• Cron issue

    0 Votes
    7 Posts
    1k Views
    Found the issue. I don't know how it happened (I must have done it somehow). But in the Alexa whitelist settings, none of the TLD Inclusions were selected. I re-selected the defaults, and now everything seems to be working. Thanks for pointing me in the right direction BBcan177
  • PFBlocker DNSBL TLD Blacklist

    1 Votes
    2 Posts
    4k Views
    BBcan177
    @sias: I found a guide to set up domain blocking that talked about putting domains in the TLD Blacklist. I tried doing that and forcing the update but it still doesn't block. Is this the right way of doing domain blocking or is there another method?

    The TLD Blacklist is used to Blacklist a whole TLD like "cn" or "ru" etc… Follow the guide here to use DNSBL: https://forum.pfsense.org/index.php?topic=102470.msg572943#msg572943
  • Best way to geo-block on VPN ports

    0 Votes
    2 Posts
    620 Views
    BBcan177
    There are many ways to do that… But I would recommend to create a Permit Inbound rule instead. This way you're not going to fill the logs with all of the IPs that were blocked hitting that rule… So less noise means you can review the logs for real events that need attention :) It's always better to try to limit down the allowed IPs to as small of a range as possible... There are still a lot of IPs in North America... But it's still better than leaving it wide open...
  • DNSBL blocks itself

    0 Votes
    8 Posts
    1k Views
    BBcan177
    @lpallard: Seems to be fixed now, I added the top domain to the Custom Whitelist but instead of adding the domain manually like ".githubusercontent.com" I clicked on the + sign on the alert page, and the following domains were added: .githubusercontent.com .github.map.fastly.net # CNAME for (raw.githubusercontent.com) I think the problem was that ".github.map.fastly.net" needed to be added as well. Now it's working.

    Yes, whitelisting from the Alerts tab is the best, as it will automatically whitelist any CNAMEs… You can still whitelist manually, but you should check for CNAMEs... You could use a command as follows to find them: drill example.com @8.8.8.8
  • PfBlocker Problems

    0 Votes
    30 Posts
    5k Views
    BBcan177
    @Riftcore34: yea I did try Forwarding mode but pfblocker did not work with it on and resolver off :)

    Unbound can be used in "Forwarder" or "Resolver" mode… So don't get that mixed up with DNSMasq which is a "Forwarder" only... :)
  • Constant unresolvable alias alerts

    0 Votes
    9 Posts
    7k Views
    @RonpfS: @lordbob75: I don't believe there will be, but could deleting that cause any problems?

    Well I don't know, maybe at some point you did some tests and now it's not needed. Removing them already solved the email problem ;) ;D

    Fairly sure I messed with some IP lists at some point, but never noticed the new rule or whatever. Still don't know a whole lot about networking and firewalls so I don't always recognize things like this. Alerts have definitely gone away at this point, thank you so much for helping me nail that down.
  • Secure configuration of DNSBL?

    0 Votes
    1 Posts
    786 Views
    No one has replied
  • 504 Gateway Timeout on pfSense 2.4

    0 Votes
    11 Posts
    9k Views
    @BBcan177: Can you try the following patch? https://forum.pfsense.org/index.php?topic=110515.60

    I tried the patch, it worked for a few days. But now the UI hangs when connecting. Seems like there is a memory leak somewhere or something.
  • IDS/IPS with pfblockerNG

    0 Votes
    4 Posts
    2k Views
    bmeeks put a great guide together, a little dated but still a good thread… (thanks bmeeks!) https://forum.pfsense.org/index.php?topic=61018.0
    This is a more recent thread: https://doc.pfsense.org/index.php/Setup_Snort_Package
    This will get you going... My suggestions would be:
    When you set up the interfaces resist the temptation to "Block Offenders" at the start... you can use it as an IDS then move to IPS. It will block a lot!
    Use the "Snort VRT IPS Policy Selection" to start depending on your needs... i.e. Balanced/Connectivity/Security
    Use the "Service_Watchdog" package as well in case it stops...
    I think any of the IDS/IPS packages use hardware resources... so make sure your setup is strong enough... not hard to set up! Requires some attention to get going... quite a few false positives to start that block traffic (hence start with IDS to start). Good luck...
  • Error after updating pfSense to 2.3.5

    0 Votes
    2 Posts
    599 Views
    RonpfS
    Try to reinstall pfblockerNG. If the error persists, then you may have to reinstall pfsense as curl_init is a basic pfsense curl function. You may probably be able to recover without reinstalling, check the Installation and upgrade forum https://forum.pfsense.org/index.php?board=4.0.
  • DNS resolver & DNSBL Enable… But DNS address could not be found.

    0 Votes
    10 Posts
    2k Views
    Like firehole … https://forum.pfsense.org/index.php?topic=135257.0

    Yes, that was exactly the issue. So I turned that list OFF. Thanks
  • GeoBlock Whitelisting by LAN IP

    0 Votes
    14 Posts
    2k Views
    RonpfS
    Beats me. You applied the changes to the FW Rules? Enable logging on the rule and see what's happening in Firewall logs. Also check the LAN rules.
  • I broke something badly

    0 Votes
    5 Posts
    713 Views
    I had to reboot after the restore and that fixed it. Thanks
  • How do I interpret this status report?

    0 Votes
    6 Posts
    787 Views
    @BBcan177: @J24: Looking for a few insights on how to interpret the columns and data in this pfBlockerNG dashboard widget. Thanks!

    Top Header shows the last time the MaxMind GeoIP was updated.
    Green check shows pfBlockerNG is enabled with 772 IP entries.
    Green check shows that DNSBL is enabled with 3,012 domain entries.
    The "Alias" column is the name of the IP/DNSBL group that is configured in the IPv4/6/GeoIP/DNSBL tabs.
    The "Count" is the Number of entries in each Alias/Group.
    The "Packet" is the Number of events processed by each Alias/Group.
    The "Updated" is the last timestamp where the Alias was updated.
    The Green up arrow shows that Rules are enabled for the Alias (IPv4/6 only).
    The Black down arrow shows that there are no Firewall rules associated (IPv4/6 only).
    The Number in parenthesis is the Number of firewall rules associated (IPv4/6 only).

    Thank you!
  • What list blocking different sites?

    0 Votes
    2 Posts
    716 Views
    I had bad luck with iBlock lists… here is a recent link with some better lists: https://forum.pfsense.org/index.php?topic=135257.0 Assuming you have set it up correctly, take a look at the alert tab in pfBlocker to see what alerts and lists are being triggered. Good luck, V
  • DNS Query Forwarding - Enable Forwarding Mode

    0 Votes
    3 Posts
    3k Views
    @BBcan177: You can use Unbound in Resolver mode or in Forwarder mode… Still recommended to use Resolver mode so that you use the Root DNS servers... but that's up to you to decide.... Also keep in mind that not all Forwarders support DNSSEC.

    Thanks for this info. The resolver mode was often noticeably slow on some lookups - maybe there is some other config option I have screwed up?
  • Allowed memory size error

    0 Votes
    3 Posts
    1k Views
    Will do. Thanks!
  • DNSBL Alerts not working

    0 Votes
    3 Posts
    918 Views
    No, I'm not using the traffic shaper.
  • Any chance of adding support for this open-source blocklist project?

    0 Votes
    6 Posts
    1k Views
    BBcan177
    @motific: I have had a look at this feed a while back. It is pretty poor IMHO and I wouldn't recommend it; if they included the suggested changes it would be even worse. One of the worst things is that it just arbitrarily blocks random chunks of Microsoft services (including ones you may have whitelisted) by blocking some of the intermediate CNAME domains (like a-msedge.net). Not to mention that some of them are not tracking servers but provide other services (like the weather for the live tile.) Quite a lot of the lists blocking Microsoft tracking are similarly bad; I have to assume that they don't test very well if at all. Recently I've had to pull the Phishtank feed (supposedly a list of phishing domains), the last straw was when they added login.live.com (which is quite a useful one if you actually use pretty much any Microsoft services at all!) I'm not bad at tracking down the DNS responses to find the issues but for a relative novice to find a whitelisted domain suddenly blocked and showing as whitelisted in pfB it would be infuriating.

    I have always been hesitant to recommend these types of Feeds… So unless there is more feedback, I will just hold until more people chime in....
  • Converting rules to Alias type and errors when disabling package

    0 Votes
    3 Posts
    420 Views
    @RonpfS: When you disable pfBlockerNG, it removes the aliases and FW rules it created (auto-rule). In your case of Alias type table, you have to disable the pfb_ FW rules before disabling pfBlockerNG.

    I'm assuming this can be scripted in some way, as I have far too many to do on an individual basis… Found it, in the [filter][rule][0][disabled] array, when using pfSsh.php

    EDIT: I tried to disable a rule to see a change in the [filter][rule][0][disabled] variable, and interestingly enough it didn't change from being empty; I would have expected it to be set to "yes". Am I missing something?
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.