• pfBlockerNG: IPv4 list "hijacked" is blocking Zoom

    0 Votes, 3 Posts, 732 Views

    @jdeloach Such great advice and so quick.
    I followed your suggestions and have switched to pfBlockerNG-devel, 3.1.0.
    Everything is working perfectly now.

    Thank you, so appreciate your fine assistance.

  • pfBlockerNG 2.1.4_26 borked Netgate 6100

    0 Votes, 5 Posts, 864 Views

    @jimfreeze said in pfBlockerNG 2.1.4_26 borked Netgate 6100:

    I assumed the unstable one would be the devel version

    Yes that is logical. A couple years ago, give or take, I saw the maintainer had posted to use -devel. Either in early 2019 or 2020 we had to switch because we couldn't get the MaxMind key to work on the non-devel one. So all our clients have it. Short version is, most people who don't frequent the forum probably use the non-devel, and most people here probably use -devel.

    Now, I have not run into DHCP not working or routing breaking, but there is a known issue with the -devel install stopping the DNS Resolver. As I understand it, it has to do with how the package installation happens so Netgate has to fix it.

  • pfBlockerNG not showing alerts after pfSense 2.5.2 update.

    0 Votes, 4 Posts, 683 Views
    Gertjan:

    @heliop100 said in pfBlockerNG not showing alerts after pfSense 2.5.2 update.:

    I changed the rules to block all South America and North America countries, but they are not blocking anything.

    What rules? Placed on what interfaces?

  • 0 Votes, 21 Posts, 3k Views

    @mariog I run Monterey, 7 y.o. iPad w/ 15.1, iPhone X w/ 15.1.
    My devices are set to hide IP from trackers. I am not using IPv6, not sure if that matters.
    My devices use Quad9 for DNS (via pfSense). I do not use DNSSEC. pfBlocker is at 3.1.0 and DNSBL runs in unbound python mode.

    I get a few ads, but rarely. I mostly get popups complaining that I'm blocking ads. If I do see ads I figure it is because I do not have a lot of feeds defined in DNSBL. Not always, but on occasion I do notice a bit of latency in Safari on iPad or Mac (rarely use iPhone at home, screen is too small to be useful). If 10 sec or so goes by w/o a page load I do a refresh and that usually brings a page up. I have not noticed if ads are on the page when this happens, but now I will pay attention.

    I just clicked around a site I never go to and did not see any ads and all the pages loaded very quickly. That site was CNN, so I imagine it's loaded with ads.

    I don't know if this is helpful or not, I'm not that knowledgeable about this topic.

  • Resolving of ASN to IPs stopped working

    0 Votes, 1 Post, 248 Views
    No one has replied
  • Private Internet Access Feed

    1 Vote, 2 Posts, 760 Views
    timtrace:

    v1.1 - writes date/time at the top of the outfile.

    fetch -o /tmp/PIA.json "https://serverlist.piaservers.net/vpninfo/servers/v6";jq -r '.regions[].servers.ovpntcp[].ip,.regions[].servers.ovpnudp[].ip' /tmp/PIA.json | sort -n | uniq | iprange > /var/db/pfblockerng/PIA_v4.txt;setenv PIAdate `date "+%Y-%m-%dT%H:%M:%S"`;sed -i '' -e "1s/^/#$PIAdate\n/g" /var/db/pfblockerng/PIA_v4.txt
  • Attackers_delivering_fake_DomainBlock (1635762191)

    0 Votes, 2 Posts, 498 Views
    Gertjan:

    @manishdixitajm said in Attackers_delivering_fake_DomainBlock (1635762191):

    I am sure pfng blocker is blocking

    So why ask?

    The error is "Attackers_delivering_fake_DomainBlock (1635762191)". Even when I am passing this traffic, it still does not work.

    If you block something, it's blocked = no access.

    Btw: it's not an error. Just a log line telling you a firewall rule was 'hit' by a packet and it matched: the rule was applied = blocking.
    By default, pfSense blocks nothing. You, as an admin, with your rules (with pfBlockerNG), are able to block.

    @manishdixitajm said in Attackers_delivering_fake_DomainBlock (1635762191):

    telnet on 443

    Really? telnet? On a TLS port?
    Let me guess: only rubbish came back ;)

    Trying to ping "zerion.io" and telnet on 443, it's giving a blocking error in the "System logs" tab.

    So, you can't connect?

    I am able to log in to that website and also ping is working.

    So you can connect?

    What is it?

  • Widget not updating

    0 Votes, 1 Post, 343 Views
    No one has replied
  • Geo block takes precedence over all other rules?

    0 Votes, 6 Posts, 790 Views
    johnpoz:

    ^ exactly - this is what I would do.. And what I do do for my use of geoip based rules.. But I don't block with them - I allow with them. Only allow the countries my users are in for plex, etc..

  • Custom IP list faster refresh time

    0 Votes, 2 Posts, 369 Views

    Hi @BBcan177, hope you are doing well. I know you have a lot going on, but my employer is willing to pay for this feature. How much do you think a fair price for this would be?!

  • pfblockerNG setup for one VLAN Only: Firewall rules not getting enabled

    0 Votes, 2 Posts, 394 Views

    PS: Can you please delete this thread. It seems to be a bug with pfblockerNG 2.1.4_26. The new v3 seems all good.

  • DNSBL whitelist & subdomains of edgekey.net

    0 Votes, 3 Posts, 1k Views
    timtrace:

    @gertjan Thanks - I appreciate your help.

    [attached screenshot: 2021-10-26_11-13-50.png]

    https://phishing.army/download/phishing_army_blocklist_extended.txt -- that's the Phishing_Army list that's showing up in the DNSBL log.

    In the phishing_army26OCT2021101209UTC.txt version of the list, it has:

    edgekey.net on line 8,328
    www-key-com.test.edgekey.net on line 38,876

    Note that anything to do with apple.com.edgekey.net is not present in the list.

    After a reload with ".edgekey.net" in the DNSBL whitelist, all references to edgekey.net are gone from the list (phishing_army-postprocess.txt). The DNSBL log displays no more entries for the domains shown in the OP. The DNSBL whitelist entry was effective at removing both the root domain and the subdomain.

    It feels correct to say that a DNSBL whitelist entry with subdomains does not whitelist every parent domain in the string. I.e., ".apple.com.edgekey.net" does not remove "edgekey.net" and "com.edgekey.net" and "apple.com.edgekey.net" ad nauseam. I suppose that if ".apple.com.edgekey.net" is not defined in the source list it can't be removed, and besides, the whitelisting of every parent domain in a string would lead to ..... well, it's leading me to another question.

    >>> If I have a list that includes only "edgekey.net" ... and I must whitelist ".apple.com.edgekey.net" ... and I have to whitelist ".edgekey.net" to make it work --- how do I avoid the collateral whitelisting of every other subdomain under "edgekey.net"?

    Thank you again --

  • MAXMIND - migration to new GeoIP list.. what would it mean to pfSense?

    0 Votes, 4 Posts, 768 Views
    Gertjan:

    @androgen

    If there is a demand for it, well, yeah, I guess so.

  • 3.1.0 Top Spammers

    0 Votes, 2 Posts, 563 Views
    Gertjan:

    @timtrace

    Have a look at the GEOIP files /var/unbound/usr/local/share/GeoIP/

    The first big number is probably the number of IPs in the attributed IP range.
    The second the number of IP listed.

  • pfBlockerNG not reporting V6 top spammers blocks

    0 Votes, 9 Posts, 886 Views

    @gertjan I agree. Seems that way to me also. Thanks for the debug code; I was struggling with finding a way to display this data since I'm a novice at this. Just having fun learning.

  • Help with Cron

    0 Votes, 2 Posts, 972 Views
    Gertjan:

    @lowhanger

    To see what cron does: install the pfSense cron package.

    "Hourly" will trigger the pfBlockerNG main update function.
    If a feed is set to daily, then it will update daily, not every hour.

    The other way around will not work:
    If you set a feed to update every 5 minutes (if that was possible) and the main cron delay is 1 hour, then the "5 minute" won't work.

    Btw: updating feeds every hour is not needed. Check for yourself: feeds are not updated every hour. Probably not for days ..... More frequent updating can be considered abusive, and some feed hosts might blacklist your requests.

  • pfBlockerNG-devel 3.1.0 Not Logging Blocked IPs

    0 Votes, 13 Posts, 2k Views

    @ciscox Yea that's where we differ, you're using auto-rules where pfBlocker will create the firewall rules for you. I cannot do that as I need to have some outbound only, some in and out etc, so I'm letting it create the aliases and I've created my own firewall rules using those aliases.

    I think this might be the difference as if it doesn't create the firewall rules automatically, it may also not be creating ip_block.log.

    I reckon that's the issue.

  • Block youtube ADs with PiHole blacklist

    2 Votes, 16 Posts, 20k Views
    provels:

    @andyrh said in Block youtube ADs with PiHole blacklist:

    For me it broke YouTube. Videos that start with an ad never play. Had to remove the list.
    😧

    Same for me. The DoH lists seem to be working fine, though.

  • Virtual IPv6 wrong

    0 Votes, 1 Post, 268 Views
    No one has replied
  • 0 Votes, 2 Posts, 315 Views

    @stewart Depends how big the tables are. Our notes from a while back on pfBlocker say to use "minimum 2 million."

    If it's a PHP memory allocation error that's something else.

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.