@Unoptanio said in Pfsense 2.7.0 pfblockerng ERROR: could not update pfB_PRI1_v4 content from ...:

Could the alias have been included in version 2.6.0 by default?

2.6.0, or the current 2.7.0 : make use of the fact that it is open source so look for yourself in this folder, the GUI web root folder : https://github.com/pfsense/pfsense/tree/master/src/usr/local/www : there is no /pfblockerng/ folder - neither the PHP file in that folder : pfblockerng.php (ok, this is quiet obvious).

Also, when pfblockerng is installed, there are no DNSBL feed or IP feeds activated, they have to be selected and downloaded first.
When you install pfblockerng, it does nothing, it has to be set up first.

Still, I'm curious. To be sure, I would have to get a copy from a non infected source : https://www.pfsense.org/download/ and see what I find in the aliases when done. That's .... hum..... to much work 😊

Or you change the pfBlockerNG Firewall 'Auto' Rule Order.

@gwaitsi I have the same exact error. Did you find a solution?

I have the "pfBlockerNG-devel" package installed. The DNSBL part is turned off. This is the error I get:

[19-Sep-2023 12:18:28 Etc/UTC] PHP Fatal error: Uncaught ValueError: escapeshellarg(): Argument #1 ($arg) must not contain any null bytes in /usr/local/pkg/pfblockerng/pfblockerng.inc:3816
Stack trace:
#0 /usr/local/pkg/pfblockerng/pfblockerng.inc(3816): escapeshellarg('^192\.168\.1\.1...')
#1 /usr/local/pkg/pfblockerng/pfblockerng.inc(5647): find_reported_header('192.168.1.15\x00\x00\x00...', '/var/db/pfblock...', false)
#2 /usr/local/pkg/pfblockerng/pfblockerng.inc(1031): pfb_daemon_filterlog()
#3 {main}
thrown in /usr/local/pkg/pfblockerng/pfblockerng.inc on line 3816

@michmoor It is bing.com. But I want to use the search provider. I already use pfB (and pie-hole) but I don't see anything logged in either x bing.com. Their chat is like the loud drunk at a party who no one wants to talk to, but won't shut up or leave.

Hey guys,

after applying pfblockerng non-devel update 3.2.0_6 to my _5-install sync still did not work.

Unchecking the button "Keep Settings", saving and reloading and then reinstalling the package on my backup-machine followed by a force reload on the master machine did the trick and now the sync works smoothly. Reboot was not necessary on neither my master nor my backup machine.

Thanks folks!

@coffeecup25 You could enable "DNS Reply Logging" in pfBlocker for that.

Subsequent to the first post the DNS Resolver cache ran ok until 16 Sep @0615hrs - ie for 54 hours since pfBlockerNG last reset the DNS cache to zero.

At the time off this post the DNS has been running again for 8hrs 13 mins and completed the single Cron job at 1215hrs with no reset.

Not ideal.

☕️

Monitor Guy, thank you, exactly right. I deleted the old dnsbl line from Service Watchdog

dnsbl pfBlockerNG DNSBL Web Server

and added

pfb_dnsbl pfBlockerNG DNSBL service

and problem solved! No more messages every minute.

@danilo-arrifano said in Block Youtube with and without domain:

Good afternoon, Netgate masters.

I hope everyone is okay!
I don't have in-depth knowledge of Firewalls, but the company I work for has PFSense 2.7.0
I have to block the Youtube website on my network, but my network has hosts with Windows Pro and Windows Home. Knowing that devices with Windows Home do not adhere to firewall rules because they do not have support for domains, I send you my request for help.
How to resolve this issue?
Sorry for my English, but I don't speak the language.

I would be very grateful for any ideas that can help me!
Thank you very much in advance!

Go to firewall menu and select pfBlockerNG > DNSBL, scroll down until you see TLD Blacklist/whitelist...click on the plus symbol...you should see below and add youtube.com. Save, update and reload. Remember to clear browser cache on all devices.

Screenshot 2023-09-12 at 3.53.38 PM.png

@j-koopmann Gotcha, hmmm that is odd. Mine has been creating them just fine, I'll check several other pfSense units I have running though and see if any others are having the same problem.

@Gertjan Without modifying the TTL like you did it makes python group whitelisting kinda pointless.....

@BlueCoffee said in Every morning I have a "crash report" why?:

Should I post this error ina new thread do you think?

We'll leave that to the forum admins ^^

here :

log_error(sprintf('hw.physmem = "%s" - hw.realmem = "%s"', $physmem, $realmem));

Do you think you can manage to edit the file, make it look like this :

94fe540a-dade-4d6a-ae39-38e1097877ae-image.png

Now go to the pfSense GUI dashboard.
And then to the location where the answers are : the logs :

a63f8325-f7e6-4617-8d64-9d2e7040762b-image.png

You saw I what I have. Both are probably strings that can easily be converted to integer numbers.
Now : your turn.

@BlueCoffee said in Every morning I have a "crash report" why?:

I moved to this little box

What little box ?

@sub2010

I´m happy i found the error ✌ .

When i configure the DNSBL SafeSearch, YouTube Restrictions the Video doesnt show up.
b8befdd6-b447-4a4d-b412-4ea17dae4e40-image.png
a87b582a-c73f-4051-bd61-08ce68d7d97f-image.png

And even i disable it, i cant bring back the video. Only one Reinstallation can help me.

Do you have any Idea how i can use Restrictions with whitelistening?

@Gertjan You are certainly correct that the Adult (XXX) category that's available on UT1 is huge. But at least the option is available for those that have the proper firewall hardware for it. While the Shallalist does not seem to be available currently. Archives are an option, but they are mostly outdated since they're no longer updated regularly.

@Gertjan

Another solution might be : not adding DNS requests from devices on the "Group Policy" into the resolver cache ( if this is even possible ? )

This is the behavior I would expect. I'm not sure if it is possible either.

Oh, all my formats are on AUTO, so I'll have to find out which list has GeoIP format.... :-(

So I have to go through all the non-custom lists? This could take while, and I don't know what to look for. Maybe there is a keyword like GEO-something?

EDIT: there might be an easier way, I just sift through the update.log of pfblocker and discard lists that show something like "Classifying repeat offenders by GeoIP".

EDIT2: Oh, the reputation functions dmax and pmax use GeoIP! I turned these on a week ago or so.... Embarrassing, I should have made the connection!

Thanks @Bob-Dig , I am confident that turning reputation off is the solution.

Will report back if I am wrong.. ✌

I got it to work. I'd love to be able to get more specific with the locations instead of the center of a country, but for today this will do.

Here is code to the query made in grafana

SELECT "action" FROM "tail_ip_block_log" WHERE ("host" =~ /^$Host$/ AND "action" = 'block' AND "direction" = 'in') AND $timeFilter GROUP BY "geoip_code"::tag

Here is grafan code to panel JSON```
{
"datasource": {
"uid": "$dataSource",
"type": "influxdb"
},
"fieldConfig": {
"defaults": {
"custom": {
"hideFrom": {
"tooltip": false,
"viz": false,
"legend": false
}
},
"mappings": [],
"thresholds": {
"mode": "absolute",
"steps": [
{
"color": "green",
"value": null
},
{
"color": "red",
"value": 80
}
]
},
"color": {
"mode": "thresholds"
}
},
"overrides": []
},
"gridPos": {
"h": 9,
"w": 6,
"x": 9,
"y": 16
},
"id": 563,
"maxDataPoints": 1,
"options": {
"view": {
"allLayers": true,
"id": "zero",
"lat": 0,
"lon": 0,
"zoom": 1
},
"controls": {
"showZoom": true,
"mouseWheelZoom": true,
"showAttribution": true,
"showScale": false,
"showMeasure": false,
"showDebug": true
},
"tooltip": {
"mode": "details"
},
"layers": [
{
"type": "markers",
"name": "Layer 1",
"config": {
"style": {
"size": {
"fixed": 5,
"min": 2,
"max": 10,
"field": "Time"
},
"color": {
"fixed": "red"
},
"opacity": 0.2,
"symbol": {
"mode": "fixed",
"fixed": "img/icons/marker/circle.svg"
},
"textConfig": {
"fontSize": 12,
"textAlign": "center",
"textBaseline": "middle",
"offsetX": 0,
"offsetY": 0
},
"rotation": {
"fixed": 0,
"mode": "mod",
"min": -360,
"max": 360
},
"text": {
"fixed": "",
"mode": "fixed",
"field": "geoip_code"
}
},
"showLegend": true
},
"location": {
"mode": "lookup",
"geohash": "geoip_code",
"lookup": "geoip_code"
},
"tooltip": true
}
],
"basemap": {
"type": "default",
"name": "Layer 0",
"config": {}
}
},
"pluginVersion": "10.1.1",
"targets": [
{
"datasource": {
"uid": "$dataSource"
},
"alias": "$tag_geoip_code",
"groupBy": [
{
"params": [
"geoip_code::tag"
],
"type": "tag"
}
],
"measurement": "tail_ip_block_log",
"orderByTime": "ASC",
"policy": "default",
"query": "SELECT count("action") FROM "tail_ip_block_log" WHERE ("host" =~ /^$Host$/ AND "action" = 'block' AND "direction" = 'in'), AND $timeFilter GROUP BY time(10m), "geoip_code"::tag",
"rawQuery": false,
"refId": "A",
"resultFormat": "table",
"select": [
[
{
"params": [
"action"
],
"type": "field"
}
]
],
"tags": [
{
"key": "host",
"operator": "=~",
"value": "/^$Host$/"
},
{
"condition": "AND",
"key": "action",
"operator": "=",
"value": "block"
},
{
"condition": "AND",
"key": "direction",
"operator": "=",
"value": "in"
}
]
}
],
"title": "IP - Src/Dst Blocked Geo",
"type": "geomap",
"description": ""
}

@oever pfblocker vs just blocking by resolving to say 0.0.0.0 likes to point to a block page - that says hey this site is blocked. But if your looking for something specific loaded off that IP, 10.10.10.10 I think is default vip that is used.. But I think at some point there was recommendation to use something different.. Anywho - yeah block page is just hosted on pfsense off whatever the IP you use (vip on pfsense) to serve up the page to tell you hey that site is blocked.

But if you try and load some specific resource off that httpd, like favicon.ico then sure yeah that could be loaded.

Glad I could help you get some sleep ;)

@Gertjan thats exactly what I was thinking - but was too lazy to check into the code ;)

@Cabledude

I was using M0n0wall in the past, as it offered a 'captive portal' and I was looking for some answers.
I've used my IRL first name to create an account here, just to ask some question.
I had my answers quickly, from what I recall, my questions were just "wrong", and I've installed pfSense.
Still using it today.

edit : forgot about the most important one : I'm still learning.

@deveals
Danny
I'm also a newbie, and we're using pfBlockerNG with a custom list.
Our custom list is derived and compiled from a combination of sources, including AbuseIP.com, local fail2ban, and others.
The custom list contains about 100k addresses.
pfSense gets list updates a few times each day by a cron task.
The activity against this list is easily visible.
There's a pfBlockerNG widget for the pfSense GUI dashboard that gives summary data.
If you need more granular data using the GUI, go to Firewall, Rules, WAN, select and edit the custom rule, scroll to bottom of page and note the Tracking ID number.
Also make sure logging is enabled for this rule. Log = tick.
Then use Status, System logs, Firewall, Advanced Log filter (enabled in System, General Setup, Log Filtering), and enter the Tracking ID in the filtering criteria. Apply Filter.
Now you see all the traffic actioned by your custom rule.
If there's a better way to do this, I hope somebuddy with more experience will chime in with correction/s and/or suggestion/s.
HTH

@jrey I don't even have the file anymore, I'm using what you provided and substituted my URL and it's been working perfectly.

Thanks again for your help, really appreciate it!

I have some pfBlocker generated rules as floating/quick. Some of which protect a few forwarded ports on the WAN interface.
I have logging turned on for these rules and, whilst it works as expected. one thing puzzles me: The logged DST IP is sometimes the WAN interface and sometimes the internal forwarded-to IP. I don't understand why this variation occurs. Is it a consequence of 'floating' rules? Whilst the rules concerned are 'floating', they're assigned only to the WAN interface. It seems as if the rule can be evaluated before or after NAT occurs?

I ended up deleting pfblocker, restarting, and re-installing it. It seems to be working now.

@reynold well that could be problematic - since when you forward a returned IP being rfc1918 would be a rebind..

So with your client be it nslookup or dig or host, whatever your fav dns client is from cmd line. Do a query to pfsense IP, do you get back local resources that your DNS is resolving?

When you forward to some other NS, you prob want to allow for rebind from it, create a private-domain entry in your unbound config.

See here

https://docs.netgate.com/pfsense/en/latest/services/dns/rebinding.html

But if was a rebind pfsense would not return an IP for some fqdn query, so how would you end up on pfsense IP? What is more likely is your browser is doing doh, and getting some public IP that is say pfsense wan, to how your getting the pfblocker dnsbl cert..

But you should actually validate that is working.. But if your running your own DNS, all your clients should really point directly to that IP for dns..

@Cylosoft said in pfblocker in AD domain with local dns server:

Then in the PF DNS Resolver settings we add domain overrides for the local domain. So "whatever.local" uses lookup server IP Address of the AD domain controller IP.

I did it and yellow warning disappeared