• Can't access webgui after setting up DNSBL

    2
    0 Votes
    2 Posts
    865 Views
    J

    Hi.

    Stop the firewall filter via the shell (console menu, option 8, Shell):

    ```sh
    pfctl -d
    ```

    Reconfigure your pfBlockerNG or whatever you need, and enable the firewall filter again:

    ```sh
    pfctl -e
    ```

    Regards.
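
While pf is disabled nothing is filtered and nothing is NATed, so the WAN is wide open and LAN clients lose outbound NAT until `pfctl -e` runs; `pfctl -s info` (first line `Status: Enabled ...` or `Status: Disabled`) confirms which state the box is really in. The wrapper below is an added example for this thread, not the post's own commands and not pfSense or pfBlockerNG code: it guarantees the re-enable step runs even if the reconfiguration raises or is interrupted. It assumes a pfSense/FreeBSD host with `pfctl` on PATH; the injectable `run` parameter is an assumption of the example so the sequencing can be exercised without touching a live firewall.

```python
# Added example (not pfSense/pfBlockerNG code): make the `pfctl -d` ... `pfctl -e`
# maintenance window exception-safe. Assumes `pfctl` is on PATH; `run` is an
# injection point for this example only, not a pfSense API.
import subprocess
from contextlib import contextmanager
from typing import Callable, Iterator, Sequence

Runner = Callable[[Sequence[str]], int]


def run_pfctl(args: Sequence[str]) -> int:
    """Invoke `pfctl <args>` and return its exit status (0 on success)."""
    return subprocess.run(["pfctl", *args], check=False).returncode


@contextmanager
def pf_disabled(run: Runner = run_pfctl) -> Iterator[None]:
    """Disable pf on entry and re-enable it on exit, including on exceptions.

    While the body runs the host has no packet filtering and no NAT: the WAN
    is open and LAN clients lose outbound NAT, so keep the window short.
    """
    if run(["-d"]) != 0:
        # Nothing changed; do not run `pfctl -e` for a state we never entered.
        raise RuntimeError("pfctl -d failed; packet filter state unchanged")
    try:
        yield
    finally:
        # Runs after a normal exit, an exception, or a KeyboardInterrupt in
        # the body. A failure here is fatal: the firewall may still be off.
        if run(["-e"]) != 0:
            raise RuntimeError("pfctl -e FAILED: packet filter may still be disabled")


def pf_is_enabled(info_output: str) -> bool:
    """Parse `pfctl -s info` output: its first line starts with
    'Status: Enabled for ...' or 'Status: Disabled'."""
    for line in info_output.splitlines():
        if line.startswith("Status:"):
            return line.split()[1] == "Enabled"
    raise ValueError("no Status line in pfctl -s info output")


if __name__ == "__main__":
    # Real use from the console shell (menu option 8): reconfigure pfBlockerNG
    # in the GUI while inside the block, then pf comes back automatically.
    with pf_disabled():
        input("pf is DISABLED. Reconfigure pfBlockerNG in the GUI, then press Enter: ")
    out = subprocess.run(["pfctl", "-s", "info"], capture_output=True, text=True).stdout
    print("pf enabled:", pf_is_enabled(out))
```

The `finally` clause is the whole point: an uncaught error in the reconfiguration step (or a Ctrl-C) still ends with `pfctl -e`, and a failed re-enable raises loudly instead of exiting quietly with the filter down.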
  • Blocking some permitted geo local IPs

    4
    0 Votes
    4 Posts
    784 Views
    BBcan177B

    Either will work… Up to you what's the easier method to manage...

  • Web Proxy Blacklist

    3
    0 Votes
    3 Posts
    3k Views
    BBcan177B

    I haven't tested these myself, but you could try these for Proxy blocking …

    http://tools.rosinstrument.com/proxy/l100.xml
    http://tools.rosinstrument.com/proxy/plab100.xml
    http://www.xroxy.com/proxyrss.xml
    http://www.sslproxies.org/
    http://www.socks-proxy.net/
    http://www.proxz.com/proxylists.xml
    http://www.proxylists.net/proxylists.xml
    http://txt.proxyspy.net/proxy.txt
    http://www.proxyrss.com/proxylists/all.gz

  • DNSBL works but no Alerts are logged (SOLVED)

    2
    0 Votes
    2 Posts
    2k Views
    S

    I just found the problem!

    For LAN I have firewall rules that allow/pass some ports and, at the end, a deny-all rule. Apparently with this setup (i.e. no default allow rule), for DNSBL to work properly two rules need to be added:
    on LAN, pass source any, destination 127.0.0.1 port 8081
    on LAN, pass source any, destination 127.0.0.1 port 8443

    In fact, before these rules DNSBL was working… kind of; the browser was timing out on each blocked DNS name/IP.

    Hopefully this will help other newbies to pfBlockerNG.

    I take this as an opportunity to thank BBcan177 for the outstanding work!

    SenseRider

  • Pfblocker dependencies

    2
    0 Votes
    2 Posts
    793 Views
    jimpJ

    You should not need to do anything manually. It will install dependencies automatically.

    Post the whole output from the install attempt that failed.

  • Only allow RDP from Australia (NOOB)

    9
    0 Votes
    9 Posts
    2k Views
    J

    Hi.

    Ok, I see now. Do not edit the floating rule (sorry :) )
    Set "Permit Inbound" in pfBlockerNG for Australia; both is not necessary.
    As you already have the NAT port forwarding rule, I suppose one rule was automatically created (along with the NAT) on the LAN to allow access from WAN to port TCP 3389 at the RDP server, and on WAN the pfBlockerNG floating rule permits traffic from Australia. And the default (last) rule on WAN blocks the rest.

    Regards

  • [ pfB_blocklist block ] Download FAIL

    7
    0 Votes
    7 Posts
    4k Views
    RonpfSR

    Do you have suppression enabled?

    https://forum.pfsense.org/index.php?topic=105977.msg592741#msg592741

  • DNSBL DNS sever setting

    5
    0 Votes
    5 Posts
    1k Views
    Q

    Yep, tried it both ways, plus placing DNS server addresses in the OpenVPN override bit (using OpenVPN as the main interface so all traffic is through the VPN) and anywhere else I can find to put them, but it's ignored.

    Seems to be a problem with the DNS Resolver or my inability to find how to set up DNS on the system.

  • How to remove Ads removal message

    2
    0 Votes
    2 Posts
    2k Views
    M

    The message is coming up because the DNS request is pointing to the internal server, which responds with an SSL-encrypted GIF using its internal certificate.

    IIRC you may be able to get rid of the message by having the client trust the server certificate, but the blocking offered is a DNS redirection so even then it won't stop blank boxes from coming up as that's part of the HTML/CSS of the page.

    You'd need to use Squid and one of the adblock solutions which alters the html content if you want to completely hide the blank spaces/ invalid certificate messages.

  • PfBlockerNG update removing firewall rules schedule

    5
    0 Votes
    5 Posts
    2k Views
    J

    Thank you so much for taking the trouble to point me in the right direction.

  • Some issues with SG firewall

    3
    0 Votes
    3 Posts
    830 Views
    T

    @nahadot:

    Hi Guys,

    I have been running into some issues with my SG-2440 and I thought someone might be able to help me sort things out.
    I am running version 2.3.2-RELEASE-p1

    Issues:
    1. When I am using pfBlockerNG and I am selecting GeoIP blocking for specific countries, it all works well. Then I am trying to add some exceptions for some IPs in the countries I have previously blocked, so I am adding these rules above the GeoIP ones. I am saving the order (Save button, then "Apply Changes", then "Reload Filter"), then I am applying, and this also works well if I don't touch anything else. However, once I am forcing a reload (Update -> Run or Force Reload), the rule that I placed above the GeoIP ones goes below them for some reason. Because pfBlockerNG is updating the config every day, every day I have to reorder the rules again. I would normally expect the order of the rules to stay the same. Is there a workaround for this?

    2. I have noticed that every time I am touching the WAN interface (unplugging/replugging the cable) the pfSense firewall is getting into some kind of stuck state even minutes after the cable is replugged. Everything becomes very slow when accessing the 2440 device via LAN, and the pfSense box is also losing access to the internet. I am not using PPPoE on the WAN; my provider is giving me an IP address via DHCP, and on the WAN I can see I have an IP address after the cable is replugged. I did not have too much time to look into this last issue yet. I will post some more info once I debug this a bit more. However, I noticed the same problem when I tried to hardcode speed/duplex. The only way I could recover was to reboot the pfSense box. I will try to reproduce and do a packet capture and see what is going on exactly, but if someone recognizes the symptoms described above let me know.

    Thanks!

    I have seen the same issue whenever my ISP does a reset on my cable modem and changes the IP. I was able to debug part of the issue; it came down to how /etc/rc.newwanip interacts with services_unbound_configure, which is defined in /inc/services.inc. A race condition happens when DNSBL is enabled; in my case 1,366,154 lines in /var/unbound/pfb_dnsbl.conf try to load.

    As a quick fix, I commented out the reload process in /etc/rc.newwanip. I am sure the devs have a reason to reload unbound when the WAN IP changes but have not had time to investigate.

    ```php
    /* reload unbound */
    //services_unbound_configure();
    ```

  • Problem with ordering

    5
    0 Votes
    5 Posts
    2k Views
    R

    Thank you very much. I changed all to Alias type and made my own rules manually, and all is working.

  • Alerts not showing all entries, just last hour or so.+ issue updating

    5
    0 Votes
    5 Posts
    1k Views
    RonpfSR

    Iblocklist lists are not very up to date, check http://iplists.firehol.org/ to see when they were last updated, only 6 lists were updated lately as of today.

    You should probably take your lists from the source and not from a third party like iblocklist.com.

  • DNSBL VIP resolution from Win7

    4
    0 Votes
    4 Posts
    1k Views
    J

    Well, I put this issue aside to think about, and was out of the office for a few days.  When I returned this morning I saw in the DNSBL log files that another Win7 box on the network is now listed as blocking sites.  It is a box that last week was tested and was not working.  So I tested my own Win7 box, and DNSBL is now working on it.  My box had not been shut down or rebooted between the time it was tested as not working and today, when it is working.

    So I don't know what to say other than there is something fishy in the Windows network stack.  All of our LAN boxes get their network, dns, dhcp, and gateway information from our dnsmasq server, so they are all configured the same.  We are running the Avast Antivirus clients here, but I do not see any option to re-route the incorrect dns queries to the proper address.  And we are not using a proxy here.

    Anyway, I will now consider this fixed/solved.  Even though the true issue is still not identified.  I give up and will move on to something else.

    Thanks for the input.

    Jeff

  • Memory error reloading pfB_Top_v6 (SOLVED)

    5
    0 Votes
    5 Posts
    2k Views
    RonpfSR

    It's not pfBlockerNG that generates the error, it's the reload process.

    Default settings in pfSense cannot handle huge alias tables like the GeoIP IPv6 tables.

  • EasyList Alias missing upon setup

    8
    0 Votes
    8 Posts
    2k Views
    J

    Ok, I am getting close on this, but am still puzzled about what is happening.  The Windows boxes on my LAN have their DNS reference pointing to the dnsmasq box (192.168.112.51), and the dnsmasq box only has the pfSense gateway/firewall box (192.168.112.11) listed in its /etc/resolv.conf file, and therefore is forwarding all DNS queries to the pfSense box.  The pfSense box has the DNS Resolver enabled.  In System/General Setup there are two upstream DNS servers from my provider, and one public DNS server from Google.  The "Disable DNS Forwarder" box on the General Setup page is not checked.  Therefore 127.0.0.1 shows as the first DNS server on the dashboard page.

    The EasyList sites are blocked when queried from the pfSense box.

    ```text
    nslookup ad.doubleclick.net
    Server: 127.0.0.1
    Address: 127.0.0.1#53
    Name: ad.doubleclick.net
    Address: 10.10.10.1
    ```

    If I query the same site from a test Linux box on the local network I get the same results.

    ```text
    [root@disect ~]# nslookup ad.doubleclick.net
    Server:        192.168.112.51
    Address:        192.168.112.51#53
    Name:  ad.doubleclick.net
    Address: 10.10.10.1
    ```

    If I query the same site from a Windows box on the local network I get a different result.  I even made sure to flush the Windows DNS cache before doing the query.

    ```text
    C:\Users\jeffb> nslookup ad.doubleclick.net
    Server:  taxa.mei.lan
    Address:  192.168.112.51
    Name:    dart.l.doubleclick.net
    Address:  216.58.216.134
    Aliases:  ad.doubleclick.net
    ```

    So I started a Wireshark trace on the Windows box to see what was happening.  Below is the summary of the final two sets of packets from the query and response exchange.

    ```text
    1267 6.512617000 192.168.112.101 192.168.112.51 DNS 78 Standard query 0x0004  A ad.doubleclick.net
    1269 6.513636000 192.168.112.51 192.168.112.101 DNS 94 Standard query response 0x0004  A 10.10.10.1

    1271 6.524775000 192.168.112.101 192.168.112.51 DNS 78 Standard query 0x0005  AAAA ad.doubleclick.net
    1273 6.525384000 192.168.112.51 192.168.112.101 DNS 78 Standard query response 0x0005
    ```

    A traceroute to ad.doubleclick.net from the Windows box shows that it initially goes to the pfSense box, then goes out to an IP of my upstream provider, then on to obtain the correct DNS number.

    From the Wireshark data it appears that DNS is returning the virtual IP of 10.10.10.1 for the DNS block list.  Searching the Wireshark data I can not see the address that the Windows box is showing at the command line response to the nslookup (216.58.216.134) anywhere.  So I don't understand why the Windows box is getting the correct DNS address for this site, while a Linux box on the lan, and the pfSense box are both returning the virtual IP for the block list.  What else should I be looking for, or looking at?  Thanks.

    Jeff
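
The capture in the post is the useful evidence: the wire carries the DNSBL VIP (10.10.10.1) to the Windows host, yet the host's own nslookup prints a public address, so the divergence is on the host, not in the resolver chain. The script below is an added example for this thread, not the poster's code and not part of pfBlockerNG: it takes one-packet-per-line summary lines in the format quoted above, pairs queries with responses by (client, resolver, transaction id), and flags three things a DNSBL operator cares about: clients querying a resolver other than the sanctioned one, sinkholed names answered with something other than the VIP, and hosts whose own answer does not match what the wire carried. The resolver 192.168.112.51, the VIP, and packets 1267 to 1273 come from the thread; the second client (192.168.112.102), its exchange with 8.8.8.8 and the `HOST_VIEW` table are constructed for the example.

```python
# Added example (not the poster's code, not pfBlockerNG code): localise a DNSBL
# problem by comparing on-wire DNS with each host's own view. Packets 1301/1302,
# client 192.168.112.102 and HOST_VIEW are constructed; the rest is from the post.
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set

IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
_HEAD = r"^\s*\d+\s+[\d.]+\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+DNS\s+\d+\s+Standard query "
QUERY = re.compile(_HEAD + r"(?P<txid>0x[0-9a-fA-F]+)\s+(?P<qtype>A|AAAA)\s+(?P<qname>\S+)")
RESPONSE = re.compile(_HEAD + r"response (?P<txid>0x[0-9a-fA-F]+)(?P<rest>.*)$")


@dataclass
class Finding:
    kind: str      # what was detected
    client: str    # the LAN host concerned
    qname: str
    detail: str


def _ipv4_answers(rest: str) -> List[str]:
    """IPv4 addresses in the free-form tail of a response summary line."""
    return [tok for tok in rest.split() if IPV4.match(tok)]


def analyse(lines: Iterable[str], resolvers: Set[str], vip: str, sinkholed: Set[str],
            host_view: Optional[Dict[str, Dict[str, str]]] = None) -> List[Finding]:
    """Pair queries with responses by (client, resolver, txid) and flag:
    - queries sent to a resolver outside `resolvers` (client bypassing DNSBL),
    - A answers for a sinkholed name that are not exactly [vip],
    - hosts whose own nslookup answer (host_view[client][qname]) is not what
      the wire carried, which points at the host rather than the resolver."""
    pending: Dict[tuple, tuple] = {}     # (client, resolver, txid) -> (qtype, qname)
    wire: Dict[tuple, List[str]] = {}    # (client, qname) -> A answers seen on the wire
    findings: List[Finding] = []
    for line in lines:
        m = QUERY.match(line)
        if m:
            client, resolver = m["src"], m["dst"]
            if resolver not in resolvers:
                findings.append(Finding("unsanctioned_resolver", client, m["qname"],
                                        f"query sent to {resolver}"))
            pending[(client, resolver, m["txid"].lower())] = (m["qtype"], m["qname"])
            continue
        m = RESPONSE.match(line)
        if not m:
            continue                     # not a DNS summary line; ignore it
        client, resolver = m["dst"], m["src"]
        q = pending.pop((client, resolver, m["txid"].lower()), None)
        if q is None:
            findings.append(Finding("unsolicited_response", client, "?",
                                    f"txid {m['txid']} from {resolver} matched no query"))
            continue
        qtype, qname = q
        if qtype != "A":
            continue                     # the sinkhole check is for A records
        answers = _ipv4_answers(m["rest"])
        wire[(client, qname)] = answers
        if qname in sinkholed and answers != [vip]:
            findings.append(Finding("sinkhole_not_enforced", client, qname,
                                    f"{resolver} answered {answers or 'nothing'}"))
    for (client, qname), answers in wire.items():
        seen = (host_view or {}).get(client, {}).get(qname)
        if seen is not None and seen not in answers:
            findings.append(Finding("host_diverges_from_wire", client, qname,
                                    f"host reports {seen}, wire carried {answers}"))
    return findings


# Constructed sample: packets 1267-1273 are the ones quoted in the post;
# 1301/1302 are invented to show a client that talks to 8.8.8.8 directly.
SAMPLE_CAPTURE = """\
1267 6.512617000 192.168.112.101 192.168.112.51 DNS 78 Standard query 0x0004  A ad.doubleclick.net
1269 6.513636000 192.168.112.51 192.168.112.101 DNS 94 Standard query response 0x0004  A 10.10.10.1
1271 6.524775000 192.168.112.101 192.168.112.51 DNS 78 Standard query 0x0005  AAAA ad.doubleclick.net
1273 6.525384000 192.168.112.51 192.168.112.101 DNS 78 Standard query response 0x0005
1301 7.100000000 192.168.112.102 8.8.8.8 DNS 78 Standard query 0x1a2b  A ad.doubleclick.net
1302 7.120000000 8.8.8.8 192.168.112.102 DNS 94 Standard query response 0x1a2b  A 216.58.216.134
"""
# What nslookup printed on the Windows host in the post (host-side view).
HOST_VIEW = {"192.168.112.101": {"ad.doubleclick.net": "216.58.216.134"}}


def run_sample() -> List[Finding]:
    return analyse(SAMPLE_CAPTURE.splitlines(), resolvers={"192.168.112.51"},
                   vip="10.10.10.1", sinkholed={"ad.doubleclick.net"}, host_view=HOST_VIEW)


if __name__ == "__main__":
    for f in run_sample():
        print(f"{f.kind:26} {f.client:16} {f.qname:22} {f.detail}")
```

On the sample this reports the constructed client for talking to 8.8.8.8 and for receiving a non-VIP answer, and reports the Windows host from the post as `host_diverges_from_wire`; the first four packets alone produce no findings, which is the "resolver path is fine" conclusion the poster reached by hand.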

  • MOVED: Pfsense 2.4 and pfBlockerNG issue.

    Locked
    1
    0 Votes
    1 Posts
    662 Views
    No one has replied
  • Is this a problem..? DNSBL

    7
    0 Votes
    7 Posts
    2k Views
    BBcan177B

    Use the "Adv. Inbound Firewall Rule" settings to restrict those ports to the smallest subset of IPs that you can….

  • Correct setup to protect open WAN ports?

    4
    0 Votes
    4 Posts
    1k Views
    BBcan177B

    See the following link about your first question:
    https://forum.pfsense.org/index.php?topic=99929.msg556801#msg556801

    MaxMind updates once a month, so there is no reason to run cron updates hourly for GeoIP. However, if you add other IP feeds, you should update at an increased frequency.

  • PFBlockerNG Errors Loading Rules - "Macro Not Defined"

    4
    0 Votes
    4 Posts
    2k Views
    C

    @rajl:

    Thanks for the advice.  I'm running the latest version, so I'll bump the max table entries up to 10m (currently set at 4m) and Force Reload like you suggested.  I'll see what happens and report back in a few days.

    I've done this as well and it still hasn't resolved my issue.

    Are you getting these dpinger errors when this happens in your logs?

    send_interval 500ms loss_interval 2000ms time_period 60000ms report_interval 0ms data_len 0 alert_interval 1000ms latency_alarm 500ms loss_alarm 20% dest_addr xx.xx.xx.xx bind_add xx.xxx.xx.xx identifier "TPWANGW "

    I get these errors but only on my CARP Backup device, not the main.

    For me all of my gateways go down every 6 hours and that's when this error occurs and I have to run a CRON in pfBlocker to fix it.

    The only CRON that runs every 6 hours is Snort, but I've set it to run :05 minutes after the hour and I still see errors.

    This happens as well, I'm not sure if it's directly related

    Oct 17 00:01:03 kernel ovpns2: link state changed to DOWN
    Oct 17 00:01:03 php-fpm 32369 /xmlrpc.php: Resyncing OpenVPN instances.
    Oct 17 00:01:02 php-fpm 32369 /xmlrpc.php: ROUTING: setting default route to xx.xx.xx.xx
    Oct 17 00:01:02 check_reload_status Reloading filter
    Oct 17 00:01:02 check_reload_status Syncing firewall

    When that ROUTING entry happens all my OpenVPN interfaces reset.

    I don't mean to hijack and I need to start my own thread but I was just curious if you had the same issues.

    I have Snort and Squid running as well, but this only happens every 6 hours which leads me to think it's related to Snort in some way.

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.