  • Unbound crashing

    0 Votes
    12 Posts
    2k Views
    bouke
    @bbcan177 said in Unbound crashing: @bouke said in Unbound crashing: pfBlockerNG-devel 2.2.5_19 You can try the new "Live Sync" feature, which will update the changes on the fly without an Unbound Reload. But that is only when the package updates DNSBL/Unbound and not any DHCP updates to Unbound from the pfSense side. Happy new year and thanks. Just enabled this feature on 01-01-2019 08:05 am (local time) ;-)
  • pfblocker-dev, DNSBL not working at all.

    0 Votes
    2 Posts
    338 Views
    I have already determined the cause of my problem. The lab workstation I was using to test this out with still had static DNS server entries configured on one of the network adapters I was using. Once I pointed them all to my pfSense box, everything was working fine. I feel stupid for having overlooked something so simple.
  • Getting Hammered

    0 Votes
    6 Posts
    871 Views
    @gertjan said in Getting Hammered: If you liked the port-knocking on "22", have a look at what happens on your port "25" and "443", you'll be amazed. Seeing a few on 443 and a couple on 25. Normally, your mail server already has something like fail2ban and a rather huge setup to filter out fake connections, like temptation to relay, temptations to load your inbox with spams, etc. A (internal, on a LAN) web server (port 443): same thing: a real hail storm. Not filtering these servers can put a real load on your servers. It is an Exchange server and not set up for routing mails and any attempt to route through it just gets rejected. I also have a large set of rules to reject spam but wanted to use pfBlockerNG to block out spamming IPs. Yes, Exchange can do it but requires the Edge Server to do it. Don't want another VM running to do IP filtering. I realise they are scripts trying as well on the ports rather than real humans.
  • pfBlockerNG enabling sync option

    0 Votes
    1 Posts
    475 Views
    No one has replied
  • PiHole URl

    0 Votes
    6 Posts
    975 Views
    Thanks
  • pfBlocker without dnsbl configuration

    0 Votes
    2 Posts
    290 Views
    RonpfS
    Yes, you don't have to enable DNSBL.
  • CARP / Virtual IP / Backup Skew

    1 Votes
    3 Posts
    674 Views
    Yea, it's been auto-changing back too often. I've finally given up on the 'CARP' feature and just switched it back to the old 'IP alias'. Not sure what features I'll lose but it can't be worse than a misconfigured virtual IP.
  • PfBlockerNG w/ DNSBL > Squid(+Guard) for Content Filtering?

    0 Votes
    16 Posts
    13k Views
    @mrglasspoole Hi; I had to turn off IPv6, which I don't use (ignored in Linux), and this is on a dual core AMD APU with 4 gigs. I also have issues with abuse list at first before killing IPv6 in pf latest and running out of RAM issue. But at least it tells you and shuts down. But would like the caching Squid had and AV.
  • could not update pfBlockerTopSpammers

    0 Votes
    4 Posts
    747 Views
    BBcan177
    @bplein said in could not update pfBlockerTopSpammers: @ronpfs Thanks. It was in the Aliases/URLs section! Wow that was the old pfblocker version from over 4 years ago :)
  • Understand alert

    0 Votes
    3 Posts
    509 Views
    @teamits said in Understand alert: yes Thanks for your thorough answer. It clarified my question perfectly!
  • Pass Alias for GeoIP not working

    0 Votes
    10 Posts
    1k Views
    BBcan177
    @trohm said in Pass Alias for GeoIP not working: pfB automatically creates the rules and by default puts them in as Floating rules. Therefore I cannot put a rule ahead of the GeoIP rules as I understand Floating rules are always processed before any of the "static" rules applied to a given interface. You can select from one of the predefined Auto rule orders in the General tab (or in the IP Tab for pfBlockerNG-devel which is much improved). If one of those auto-rule options does not work for your network needs, you can use "Alias type" action settings, and manually create the firewall rules and associate the pfB aliastables. Click on the blue infoblock icons in the IP tab for more details.
  • 1 table created.pfctl: Cannot allocate memory! Help?!

    0 Votes
    3 Posts
    883 Views
    Thanks @BBcan177, very much appreciated!
  • What is (response.c.308) run condition & How to Troubleshoot

    0 Votes
    1 Posts
    142 Views
    No one has replied
  • Lost Alias In Update from 2.2.5_17 to 2.2.5_19

    0 Votes
    9 Posts
    1k Views
    BBcan177
    @dma_pf said in Lost Alias In Update from 2.2.5_17 to 2.2.5_19: I have a custom feed for a Spamhaus list which is located at https://www.spamhaus.org/drop/asndrop.txt. This ASN feed is not supported by pfBlockerNG. I have intentions to add a parser for it, but it has never had that parser before. Maybe there was an IP in that txt file at one point, that the parser found, and you assumed that it was working?
  • Download Fail

    0 Votes
    4 Posts
    1k Views
    Qinn
    @bbcan177 said in Download Fail: https://www.reddit.com/r/pfBlockerNG/comments/a6zs1u/abuse_sslbl_is_back_online/ The Following List has been REMOVED [ Abuse_DYRE_v4 ] The Following List has been REMOVED [ CoinBlocker_v4 ] You were right. Strangely, https://tracker.h3x.eu/api/sites_1month.php I can download manually? So maybe it's the download time, updates are set round midnight??? Forced an update and...??? [ H3X_1M ] Downloading update .. 200 OK. Cheers Qinn
  • Group alert entries

    0 Votes
    2 Posts
    394 Views
    BBcan177
    @tmiland said in Group alert entries: I was wondering if it would be possible to group alert entries? Or add it as a feature request? I'm blocking Windows 10 telemetry, and it is constant traffic (A WHOLE LOT) which pushes other entries out of sight. Running latest pfBlockerNG-devel, which is absolutely FANTASTIC! Regards from an early beta tester (pfBNG Dev v.72) You can mute the logging of Domains in DNSBL by creating a new DNSBL Group and select the "Disable logging" option, and the Group Order to Primary. Then either use Feeds, or add the domains to the custom list at the bottom. Follow that with a Force Reload - DNSBL for it to take effect. This will utilize "0.0.0.0" instead of the DNSBL VIP address. Thanks for the feedback!
  • DNSBL Whitelist vs TLD Exclusion list?

    0 Votes
    2 Posts
    939 Views
    BBcan177
    @yyz said in DNSBL Whitelist vs TLD Exclusion list?: DNSBL Whitelist vs TLD Exclusion list? How are these different? The Whitelist is used to remove Domains from the DNSBL Blocking. When you use the "TLD" option, it will automagically Wildcard block any domain that is a Root domain. So it would wildcard block "example.com" but not "ads.example.com". When a domain is wildcard blocked via TLD, you can use the "TLD Exclusion" list to remove that domain from the TLD functionality. This way, it will only block the single domains that are listed in the DNSBL Feeds and not wildcard block it. A Force Reload - DNSBL will be required after adding to the TLD Exclusion list.
  • Alexa

    0 Votes
    2 Posts
    399 Views
    BBcan177
    @dasanco said in Alexa: I'm having a real problem understanding the purpose of the Alexa list, when and where it should be used, to do what. Is there a primer or white paper on how/when/where to use the Alexa option? The TOP1M whitelist (in devel it also has the Cisco Whitelist), can be used to whitelist the most popular domains in DNSBL. I would only suggest using it for the Phishing Feeds, as those can cause FPs since those feeds post full URLs. Also limit the number of TOP1M Domains to whitelist. Some reading here: https://www.netresec.com/?page=Blog&month=2017-04&post=Domain-Whitelist-Benchmark%3a-Alexa-vs-Umbrella
  • User definable refresh time for IP lists

    0 Votes
    6 Posts
    1k Views
    BBcan177
    I will work on adding this to my todo list :)
  • Whitelisting DNSBL in pfBlocker

    0 Votes
    6 Posts
    1k Views
    @grimson said in Whitelisting DNSBL in pfBlocker: @guardian said in Whitelisting DNSBL in pfBlocker: With all due respect, did you read that post? It doesn't answer the question that I am asking. Did you search and read other posts about this topic? I doubt that. I know about + on the log, but that means that I have to find the item on the log - often that isn't easy, and I can't deal with the problem proactively. I am looking for some way to explicitly and proactively exclude a domain from the DNSBL. So you didn't even really look at the DNSBL settings or read the included help: Is it really that hard to even look at the settings before asking questions and wasting the time of others? It was a case of looking but not seeing. I had a vague recollection of there being a section, but when I first looked I missed it, assumed that it wasn't there and spent a lot of time looking in other places. It is below the fold and buried in other tabs so I missed it. When I saw your post I knew that I had clearly overlooked something and was finally able to find the section. In fact, when I opened the section, I found that I had put entries in there about 18 months ago. I couldn't find any posts because it was so damn simple. This is the digital example of hunting high and low for your car keys (or something else) when it is lying in plain sight. Sorry for the inconvenience, thanks for helping me find the answer to the question. For the benefit of anyone looking for the answer to the question: pfBlocker Domain Whitelisting Navigate to Firewall / pfBlockerNG / DNSBL and open the area Custom Domain Whitelist near the bottom of the page.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.