Reload DNSBL to recover!

    8
    0 Votes
    8 Posts
    2k Views
    S

    Thinking about it logically, most using pfBlocker's DNSBL feature are probably using the actual DNS blocklists, so I bet the widget is looking for those items and they don't exist if only the SafeSearch feature is being used. Hence the error/warning.

    To think out loud for the forum, we could use the feed and do something like either:

      • set Windows DNS to forward to pfSense
      • set pfSense to forward to desired DNS (e.g. Quad9)
      • set Deny Outbound rule to block using DoH feed

    or

      • set Windows DNS to forward to desired DNS
      • create rule to allow Windows DNS to query desired DNS
      • create rule to deny to DoH feed (using Alias Native, so one can set an order with a custom rule)

    Most of our clients use Windows AD; the smaller ones just query the pfSense directly, so we can just block DoH using the feed.

    Edit: the Windows AD domain of course can be listed as a domain override pointing back to those servers on LAN.

  • pfblockerNG support to show dnsbl default.php for https sites

    1
    0 Votes
    1 Posts
    148 Views
    No one has replied
  • Turning pfBlockerNG on makes Microsoft Teams lagging

    5
    0 Votes
    5 Posts
    1k Views
    NollipfSenseN

    @runevn I use only two DNS that is openDNS. What Tzvia suggested should help.

  • TLD blacklist, exclusion and whitelist

    16
    0 Votes
    16 Posts
    6k Views
    A

    @bbcan177
    Thank you for your patience. I just could not imagine it being so hard to achieve this.

    I have some experience with Squid, where URL blocking/whitelisting is relatively easy. But I want to migrate away from it and pfBlockerNG seemed like a good alternative.

  • Is Krisk a good malwaredomains replacement?

    1
    0 Votes
    1 Posts
    306 Views
    No one has replied
  • pfBlockerNG-devel v3.0.0.10 causes Internet outage on SG-3100 at school.

    13
    0 Votes
    13 Posts
    1k Views
    G

    @mods @CTMarsh @BBcan177 @bldnightowl

    I wish there were some way for me to change the title of this topic. At the time I wrote the original post, pfBlocker seemed to be the culprit, but as we have all learned, it was the OS upgrade on the SG-3100.

    I reverted to 2.4.5_p1 and am holding there until something positive happens with the new OS.

  • Help with IP whitelisting needed please !

    1
    0 Votes
    1 Posts
    159 Views
    No one has replied
  • Floc

    2
    0 Votes
    2 Posts
    412 Views
    NogBadTheBadN

    @yorke pfBlocker doesn't look at the contents of the packets, just the FQDNs, and https packets will be encrypted.

    So it's a no.

  • WiThings Scale Website - Can't Access

    1
    1 Votes
    1 Posts
    256 Views
    No one has replied
  • CRON stall when reloading UNBOUND

    11
    0 Votes
    11 Posts
    946 Views
    RonpfSR

    @gertjan said in CRON stall when reloading UNBOUND:

    Live Sync means that pfBlockerNG3 loads unbound with flat DNSBL files.

    When enabled, updates to the DNS Resolver DNSBL database will be performed Live without reloading the Resolver.

    During Cron Updates, it will update Unbound with only changes using unbound-control, so no interruption and no memory shortage. However, Unbound Restart/Reload will check the *.conf files then load all *.conf into its db, draining memory.

  • 2 Votes
    1 Posts
    180 Views
    No one has replied
  • Problem after pfBlockerNG-devel 3.0.0_16 update

    20
    0 Votes
    20 Posts
    2k Views
    chudakC

    @ronpfs said in Problem after pfBlockerNG-devel 3.0.0_16 update:

    @chudak
    From any GeoIP tab : Click here for IMPORTANT info --> What's new in GeoIP2

    Cool, so far I don't see what's wrong. Do you ?

    I had a chat with MaxMind support and one thing jumped at me "it looks like the "registered country" for that IP address range is Germany. I'm wondering if pfSense is looking at that instead of the "country""

    That's interesting

    It'd be good to have a NordVPN and GeoIP user here to confirm this....

  • Disable action does not work ?

    33
    0 Votes
    33 Posts
    3k Views
    chudakC

    @ronpfs said in Disable action does not work ?:

    @chudak said in Disable action does not work ?:

    How does permit outbound actually work? (Need to think about it)

    That may contain some answers : https://docs.netgate.com/

    I am sure it does ! 😃

    Is Permit Outbound default setting for white lists ?

  • Another block for no good reason

    8
    0 Votes
    8 Posts
    856 Views
    chudakC

    @wolfsden3

    See this thread https://forum.netgate.com/topic/162883/disable-action-does-not-work/16?_=1618355648005

    Maybe helpful

  • 0 Votes
    1 Posts
    138 Views
    No one has replied
  • PFBng not blocking again

    2
    0 Votes
    2 Posts
    421 Views
    GertjanG

    Normally, I don't block TLDs as it needs a 'huge' quantity of resources.
    But ok, let's test :

    I tried blocking the tld "today" :

    [screenshot]

    A test :

    C:\Users\Gauche>nslookup 1618250475.site.goapp.today
    Serveur : pfsense.brit-hotel-fumel.net
    Address: 2001:470:1f13:5c0:2::1

    Nom : 1618250475.site.goapp.today
    Address: 10.10.10.1

    Which means :

    [screenshot]

    Btw : it's very rare to see this "black screen", as no one is (should not) using http:// any more.

  • Easy way to test pfBlockerNG wizard ?

    1
    0 Votes
    1 Posts
    144 Views
    No one has replied
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.