• DNSBL feed failed: Domainname length overflow

    0 Votes
    4 Posts
    2k Views
    BBcan177

    As I stated in my reply above, you cannot use these EasyList feeds by adding them to the DNSBL Feeds tab. They will not parse properly.

    The only EasyList feeds that are usable in DNSBL are hardcoded in the EasyList tab. Only certain portions of the EasyList/EasyPrivacy are usable in a DNSBL filter. See the categories in the EasyList tab to see which categories are usable.

    The next version of pfBlockerNG will have all of the EasyList Language Feeds included.

  • DNSBL/EasyList used to work – now does not

    0 Votes
    9 Posts
    3k Views
    S

    Set DNSBL IP Firewall Rule Settings > List Action > Deny Outbound instead of Both,
    and remove any PIA DNS server IP from Services > DHCP Server > LAN.

    For firewall rules, follow the PIA pfSense guide (go to the end of the page): https://www.privateinternetaccess.com/pages/client-support/pfsense

  • Pfb_dnsbl.conf too big?

    0 Votes
    8 Posts
    2k Views
    RonpfS

    @mugabemkomo:

    The only error I get is:
    unbound 22943:0 error: cannot chdir to directory: (No such file or directory)

    This "error" has been present for ages. It doesn't cause any problem as far as I know.

  • Weird behaviour all IPs get blocked

    0 Votes
    9 Posts
    1k Views
    BBcan177

    @morreale:

    @BBcan177:

    I'd recommend these PRI1 Feeds:

    What does PRI1 mean?

    PRI1 is the IPv4 Aliasname that I use for the Primary-1 recommended feeds…

  • Pfblockerng 2.1.1_6 error message

    0 Votes
    6 Posts
    1k Views
    BBcan177

    Did you try the command in reply#2?

  • Block List Sticky?

    0 Votes
    20 Posts
    5k Views
    C

    +1 on a block list sticky. I'd also like to see different sample blocklist sources for those of us hosting services vs those of us consuming services.

    As a host (hosting lots of web sites, so for example all my WordPress sites are constantly scanned, and all http/ftp/ssh etc ports are under constant attack), this is what I'm using as an IPv4 block list:

    https://isc.sans.edu/block.txt  (DShield Top 20 bad guys)

    http://feeds.dshield.org/top10-2.txt (DShield Port Scanners)

    https://zeustracker.abuse.ch/blocklist.php?download=badips  (ZeuS bad ips - not the most restrictive list but won't have false positives)

    https://rules.emergingthreats.net/fwrules/emerging-Block-IPs.txt possibly overlaps the DShield lists? I don't host email so not sure if I need this.

    http://cinsscore.com/list/ci-badguys.txt CIArmy active threats. This gets by far the most blocks.

    This is by no means an endorsement of a proper hosting block list, though it does seem to block quite a bit of bad traffic. In fact, I'd appreciate any suggested changes for a hosting provider that wants to block the worst of the worst while avoiding false positives. Thanks!

    EDIT: I found a very good resource of blocklists: http://iplists.firehol.org/ has several. For my use, their Level 3 block list seems to be exactly what I need.

  • Pfblocker Alerts

    0 Votes
    2 Posts
    783 Views
    BBcan177

    The Alerts tab uses the pfSense Firewall log as its source. So you may need to increase the size of the firewall log retention.

  • Error Message

    0 Votes
    3 Posts
    582 Views
    stephenw10

    It's telling you two things. There is not enough memory to create the v6 bogons list. There is no data to populate that table from pfBlocker.

    You could try forcing an update in pfBlocker or disabling it to see if you can successfully load the ruleset. You can also try increasing the maximum table entries in System > Advanced > Firewall/NAT if you have available RAM for it.

    Steve

  • Wanted, A message page please

    0 Votes
    2 Posts
    490 Views
    D

    Not with DNSBL; that'd make things pretty horrible, you'd get that page in place of every blocked advert, e.g.

    If you are talking about the firewall rules, there's nothing preventing you from creating aliases (use one of the Alias actions in List Action) and using those as a destination in a NAT rule, redirecting the requests to some webserver and serving whatever you want there.

  • PfBlockerNG v2.1.1_8 not showing in Package Manager

    0 Votes
    10 Posts
    994 Views
    K

    pfBlockerNG 2.1.1_7 is now showing as out of date. I updated, and now I have pfBlockerNG 2.1.1_8.

    Thanks to BBcan177 for pfBlockerNG, and thanks to JimP for sorting things out with this update.

  • Re: DNSBL Interface

    0 Votes
    7 Posts
    2k Views
    H

    @BBcan177:

    @HeatmiserNYC:

    Hey BBCan,
    Ran into some strangeness over the last few days. Why would I only be getting this in my logs? It appears that nothing else is resolving….

    If you're referring to the "unknown" msg, then that is normal for HTTPS alerts; the browser fails to load the DNSBL webserver (as expected) and as such only a portion of the alert can be logged. Hover over the key icon.

    Did something change with the logging? I'm fairly certain I never saw those messages on a regular basis. It was always source/destination of visited websites…

  • IP not being blocked

    0 Votes
    4 Posts
    912 Views
    BBcan177

    If you manually add IPs to a customlist, you need to check the "Update custom list" checkbox, then go to the Update tab, and Force Update. Otherwise the Customlist is updated as per the "Frequency" setting of the Alias.

    The next version will be more intuitive to know when the Customlist has changed…

  • DNSBL doesn't block search engine links

    0 Votes
    3 Posts
    665 Views
    S

    @BBcan177:

    Did you enable the "TLD" option? Without TLD, only the listed domain/sub-domain is blocked…

    So without TLD:

    example.com will be blocked
        sub.example.com will not be blocked

    With TLD:

    All sub-domains are blocked.

    Thanks! I figured I was missing something simple ::) the search result link was going through because it had a "www." on the front. Enabling TLD fixed it.

  • How to find tracker and ad domains to build your own list?

    0 Votes
    9 Posts
    2k Views
    T

    @BBcan177:

    The next version of the package will have a "Feeds Management" Tab, that lists the recommended IPv4/IPv6/DNSBL feeds… So this will be easier to manage... Also when Feeds change, those changes will be visible in the Feeds Tab...

    This sounds like a fantastic feature. Can't wait to play with it!

  • URL List Formatting

    0 Votes
    2 Posts
    737 Views
    BBcan177

    You can use the pfBlockerNG Log Tab.

    Go to "Original IP Files", then view the contents of the original Feed.

    Go to "Deny" or "Permit" or "Match" (depending on how you configured the Alias), and view the parsed IP file contents.

    Or go to the shell, and view the files from the subfolders in /var/db/pfblockerng/

  • Smites

    0 Votes
    10 Posts
    2k Views
    M

    Those people should be sent to North Korea, BB :-*

    (Having said that: it could also be possible people hit the wrong button by accident and never bothered to inform you about it. I think I've read somewhere in the past that board mods can reset your count to 0.)

  • PfblockerNG and DNSBL

    0 Votes
    3 Posts
    1k Views
    M

    SAME ISSUE here…

    I blocked YouTube on Win10 machines via the hosts file…

  • I found a weird "bug" in pfblockerng

    0 Votes
    3 Posts
    791 Views
    M

    Thank you for your fast reply, and good information.

  • 0 Votes
    5 Posts
    5k Views
    P

    I forgot to mention, since you are hardening your system to defend against active attackers, securing your DNS queries is a very important piece of that. Unbound is a very secure resolver so I would recommend taking some time to familiarize yourself with it and optimizing and hardening its settings. By using Unbound, hardening it and only sending queries out through a VPN you are probably effectively impervious to DNS attacks from the massive majority of hacking. Check out this article and here are some suggestions for settings. https://calomel.org/unbound_dns.html

    Enable DNSSEC Support (this is authentication for your DNS queries to avoid spoofing attacks, kind of like SHA)

    NO Forwarding Mode
    NO DHCP Registration
    NO Static DHCP
    Hide Identity
    Hide Version
    Prefetch Support
    Prefetch DNS Key Support
    Harden DNSSEC Data

    You might be interested in the Unwanted Reply Threshold, but I've never used it and know nothing about it

    Experimental Bit 0x20 Support

  • Reinstall pfB deps

    0 Votes
    6 Posts
    1k Views
    BBcan177

    Which rules are you referring to?

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.