• [solved] pfblockerNG: what does the "permit both"-country-rule allow?

    6
    0 Votes
    6 Posts
    2k Views
    P
    ok. thanks for the confirmation, although I think that default behaviour (e.g. auto-creating of "wide-open"-NAT-rules) should be changed.
  • PfBlockerNG

    7
    0 Votes
    7 Posts
    3k Views
    BBcan177B
    @repa: I think, we can't get this working with pfBlockerNG, right ? Yes
  • Help with setting pfSenseNG v2 DNSBL

    4
    0 Votes
    4 Posts
    2k Views
    BBcan177B
    What browser are you using? Are you on a multi-subnet network? Ensure that you can ping and browse to the DNSBL VIP address.
  • PfBlockerNG v2 on an Alix

    15
    0 Votes
    15 Posts
    4k Views
    H
    pfBNG 2.0.4 on 2.2.6. See extra.log Hmmm, when on .ro. (read-only) access to the filesystem seems a failure and when on .rw. it looks OK, but then dnsbl.log is reporting writing problems ? Besides in both cases I see double entries about download reports. So what is in general the supposed state (ro or rw) for using pfBNG ? extras.txt
  • [SOLVED] pfBlockerng sync and (occasional) LAN subnet blocks

    5
    0 Votes
    5 Posts
    3k Views
    B
    Including some pfBlockerNG config screenshots
  • IP Whitelisting in pfBlockerNG

    4
    0 Votes
    4 Posts
    18k Views
    BBcan177B
    Yes, you can ignore those warnings during a re-installation. During a re-install, all of the pfBlockerNG Aliases are removed and re-added at the end of the pkg installation. Since you manually added pfBlockerNG (alias) Firewall rules, there is a small window of time, where the pfBlockerNG alias does not exist, and you will get those warnings. I don't have a workaround for that unfortunately.
  • PfBlockerNG iblocklist and Transmission

    4
    0 Votes
    4 Posts
    2k Views
    H
    I was using premium for some time and in my experience it is not worth it because the free list from the same provider blocks more than enough. Premium lists had maybe 4% blocked packages compared to the free ones. If you think 4% is worth it, well :) Cheers.
  • PfBlockerNG: Allowed memory size exhausted

    2
    0 Votes
    2 Posts
    2k Views
    BBcan177B
    Those other issues are not related to your issue… How large is your pfSense Firewall log? Looks like that entry value is too large? Status: System Logs: Settings: GUI Log Entries to Display?
  • PfBlockerNG 2.0 DNSBL Log Browser

    16
    0 Votes
    16 Posts
    6k Views
    H
    @doktornotor: There's a setting to limit the number of lines in the log file on the General tab… Ah thanks, I overlooked the variable. That 20000 will be about 5MB and 10% /var increase and then no problem for me. I'll check if/how it pans out.
  • PfBlockerNG US_v4 custom list shows 2.0.0.0/9

    6
    0 Votes
    6 Posts
    2k Views
    T
    lol Confirmed, and thanks for the Heads up on the path change :)
  • Plea for pfBlockerNG Tutorial

    3
    0 Votes
    3 Posts
    6k Views
    J
    @BBcan177: @The: What to do ? Create some floating rules (as i read in the Wiki) create some alias as you replied ?

    In v1.10 I added some additional text to the TOP20 tab to help with this issue. (See Note:) Instead of blocking the world, you can change all of the "Deny" rule(s) to be a single "Permit Inbound" Rule…

    For example: It seems like you want to allow South America only to hit your Zimbra mail server, follow the instructions below: (BTW: Big fan of Zimbra!!)

    - Remove all of your existing Country Blocking Rules.
    - Remove all of your existing "Pass" Firewall rules for Zimbra. You could also just disable these pass rules and keep them there as a backup, if pfBNG is disabled for any reason.
    - Goto "South America" Country Tab.
    - Select the IPv4/6 Countries that you want to allow access.
    - List Action: "Permit Inbound"
    - In "Advanced Inbound Firewall Rule Settings":
      - Enable the Custom Port checkbox
      - Click the link "Click here to add/edit Aliases" and add a new pfSense Alias called "Mail_Ports" (Change the alias name to what ever you wish), and enter all of the Mail ports in the alias.
      - Enable Custom Destination checkbox
      - Click the link "Click here to add/edit Aliases" and add a new pfSense Alias called "Mail_IPs" (Change the alias name to what ever you wish), and enter all of the Mail Destination IPs (ie: the 192.x.x.x address from your screenshot above)
      - Custom Protocol: Select "TCP/UDP" (Or as required)

    Hope that helps!

    This seems to be the pertinent post concerning setting up protection on my two open ports, but I am still not clear. I was able to get the script to work, and it created 7 alias entries (IBlock, PRI1, PRI2, PRI3, SEC1, TOR, and MAIL). In contrast to the above scenario where the firewall is already blocking unsolicited traffic to all ports, since my single port is open (via NAT under port forwarding) by default, would I set up the Advanced Inbound Firewall Rule to block everything except the US to that one port?

    It seems that if I do the Permit Inbound as above, then I am already allowing traffic to the port in question, so I would need to deny all traffic except the US instead. Also, however I set it up, do I need to go in and do the same thing for each of the 7 alias/list entries created by the script? I'm going to assume that the port used by OpenVPN is inherently secure, since it is not treated as a regular open port.

    I apologize for my ignorance. This is all very new to me, but I moved to pfsense after a fairly devastating hack into my server, and I want everything to be as secure as possible.
  • PfBlockerNG intermittent high CPU load

    3
    0 Votes
    3 Posts
    2k Views
    BBcan177B
    pfBNG should only have load when its cron process is executed, the Alerts Tab is viewed, or from the MaxMind GeoIP monthly update. Try running the "top" command and the "ps -aux or -wax" command to see some further details.
  • PfBlockerNG - disable from command line ?

    6
    0 Votes
    6 Posts
    7k Views
    D
    Nah, nothing that I'd know of…. pfctl -d disables, pfctl -e re-enables. This would be done automagically anyway after a while. https://doc.pfsense.org/index.php/Locked_out_of_the_WebGUI#Remotely_Circumvent_Firewall_Lockout_by_Temporarily_Changing_the_Firewall_Rules
  • [pfBlockerNG] How to sync IPv4 FilterLists between CARP-Boxes

    6
    0 Votes
    6 Posts
    4k Views
    J
    Well, I'm not sure what happened, I added a 3rd host to see if I could get that one to work and immediately after doing that, all 3 hosts sync'd successfully.
  • PFBlockerNG Log Parsing for syslog

    5
    0 Votes
    5 Posts
    4k Views
    K
    hey vito for ELK server logs disable first all log capture by default and let pfblockerNG do all the log reporting. Then on Kibana (ELK) you will see the rule it will be filtering for ex: rule 85 is blocking all top IPv4 list while rule 92 is blocking youtube. see pictures hope this helps im working now on filtering the syslog (system logs for pfsense) but seems hopeless  :-[
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.