Is your OpenVPN a "Server" or "Client" configuration? Do you want both "Inbound" and "Outbound" auto-rules to be created?
I have a fix that will add "Outbound" auto-rules for an OpenVPN "Server" config, and add both "In/Outbound" auto-rules for a "Client" configuration.
Typically, with OpenVPN, you assign an interface in the Interface tab, and it will show in the pfBlockerNG In/Outbound Interface options. The checkbox option is for some corner cases where there is no interface assigned and there is no Interface listed in the drop-down menu.
My OpenVPN is a server configuration (think "road warrior" setup with mobile clients connecting). So my use case is that I want to apply the same pfBlockerNG outbound rules I use for local clients to road warrior clients connected through the VPN, for ad-blocking and content-blocking purposes. So it sounds like your fix would address my problem.
Confirmed that the DNSBL VIP will not be accessible when pfSense is in bridge mode, even when the Bridge logical interface is used for DNSBL listening. It works fine in Layer 3 mode and DNSBL alerts are visible.
Once I re-enable it I will report back as to whether or not the service restarts under those conditions.
So I got around to enabling DNSBL, and I think I have it working. ;D The DNSBL service does indeed remain running now after a CRON or forced update. I did have to add a rule to pass traffic to the DNSBL VIP as you instructed… THANK YOU for that.
I do have a question: what should I see in my browser if I navigate to the VIP? All I see is a blank page, but the title bar tells me it is resolved... is that normal? See attached.
I would like you to take a look at a sample of the top of my firewall rules (I am a default-block guy), and tell me if you see any issues. I wasn't sure about my NAT redirect for DNS (as I asked above), so I left it.
Thanks. That would seem the sensible way to go, particularly as someone has very kindly already done a pull request for it.
I couldn't see an option for the RAM disk backup/restore in pfBlockerNG itself, so I'm assuming it's always enabled. If you have the time, I could see a benefit to implementing the DNSBL backup too if only because it seems anomalous to have some of the settings backed up but not all.
Thanks for developing pfBlockerNG by the way - it really is a useful and well-used package for pfSense.
When I set up PFB, it auto-created rules.
The list action was set to "Deny"; I changed that to "Alias Deny" and deleted and recreated the rules manually.
This fixed the sorting-order issue where the rules would move in priority.
I also see the logic doktornotor shared.
Rather than blocking 4,225,000,000 port combinations and 3,706,452,992 public IP addresses, causing much computational overhead,
it is better to make selective PFB entries for specific openings and let pfSense do that inherently, and not globally block everything using PFB, because pf already does all that.
Thank you everyone for your help I really appreciate your support.
Now I do not have an absurd WTF setup. (:
+1, this solved it for me as well. My issue was I wanted to block the same IPs on LAN and WAN, but I needed the order to be different on the interfaces as I needed passthrough rules on the LAN, which obviously didn't work. The only drawback I seem to be getting due to this approach is that Alerts in pfBlockerNG is now empty, so it is challenging to know which block list actually initiated a block. Edit: Duh, forgot to mark "log this".
I have many more lists besides this "http://list.iblocklist.com/?list=bt_ads&fileformat=p2p&archiveformat=gz". I deleted them all the way you explained and ran a force-update and a force-reload and disabled the suppression option, but it is still filling up my system log with "kernel: pfr_update_stats: assertion failed".
In regards to what you're explaining, there should be no difference in how the package is working in pfSense 2.2.6 or 2.3.
If you want to start fresh with the package, go to the pfBlockerNG: General tab and uncheck "Enable pfBlockerNG" and "Keep Settings", then hit "Save". This will remove the database and files but leave the configuration intact. Re-check both checkboxes and "Save". Follow that with a "Force Update". You can then review the pfblockerng.log in the Update tab window.
Depending on how you defined the pfBlockerNG Cron task, it's typically defined to run "Every hour". You can go to the "Update" tab and click the "View" button before the Cron task is scheduled to run, and you will see in real time what is occurring.
If there are specifics, copy/paste those into this thread, or send me a PM and I can help guide you further...
BTW… I'm the dev of the package and the last time I looked... I do this all for FREE and on my own time... What have you done...
And from those of us who do listen… whom you have helped... Thank you SO MUCH!
I won't say it's perfect (and I don't think you would either), but with a little tweaking here and there, random updates to block or allow lists, it works damn well. I'm amazed at the numbers that build in the dash widget.
In this case I wasn't concerned about the sigma list because I thought you meant by being unreliable it generated false positives, not corruption. We proved it wasn't the IPs in the list that were the problem, so I dismissed sigmalist as the problem. I didn't expect corruption to join the party. I guess it's good you discovered it because this could potentially happen with any other list, not just sigma.
That was very good sleuthing! When I extracted the file on windows the smallest network in the list was a /10.
Can I add a bug/feature report somewhere to add corruption checking on compressed lists?
The country file is in the alias native so I can customize the order. See the image I sent you. I'm assuming this is okay.
EDIT: What about the sigma block showing up as a goodCountries alias in the log? Is this resolved because of the corruption or is this caused because of the way I'm using aliases? (or is there a 3rd option?)
EDIT2: I couldn't stand that /3 got by me so I re-added them to pfSense and you're right. (should I be surprised I got a different result on windows?) . Wish I sorted by network size to begin with!
EDIT3: Dug in some more to see what's up with the Alerts tab. I'm not sure how this works, but based on how slow the page loads, I'm guessing that the block list information isn't stored in a logfile but instead the blocked IP is matched to a list dynamically, so depending on how that works, I'm guessing a corrupt list could cause the log to malfunction. It seems to be working fine as of now. I looked through a few pages and it looks like I would expect.
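The corruption discussed in this post (a compressed feed that decompressed to a bogus /3 and broke the Alerts tab) is exactly what a feed should be checked for before it is loaded into a pf alias. The script below is an added example written for this thread, not part of pfBlockerNG. It assumes the list is gzip-compressed and that each line is either iblocklist "p2p" format (name:firstIP-lastIP), CIDR notation, or a bare IPv4 address; the sample list is constructed, not a real feed. It rejects truncated or CRC-damaged archives outright and quarantines any entry broader than a /8, so a single corrupted range end cannot silently turn a /24 into a /3.

```python
"""Added example: sanity-check a gzip-compressed IP blocklist before it reaches pf.

Assumed list formats (not taken from the thread): iblocklist "p2p" lines
(name:firstIP-lastIP), CIDR notation, or a bare IPv4 address; '#' starts a comment.
"""
import gzip
import ipaddress
import zlib
from typing import Dict, List

# Constructed sample data: two plausible ranges, one absurdly large range that
# summarizes to a /3 (the symptom described in the thread), and one garbage line
# standing in for a damaged download.
SAMPLE_LIST = """\
# constructed test list, not a real feed
Example Ads:203.0.113.0-203.0.113.255
Example Tracker:198.51.100.0-198.51.103.255
Suspicious Huge:32.0.0.0-63.255.255.255
not-a-range
"""

MIN_PREFIXLEN = 8  # anything broader than a /8 is almost certainly corrupt or hostile


def compressed_sample() -> bytes:
    """Return the constructed sample list as a gzip archive (what a feed download looks like)."""
    return gzip.compress(SAMPLE_LIST.encode())


def safe_decompress(blob: bytes) -> str:
    """Decompress a gzip archive, turning truncation/CRC errors into a clear ValueError."""
    try:
        return gzip.decompress(blob).decode("utf-8", errors="strict")
    except (OSError, EOFError, zlib.error, UnicodeDecodeError) as exc:
        # gzip.BadGzipFile is an OSError subclass; EOFError covers a truncated stream
        raise ValueError(f"corrupt or truncated archive: {exc}") from exc


def parse_entry(line: str) -> List[ipaddress.IPv4Network]:
    """Turn one list line into IPv4 networks; raise ValueError on anything unparseable."""
    if ":" in line:  # p2p format: name:first-last (the name may itself contain colons)
        _, _, rng = line.rpartition(":")
        first, sep, last = rng.partition("-")
        if not sep:
            raise ValueError("p2p entry without a range")
        return list(ipaddress.summarize_address_range(
            ipaddress.IPv4Address(first.strip()), ipaddress.IPv4Address(last.strip())))
    if "/" in line:  # CIDR notation
        return [ipaddress.IPv4Network(line.strip(), strict=False)]
    return [ipaddress.IPv4Network(f"{ipaddress.IPv4Address(line.strip())}/32")]


def validate_list(text: str, min_prefixlen: int = MIN_PREFIXLEN) -> Dict[str, list]:
    """Classify every line as accepted, suspicious (too broad) or rejected (unparseable)."""
    report: Dict[str, list] = {"accepted": [], "suspicious": [], "rejected": []}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        try:
            nets = parse_entry(line)
        except ValueError as exc:
            report["rejected"].append((line, str(exc)))
            continue
        if any(n.prefixlen < min_prefixlen for n in nets):
            # One bad byte in a range end can turn a /24 into a /3; never load it blindly.
            report["suspicious"].append((line, [str(n) for n in nets]))
        else:
            report["accepted"].extend(nets)
    return report


def check_feed(blob: bytes) -> Dict[str, list]:
    """Full pipeline: decompress, then validate. The caller loads only 'accepted'."""
    return validate_list(safe_decompress(blob))


if __name__ == "__main__":
    archive = compressed_sample()
    result = check_feed(archive)
    print("accepted  :", [str(n) for n in result["accepted"]])
    print("suspicious:", result["suspicious"])
    print("rejected  :", result["rejected"])
    try:
        check_feed(archive[:-12])  # simulate a download cut short
    except ValueError as exc:
        print("truncated archive refused:", exc)
```

Only the "accepted" networks would be written to the alias; anything in "suspicious" or "rejected" is a reason to keep the previous good copy of that list and log the feed as broken rather than reload pf with it.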
I'm sorry to make you unhappy. I'm here just wanting a fix, not a workaround:
Is 192.168.1.100 a part of LAN net? YES
Is my firewall rule defined wrong: Allowing OPT access all interfaces except LAN? NO
Should 192.168.1.100 be blocked by the rule? YES, BUT it's not blocking anymore.
Again, I'm sorry I made you feel so angry, but that's the issue I'm having. The rule was working perfectly until I installed your package, so of course I need to ask you about this first; if you think it's not your package's issue, then I will ask the pfSense team.
When you install the package, it downloads the latest MaxMind GeoIP files. Those are updated the first Tuesday of each month. You will need to download those files as required. In the General tab, click the checkbox to disable the cron download of the MaxMind files.
MaxMind files are saved in: /usr/pbi/pfblockerng-amd64/share/GeoIP (amd64 or i386) (You will need to extract these files into that folder)
Thanks for the reply. So this is what I tried; nothing makes sense anymore :-\
Tried OpenDNS and it was working, blocking the typical Facebook; then I went to navigate to whatsapp.com and it also gets blocked, but I connect my iPhone and it immediately connects to WhatsApp. So it failed miserably.
Then tried DNSBL: I checked Enable Domain/AS and added the list from the site you sent me, and nothing :( But what's odd is that the firewall logs show it gets blocked. I have no clue what the WhatsApp servers are doing.
EDIT: BAM, just blocked it; it was using some IPs from Amazon, finally. The whatsapp.txt has been updated; I will keep it updated. I wonder how long until they update it :(
Hmmm, when on ro (read-only), access to the filesystem seems to fail, and when on rw it looks OK, but then dnsbl.log is reporting writing problems? Besides, in both cases I see double entries about download reports.
So what is in general the supposed state (ro or rw) for using pfBNG ?
Yes, you can ignore those warnings during a re-installation.
During a re-install, all of the pfBlockerNG Aliases are removed and re-added at the end of the pkg installation. Since you manually added pfBlockerNG (alias) Firewall rules, there is a small window of time, where the pfBlockerNG alias does not exist, and you will get those warnings. I don't have a workaround for that unfortunately.