@wesleywillis There is a way to order rules in pfBlocker settings, but what I find easier and clearer for any of those types of blocks where I need to allow some is to create the pfB list as Alias Native. That just creates the alias without any rules. You can then use the alias in whatever rules, NAT forwards, etc.
If the web server, the one used by pfBlockerNG, had a certificate that says it is marketplace.google.com, then that page would have been trusted by your browser.
Or rather, you do not have that certificate. Actually, of all the DNSBLs you have listed in the DNSBL feeds, you have none.
Conclusion: Yes, it's true, even the sites that serve ad pages and such all use https these days.
This web server page stating that you visited a page blocked by DNSBL works well for plain http sites. These do not exist any more.
@gertjan Makes perfect sense, thank you for the clarification.
I haven't had to use any patches as of yet. I usually just work around the problem, or the problem doesn't affect me so I let it be, but this was an annoying problem that required me to disable mail notifications, which means potential issues may get ignored until they are noticed.
That in itself can be a problem.
Thank you everyone for your help, greatly appreciated!
I guess I thought I had it enabled but I had to un-check "Check to disable MaxMind CSV updates"
After that did updates, ran cron and reloaded just to be sure it was all loaded and it's good to go!
OK, that's weird. No, I'm using the standard pfBlockerNG 2.1.4_26 on pfSense 21.05.2-RELEASE. I'll try switching the list action and see if that makes any difference.
Your problem is that you are using an old unsupported version of pfBlockerNG. The maintainer of pfBlockerNG, @BBcan177, does not recommend the use of that old version. The -devel version has been in use for 2 to 3 years now and is very stable and the only version currently being updated.
Make sure that the box is checked to save your current settings, then uninstall your current version of pfBlockerNG 2.1.4_26 and install the -devel version 3.1.0_1. This should take care of the issues you are seeing; if not, post back to the forum and someone will help you.
After looking into this, it seems to be a "localnet" that I have in Firewall > pfBlockerNG > IP > IPv4 > "localnet" (which is a custom list). That's where the screwed-up process seems to be. It points to "Custom DST Ports", and at one point in the FW's lifespan I couldn't add a custom IPv4 "allow list" without making this dumb alias with destination ports. It is so annoying, because at one point the white list was the white list. After some update you had to further carve out your destination ports. It used to be simple. Now, checking the other firewalls, they all have this setup, but for some reason I get errors. On the working firewall I have an alias: pfB_localnet_v4. That looks "built in" to pfBNG. On the non-working one, that alias doesn't exist. I think somewhere in here is where the problem is, but I'm not sure how to work it out yet. I had to create that "Web_Ports" alias at one point because the system would not simply allow me to make an IPv4 allow list that was simple; I had to specify the destination ports via a port alias (lame).
Empty destination port alias 'Web_Ports' for rule 'pfB_localnet_v4 auto rule' @ 2022-02-12 11:51:40
Empty destination port alias 'Web_Ports' for rule 'pfB_eits_whitelist_v4 auto rule' @ 2022-02-12 11:51:41
Empty destination port alias 'Web_Ports' for rule 'pfB_localnet_v4 auto rule' @ 2022-02-12 11:51:42
Empty destination port alias 'Web_Ports' for rule 'pfB_eits_whitelist_v4 auto rule' @ 2022-02-12 11:51:43
Empty destination port alias 'Web_Ports' for rule 'pfB_localnet_v4 auto rule' @ 2022-02-12 11:51:44
Empty destination port alias 'Web_Ports' for rule 'pfB_eits_whitelist_v4 auto rule' @ 2022-02-12 11:51:45
Thanks for the response, I am on the latest version of pfSense.
How do I get onto the development version if that is the best and it is "stable" in that I won't be having to have my router reset while I'm traveling for work?
You will just install it from the Packages Repo (under SYSTEM > PACKAGE MANAGER in the menu).
I am not a pfBlockerNG user, so I can't say exactly what settings will migrate over from pfBlockerNG to pfBlockerNG-devel. You might want to read up on all the posts in this sub-forum about pfBlockerNG-devel before installing it.
I believe the best procedure would be to delete pfBlockerNG and then install pfBlockerNG-devel. You should not lose the pfBlockerNG settings that way. But there are so many changes in features in pfBlockerNG-devel that you might consider a fresh install from scratch the better approach.
@dma_pf @SteveITS @BBcan177 Thank you guys. So it all starts with the problem I have where the 'Source' field doesn't behave as expected and is not linked to any list. I think in that respect I finally found the bug (and a workaround). For me this applies to all formats (so far I tested 'Auto', GeoIP and ASN). So, as described before, whenever I try to add a new custom list (Firewall --> pfBlockerNG --> IP --> IPv4), the 'Source' field is broken and only acts as plain text.
So I discovered that if I try to save it in this state before completing it (in this example I left Name / Description / Header empty), I will get the same page but with an error. In this new page the 'Source' field works just fine.
So I can now create my aliases in this way.
As for the second problem (Logs: the log file box always remains empty regardless of file type / file selection), so far I can say this is browser related. I work on a Mac using Safari; in Chrome this works fine (although for some reason it worked once today for me in Safari, but I have so far not figured out why it is inconsistent and whether it is because of some settings or the browser itself).
"If you register an account, then you will not have to pass the security check when downloading list files."
Some other feeds that also require registration give you a token that you can then put into the URL of the feed to be able to download the lists. I don't know if iblocklist does that or not. But you might try registering and see if they provide that for you. My guess is they might, as their website explicitly says that their lists can be used with pfsense.
But I also wanted to install pfBlockerNG to complete the protection, for example block all access from abroad.
Sorry, I don't use Squid so I can't speak to what you are seeing related to its widget. But I did want to comment on your quote above. If you are thinking of using pfblocker to block things from coming into your WAN from abroad, that is not the right approach. The WAN has a default rule that already blocks all unsolicited traffic on the WAN from entering.
Do you know if I can make it even more specific and allow only specific states in the US?
No, I don't. But the OpenVPN protocol is pretty robust. By design it does not respond to port scans, so people shouldn't even know that port is open. And if someone were to try to access the tunnel they would still have to authenticate with the correct credentials, which would be extremely unlikely.
Stress and tiredness had gotten the best of me but this is resolved. Wildcarding .snapchat.com in DNSBL whitelist did in fact resolve the issue.
I have a raspberry pi running pi-hole and was able to see what queries were being made when the app loaded. From there I was able to confirm the requests being made and since pi-hole blocks out a few analytics, wildcarding in DNSBL did not seem like a horrible thing.
Hope the steps above and the initial post helps someone else and keeps their SO from complaining :)
The document that I referenced in a prior post here was written by @BBcan177 , the maintainer of pfBlockerNG. The example he gave there was his attempt at explaining what IP Reputation does using one of the block lists that is included in pfBlocker.
Is related to DHCP Leases. So probably delete that file, or clear it out? In future, this section of code can iterate each line instead of loading the whole file into memory,
Thanks for the pointer, will look into that!
So probably delete that file, or clear it out?
Don't know if that will help so much, as the customers running that are medium-sized corps with A LOT of clients, so even when I delete that now, it will get bigger and accumulate over time again. But I'll check if that will buy us some time for when you probably have an update ready that will parse that file a bit more smoothly ;)
Is the DHCP lease file related to your parsing of the filter log to display what IP/host triggered a warning/block/rule/DNS call etc.?
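To illustrate the line-by-line approach suggested in the thread (iterating the DHCP lease file instead of loading it whole), here is an added example written for this page. It is Python, not pfBlockerNG's own PHP code, and the dhcpd.leases content is constructed, not a real capture. It assumes the ISC dhcpd.leases block format (`lease <ip> { ... }`), where the file is append-only and a later block for the same IP supersedes an earlier one, so a log viewer that maps firewall-log IPs to hostnames must keep only the last active lease per IP.

```python
import re
from typing import Dict, Iterable, Iterator, Optional

# Constructed sample of an ISC dhcpd.leases file (not a real capture).
# Note the second block for 192.168.1.50: it supersedes the first one.
SAMPLE_LEASES = """\
# The format of this file is documented in the dhcpd.leases(5) manual page.
lease 192.168.1.50 {
  starts 6 2022/02/12 11:51:40;
  ends 6 2022/02/12 23:51:40;
  binding state active;
  next binding state free;
  hardware ethernet 00:11:22:33:44:55;
  client-hostname "laptop-old";
}
lease 192.168.1.51 {
  starts 6 2022/02/12 12:00:00;
  ends 6 2022/02/13 00:00:00;
  binding state active;
  hardware ethernet 66:77:88:99:aa:bb;
}
lease 192.168.1.50 {
  starts 6 2022/02/12 13:00:00;
  ends 6 2022/02/13 01:00:00;
  binding state active;
  hardware ethernet 00:11:22:33:44:55;
  client-hostname "laptop";
}
lease 192.168.1.52 {
  starts 6 2022/02/12 13:05:00;
  ends 6 2022/02/13 01:05:00;
  binding state free;
  hardware ethernet cc:dd:ee:ff:00:11;
  client-hostname "printer";
}
"""

LEASE_START = re.compile(r"^lease\s+(\d{1,3}(?:\.\d{1,3}){3})\s*\{")
HOSTNAME = re.compile(r'^client-hostname\s+"([^"]*)"\s*;')
MAC = re.compile(r"^hardware\s+ethernet\s+([0-9a-fA-F:]+)\s*;")
# Anchored at ^ so "next binding state ..." is not mistaken for the current state.
STATE = re.compile(r"^binding\s+state\s+(\w+)\s*;")


def iter_leases(lines: Iterable[str]) -> Iterator[dict]:
    """Yield one dict per 'lease x.x.x.x { ... }' block, consuming the input
    line by line. Only the block currently being read is held in memory, so a
    very large leases file from a busy network is never slurped whole."""
    current: Optional[dict] = None
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = LEASE_START.match(line)
        if m:
            current = {"ip": m.group(1), "hostname": None, "mac": None, "state": None}
            continue
        if current is None:
            continue  # statements outside a lease block are ignored
        if line.startswith("}"):
            yield current
            current = None
            continue
        for key, rx in (("hostname", HOSTNAME), ("mac", MAC), ("state", STATE)):
            m = rx.match(line)
            if m:
                current[key] = m.group(1)
                break


def build_hostname_map(lines: Iterable[str], active_only: bool = True) -> Dict[str, str]:
    """Map IP -> hostname, last block wins. A lease without a client-hostname
    falls back to its MAC; with active_only a freed lease drops the mapping."""
    result: Dict[str, str] = {}
    for lease in iter_leases(lines):
        if active_only and lease["state"] != "active":
            result.pop(lease["ip"], None)
            continue
        result[lease["ip"]] = lease["hostname"] or lease["mac"] or lease["ip"]
    return result


def resolve(ip: str, mapping: Dict[str, str]) -> str:
    """What a log viewer would show next to an IP from the firewall log."""
    return mapping.get(ip, ip)


if __name__ == "__main__":
    # With a real file this would be: with open(path) as f: build_hostname_map(f)
    mapping = build_hostname_map(SAMPLE_LEASES.splitlines())
    for ip in ("192.168.1.50", "192.168.1.51", "192.168.1.52", "10.0.0.9"):
        print(ip, "->", resolve(ip, mapping))
```

Passing an open file object to `build_hostname_map` streams it; the whole file is never read into a string, which is the point of the suggestion above. Deleting or truncating the lease file, as discussed, only helps until it grows again, whereas the generator keeps memory use bounded by the size of one lease block.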