• [ pfB_PRI3 - WatchGuard ] Download FAIL

    0 Votes
    9 Posts
    7k Views
    BBcan177

    @Mr.:

    BB: isn't the not-reporting-no-logging a bug?

    Feature … :)

    Someone needs to find a way to bypass those human validation measures in these sites to get the list to download...

  • PfBlockerNG GeoIP lists show multiple lines for each country

    0 Votes
    4 Posts
    4k Views
    royce.williams

    Quoting the MaxMind doc:

    Country, Registered Country, and Represented Country

    We now distinguish between several types of country data. The country is the country where the IP address is located. The registered_country is the country in which the IP is registered. These two may differ in some cases.

    Finally, we also include a represented_country key for some records. This is used when the IP address belongs to something like a military base. The represented_country is the country that the base represents. This can be useful for managing content licensing, among other uses.

  • Pfblocker error on new 2.3.2 install

    0 Votes
    5 Posts
    4k Views

    @BBcan177:

    No that is to increase the "State Table"…

    System / Advanced / Firewall&NAT  -  Firewall Maximum Table Entries

    too

    BBCan177's fix above worked for me.
    Let me take this opportunity to thank BBCan for his work on the pfblockerNG package - very impressive work fella!

  • SOLVED - PfBlockerNG DNSBL not blocking traffic on secondary LAN

    0 Votes
    5 Posts
    4k Views

    @tonymorella:

    @Mr.:

    @RonpfS:

    For DNSBL to work, all clients on all networks have to point to the DNS Resolver of the pfsense with DNSBL.

    I'm trying to figure out the sentence to google for that actually gives relevant results so I can figure out what to do, Ron  ;D

    I mean: how can I be sure/test that my Windows, Linux and Android stuff do what you wrote above? Is it simply a case of DHCP-ing an IP to all clients (including static IPs), or is there more to be done (like disabling services on the clients, for example)?

    Thank you for any tips  :P

    Set up rules to redirect all DNS requests to the local DNS

    Firewall > NAT > Port Forward> Edit

    Interface LAN

    Protocol TCP/UDP

    Click Invert match, select LAN Address

    Destination port range From Port DNS and to Port DNS

    Redirect target IP 127.0.0.1

    Redirect target port DNS

    NAT reflection Use system default

    Filter rule association Create new associated filter rule

    Create a rule that allows TCP/UDP from LAN net to LAN address on port 53

    Create a rule that allows TCP/UDP from This Firewall to Any on port 53

    For example, if a device has 8.8.8.8 set up as its DNS server, this rule says anything that is not the LAN address for the request goes to 127.0.0.1, from port 53 to port 53

    Tony

    I am lost on the last 2. Is the 2nd last one created under Firewall rules > LAN,
    and the last one under Firewall rules > Floating?

    Thanks for sharing,
    regards,
    boatingdude

  • DNSBL/IP List

    0 Votes
    2 Posts
    1k Views
    BBcan177

    Did you see the DNSBL Feeds that I posted in the DNSBL sticky thread?

  • Where does pfBlockerNG pull ASN data from

    0 Votes
    7 Posts
    4k Views

    Hello

    Thanks, tonymorella :)  ( the last space was my mistake )

    Regards.

  • Pfblocker Google Ad Search Results

    0 Votes
    2 Posts
    1k Views

    @jvamos:

    I have been receiving reports of people having websites down. I could not replicate the problem.

    I had the user recreate the issue and noticed he was clicking on the suggested sites at the top under the Google ad network. Same page but with an ad server in between. I corrected user behavior but couldn't help think this would be an issue in larger offices.

    Anyone have a good workaround?

    Josh

    Yep, I notice this all the time. If the point is to block the ads, then user behavior is the way to go. If you want to allow good ads, add them to the whitelist or create an allow for the Google ASNs.

  • PfBlockerNG trying to do too much?

    0 Votes
    4 Posts
    2k Views

    @johnpoz:

    Curious, would anyone else like to see a slimmed down version of pfblocker?

    I really don't want it creating auto firewall rules for me, no offense to your coding skills or anything. I just do not like the idea of auto rules in any sense of the word. But I do love the ability to easily pick IP blocks of specific countries to use in an alias.. You made that brain dead easy - would love to see a package that does just that..

    To answer: no. I think BB is, to put it in popular sitcom-TV terms: "like, OMG".

    Because BB probably (I haven't asked, so just guessing) has a Blueprint of "The Ultimate Firewall Blocking Tool Set", and in such an ultimate tool set you want as many different tools.

  • 0 Votes
    5 Posts
    3k Views

    Ah.  Thanks.  I think what I did will work.

    This module never ceases to amaze.

  • I don't have access to web GUI

    0 Votes
    1 Post
    825 Views
    No one has replied
  • IBlocklist.com is either dead or a scam?

    Locked
    0 Votes
    14 Posts
    23k Views

    @ktsaou:

    Hi all,

    I maintain iplists.firehol.org.

    As you can see on the site, the maintainer updates this list on the average every 15 days.

    Thanks!

    EDIT: fixed a typo.

    So, ktsaou. What do you think of this whole pfBlocker/grepCIDR/reputation blocker thing going on here?

    edit: brevity

  • [SOLVED] Floating Rules/Rule Order

    0 Votes
    7 Posts
    3k Views

    Everything is starting to come together. This makes perfect sense! Exactly what I was looking for. At first I had no idea what you were saying, but that was because I never fully read these pages to understand the settings. Sorry to waste your time, and thank you!

  • Alias rules deleted on any updates to pfBlocker config

    0 Votes
    3 Posts
    1k Views

    That did the trick, thanks for your help!

  • PfblockerNG not working

    0 Votes
    22 Posts
    16k Views

    @BBcan177:

    Click the blue Infoblock Icon in the DNSBL Feeds Tab when editing a "Group"….

    The "DNSBL Settings" infoblock has this text:

    Note: AdBlock Easylists cannot be used in this Tab.

    Yes yes, I'm not using AdBlock EasyList… also, as you mentioned, EasyList cannot be used there.


  • PfBlockerNG Breaks realtor.com

    0 Votes
    19 Posts
    5k Views

    BBcan177, exactly what I thought….

    Thanks for demonstrating, and showing pfblockerNG works very well once more!

  • Can't find pfb's inc to fix error: Allowed memory size of 536870912

    0 Votes
    5 Posts
    1k Views

    So;
    If I allow an inbound GeoIP rule for only US IPs, then by default all others are denied? True?

    But either way it's looking like pfblocker is working (100% again).
    I'm now seeing the GeoIP rules listed in the dashboard (did not see any listed when using 2.1.1.2).
    No crash errors yet.
    Not seeing any allowed inbound from China or anywhere else.
    Over 500 packets denied and Count > 3,000,000.

    Again, thanks.
    I'll need to look at a reverse rule (allow inbound US only), but I know just enough about firewalls to be dangerous or screw up the works so that no one gets in or out.

  • Pfblockerng whitelisting

    0 Votes
    32 Posts
    30k Views

    @BBcan177:

    Here are more DNSBL Feeds that can be used in pfBlockerNG.
    (Copy and paste URLs as plain text)

    Create a new alias for these.
    These are not necessarily advert domains, so I named mine "Malicious".

    hpHosts
    http://hosts-file.net/download/hosts.zip

    SWC
    http://someonewhocares.org/hosts/hosts

    spam404
    https://spam404bl.com/blacklist.txt
    https://raw.githubusercontent.com/Dawsey21/Lists/master/main-blacklist.txt

    malc0de
    https://malc0de.com/bl/BOOT

    MDS (use 'Flex' state)
    https://mirror1.malwaredomains.com/files/justdomains

    MVPS
    http://winhelp2002.mvps.org/hosts.txt

    MDL
    http://www.malwaredomainlist.com/hostslist/hosts.txt

    GJTech
    http://adblock.gjtech.net/?format=unix-hosts

    dShield_SD  (They also have a conservative list available)
    https://www.dshield.org/feeds/suspiciousdomains_High.txt

    Zeus
    https://zeustracker.abuse.ch/blocklist.php?download=domainblocklist

    These two feeds post full URLs, so there can be some more false positives.
    Create a new Alias, and use Alexa as a recommendation.

    PhishTank
    https://data.phishtank.com/data/online-valid.csv.bz2

    OpenPhish
    https://www.openphish.com/feed.txt

    MPatrol (You need to register - Free or Paid subscription. Use Danguardian feed)
    https://lists.malwarepatrol.net

    This is a feed that I manage (as time permits)
    MS_2
    https://gist.githubusercontent.com/BBcan177/4a8bf37c131be4803cb2/raw

    Use this in its own Alias:

    BBC_DGA  (This is a large feed of DGA for the likes of Cryptolocker et al…)
    http://osint.bambenekconsulting.com/feeds/dga-feed.gz

    BBC_C2
    http://osint.bambenekconsulting.com/feeds/c2-dommasterlist.txt

    Use this feed in its own alias as it is updated more frequently.
    So you can update it more often than once per day.

    hpHosts_partial
    http://hosts-file.net/hphosts-partial.asp

    If users find other feeds, please post back so that others may benefit also.
    It's also important to donate to the feed providers (IP and/or Domain), as they all need support.

    BBCan,

    When you say "create a new alias…" do you mean under DNSBL Feeds or Firewall Aliases?

  • PfBlockerNG v2.1 DNSBL Feeds not updating via CRON

    0 Votes
    3 Posts
    2k Views

    That was an awesomely fast reply BBcan ~ thanks!

    Um; okay, but I'm only forcing CRON because my blacklist feed disappears overnight - presumably due to the same CRON issue at 4:45 am daily?

    Can you elaborate upon "Select how often List files will be downloaded. This must be within the Cron Interval/Start Hour settings." ?

    I.e: how should I set my DNSBL feed to be updated within my CRON?

    UPDATE thanks for looking into this issue BBcan! It seems to have gone away now, and I don't know why.  I'll write again if the problem returns.

  • PfBlockerng pfp fatal error: 'Cannot unset string offsets'

    0 Votes
    3 Posts
    1k Views

    AWESOME!  Thanks!

    I am eager to upgrade to 2.3, but unfortunately each time I upgrade my CARP configs, the upgrade produces a crash dump loop.

    Thanks for the solution!

  • PfBlockerNG upgrade 2.0.17 -> 2.1.1_2

    0 Votes
    5 Posts
    2k Views

    Spot on!

    After removing /var/run/booting everything works as expected.

    Thank you!

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.