• Weird behaviour all IPs get blocked

    0 Votes
    9 Posts
    1k Views
    BBcan177
    @morreale: @BBcan177: I'd recommend these PRI1 Feeds: What does PRI1 mean? PRI1 is the IPv4 alias name that I use for the Primary-1 recommended feeds…
  • Pfblockerng 2.1.1_6 error message

    0 Votes
    6 Posts
    1k Views
    BBcan177
    Did you try the command in reply#2?
  • Block List Sticky?

    0 Votes
    20 Posts
    5k Views
    C
    +1 on a block list sticky. I'd also like to see different sample blocklist sources for those of us hosting services vs those of us consuming services. As a host (hosting lots of web sites, so for example all my WordPress sites are constantly scanned, and all http/ftp/ssh etc ports are under constant attack), this is what I'm using as an IPv4 block list:
    - https://isc.sans.edu/block.txt (DShield Top 20 bad guys)
    - http://feeds.dshield.org/top10-2.txt (DShield Port Scanners)
    - https://zeustracker.abuse.ch/blocklist.php?download=badips (ZeuS bad IPs - not the most restrictive list but won't have false positives)
    - https://rules.emergingthreats.net/fwrules/emerging-Block-IPs.txt (possibly overlaps the DShield lists? I don't host email so not sure if I need this.)
    - http://cinsscore.com/list/ci-badguys.txt (CIArmy active threats. This gets by far the most blocks.)
    This is by no means an endorsement of a proper hosting block list, though it does seem to block quite a bit of bad traffic. In fact, I'd appreciate any suggested changes for a hosting provider that wants to block the worst of the worst while avoiding false positives. Thanks!
    EDIT: I found a very good resource of blocklists: http://iplists.firehol.org/ has several. For my use, their Level 3 block list seems to be exactly what I need.
  • Pfblocker Alerts

    0 Votes
    2 Posts
    787 Views
    BBcan177
    The Alerts tab uses the pfSense Firewall log as its source. So you may need to increase the size of the firewall log retention.
  • Error Message

    0 Votes
    3 Posts
    582 Views
    stephenw10
    It's telling you two things. There is not enough memory to create the v6 bogons list. There is no data to populate that table from pfBlocker. You could try forcing an update in pfBlocker or disabling it to see if you can successfully load the ruleset. You can also try increasing the maximum table entries in System > Advanced > Firewall/NAT if you have available RAM for it. Steve
  • Wanted, A message page please

    0 Votes
    2 Posts
    491 Views
    D
    Not with DNSBL, that'd make things pretty horrible, you'd get that page in place of every blocked advert, e.g. If you are talking about the firewall rules, there's nothing preventing you from creating aliases (use one of the Alias actions in List Action) and using those as a destination in a NAT rule, redirecting the requests to some webserver and serving whatever you want there.
  • PfBlockerNG v2.1.1_8 not showing in Package Manager

    0 Votes
    10 Posts
    994 Views
    K
    pfBlockerNG 2.1.1_7 is now showing as out of date.  I updated, and now I have pfBlockerNG 2.1.1_8 Thanks to BBcan177 for pfBlockerNG, and thanks to JimP for sorting things out with this update.
  • Re: DNSBL Interface

    0 Votes
    7 Posts
    2k Views
    H
    @BBcan177: @HeatmiserNYC: Hey BBCan, Ran into some strangeness over the last few days. Why would I only be getting this in my logs? It appears that nothing else is resolving…. If you're referring to the "unknown" msg, then that is normal for HTTPS alerts, the browser fails to load the DNSBL webserver (as expected) and as such only a portion of the alert can be logged. Hover over the key icon. Did something change with the logging? I'm fairly certain I never saw those messages on a regular basis. It was always source/destination of visited websites…..
  • IP not being blocked

    0 Votes
    4 Posts
    924 Views
    BBcan177
    If you manually add IPs to a customlist, you need to check the "Update custom list" checkbox, then go to the Update tab, and Force Update. Otherwise the Customlist is updated as per the "Frequency" setting of the Alias. The next version will be more intuitive to know when the Customlist has changed…
  • DNSBL doesn't block search engine links

    0 Votes
    3 Posts
    665 Views
    S
    @BBcan177: Did you enable the "TLD" option? Without TLD, only the listed domain/sub-domain is blocked… So without TLD: example.com will be blocked, sub.example.com will not be blocked. With TLD: All sub-domains are blocked. Thanks! I figured I was missing something simple ::) the search result link was going through because it had a "www." on the front. Enabling TLD fixed it.
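    The matching rule described in the "DNSBL doesn't block search engine links" thread, as an added example that is not pfBlockerNG's own code: a small DNSBL matcher that shows what the TLD option changes. Without TLD only the exact listed name matches; with TLD every name beneath a listed name matches as well, which is why "www." on the front of the search-result link slipped through. The blocklist and queries are constructed for the example; label boundaries are respected so that "notexample.com" is never caught by an entry for "example.com".

    ```python
    # Added example (not pfBlockerNG code): how the DNSBL "TLD" option changes
    # which names a blocklist entry covers. Without TLD, only the exact name
    # listed is blocked; with TLD, the listed name and every name beneath it.

    def normalize(name: str) -> str:
        """Lower-case and strip the trailing dot so 'Example.COM.' == 'example.com'."""
        return name.strip().lower().rstrip(".")


    def is_blocked(qname: str, blocklist: set[str], tld: bool) -> bool:
        """Return True if qname is covered by the blocklist.

        tld=False : exact match only (what the thread calls "without TLD").
        tld=True  : exact match OR qname is a subdomain of a listed name.
        Matching is done on whole labels, so 'notexample.com' never matches
        an entry for 'example.com'.
        """
        q = normalize(qname)
        entries = {normalize(e) for e in blocklist}
        if q in entries:
            return True
        if not tld:
            return False
        # Walk up the label tree:
        # cdn.www.example.com -> www.example.com -> example.com -> com
        labels = q.split(".")
        for i in range(1, len(labels)):
            if ".".join(labels[i:]) in entries:
                return True
        return False


    # Constructed sample blocklist and queries (not taken from any real feed).
    BLOCKLIST = {"example.com", "tracker.example.net"}

    SAMPLE_QUERIES = [
        "example.com",          # listed exactly: blocked either way
        "www.example.com",      # the search-engine link case from the thread
        "cdn.www.example.com",  # deeper subdomain: only blocked with TLD
        "notexample.com",       # different domain: must never be blocked
        "example.net",          # parent of a listed name: never blocked
        "tracker.example.net",  # listed exactly
    ]


    def evaluate(queries=SAMPLE_QUERIES, blocklist=BLOCKLIST) -> dict[str, tuple[bool, bool]]:
        """Map each query to (blocked_without_tld, blocked_with_tld)."""
        return {
            q: (is_blocked(q, blocklist, tld=False), is_blocked(q, blocklist, tld=True))
            for q in queries
        }


    if __name__ == "__main__":
        for q, (no_tld, with_tld) in evaluate().items():
            print(f"{q:24} without TLD: {str(no_tld):5}  with TLD: {with_tld}")
    ```

    Run it and compare the two columns: only the exact entries are blocked in the first, while the second also catches `www.example.com` and `cdn.www.example.com` without touching `notexample.com` or the parent `example.net`.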
  • How to find tracker and ad domains to build your own list?

    0 Votes
    9 Posts
    2k Views
    T
    @BBcan177: The next version of the package will have a "Feeds Management" Tab, that lists the recommended IPv4/IPv6/DNSBL feeds… So this will be easier to manage... Also when Feeds change, those changes will be visible in the Feeds Tab... This sounds like a fantastic feature. Can't wait to play with it!
  • URL List Formatting

    0 Votes
    2 Posts
    745 Views
    BBcan177
    You can use the pfBlockerNG Log Tab. Go to "Original IP Files", then view the contents of the original Feed. Go to "Deny" or "Permit" or "Match" (depending on how you configured the Alias), and view the parsed IP file contents. Or go to the shell, and view the files from the subfolders in /var/db/pfblockerng/
  • Smites

    0 Votes
    10 Posts
    2k Views
    M
    Those people should be sent to North-Korea, BB  :-* (Having said that: it could also be possible people hit the wrong button by accident - and never bothered to inform you about it. I think I've read somewhere in the past board mods can reset your count to 0).
  • PfblockerNG and DNSBL

    0 Votes
    3 Posts
    1k Views
    M
    Same issue here.. I blocked YouTube on Win10 machines via the hosts file…
  • I found a weird "bug" in pfblockerng

    0 Votes
    3 Posts
    791 Views
    M
    Thank you for your fast reply, and good information.
  • 0 Votes
    5 Posts
    5k Views
    P
    I forgot to mention, since you are hardening your system to defend against active attackers, securing your DNS queries is a very important piece of that. Unbound is a very secure resolver so I would recommend taking some time to familiarize yourself with it and optimizing and hardening its settings. By using Unbound, hardening it and only sending queries out through a VPN you are probably effectively impervious to DNS attacks from the massive majority of hacking. Check out this article, and here are some suggestions for settings: https://calomel.org/unbound_dns.html
    - Enable DNSSEC Support (this is authentication for your DNS queries to avoid spoofing attacks, kind of like SHA)
    - NO Forwarding Mode
    - NO DHCP Registration
    - NO Static DHCP
    - Hide Identity
    - Hide Version
    - Prefetch Support
    - Prefetch DNS Key Support
    - Harden DNSSEC Data
    - You might be interested in the Unwanted Reply Threshold, but I've never used it and know nothing about it
    - Experimental Bit 0x20 Support
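    The resolver settings listed in the post above, written out as the equivalent directives in an Unbound `server:` block. This is an added example, not the poster's configuration and not the file pfSense generates; the trust-anchor path and the unwanted-reply-threshold value are assumptions, and the DHCP registration items are pfSense-side host-override features with no Unbound directive of their own, so they do not appear here.

    ```conf
    server:
        # "Enable DNSSEC Support": validate answers against the root trust anchor
        # (file path assumed; pfSense keeps its copy of the root key here)
        auto-trust-anchor-file: "/var/unbound/root.key"

        # "Hide Identity" / "Hide Version": refuse id.server / version.server queries
        hide-identity: yes
        hide-version: yes

        # "Prefetch Support": refresh popular records before they expire
        # "Prefetch DNS Key Support": fetch DNSKEYs early so validation does not stall
        prefetch: yes
        prefetch-key: yes

        # "Harden DNSSEC Data": an answer from a signed zone that arrives without
        # DNSSEC data is treated as bogus instead of being accepted unsigned
        harden-dnssec-stripped: yes

        # "Experimental Bit 0x20 Support": randomize query-name case so a forged
        # reply must also guess the case pattern (use-caps-for-id)
        use-caps-for-id: yes

        # "Unwanted Reply Threshold": after this many replies that match no
        # outstanding query, flush the cache as a poisoning countermeasure
        # (value assumed for the example)
        unwanted-reply-threshold: 10000000

    # "NO Forwarding Mode": no forward-zone: stanza, so Unbound resolves
    # recursively from the root servers instead of handing queries to an upstream.
    ```

    After changing the file, run `unbound-checkconf` before reloading so a typo in a directive name does not leave the resolver down.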
  • Reinstall pfB deps

    0 Votes
    6 Posts
    1k Views
    BBcan177
    Which rules are you referring to?
  • General - Rule Order

    0 Votes
    2 Posts
    976 Views
    BBcan177
    You can try to use the "Adv. In/out" rule settings to create a pfB rule. The customlist at the bottom of the alias settings can be used to add IPs. Entering "0.0.0.0/0" for "any". Alternatively, use "Alias type" rules and configure the pfB rules as required.
  • Internal Blacklist SSL Certificate

    0 Votes
    3 Posts
    2k Views
    BBcan177
    In the IPv4/6 tabs, you can set the State setting to "Flex" which will lower the SSL requirements. Click on the blue infoblock icons for further details.
  • User c0210021 needs help

    0 Votes
    3 Posts
    768 Views
    P
    Yeah TLD + More lists + Force Google Safe Search & Block other search engines, block TOR, block VPNs, and you'll still have leaks in your ship. Like you said, it's an impossible feat to actually block porn unless you whitelist the internet. But you can do a really good job of avoiding it unless it is overtly searched for. That's about the best you can search for without going to extremes.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.