@sfigueroa My advice. That screenshot i would assume is for your WAN facing.
By default, pfsense blocks all inbound attempts. So you blocking the world may not make sense if you are not hosting services behind your firewall.
If you are hosting services behind your firewall, then you are better off only whitelisting / passing just the countries you need instead of blacklisting the ones you dont.

@Rogerthat said in Help understanding DNSBL alerts:

so I am just confused as to why my device would be sending these requests when I connect to the LAN interface, if I am not actually trying to reach those domains?

Not you as a person.
But, for example, if you are using a Windows PC or modern handheld device as a smartphone, hundreds of tasks running right now are communication with something somewhere on the Internet.
"Doing there things".
These processes uses host names that have to be resolved first.
That are the host names you saw in your Unified log.
If you want to know what is actually going on, that you should take a look at every process on your system, and checking with whatever means you have to see what it is doing.

@Rogerthat said in Help understanding DNSBL alerts:

Will unchecking the box you pictured above, stop it from doing that?

That option will keep already lookup up host name up to date in the unbound DNS resolver cache.
If a domain xxxx.tld is in the cache, that is because your LAN device has asked for it.

@periko oh wow i never knew this existed. Going to try this out now. Specifically the command for pfblocker dnsbl.

seems that most of the .sh scripts arent working in 23.05.1

The way im testing is grabbing the script and running it from the shell on pfsense. I get either Command not found or Illegal variable name.

Are you running the latest pfsense version?

edit 1: cancel everything i said. This is working great. Just went into the bash shell to test and my goodness this is great.

Old topic but I noticed some problems.

If I use rsync I get an error:

rsync-mirrors.uceprotect.net::RBLDNSD-ALL/dnsbl-1.uceprotect.net dnsbl1 [ dnsblOne_v4 ] Downloading update . RSYNC Failed... [ pfB_UCEPROTECTNetwork_v4 - dnsblOne_v4 ] Download FAIL [ 08/5/23 10:14:49 ] Cannot Resolve Host: DNSBL, Firewall, and IDS (Legacy mode only) are not blocking download. The Following List has been REMOVED [ dnsblOne_v4 ]

Something is not working as intended, at least I can resolve rsync-mirrors.uceprotect.net without a problem on pfSense.

If I am switching to the WGET-lists, on my two pfSense boxes I get different sized tables. One has 22,402 records, the other has 12,288 records.
If I download the list with the browser, I get roughly 80,000 records.

So my guess is, this format is still not compatible with pfBlocker?

But what is up with the first problem I mentioned with rsync?

@ctarbet pfsense is a stateful firewall. states are created by SYN packets.. If there is no state to allow traffic, then it would be blocked.

https://docs.netgate.com/pfsense/en/latest/troubleshooting/log-filter-blocked.html#troubleshooting-blocked-log-entries-for-legitimate-connection-packets

Solved with Restart and Reinstall package

Thankyou

I found a way to do this using a "pre" script which fetches the file itself, a "post" script example would still be welcome.

@viragomann thanks a bunch, will have a look when I get home.

@AWilson60 Great, glad it's working. Sorry I could not follow up any sooner but great advice from @johnpoz . Lots of help on this forum.

@iTestAndroid said in pfBlocker hidden whitelists:

"/var/db/pfblockerng/pfbdnsblsuppression.txt"

is created with what you've entered here :
Firewall > pfBlockerNG > DNSBL
at the bottom, you have a "DNSBL Whitelist", deploy it and the info shown there creates "/var/db/pfblockerng/pfbdnsblsuppression.txt".

When I empty :

e3bd17b2-6a1f-446a-bcbc-dab9f69f50c1-image.png

the file will be nearly empty (just one line).

Where does "yandex" etc comes from ?
Well ... ask 😊
SSH into your box (or console), option 8.
Goto /usr/local/pkg/pfblockerng:

grep -R 'yandex' *

or

grep -R 'adservices' *

These files come with pfblockerng when you install it.
You'll find pfb_py_hsts.txt.

What I know : this file contains sites that are known to use "hsts" (wikipedia hsts please).

Anyway .....
I've emptied my 'master' DNSBL whitelist and now :

0a78e557-30ef-4e9d-aeab-6dcfbc346030-image.png

as you can see, "Whitelist" only contains "localhost.localdomain"

@luisenrique I can agree to one degree of extent but otherwise dis-agree. The internal download link pointing to the .tar.gz list file itself that leaves download failure errors as well as any IP addresses that remain in these files if used (squidguard uses them but not sure pfBlocker does though) these all should be removed to eliminate errors and false-positives if they were rendered.
As to remove ShallaList's contributions altogether would basically be literally the same thing as to say "when Bill Gates dies, lets just simply delete Microsoft Windows entirely worldwide and FORGET the project ever existed." The download link yes is dead, and ANY ip address list will become deprecated in time if not updated as individual IP addresses become to be re-purposed. The domain lists on the other-hand of millions of categorized bad domains is still 99% valid world-wide, regardless if in ShallaList or other DNS blacklists, whether its a "static" list or update-able as an "online" feed, and IF and when any of these are found to be outdated domain names or ones that are found to be needed/non-malicious by Network Admin managing their OWN networks, any and each can easily be whitelisted at the Admin level to allow access for their own network users.
If we dis-own any/all open-source community contributors contributions in the endlessly growing IT world at that point of a contributor simply "moving on with their life" or when one passes away, we as a whole worldwide would be in fact still be sitting in the IT industry and Internet itself of 1980 with literally one ISP, your government, and with literally one PC manufacturer also, your government.

@jlauzer said in Installation of pfBlockerNG breaks NAT Port Forwading Rules:

Thank you!!

You're welcome!

@provels said in pfBng Widget error, 3.2.0_5 (not devel):

Thanks again.

You're welcome!

@revilzs It has to at least be big enough to hold the data. Extra space won't hurt.

enabled De-Duplication

One note on this...if you use pfBlocker to create overlapping deny rules the deduplication works across rules, so may remove an entry from additional rules. If that's the case for you, disable it, or use Alias Native and create your own rules.

@bgroper you should be fine. @SteveITS and @johnpoz are correct.

Just for context, I've had 2FA (yubikey) enabled since March and have had no problem. The API used in pfBlocker is authorized via a license key you create on the website.

@droidus you can kill off specific states in the state table

@ghost666 How is your RAM...have enough?

@leakin said in pfBlockerNG - macOS wifi blocks, iPadOS passes?:

using the same wifi connection on an iPad, ads are not blocked...

any ideas?

Yes, most likely you didn't restrict and force all clients to use pfSense as DNS. Confirm that your iPad is configured to use pfSense for DNS. If you were using say YouTube app on your iPad, it's almost impossible to block ads as the ads server(s) are built-in.
take a look at these:
https://docs.netgate.com/pfsense/en/latest/recipes/dns-redirect.html
https://docs.netgate.com/pfsense/en/latest/services/dns/index.html

Believe it or not, I simply rebooted the first pfSense machine (the one that manifested the "not active" pfBlocker CARP VIP after every hourly or manual forced pfB update) and lo and behold, now it actually works. The all time classic IT Crowd quote from Gary "Have you tried turning it off and on again" worked once again! I am baffled.

@Gertjan
This was almost 15 hours after the install. It's not done it again, pfBlocker is on a once daily update, so hopefully it doesn't do it again.

@SteveITS
The "new-rules-not-applied" article you linked led me to Status > Filter Reload where I saw a loading error of pfB and adjusted a setting in the Advanced>NAT tab which fixed the problem.
Thank you for this quick response.

@michmoor oh damn, im so sorry. forget what i say... im going back to school! shame on me

@areckethennu It's probably a bad thing to reply to myself, but I reported this to the Phishing Army list OP and he said he'd fix it shortly. So, hopefully, things will resolve themselves soon.

@SteveITS said in DNSBL just Work when DNS Resolver Enable:

“UnKnown” is not a functional problem, you can ignore it.

While technically true - If I get an unknown for the dns I am using - it points to badly managed dns... Why would there not be a PTR for everything on your network ;)

If your going to setup forward zones, you might as well setup the reverse zones for the IP ranges you use on your network. pfsense makes it easy because you put in the host override, the ptr is auto there for that host, etc.

@SteveITS Got it! Thank you!!

Geo41.png
GeoIP4.png
Geo5-fwrule.png
GeoIP6-status.png

@Yet_learningPFSense said in I want to block the IP addresses assigned by ISPs to general households.:

I have noticed some IP addresses belonging to providers in Korea and Africa (confirmed using whois, such as *.telecom) which appear somewhat suspicious to me.

Where did you notice them? The net is a noisy place - you will see noise from all over the planet hitting your wan IP.. So? They are dropped by default.

If you have some port forwards open, just allow the IPs you want to allow. For example, my plex server the only thing that can talk to it are IPs from the US, and currently Morocco (since have family currently living there).. And the list of known IPs that plex uses to validate your server is available to the public.. And the known IPs that monitor if my plex is working, and notifies me if its down.

Simple enough to do in pfblocker - because you can create lists based upon country (geoip data) or other Ips you want to allow - uptime robot and statuscake for example doing the monitoring provide lists of IPs they use.

Or did you notice your devices connecting outbound to these weird IPs? in other countries?

@SteveITS Hmmm I see what you mean, I'll have to see if I can duplicate this. My setup right now though is to use block lists and then I use alias lists for any allowances I am making, so I think that avoids dedup issues.

@Bartballon hello let me try to help, how is the PfSense configuration set to resolve is it going to WAN 8.8.8.8 or 1.1.1.1 or the domain controller? Do you have a host override for a proxy also?

Also I found
"If unbound does not start correctly after entering custom options, add server: on a line at the top of the custom options text area."

Ref:
https://docs.netgate.com/pfsense/en/latest/services/dns/resolver-config.html

I found another post on this with a working version of what you want to do, user was asking how to make it resolve faster. Maybe this will help?

https://forum.netgate.com/topic/144091/ad-domain-controller-as-local-dns-forwarding-to-pfsense/10

https://forum.netgate.com/topic/140346/forward-dns-queries-to-active-directory-dns-server/9

@SteveITS I've tried with two different ISP, nothing happened bro.

a90b0839-aefc-4aa9-9dc2-16ce235bb115-image.png

@Gertjan
Thanks for your help :-)

For repair -> pfSense-upgrade -d -c

As soon as I post that it goes back down..

@SteveITS
Setting the State to OFF just disables the feed but it does not delete it. I'm trying to find a way to delete the feed.

It looks as though there is a bug in pfB. Time to call in the big gun, BBCan177.