• Error loading rules

    0 Votes
    6 Posts
    444 Views
    telserv

    @telserv Hi Bob.Dig

    So that was the solution. I would never have found it, because I have only configured about six countries in Europe, and four in North America. However, I never argue with things that work. 😊

    Thanks again!

  • pfBlockerNG Custom Source Alias problem

    0 Votes
    10 Posts
    713 Views

    @rvoosterhout I found the problem: when you create the Alias, change the type to NETWORK.

  • RCE exploit

    0 Votes
    7 Posts
    1k Views
    johnpoz

    @stephenw10 this seems to be popping up everywhere - not sure if that post I linked to was the original, or a copy from elsewhere - but I'm seeing the exact article pop up on other security sites.

    And not one I have seen has bothered to clarify anything.. Like hey this is interesting, but it's years old and not to worry.. But good reminder to keep your software updated.. And btw you shouldn't have your gui exposed in the first damn place, etc..

  • Ponmocup DNSBL feed

    0 Votes
    7 Posts
    602 Views

    @fireodo thanks

  • Remove IP from Whitelist

    0 Votes
    2 Posts
    159 Views

    Never mind. Something must have been wrong with the whitelist. I deleted the entire whitelist and readded. Now I can remove IPs as expected.

  • Not updating dnsbl list

    0 Votes
    16 Posts
    2k Views

    Hi @Gertjan, thanks for your willingness to help me! Here are my settings:


    Phishing group is defined here:
    Nothing is selected under Shallalist and UT1.

  • Maxmind Netherlands GeoIP Missing?

    0 Votes
    3 Posts
    277 Views
    planedrop

    @johnpoz LOL no I am just blind, I'm not sure how since I read through the entire list like 5 times, maybe I am just tired. I was looking for "Netherlands" instead of "The Netherlands" and was only looking at things I hadn't selected already, so I guess I skipped it when reading.

    Anyway, it is there, apologies for creating a post for something so silly lol.

    Much appreciated!

  • pfBlocker update Log viewer odd SSL entry

    0 Votes
    14 Posts
    1k Views

    @reberhar
    I played with pfBlocker and watched the updates for CARP from that window.

    BBcan is very deliberate about making sure that the CARP VIPs are configured with the /32 mask. I think I understand why.

    When I fudged it to /24, of course it worked. But when the nightly updates happen it is set back to /32. CARP then failed on that node. I set it back to /24 and the process repeated itself.

    But even with the mask at /32 the next day CARP is again down on that node.

    I will keep trying.

    Tonight I will clear the state tables.

  • Configuration History - Full of pfBlockerNG: saving DNSBL changes

    0 Votes
    1 Post
    267 Views
    No one has replied
  • High Wire Memory Usage After pfBlockerNG Reload

    0 Votes
    1 Post
    139 Views
    No one has replied
  • Unresolvable Alias of premade filters on backup node

    0 Votes
    3 Posts
    297 Views

    @KKIT Is it when a pfBlocker update happens?

  • 0 Votes
    6 Posts
    854 Views

    I agree it is bad as well. I had to reinstall again and restore my config. I'm going to run it on ufs this time instead of ZFS and see if that has any impact on it.

  • Update Frequency of GeoIP

    0 Votes
    1 Post
    221 Views
    No one has replied
  • 0 Votes
    4 Posts
    481 Views
    Gertjan

    @floppypen

    Ok, nice, so it's more than probable that Firefox uses the resolver to resolve stuff.
    Did you test?

    I'll give an example:

    My settings:


    This is the dnsbl file:


    Let's pick one:


    So, I set up a tailer (SSH or console mode - no (never) GUI command line please):

    [24.03-RELEASE][root@pfSense.bhf.tld]/root: tail -f /var/unbound/var/log/pfblockerng/dns_reply.log | grep 'americanskinheads.com'

    This command 'tails' the main dns_reply.log log file: every DNS request that was parsed by pfBlockerng (the python (!) mode parser).
    Now I visit this site - and no surprise:


    and the log shows me:

    DNS-reply,Jun 26 11:00:00,servfail,AAAA,AAAA,Unk,americanskinheads.com,2a01:cb19:907:dead::c7,ServFail,unk
    DNS-reply,Jun 26 11:00:00,servfail,AAAA,AAAA,Unk,americanskinheads.com,192.168.1.6,ServFail,unk
    DNS-reply,Jun 26 11:00:00,servfail,AAAA,AAAA,Unk,americanskinheads.com,2a01:cb19:907:dead::c7,ServFail,unk
    DNS-reply,Jun 26 11:00:00,servfail,AAAA,AAAA,Unk,americanskinheads.com,192.168.1.6,ServFail,unk

    Btw: 192.168.1.6 and 2a01:cb19:907:dead::c7 are the IPs my PC with the web browser is using.

    Recap:
    I wanted to visit a site using a host name.
    The local PC DNS cache didn't have that hostname / IP in its cache, so it asked unbound (pfSense).
    Unbound filters everything through the pfBlockerng python loop, which uses a big DNSBL database: it found a match (no surprise) and unbound answered back to my PC, my browser, with the IP that stands for "don't know that IP so here you have 10.10.10.1", which points to the pfBlockerng web server that showed me in turn: the domain you wanted to visit is blocked.

  • Aliases

    0 Votes
    8 Posts
    601 Views

    @Bob-Dig Got it, THX, I tried for IPv6 always de_rep, but I had to choose only de.
    Now it works, it was a little bit confusing, but it works now, exactly as I want.

    THX for the Tip and Photo!

  • can't update DNSBL Whitelist

    0 Votes
    2 Posts
    245 Views
    tinfoilmatt

    @jc1976 running Snort or Suricata by chance?

  • 0 Votes
    6 Posts
    571 Views

    @Gertjan yeah.... but I'm 57 now and my late nights of coding or sysadmin work are behind me.

    (former 4.2BSD user, 4.3BSD... SunOS 3.2... BSD/OS..... FreeBSD-3.2 and onwards) :)

  • 0 Votes
    3 Posts
    599 Views
    Gertjan

    @roveer said in pfBlockerNG v3.2.0.8 giving This Connection Is Not Private on all apple devices, but not PC's:

    Is there a solution to this?

    There never will be, as it's not a problem.

    For example: your browser found a host called "ad.doubleclick.net" on a web page and this host name was 'blocked' by pfBlockerng.
    What happened is: your browser asks the local DNS (pfSense): what is the IP address of ad.doubleclick.net? And your local DNS, the resolver, will use pfBlockerng to test every DNS request. pfBlockerng will compare the requested host name "ad.doubleclick.net" with a list of 'forbidden' host names, the DNSBL feeds you've installed into pfBlockerng.
    And guess what: there was a match! 'ad.doubleclick.net' was present on some DNSBL list, so the resolver stops doing its work (resolving 'ad.doubleclick.net') and it will return to the browser the IP (pfBlockerng default) "10.10.10.1".
    Ok, the browser is happy, now it will connect to that IP, and show the user what it has to 'say'.

    Meanwhile, the way how browsers connect to web servers has changed since the last century.

    Entering TLS, or what is "https"?
    https is http with an s added to it. It's the http protocol, encrypted (secured) with TLS.

    Before: the browser would connect to the server IP, and ask on port '80': "gimme the page" - and done.
    These days: the same thing but over a secured communication link. This means that the browser gets a certificate from the web server first.

    Let's take the example of the certificate of this web site 'forum.netgate.com': embedded in the certificate (check for yourself) you can find:


    Your browser, before accepting the connection with 'forum.netgate.com', will compare what it found in the certificate from the forum.netgate.com web server with what it tries to contact: does 'forum.netgate.com' match '*.netgate.com'? And it does!! So the connection has a padlock, and the browser is happy. All is well. Many children, bright future, etc.

    Now, wind back to our 'ad.doubleclick.net' and 10.10.10.1 answering. Will '10.10.10.1' be able to produce a certificate to the browser that says "I am 'ad.doubleclick.net'"? Of course not.
    Now your browser will yell at you .... as it wants to connect to a server called 'ad.doubleclick.net' and it got an answer back from another server called (I don't know, but not 'ad.doubleclick.net') ... that is bad! Massive errors will show up. Users are panicking. "Internet is broken again"

    To make the long story short: and @dave14305 is right, forget about the pfBlockerng built-in web server that will show the user a pfBlockerng web page if he's trying to visit a web site that is blocked.
    It is impossible to redirect https traffic - period. The pfBlockerng web server was nice to have when web sites were 'http' only (last century). And that doesn't exist anymore.

    Set up the "Null Block (no logging)" option, and be done with it. Some day, our browsers will make the 'error' shown more 'clear' to the end user. Maybe ....

    Btw: I've a load of "apple products ipad & iphone" in use here, I'm even using one right now to write this post.
    I didn't see any "This Connection is not private" issues.
    That is, it is still complaining that my Wifi isn't encrypted but I don't care ???!! Everything (mostly) is already flowing over the Wifi (radio waves) using TLS, so what is the risk?
    I could of course activate WPA2 for my wifi (and now I have to deal with the passwords).
    I could, as soon as the wifi is activated, fire up a VPN.
    And now I have a secured connection in a secured connection in a secured connection.
    Now I can safely buy my new tin foil hat.

  • IPv4 using ASN returns SSL certificate problem: self-signed certificate

    0 Votes
    6 Posts
    483 Views

    @johnpoz

    I'm running pfBlockerNG 3.2.0_10 on pfSense 24.03. I have been doing the updates through a VPN, which has been working without a problem. I changed it to force the update out the WAN, which worked.

    Taking a look at the vpn logs, it has started showing some udp write errors, although the vpn channel would come up and appear to function properly. Since it works through the WAN, it must be the vpn causing the problem. Will have to take a closer look at that.

    I appreciate your help! I wouldn't have suspected the vpn, if you hadn't asked the question.

  • DNSBL (Python mode) errors Found!

    0 Votes
    7 Posts
    977 Views
    TAC57

    @Gertjan I have the secure shell server enabled and the correct port set and WinSCP is working just fine.

    As far as pfBlocker, I've had an ID and license key in pfBlocker for quite some time and it has worked just fine. From your previous comment I didn't know if there was something else I needed to do.

    pfBlocker is running just fine now and MaxMind is reporting it is happy with successful download. I ended up uninstalling pfBlockerNG-devel and reinstalling pfBlockerNG, and getting a brand new MaxMind license. I'm really not sure why things are now working.

    In addition to pfBlockerNG working I can also get a listing of available packages from the package manager. Previously this wouldn't list anything.

    What version of pfBlocker are you running -devel?

    Thanks,
    -TAC

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.