  • py_error.log after 2.5.2 upgrade

    4
    0 Votes
    4 Posts
    770 Views
    GertjanG
    @talaverde said in py_error.log after 2.5.2 upgrade: have to figure out which of many entries I'll help you. It's here : @talaverde said in py_error.log after 2.5.2 upgrade: 2021-07-09 19:49:33,438|ERROR| [pfBlockerNG]: Failed to load: pfb_py_zone.txt: 'ascii' codec can't decode byte 0xe2 in position 1176: ordinal not in range(128) 2021-07-09 19:49:40,059|ERROR| [pfBlockerNG]: Failed to load: pfb_py_whitelist.txt: 'ascii' codec can't decode byte 0xe2 in position 3755: ordinal not in range(128) With an editor like Notepad++ you could find it easily.
  • pfBlockerNG demands MaxMind license key

    17
    0 Votes
    17 Posts
    5k Views
    D
    @steveits Thank you. Indeed this works nicely. Probably you overwrote that change with the upgrade to 3.0.0_16 ? If this code change will be added in the next version, I suggest to also add a hint that an empty license key will deactivate all GeoIP auto updates... Regards Dennis
  • Rules not auto-generating.

    8
    0 Votes
    8 Posts
    4k Views
    P
    @BBcan177 Ohhhhhh I see. "Alias Deny" doesn't create an alias and set deny rules........ I had to actually tell it to Block instead of create an Alias then it made the rules. To confirm then, what is the point of "Alias Deny"??? I get it makes the Alias, but what does it deny?
  • Errors after upgrade to 2.5.2

    5
    1 Votes
    5 Posts
    1k Views
    fireodoF
    @tdgrant said in Errors after upgrade to 2.5.2: Thank you, Fireodo! Glad I could help ...
  • DNSBL Groups not filtering

    2
    0 Votes
    2 Posts
    484 Views
    GertjanG
    @rgelfand said in DNSBL Groups not filtering: nslookup vungle.com resolves to 10.10.10.1. So, you're fine ;) As you already know, "10.10.10.1" is what can be considered as a virtual IP (RFC1918) hosted on pfSense. You can see it using http (not https) access : [image] An https access will produce a browser-dependent error message. [image] To understand the 'none' issue, you have to know what https or TLS actually means, and how browsers these days related handle failures. Short example : You blacklist (DNSBL) twitter. For reasons you totally already understand, twitter can only be accessed using https, not http. Open a browser, type www.twitter.com and you see .... a failure and certainly not the first image I showed above. You were not - and your browser forces you to - visit twitter using http. It was https. And now the good one : you can't "break" https. No one can. So, yes, your browser, upon an initial DNS request, receives 10.10.10.1, the browser connects on that IP, using port 443. First of all, the browser asked for certificate info. In this certificate, it has to find that states it's "*.twitter.com". That's what https (TLS) is all about. Now, I ask you, does your pfBlockerNG-devel have the certificate that says it's ".twitter.com" ? ;) (Can you have it ??) Rephrase that. Are you ".twitter.com". ? No. The browser hangs up right away. And this means that all blocked DNSBL will not show you the nice image (see above) but a browser that complains, saying that there are protocol errors. It will only work for plain old "http" accesses and redirects. And these do not exist any more. Because, again, if you want to visit https://yourbank.tld you can not get redirected to https://thefakebankurl.tld. Now you understand why I use : [image] I'm not redirecting to the "10.10.10.1" nice page - but answer a "0.0.0.0" which will make the browser show a message that the requested site "has no DNS" (or some DNS issue) which is actually true. The most simple answer : Just forget about : [image]
  • DNS Resolver - Content Filtering - NSLOOKUP - Server Unknown

    5
    0 Votes
    5 Posts
    1k Views
    D
    @Gertjan - once again, I appreciate your time. I decided to take the path of least resistance for the moment and I default reset pfBlocker, then reloaded the below, added in my shallalist and UT1. Looks like the redirect IP for sites you can't go to on the lists (10.10.10.1) are working. I'll see how this holds up for the next few days. Unbound python mode because it uses less resources. I think I might enjoy a more robust PC or netgate so I can load up other things like Snort. Are you using a Netgate appliance or a PC of sorts (community pfsense)? Got a recommendation? Franklin [image] [image] [image] [image]
  • Cannot allocate memory after installing pfBlockerNG

    1
    0 Votes
    1 Posts
    458 Views
    No one has replied
  • 0 Votes
    2 Posts
    440 Views
    M
    Bueller... bueller? Noticed that when I add a domain to the whitelist, that unbound process spikes up to some crazy CPU utilization until, I am assuming, it's done syncing. Is there any way to speed the process? This is an 8 core ATOM system with a C2758 processor... perhaps there's a way to just sync what's been added as opposed to go through everything in the list...?
  • Upgraded to 21.05 and now "/" filesystem is filling with ….??

    3
    0 Votes
    3 Posts
    530 Views
    keyserK
    I can now also confirm the filling filesystem issue is gone once pfBlockerNG is changed to "Unbound Mode" instead of python mode. So this will serve as a workaround until the issue with Python mode filling the filesystem is solved: NOTE: It seems my pfBlockerNG stopped logging DNSBL hits once I changed to Unbound mode. The counters in the widget no longer increase, and no hits are registered in the DNSBL report. But DNSBL is still active and working
  • pfBlockerNG-devel v3.0.0_16

    3
    11 Votes
    3 Posts
    3k Views
    4
    https://forum.netgate.com/topic/164796/php-warning-filesize-stat-failed-for-tmp-dnsbl_add_data
  • PHP Warning: filesize(): stat failed for /tmp/dnsbl_add_data

    1
    0 Votes
    1 Posts
    303 Views
    No one has replied
  • PFBlocker will not create a firewall auto rule

    3
    0 Votes
    3 Posts
    399 Views
    G
    Hello? Anyone?
  • How define schedule time for DNSBL ?

    10
    0 Votes
    10 Posts
    2k Views
    mucipM
    Hi @reza3sw , This is a very old post but I want to ask anyway. Please could you describe a little bit more about your process? Regards, Mucip:)
  • DNS over HTTPS/TLS Blocking & DNS Query Forwarding via SSL/TLS

    12
    0 Votes
    12 Posts
    3k Views
    Bob.DigB
    @jegr Yep, I thought whatever I do there in pfBlocker wouldn't affect my unbound config, but that is not the case. So it works as intended it seems. That was the question in my first post.
  • Website Blocking from PfblockerNG

    1
    0 Votes
    1 Posts
    275 Views
    No one has replied
  • Listen queue overflow

    5
    2 Votes
    5 Posts
    1k Views
    B
    @jdeloach I posted that message in May 2020.
  • 1 Votes
    2 Posts
    821 Views
    J
    Deleted reply.
  • unbound keeps stopping

    4
    0 Votes
    4 Posts
    910 Views
    S
    @gertjan I skipped over "unchecked" apparently, sorry costanzo. Unbound was reverted to an earlier version in 21.05 but he has that already.
  • cURL error in IP log files

    1
    0 Votes
    1 Posts
    198 Views
    No one has replied
  • pfBlocker + Squid + Squidguard

    1
    0 Votes
    1 Posts
    226 Views
    No one has replied
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.