• Can not allocate memory but I have plenty

    2
    0 Votes
    2 Posts
    780 Views
    BBcan177
    The pfSense Max Table entries is a table setting for all aliastables in total… grep -c ^ /var/db/aliastables/*.txt And it usually needs about 30% more…
  • Blocking all internet?

    4
    0 Votes
    4 Posts
    1k Views
    P
    Yes I understand this however, I'm going to be turning on "both" not just "inbound" on the FW. I'm easing my way into blocking country outbound SO I need to enable GEO IP Block. I haven't quite figured out what was going on BUT it's possible this was a SNORT issue or perhaps a DNS resolution issue at the time. This might be a non-issue. I've turned pfbng back on, have cleaned a few things up and it seems like all is well. Thanks for your feedback.
  • IPV6 lists

    2
    0 Votes
    2 Posts
    1k Views
    BBcan177
    There aren't many IPv6 Feeds:
    https://www.spamhaus.org/drop/dropv6.txt
    https://www.myip.ms/files/blacklist/csf/latest_blacklist.txt
    Choose one of the following (recommend the first one):
    https://www.stopforumspam.com/downloads/listed_ip_30_ipv6.zip
    https://www.stopforumspam.com/downloads/listed_ip_1_ipv6.zip
    https://www.stopforumspam.com/downloads/listed_ip_7_ipv6.zip
    https://www.stopforumspam.com/downloads/listed_ip_90_ipv6.zip
    https://www.stopforumspam.com/downloads/listed_ip_180_ipv6.zip
    https://www.stopforumspam.com/downloads/listed_ip_365_ipv6.zip
    Note: v2.1.1_8 has an issue with IPv6 lists, use "Alias Type" settings until the next release.
  • Amazon Android app not working

    2
    0 Votes
    2 Posts
    2k Views
    a-a-ron
    Hey, so I ran into this a while ago… Went through and whitelisted all sorts of domains that Amazon wanted me to let through. I honestly think it's an issue with their app. If you keep whitelisting, you'll eventually find that they are serving ads from 3rd party sites as well. It ends up being a pretty big rabbit hole. Unfortunately I ended up giving up, I just go to Amazon in Chrome with all the sites still blocked, and have no issues. I think the Amazon app doesn't know how to deal with not being able to get to a site. Where Chrome just moves on...
  • Not getting PfBlockerNG updates

    2
    0 Votes
    2 Posts
    1k Views
    BBcan177
    When you add a new Feed, it will download the feed and wait for the next Cron task. Each DNSBL Group has an "Update Frequency" setting where you can configure the update settings. If you want to force a download of a particular feed:
    Go to Logs Tab > Log/File Type > "DNSBL Files" > open Feed > Click on "Delete Icon" > Force Update
    OR
    From shell: rm /var/db/pfblockerng/dnsbl/<insert name of feed header here>.txt
  • Pfblockerng blocking googledns despite it wasn't in a list…

    2
    0 Votes
    2 Posts
    608 Views
    BBcan177
    Run the following command to see which feed contains that IP: grep "8.8.8.8" /var/db/pfblockerng/deny/* If you enable the suppression feature, it will add a "+" icon in the Alerts tab which can be used to suppress this IP. This IP shouldn't be listed in any feed, so once you find out which feed listed that IP, you may want to report it to the feed maintainer.
  • SpamList for pfBlockerNG

    5
    0 Votes
    5 Posts
    2k Views
    S
    @moscato359: Do you prune your IP lists over time? Sometimes old IPs get released, and handed to someone else. Most lists only keep the last 30 days at longest.
    I only remove an IP address if I am contacted by the current owner of the IP address and our interactions convince me that the IP address is not likely to send out spam in the future. The bulk of the IP addresses in SpamList fall into one of two categories:
    1. Machines at hosting providers who don't care if their clients use their systems to send out spam. Even if the current customer gives up and stops paying to use those IP addresses to send out spam, it is likely that in the future some other customer will pick them up and start sending out spam.
    2. Compromised machines that are being used to send out spam. Even if the machine is cleaned up, most people who are compromised once will be compromised again repeatedly. So it is likely their IP address will send out spam in the future.
  • Pfr_update_stats: assertion failed.

    6
    0 Votes
    6 Posts
    3k Views
    S
    The first command returned nothing but the second one returned the following at least a hundred times. /var/db/aliastables/pfB_BlockListMalware.txt:127.0.0.1 I checked my malware lists and this one seems to be the problem. http://www.malwaredomainlist.com/hostslist/hosts.txt I deleted it, forced a reload and it continued to show the loopback address listed in the malware block list.  So, I disabled the entire list, forced a reload, re-enabled it, forced another reload and, while I'm not entirely sure it's still using the malware blocklist, at least it's not returning the loopback address when I enter the command anymore. I might try rebooting my router, just to see if that sorts everything out. Either way, thanks for the help.
  • Privacy Error

    9
    0 Votes
    9 Posts
    3k Views
    L
    @BBcan177: @LIGISTX: You are awesome. Thanks! Anytime… Thanks for using my package  8) Now I just need to figure out snort  :-X
  • DNSBL feed failed: Domainname length overflow

    4
    0 Votes
    4 Posts
    2k Views
    BBcan177
    As I stated in my reply above, you cannot use these EasyList feeds by adding them to the DNSBL Feeds tab. They will not parse properly. The only EasyList feeds that are usable in DNSBL are hardcoded in the EasyList tab. Only certain portions of the EasyList/EasyPrivacy are useable in a DNSBL filter. See the categories in the EasyList tab to see which categories are usable. The next version of pfBlockerNG will have all of the EasyList Language Feeds included.
  • DNSBL/EasyList used to work – now does not

    9
    0 Votes
    9 Posts
    3k Views
    S
    Set DNSBL IP Firewall Rule Settings > List Action > Deny Outbound instead of Both, and remove any PIA DNS server IP from Services > DHCP Server > LAN. For firewall rules, follow the PIA pfSense guide (go to end of page): https://www.privateinternetaccess.com/pages/client-support/pfsense
  • Pfb_dnsbl.conf too big?

    8
    0 Votes
    8 Posts
    2k Views
    RonpfS
    @mugabemkomo: The only errors I get is: unbound 22943:0 error: cannot chdir to directory: (No such file or directory) This "error" has been present for ages. It doesn't cause any problem as far as I know.
  • Weird behaviour all IPs get blocked

    9
    0 Votes
    9 Posts
    1k Views
    BBcan177
    @morreale: @BBcan177: I'd recommend these PRI1 Feeds: What does PRI1 mean? PRI1 is the IPv4 Aliasname that I use for the Primary-1 recommended feeds…
  • Pfblockerng 2.1.1_6 error message

    6
    0 Votes
    6 Posts
    1k Views
    BBcan177
    Did you try the command in reply#2?
  • Block List Sticky?

    20
    0 Votes
    20 Posts
    5k Views
    C
    +1 on a block list sticky. I'd also like to see different sample blocklist sources for those of us hosting services vs those of us consuming services. As a host (hosting lots of web sites, so for example all my WordPress sites are constantly scanned, and all http/ftp/ssh etc ports are under constant attack), this is what I'm using as an IPv4 block list:
    https://isc.sans.edu/block.txt (DShield Top 20 bad guys)
    http://feeds.dshield.org/top10-2.txt (DShield Port Scanners)
    https://zeustracker.abuse.ch/blocklist.php?download=badips (ZeuS bad ips - not the most restrictive list but won't have false positives)
    https://rules.emergingthreats.net/fwrules/emerging-Block-IPs.txt possibly overlaps the DShield lists? I don't host email so not sure if I need this.
    http://cinsscore.com/list/ci-badguys.txt CIArmy active threats. This gets by far the most blocks.
    This is by no means an endorsement of a proper hosting block list, though it does seem to block quite a bit of bad traffic. In fact, I'd appreciate any suggested changes for a hosting provider that wants to block the worst of the worst while avoiding false positives. Thanks! EDIT: I found a very good resource of blocklists: http://iplists.firehol.org/ has several. For my use, their Level 3 block list seems to be exactly what I need.
  • Pfblocker Alerts

    2
    0 Votes
    2 Posts
    785 Views
    BBcan177
    The Alerts tab uses the pfSense Firewall log as its source. So you may need to increase the size of the firewall log retention.
  • Error Message

    3
    0 Votes
    3 Posts
    582 Views
    stephenw10
    It's telling you two things. There is not enough memory to create the v6 bogons list. There is no data to populate that table from pfBlocker. You could try forcing an update in pfBlocker or disabling it to see if you can successfully load the ruleset. You can also try increasing the maximum table entries in System > Advanced > Firewall/NAT if you have available RAM for it. Steve
  • Wanted, A message page please

    2
    0 Votes
    2 Posts
    490 Views
    D
    Not with DNSBL, that'd make things pretty horrible, you'd get that page in place of every blocked advert, e.g. If you are talking about the firewall rules, there's nothing preventing you from creating aliases (use one of the Alias actions in List Action) and using those as a destination in a NAT rule, redirecting the requests to some webserver and serving whatever you want there.
  • PfBlockerNG v2.1.1_8 not showing in Package Manager

    10
    0 Votes
    10 Posts
    994 Views
    K
    pfBlockerNG 2.1.1_7 is now showing as out of date.  I updated, and now I have pfBlockerNG 2.1.1_8 Thanks to BBcan177 for pfBlockerNG, and thanks to JimP for sorting things out with this update.
  • Re: DNSBL Interface

    7
    0 Votes
    7 Posts
    2k Views
    H
    @BBcan177: @HeatmiserNYC: Hey BBCan, Ran into some strangeness over the last few days. Why would I only be getting this in my logs? It appears that nothing else is resolving…. If you're referring to the "unknown" msg, then that is normal for HTTPS alerts, the browser fails to load the DNSBL webserver (as expected) and as such only a portion of the alert can be logged. Hover over the key icon. Did something change with the logging? I'm fairly certain I never saw those messages on a regular basis. It was always source/destination of visited websites…..
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.