I have some pfBlocker generated rules as floating/quick. Some of which protect a few forwarded ports on the WAN interface.
I have logging turned on for these rules and, whilst it works as expected, one thing puzzles me: the logged DST IP is sometimes the WAN interface and sometimes the internal forwarded-to IP. I don't understand why this variation occurs. Is it a consequence of 'floating' rules? Whilst the rules concerned are 'floating', they're assigned only to the WAN interface. It seems as if the rule can be evaluated before or after NAT occurs?
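To see how many of the logged hits show the WAN address versus the forwarded-to host, the log lines can be sorted mechanically. The script below is an added example and is not from the original post or from pfSense/pfBlockerNG; it assumes the pfSense filterlog CSV layout for IPv4 (rulenr, subrulenr, anchor, tracker, interface, reason, action, direction, ipversion, tos, ecn, ttl, id, offset, flags, protoid, proto, length, src, dst, srcport, dstport, ...), and the WAN address, the forwarded-to host and the log lines themselves are constructed sample data.

```python
"""Sort pfSense filterlog entries by which destination address they logged.

Added example, not code from the original thread. Field positions follow
the pfSense filterlog IPv4 CSV layout; the addresses and log lines below
are constructed sample data (assumptions, not real captures).
"""
from collections import Counter
import ipaddress

# Assumed WAN address and the internal host a port forward points at.
WAN_ADDR = ipaddress.ip_address("198.51.100.20")
FORWARD_TARGETS = {ipaddress.ip_address("192.168.1.50")}

# Constructed sample lines (the CSV part that follows the syslog header).
SAMPLE_LOG = """\
5,,,1770009783,igb0,match,block,in,4,0x0,,64,54321,0,DF,6,tcp,60,203.0.113.9,198.51.100.20,51000,443,0,S,1111,,65535,,mss
5,,,1770009783,igb0,match,block,in,4,0x0,,64,54322,0,DF,6,tcp,60,203.0.113.9,192.168.1.50,51001,443,0,S,2222,,65535,,mss
5,,,1770009783,igb0,match,block,in,4,0x0,,64,54323,0,DF,17,udp,48,203.0.113.10,192.168.1.50,40000,51820,20
5,,,1770009783,igb0,match,block,in,4,0x0,,64,54324,0,DF,6,tcp,60,203.0.113.11,10.0.0.5,51002,22,0,S,3333,,65535,,mss
"""


def parse_filterlog(line):
    """Return the fields this check needs from one IPv4 filterlog CSV line.

    Returns None for IPv6 entries (their header layout differs) and for
    lines that are too short to carry a destination address.
    """
    f = line.strip().split(",")
    if len(f) < 20 or f[8] != "4":
        return None
    proto = f[16]
    # src/dst ports only exist for TCP and UDP entries.
    dst_port = int(f[21]) if proto in ("tcp", "udp") and len(f) > 21 and f[21] else None
    return {
        "interface": f[4],
        "action": f[6],
        "direction": f[7],
        "proto": proto,
        "src": ipaddress.ip_address(f[18]),
        "dst": ipaddress.ip_address(f[19]),
        "dst_port": dst_port,
    }


def classify_dst(dst):
    """Label a logged destination: the WAN address, a forwarded-to host, or other."""
    if dst == WAN_ADDR:
        return "wan"
    if dst in FORWARD_TARGETS:
        return "forwarded-to"
    return "other"


def summarize(log_text):
    """Count logged entries by (direction, destination class)."""
    counts = Counter()
    for line in log_text.splitlines():
        entry = parse_filterlog(line)
        if entry is None:
            continue
        counts[(entry["direction"], classify_dst(entry["dst"]))] += 1
    return counts


if __name__ == "__main__":
    for (direction, kind), n in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{direction:>3} {kind:<13} {n}")
```

Feed it the CSV portion of the lines from /var/log/filter.log (or the raw log view) with your own WAN address and forward targets filled in; the "wan" versus "forwarded-to" counts show how often each form appears for the same rule.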
But if it was a rebind, pfSense would not return an IP for some FQDN query, so how would you end up on the pfSense IP? What is more likely is that your browser is doing DoH and getting some public IP that is, say, the pfSense WAN, which is how you're getting the pfBlocker DNSBL cert.
But you should actually validate that it is working. And if you're running your own DNS, all your clients should really point directly to that IP for DNS.
when you install and start pfSense the first time, and your ISP used IPv4 and DHCP
Not true in "every" case. Your connection could have been a static IP, and DHCP would not be in play in that case. (I don't really recall you saying ISP or connection type until the question was asked.)
The line of questioning was more to lead on the path of thinking about how things work in your specific case. (Learning)
Without getting into the details of how or why, my DNS for example, is all local (internal, behind the wall), fully isolated from the internet. Blazing fast DNS response times. I currently have 40-50 devices behind the 2100 - and it doesn't even have to work hard. It's all about how you approach things, with a specific goal in mind. Plan it out.
I would like, if you don't mind, to cycle back on what was perceived to be a long download time for you and the file (because yes, that ~30 min time you showed does seem excessive).
what kind of speed is your WAN?
I, for example, typically download this file in 1-2 seconds max; even on a "congested" day it might take 4 seconds (yes, the file only downloads when needed, but still).
(start) Thu 24 Aug 2023 11:26:38 EDT
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 6671k 100 6671k 0 0 17.0M 0 --:--:-- --:--:-- --:--:-- 17.3M
(end) Thu 24 Aug 2023 11:26:38 EDT
You mean: you have a pfSense LAN using some IP range, most surely RFC1918, and this RFC1918 range is in the list you have selected?
Plan A: most straightforward solution: ditch this list; it was a wrong pick.
Plan B: whitelist the IP or even entire networks.
Still, the question is a bit strange:
to allow my IP into the router?
You control pfSense, right? So you control who accesses your LAN (into pfSense), or whatever interface.
Hi, your screenshot is for pfBlockerNG IP settings; you have to check in Firewall/pfBlockerNG/DNSBL whether the OpenVPN interface is included in Permit Firewall Rules. In "auto create firewall rule for DNSBL", see if all desired interfaces are present. Also, in order for pfBlockerNG to work for your OpenVPN clients, you have to push all client internet traffic (OpenVPN server settings: "Redirect IPv4 Gateway" and "DNS Server enable" have to be enabled).
@sfigueroa My advice: that screenshot, I would assume, is for your WAN facing side.
By default, pfSense blocks all inbound attempts. So your blocking the world may not make sense if you are not hosting services behind your firewall.
If you are hosting services behind your firewall, then you are better off only whitelisting / passing just the countries you need instead of blacklisting the ones you don't.
So I am just confused as to why my device would be sending these requests when I connect to the LAN interface, if I am not actually trying to reach those domains?
Not you as a person.
But, for example, if you are using a Windows PC or a modern handheld device such as a smartphone, hundreds of tasks running right now are communicating with something somewhere on the Internet.
"Doing their things."
These processes use host names that have to be resolved first.
Those are the host names you saw in your Unified log.
If you want to know what is actually going on, then you should take a look at every process on your system, and check with whatever means you have to see what it is doing.
[ dnsblOne_v4 ] Downloading update .
[ pfB_UCEPROTECTNetwork_v4 - dnsblOne_v4 ] Download FAIL [ 08/5/23 10:14:49 ]
Cannot Resolve Host: DNSBL, Firewall, and IDS (Legacy mode only) are not blocking download.
The Following List has been REMOVED [ dnsblOne_v4 ]
Something is not working as intended, at least I can resolve rsync-mirrors.uceprotect.net without a problem on pfSense.
If I switch to the WGET lists, on my two pfSense boxes I get different sized tables. One has 22,402 records, the other has 12,288 records.
If I download the list with the browser, I get roughly 80,000 records.
So my guess is, this format is still not compatible with pfBlocker?
But what is up with the first problem I mentioned with rsync?
is created with what you've entered here:
Firewall > pfBlockerNG > DNSBL
At the bottom, you have a "DNSBL Whitelist"; expand it, and the info shown there creates "/var/db/pfblockerng/pfbdnsblsuppression.txt".
When I empty:
the file will be nearly empty (just one line).
Where do "yandex" etc. come from?
Well ... ask 😊
SSH into your box (or console), option 8.
grep -R 'yandex' *
grep -R 'adservices' *
These files come with pfBlockerNG when you install it.
You'll find pfb_py_hsts.txt.
What I know: this file contains sites that are known to use "HSTS" (look up HSTS on Wikipedia).
I've emptied my 'master' DNSBL whitelist and now:
as you can see, "Whitelist" only contains "localhost.localdomain".
@luisenrique I can agree to one degree of extent but otherwise disagree. The internal download link pointing to the .tar.gz list file itself that leaves download failure errors, as well as any IP addresses that remain in these files if used (squidGuard uses them, but not sure pfBlocker does), should all be removed to eliminate errors and false positives if they were rendered.
As to removing ShallaList's contributions altogether, that would basically be literally the same thing as saying "when Bill Gates dies, let's just simply delete Microsoft Windows entirely worldwide and FORGET the project ever existed." The download link, yes, is dead, and ANY IP address list will become deprecated in time if not updated, as individual IP addresses come to be re-purposed. The domain lists, on the other hand, of millions of categorized bad domains are still 99% valid worldwide, regardless of whether they are in ShallaList or other DNS blacklists, whether a "static" list or updatable as an "online" feed, and IF and when any of these are found to be outdated domain names, or ones that are found to be needed/non-malicious by the Network Admin managing their OWN network, any and each can easily be whitelisted at the Admin level to allow access for their own network users.
If we disown any/all open-source community contributors' contributions in the endlessly growing IT world at the point of a contributor simply "moving on with their life" or passing away, we as a whole worldwide would in fact still be sitting in the IT industry and Internet of 1980, with literally one ISP, your government, and with literally one PC manufacturer also, your government.
@revilzs It has to at least be big enough to hold the data. Extra space won't hurt.
One note on this... if you use pfBlocker to create overlapping deny rules, the deduplication works across rules, so it may remove an entry from additional rules. If that's the case for you, disable it, or use Alias Native and create your own rules.