• Dnsbl is partial blocking ios games

    0 Votes
    2 Posts
    621 Views
    BBcan177

    Do you have TLD enabled? If so, the whole domain might be blocked, so you need to read the whitelist popup instructions to see why the IP was blocked in the first place. There is also an Icon Legend at the bottom of the page which will indicate the Whitelist Icon details.

    Did you clear the DNS cache after applying the whitelist?

    You can also set the DNS on a particular LAN device to use another DNS server (say 8.8.8.8), which will essentially bypass DNSBL until you have time to figure out what blocked domain is causing issues.

  • Dnsbl causes iOS apps to hang

    0 Votes
    19 Posts
    4k Views
    ?

    If anyone else is having the same issue I was having with pfblockerNG while having a traffic shaper (especially with this method) https://forum.pfsense.org/index.php?topic=63531.0
    I was able to completely resolve this issue by upgrading to the 2.4 beta (at the time I'm posting this) and was able to have no issues with my iOS devices loading web pages slow or certain apps hanging.

  • Is pfBlocker and Snort compatible?

    0 Votes
    13 Posts
    3k Views
    R

    @BBcan177:

    I believe that the Snort OpenAppID Detector Feed is based in South America…

    Yep, Brazil… this is the one you helped me with. I don't use the country lists for that region.

    TLD blacklist
    br
    edu.br

    TLD whitelist
    www.ifs.edu.br|200.133.48.21 # for SNORT OpenAppID rule
    ifs.edu.br|200.133.48.21 # for SNORT OpenAppID rule
    thor.ifs.edu.br|200.133.48.21 # SNORT OpenAppID rule

  • Custom List Alias Not Generating Correct File?

    0 Votes
    3 Posts
    624 Views
    M

    Yes, that would make sense.

  • IPv4 lists and speed?

    0 Votes
    3 Posts
    917 Views
    QinnQ

    @BBcan177:

    Next release will have a whole set of recommended feeds to use…

    Thanks, I am looking forward to that one!

  • DNSBL Service won't start

    0 Votes
    16 Posts
    7k Views
    R

    Working for me as well. Thanks for your help!

  • Best Recommended ip block lists for pfblocker

    0 Votes
    3 Posts
    8k Views
    A

    Excellent!!! Can't wait for that ;)

    You're a star!!

  • PfBlockerNG v2.1.1_8

    0 Votes
    3 Posts
    3k Views
    A

    Great work!!
    Looking forward to the new IP block lists  :)

  • Blocking Microsoft Spy Servers

    0 Votes
    2 Posts
    1k Views
    A

    Thank you for your post ;)
    Always good to block windows ;)

  • PfBlockerNG deduplication is out of sync a lot

    0 Votes
    2 Posts
    2k Views
    BBcan177

    Check the pfblockerng.log for details.

    You can try to clear out all the previously downloaded feeds:

    Uncheck - Enable pfBlockerNG
    Uncheck - Keep Settings

    Save

    Then check both checkboxes
    Force Update

  • Pfblockerng false positive vulnerabilities?

    0 Votes
    5 Posts
    1k Views
    ?

    Awesome thanks for the very detailed and easy to understand explanation!

    Keep up the good work!!

  • Allow select countries vs. blocking the world

    0 Votes
    9 Posts
    10k Views
    N

    @BBcan177:

    They 80 and 443 are forwarded to my nextcloud server and 443 UDP to my openVPN server.

    For this Permit Inbound you should define a new alias with the two destination IPs of those two servers. I would assume that they are static since you have port forwards in place? If you wanted to control the outbound that is defined in the permit outbound firewall rule settings, so it can be defined as required.

    Did you run a Force update after the changes? Did you enable floating rules? If so, it would be placed in the floating rule tab.

    I didn't enable floating rules but didn't realize I needed to run a Forced update. After the update the rule was there. So I have now prevented anyone outside the US from gaining access to my nextcloud and openVPN servers as this rule is above my default WAN: block IPv4 and IPv6 rules. Thanks for your help, and patience.


  • Cert error - tracker.h3x.eu

    0 Votes
    5 Posts
    960 Views
    BBcan177

    @justsomeguy6575:

    Makes sense. Thanks for the explanation and all the work you put into this.

    Am I correct in assuming it's not possible to block say github.com/gentilkiwi/mimikatz/releases/download/2.0.0-alpha-20141213/ but not block github.com itself?

    No, DNS Filtering (DNSBL) will block the full domain or sub-domain DNS resolution… You would have to use a Proxy to filter by a URL.

  • PHP Stack trace error

    0 Votes
    4 Posts
    1k Views
    SLIMaxPowerS

    worked ty

  • Using pfblockerNG for blocking facebook and google

    0 Votes
    16 Posts
    18k Views
    M

    If I read the thread so far correctly, you are in a position that you have added DNS blackholes for facebook.com and google.com, but are unhappy that the domain fbcdn.net and traffic to facebook's IP space are not blocked when you expected them to be.

    The behaviour you're seeing is correct for the configuration you have so far, if you want other domains blocked (like fbcdn.net) then you need to block them in your list as you have done for the other domains.  Many other domains for both facebook and google will also not be blocked (for example youtube.com even though it is part of google).

    Even when you block the DNS request pfSense will not stop traffic going to IP addresses directly (for example pinging 31.13.70.7 would still work).  To block traffic entirely you would need to add their domain/AS numbers to IP4 & IP6 lists (Google are AS15169 and facebook are AS32934) and tick the 'domain/AS' box.  I can't remember if you need to include AS prefix as part of the number or not, I'm sure someone will be able to confirm that for you.

  • PfBlockerNG/DNSBL can't get it to work on multiple interfaces.

    0 Votes
    4 Posts
    4k Views
    BBcan177

    Did you enable the "DNSBL Permit Rule" option?  If not, enable that and select all of the LAN Subnets in the select box that need to access the DNSBL VIP. This will create a floating permit rule which will allow those other subnets.

    Floating rules are processed first, followed by the other Interface Rules. Rules are also processed Top to Bottom.

    You don't need those two other NAT Port forward rules.

  • RoughTed

    0 Votes
    4 Posts
    1k Views
    BBcan177

    @bartkowski:

    Or the RAW format https://gist.githubusercontent.com/BBcan177/4a8bf37c131be4803cb2/raw/396eb85f00418569cd5e82f71b9d96275163d970/MS-2

    Best to use the RAW format. Keep in mind that you need to remove the last part of the Gist URL or you will not download any further commits to the Gist.

    Here is the URL that can be used in the package:
    https://gist.githubusercontent.com/BBcan177/4a8bf37c131be4803cb2/raw

  • GeoIP

    0 Votes
    3 Posts
    1k Views
    U

    Thank you for the link and explanation.

  • Importing xml list

    0 Votes
    2 Posts
    789 Views
    BBcan177

    You can add this to the IPv4 and v6 tabs as required and it should pull in the respective IP addresses. It will pull all the IPs into one alias. The domain names will not be parsed tho.

  • DNSBL - Blocking of iOS App Downloads

    0 Votes
    4 Posts
    3k Views
    RonpfSR

    When you click on the suppression icon, pfBlockerNG will Whitelist the domain and its CNAMEs.  8)

    If you do the suppression directly in the DNSBL Whitelist, you have to find the CNAMEs and add them to the list.  ;)

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.