pfBlockerNG

• T

  "DNSBL IPs" When IPs are found in any Domain based Feed, you can configure IP Firewall Rules for these IPs
  • talaverde

  1
  0
  Votes
  1
  Posts
  88
  Views

  No one has replied

• T

  pfBlockerNG Log Settings - Max Lines
  • talaverde

  2
  0
  Votes
  2
  Posts
  131
  Views

  

  @talaverde I would think you issues might be that IPs/Domains are being blocked. Review the Alerts Tab for more details. You have sufficient hardware to handle pfBlockerNG. You can also increase the pfSense DNS Resolver Log Verbosity to 2 and review the resolver.log for additional clues to see if there are other issues.
• V

  DNS SSL/TLS + pfBlockerNG -Develop + VLANs +Quad9 ?
  • Velcro

  5
  0
  Votes
  5
  Posts
  666
  Views

  T

  I, also, have been trying to make my DNS as secure as possible while using CARP, pfBlockerNG (devel) and PIA VPN. I tried configuring the Quad9 DNS, but ended up with a large list of DNS responses in dnsleaktest.com. According to the PIA KB / support, they say that as long as you use their DNS servers (209.222.18.222 & 209.222.18.218), your DNS is running inside their encrypted VPN tunnel anyway, so SSL/TLS isn't necessary. That logic seems sound. When properly configured, dnsleaktest.com responses with only one (PIA) DNS server. This is the only configuration I've found to do so. At this point, I've given up on Quad9. I might be wrong. Having 12 Quad9 DNS servers respond to my DNS test may be better than one PIA VPN DNS server responding. I just don't trust seeing 12+ as I can't keep track of them all and don't like that many servers logging my data, even if they are (supposedly) anonymous. Further, I've found PIA VPN to be the only one with their own DNS servers. I spent a lot of time testing out ExpressVPN. It's supposedly faster, but I did not find that to be true. Best guess, that is just based on some 'paid for' reviews.
• S

  Blocked Traffic
  • slimypizza

  5
  0
  Votes
  5
  Posts
  249
  Views

  

  @slimypizza Click on the ! icons in the Alerts Tab. It will show several different Threat Lookup tools.
• R

  How I can allow few users to access few of the websites but not all from DNSBL Feeds list?
  • rkadmin

  2
  0
  Votes
  2
  Posts
  127
  Views

  

  Take a look at : https://forum.netgate.com/topic/129365/bypassing-dnsbl-for-specific-ips
• G

  Lost internet after enabling pfBlockerNG
  • gortega

  1
  0
  Votes
  1
  Posts
  131
  Views

  No one has replied

• S

  GeoIP permit inbound is blocking
  • stefanl

  2
  0
  Votes
  2
  Posts
  153
  Views

  S

  Resolved by enabling System > Advanced > Firewall/NAT tab > Disable all auto-added VPN rules.
• 

  pfBlockerNG Wizard tool
  • BBcan177

  5
  11
  Votes
  5
  Posts
  570
  Views

  

  @xraisen said in pfBlockerNG Wizard tool: I have installed it and located the dnsbl_default.php to edit and put a police logo. Because here in the Philippines, it's a nationwide banning of Porn. At least my clients will be educated under R.A of the Philippines You shouldn't edit the "default" web page. Best to copy this file to a new file and then select this new file in the DNSBL tab. On a package installation, the default file will be replaced.
• J

  Alert Tab Giving PHP Memory Error
  • Jobee

  4
  0
  Votes
  4
  Posts
  137
  Views

  

  Check/Lower the size of Log Settings (max lines) in the General Tab
• M

  Whitelist ports in pfBlockerNG-devel 2.2.5_17?
  • mattgphoto

  8
  0
  Votes
  8
  Posts
  214
  Views

  M

  @bbcan177 Something else I actually came across as well, is it looks like pfBlockerNG is filtering the port based on a different rule? (A different name shows up): here
• J

  Keeping google ad injections blocked but allow google shopping search results?
  • jacotec

  2
  0
  Votes
  2
  Posts
  311
  Views

  

  @jacotec said in Keeping google ad injections blocked but allow google shopping search results?: Is there ANY way to allow clicking on these search results but leaving the google advertise injections blocked? Something like "whitelist googleadservices if the host website is google.com"? No its one way or the other unfortunately... Just need to tell people to not click on the Google search results that have "AD" in the Title.
• R

  pfBlockerNG cURL 28 Error when updating DNSBL
  • retestreak

  4
  0
  Votes
  4
  Posts
  128
  Views

  

  @retestreak said in pfBlockerNG cURL 28 Error when updating DNSBL: [ raw.githubusercontent.com ] Domain listed in DNSBL Whitelist that domain from the Alerts tab.
• R

  DNSBL modify default bloked webpage
  • rjabellax5

  34
  0
  Votes
  34
  Posts
  1936
  Views

  M

  @bbcan177 said in DNSBL modify default bloked webpage: To fix that Cert error for HTTPS sites, create a new DNSBL Group and add the domains that are causing issue to the customlist at the bottom of the page. Then disable logging and set the Order to "Primary" which will cause this Group to load first. Follow that with a Force Reload DNSBL... That will null block those domains to 0.0.0.0 and avoid the cert errors. The thing is that basically you will need to add all https sites in there (well, almost) as most of them are using HSTS for that matter nowadays. (facebook, google and almost all majors) No mentioning logging, alerts, etc... That's actually the exact reason, why i'm trying to get away from this bulky and messy squid+samba+squidguard construction. But here with lighthttpd you're using static private cert which is not trusted by local cert authorities. Why can't you consider to issue at least trusted with local CA cert? I'd imagine that'll help with majority if issues.... Also i've heard rumors from of this forum, that if we will be using the squid's way with auto generating valid subCA certs for users from local CA it "would be both complicated and slow." But squid had been working with that for years, I haven't noticed any issues with it's performance... (yes there is caching also, but still) Could you please comment? (I'm on latest dev 2.2.5_17 now)
• E

  Correct way to only allow my cellphone-openvpn to view LAN side ip cams
  • Ev4nsp479

  3
  0
  Votes
  3
  Posts
  164
  Views

  E

  Thank you.
• J

  PfBlockerNG Error
  • jlee18

  11
  0
  Votes
  11
  Posts
  231
  Views

  J

  its working now, i dont know what i did :)
• I

  Netflix outside VPN
  • ianp

  16
  0
  Votes
  16
  Posts
  676
  Views

  J

  please check this answer https://forum.netgate.com/topic/96636/netflix-vpn-block-how-to-fix/19
• R

  Not enough double u's?
  • Raffi_

  4
  0
  Votes
  4
  Posts
  172
  Views

  R

  Yup, "test.com" was in one of my lists. That explains it! pfblocker was doing its job. Thanks!
• A

  Stuck on booting up on console
  • anttechs

  2
  0
  Votes
  2
  Posts
  98
  Views

  

  Sure it's not the stuff listed about the console here? https://www.netgate.com/docs/pfsense/install/upgrade-guide.html?highlight=upgrading#upgrading-from-versions-older-than-pfsense-2-4-4
• R

  Checked "DNSBL Firewall Rules" however no floating rule added?
  • reilos

  3
  0
  Votes
  3
  Posts
  149
  Views

  R

  Hi @BBcan177, Yes, i did. I also tried deselecting either one and disabling and re-enabling it. @reilos said in Checked "DNSBL Firewall Rules" however no floating rule added?: I have pfBlocker running on 2 interfaces, which i have selected in the list behind the checkbox.
• S

  Blacklisting ALL domains and whitelist a selected few domains with pfBlockerNG
  • snarky

  5
  0
  Votes
  5
  Posts
  973
  Views

  S

  Hi everybody, I found indeed a solution to my problem and would like to share it here. It is not perfect, but what in this word is? My solution does not directly use pfSense. pfSense is only used to ... a) configure a special DNS server address for selected DHCP clients (smart TVs and the like) b) block access to the (uncensored) DNS resolver running on pfSense form said clients using the firewall The special standalone DNS server (a Raspberry Pi in my case) runs the dnsmasq service. dnsmasq has two very handy configuration options. The magic incantations are the "server" directive and the "address" directive. (Note: One could also run dnsmasq on pfSense - but in my setup I already use unbound on pfSense and didn't want to risk messing with everybody elses DNS resolution just for this.) With the server directive one can specify an address which we want to be resolved by a certain DNS server. The trick here: '#' as the target resolver means "use your configured standard server to forward the request to". Meaning: resolve normally. Im my case for Netflix I have: server=/netflix.com/# server=/netflix.ch/# server=/nflxext.com/# server=/nflximg.com/# server=/nflximg.net/# server=/nflxvideo.net/# server=/nflxso.net/# server=/netflix/# server=/cloudfront.net/# server=/d179kwmlpc4o47.cloudfront.net/# server=/d2s336w63pl2vv.cloudfront.net/# (the details seem to depend on geographic location - note I have a blanket "allow" for all of cloudfront.net here - the cloudfront host names are not necessarily stable) The "address" option can then be used to implement the "DNS black hole" functionality: address=/#/192.168.x.y OR - address=/#/ The first version makes dnsmasq return a fixed (fake) IP address for any DNS request not whitelisted using a server directive. The second returns NXDOMAIN instead of a wrong IP. I use the first. Look at the manpages of dnsmasq and dnsmasq.conf for details! For some of my "smart" devices to function, I need to allow additional domains. One Samsung TV for example needs access to the domain time.samsungcloudsolution.com (among others). Otherwise it will not believe that it has internet access and will simply refuse to start the Netflix app - stupid "smart" thing!! My solution kind of works, but adding a new "smart" device is always a hassle. And if you want to use another video streaming service, you have to find out the necessary domains to whitelist first. This is the solution I am using. I hope this will help someone. Andy
• E

  Is pfBlockerNG Devel stable?
  • emammadov

  23
  0
  Votes
  23
  Posts
  929
  Views

  

  @bbcan177 The list with which I am familar is pulled by uBlock Origin, but I cannot determine which exact list it is. I did find the following lists, and I expect one is the list pulled by uBO: https://www.zoso.ro/pages/rolist.txt https://www.zoso.ro/pages/rolist2.txt
• A

  Upgrade to newer pfblockerng have get error.
  • akong77

  2
  0
  Votes
  2
  Posts
  313
  Views

  G

  @akong77 said in Upgrade to newer pfblockerng have get error.: Hello, I upgrade lastest pfblockerng have got error.I use some command fix php error. ,,, ssh to pfsense cd /usr/local/lib/php/ ln -s 20170718/ 20131226 That is not a fix, it just messes up things more. https://forum.netgate.com/topic/135895/package-update-triggers-only-half-2-4-4-update
• A

  pfBlockerNG-devel 2.2.5_17: IP Alerts list (Deny) not showing alerts
  • Aritus

  7
  0
  Votes
  7
  Posts
  283
  Views

  

  @aritus On my box I have selected WAN for Inbound, and LAN for Outbound.
• A

  pfBlockerNG-devel 2.2.5_17 + 2.4.4 (Uncaught Fatal Error)
  • aograin

  2
  0
  Votes
  2
  Posts
  179
  Views

  A

  Ok, to anyone else running into this issue you need to ensure the "Keep Settings" is unchecked in the General Tab and then uninstall the package. Once that is done reinstall the package and it should work.
• Z

  Is Hiding DNSBL Alerts without Whitlisting Possible?
  • zskwrel

  5
  0
  Votes
  5
  Posts
  172
  Views

  Z

  Oh, I see what you mean now! Thanks again.
• 

  pfBlockerNG and 1.1.1.1 - possible solution.
  • dragoangel

  8
  0
  Votes
  8
  Posts
  241
  Views

  

  @BBcan177 P.S. after your post I launch update to devel version, and all goes smooth like a charm - need only to launch cron update from pfBlockerNG menu (i'm not use easylists), new menus, autocomplite for GeoIP, ASNs and other functions is awesome!
• Q

  PRIX
  • Qinn

  1
  0
  Votes
  1
  Posts
  298
  Views

  No one has replied

• P

  pfBlockerNG - 2.2.5_16 pfb_filter
  • Prometheus23

  17
  0
  Votes
  17
  Posts
  880
  Views

  

  Thanks
• W

  Advice - Allowing client to bypass pfblocker-ng
  • wesfox

  3
  0
  Votes
  3
  Posts
  197
  Views

  W

  @ronpfs said in Advice - Allowing client to bypass pfblocker-ng: There is one post here https://forum.netgate.com/topic/129365/bypassing-dnsbl-for-specific-ips That worked :) Thank you very much. For newbies like myself.. a little hint .. the custom option is at the end under DNS resolver.
• 

  Whitelisting From Alerts Page Not Working
  • ToTalChaos1010

  15
  0
  Votes
  15
  Posts
  364
  Views

  M

  Thanks, works perfectly now.
• S

  DNS over TLS - 2.4.3 to 2.4.4
  • smerm07

  4
  0
  Votes
  4
  Posts
  536
  Views

  

  No, you do not.
• V

  DNSBL (DEV) Stopped working after 2.4.4 upgrade
  • vito

  5
  0
  Votes
  5
  Posts
  279
  Views

  V

  I was able to get DNS resolver errors above corrected with this post https://forum.netgate.com/topic/106011/solved-pfblockerng-reloading-unbound-fails/11 After the above, resting Resolver settings (just clearing all setting then adding back the same settings) and a reboot it appears to be working again. Thanks for the help!
• C

  GeoIP and NAT
  • cgeo

  8
  0
  Votes
  8
  Posts
  169
  Views

  G

  @cgeo said in GeoIP and NAT: But my point remains. Shouldn't this be visible in the firewall logs ? You have the source IP alias already in the NAT rule, so it will not process the port redirect from IPs not covered in that alias. As such the firewall simply sees a connection from your LAN to your WAN address, this is allowed by the default LAN-to-any rule (if it still exists in your config), and so it wont be logged. With this config you simply try to connect to pfSense on a port that is likely not in use.
• 

  2.4.4 upgrade messed pfBNG (beta)?!
  • chudak

  4
  0
  Votes
  4
  Posts
  351
  Views

  B

  @bbcan177 Thanks BBcan177. This fixed it for me
• 

  maxmind.com blocked by QuidSup Trackers
  • Pucho

  3
  0
  Votes
  3
  Posts
  122
  Views

  

  Great, thanks! Completely overlooked it. I'll have a look at threat look up thing. I won't hesitate in the future to open a GitHub issue with the maintainers if after some investigation it turns out to be a false positive.
• V

  pfBlockerNG - Devel Feedback/Question - IPv4 lists no showing(yet blocks are happening)
  • Velcro

  4
  0
  Votes
  4
  Posts
  237
  Views

  

  With all the changes in PHP7, a commit was added to the installer code that created some empty XML tags. <config></config> This will be fixed in the next version which should be out soon. However, you can follow these steps below to fix this issue now: First make a backup of the config.xml from the: pfSense Diagnostics > Backup & Restore Tab: Then paste the following PHP code which will cleanup the empty XML tags into: pfSense > Diagnostics > Command Prompt > Execute PHP Commands: $upgrade_type = array('pfblockernglistsv4', 'pfblockernglistsv6', 'pfblockerngdnsblsettings', 'pfblockerngafrica', 'pfblockerngantarctica', 'pfblockerngasia', 'pfblockerngeurope', 'pfblockerngnorthamerica', 'pfblockerngoceania', 'pfblockerngsouthamerica', 'pfblockerngtopspammers', 'pfblockerngproxyandsatellite'); foreach ($upgrade_type as $type) { if (is_array($config['installedpackages'][$type]['config'])) { if (empty($config['installedpackages'][$type]['config'][0])) { unset($config['installedpackages'][$type]['config'][0]); print "\n| Removed | {$type} | Empty XML Tag"; } } } write_config('pfBlockerNG - Fix empty XML tags'); Then hit the Execute button for the code to run.
• R

  pfBlockerNG-devel TLD
  • reg1982

  3
  0
  Votes
  3
  Posts
  213
  Views

  R

  @BBcan177 so I have "Mem: 5293M Active, 734M Inact, 3236K Laundry, 1055M Wired, 742M Buf, 764M Free Swap: 3881M Total, 94M Used, 3787M Free, 2% Inuse" This is a Qotom mini pc with one sodium memory slot. 8 gig was the max I could get. It seems to idle around 81% not sure if that will go up as more users are on my network. I am just wondering if it's hits 100% for some periods of time if this will cause issues. I remove squid as well and it went down to about 71% but I like squid for the built in virus scanner. I don't really need the proxy as I have a fast fiber internet connection but it's part of the package... If it stays at near 100% I will need try what you suggested with TLDs cn or ru... etc Thanks for the tips
• H

  pfBlockerNG firewall filter service stopped
  • harison

  2
  0
  Votes
  2
  Posts
  311
  Views

  G

  @harison said in pfBlockerNG firewall filter service stopped: What do think? thank I think you need glasses: https://forum.netgate.com/topic/136069/pfblockerng-2-2-5_16-pfb_filter
• S

  2.1.4_10 on pfSense 2.4.4 - pfBlockerNG Alerts Error
  • strigona

  4
  0
  Votes
  4
  Posts
  371
  Views

  S

  Thanks for the follow up!
• N

  Missing /usr/local/lib/php/20131226/
  • neopaws

  6
  0
  Votes
  6
  Posts
  208
  Views

  

  @reg1982 I posted to you in another thread... pls try those steps...