• pfBlocker locked me out of my pfSense web-managment !!!

    13
    1 Votes
    13 Posts
    2k Views
    M

    @JeGr said in pfBlocker locked me out of my pfSense web-managment !!!:

    I'm more in agreement when it comes to DNSBL - that feature set I can easily see being cloned by Pihole or Adguard. But the IP stuff is way more useful than many realize.

    Although I generally agree, having pfBlocker be granular enough to DNSBL based on networks is way more useful than the way it's implemented today. Deploy pfSense in a SOHO or school that doesn't want to purchase a separate DNS server but wants filtering, you need granularity which pfBlocker doesn't support. So that would be a use case for the extensibility.

  • Easylist update fails. Expired Cert

    43
    1 Votes
    43 Posts
    23k Views
    GertjanG

    @Vatreni

    Just thinking out loud : what about getting an ISO from 'whatever' open source project ? FreeBSD or Debian etc.
    Copy what you find under /etc/ssl/.

    edit : forgot about the most obvious one : get the latest pfSense !!!!!
    ( as you need it even when you don't install it !!)

    and get the latest ca-root certs out of it.

    Btw: having troubles with expired certs is the top of the iceberg (problem).

  • NAT GUI slow when using PfBlockerNG Alias

    2
    0 Votes
    2 Posts
    302 Views
    S

    @mattch it downloads the alias for each rule I think. Or at least processes it.

    There’s one trick we found, at least for our purposes …instead of using the alias as a NAT source, allow any and control the access using one firewall rule for all applicable ports. So, disable the automatic rule creation and create your own. That way the alias is not on the NAT tab and is listed once on the interface tab.

  • This topic is deleted!

    1
    0 Votes
    1 Posts
    11 Views
    No one has replied
  • DNSBL crash report

    1
    0 Votes
    1 Posts
    152 Views
    No one has replied
  • Matched packages (widget) - no filter result

    1
    0 Votes
    1 Posts
    150 Views
    No one has replied
  • Talos_BL_v4 Fails to Update

    6
    1 Votes
    6 Posts
    4k Views
    W

    @Gertjan
    I get pfB_PRI1_v4 - Talos_BL_v4 ] Download FAIL

    but this started to take place only recently.

  • Advert URLs in pfBlocker DNSBL whitelist

    2
    0 Votes
    2 Posts
    347 Views
    rtorresR

    @geoffdh

    My guess is that not whitelisting the 'ad' URLs can break functionality on some apps. I've had this happen to certain apps where I had to whitelist 'firebase settings' that was blocked by my ad lists in order for the app to work correctly.

  • pfBlockerNG Widget Counters

    18
    0 Votes
    18 Posts
    1k Views
    DefenderLLCD

    @jrey For the next few weeks, I am just going to be using pfBlockerNG for IP blocks and not DNSBL. I am testing out the similar functionality with Cloudflare Zero Trust. It adds the ability to inspect SSL traffic on devices where I've added the certificate.

    Here's a very small example of blocks for the last hour with Cloudflare Zero Trust:

    [image attachment]

  • 0 Votes
    4 Posts
    950 Views
    J

    @VMlabman said in pfBlocker error in pfSense: There were error(s) loading the rules: /tmp/rules.debug:56::

    Could it be that I have too many lists enabled

    yes,

    Could also be that the default "Firewall Maximum Table Entries" setting is too low.
    You will find this entry here: System -> Advanced -> Firewall & Nat

    A lot of people select far too many lists - generally not needed.
    The setting should generally be twice the value actually required. When the lists are processed to the firewall, the entire new set is created, then swapped into place.

    Look for this log entry in the pfblockerng.log. That will give you some guidance to the setting best suited for your case. In my case it is deliberately higher than the 2x referenced.

    pfSense Table Stats
    -------------------
    table-entries hard limit  600000
    Table Usage Count         135911

    Just above that in the log you should see the summary, like this:

    Alias table IP Counts
    -----------------------------
    134581 total
    107656 /var/db/aliastables/pfB_???_v4.txt
     11244 /var/db/aliastables/pfB_???_v4.txt
      6505 /var/db/aliastables/pfB_???_v4.txt
      6208 /var/db/aliastables/pfB_???_v4.txt
      2608 /var/db/aliastables/pfB_???_v4.txt
       228 /var/db/aliastables/pfB_???_v4.txt
       132 /var/db/aliastables/pfB_???_v4.txt

    the ??? will be the name of the list

  • While pfBlocker updates interface rules pfSense ignores floating rules

    4
    0 Votes
    4 Posts
    526 Views
    E

    I changed the feeds to be once daily, but just like clockwork, at 20 or so seconds after the hour, every hour - for 90 seconds the floating rules are ignored. Continuing to see what could cause this. Open to ideas.

  • Site Monitoring with PfBlocker + AD

    7
    0 Votes
    7 Posts
    685 Views
    P

    @mcury That's very interesting!

    I will definitely consider a test.

    Thank you, my friend!

  • pfBlockerNG v3.2.0_10?

    6
    0 Votes
    6 Posts
    847 Views
    J

    @areckethennu
    Yes what @SteveITS said

    _8 was 23.09.1
    _9 was installed with the update 24.03
    _10 was then released to correct the category edit issue that has been discussed

  • REGEX blocking

    48
    0 Votes
    48 Posts
    9k Views
    A

    @Gertjan I did a little bit different)))

    New Text Document.txt

  • PHP Errors

    2
    0 Votes
    2 Posts
    317 Views
    S

    @pslinn Not a specific answer for you but I have seen it before.
    https://forum.netgate.com/topic/185383/suricata-php-fatal-error-str_ireplace-cannot-use-output-buffering-in-output-buffering-display-handlers-in-usr-local-www-csrf-csrf-magic-php-on-line-165

    https://redmine.pfsense.org/issues/14778

    https://redmine.pfsense.org/issues/14498

  • pfBlockerNG How to disable feed

    6
    0 Votes
    6 Posts
    866 Views
    U

    @Gertjan
    Thanks, I'll try

  • Spamhaus Drop & eDrop List

    15
    0 Votes
    15 Posts
    3k Views
    K

    @kuschi I now received feedback from Spamhaus that the list is now reliably available again.

  • Blocking YouTube Shorts with Regex

    4
    0 Votes
    4 Posts
    2k Views
    GertjanG

    @anishkgt said in Blocking YouTube Shorts with Regex:

    Since it was done in the link mentioned here ->(https://forum.netgate.com/topic/164732/python-regex-list)

    That link shows you that you can block 'anything that contains "yahoo" in the host name'.
    Fasten your seat belts now.
    Example :
    https://www.youtube.com/shorts/wEVVhumRrHI is an URL
    youtube.com is a host name
    www.youtube.com is a sub domain of that host name.

    pfBlockerNG has access - can see in the clear - the domain name, "youtube.com" and the sub domain name, www.youtube.com. So it can 'filter' these. Then the app or web browser on the device gets an A (IPv4) or AAAA (IPv4) as an answer, and it connects to this (the "youtube") server.
    TLS is established first.
    Only now the browser gets the actual 'page' : the video : with this command "GET /shorts/wEVVhumRrHI/".
    The thing is : you can't get 'into' this TLS stream. It's encrypted. You want it to be encrypted. You don't want to have access to this data stream. Like never.

    There is one possibility left : use a proxy, and do MITM. Be warned : this is pure rocket science.

    So, as @SteveITS said : you need a proxy.

    If the shorts were accessible by the usage of a sub domain name, then it would be easy :
    shorts.youtube.com can be filtered at a DNS request level, as the link shown above already shows.

    But Youtube (Google) etc are doing their best so nobody can filter their content. They are hiring the "best" for doing just that. So, part of the mission is : you have to be better than these couple of thousands of network engineers they employ.

    edit : It's youtube that has given us a partial solution. Youtube, without a premium access, is ... well ... IMHO, it's just not possible. If I had to wade through the publicity to see these 'shorts' I presume I have a problem way bigger than 'watching shorts'. But hey, it's a free world. Smoking is also bad. And I should drink (not water) less.

  • pfBlockerNG on transparent mode

    2
    0 Votes
    2 Posts
    293 Views
    S

    @milindhvijay Are you using it for firewall rules or DNS block list?

    https://docs.netgate.com/pfsense/en/latest/bridges/firewall.html

    For DNS, devices would need to use pfSense for DNS.

  • pfBlocker Errors - Requesting Clarifications

    1
    0 Votes
    1 Posts
    132 Views
    No one has replied
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.