@gertjan said in Updating to pfBlockerNG-devel 3.1.0_1 from 3.1.0 blocks DNS requests:

I've already seen posts about feeds that have their own IP in the list

Yep, I had this happen all off a sudden I got notifications that lists couldn't be updated, it's because the lists were blocked by other lists lol.

And now pfBlockerNG doesn't even log IP addresses that it blocks for me. I think the developer has pretty much given up on the project.

@viktor_g :

Ok, nice.
A bit of a hammer approach, though.

I still wonder why unbound refuses a simple TERM signal, send initially, just a couple of lines above.

@szympro My use of pfBlocker has been for it to download feeds, and I use Alias Native for it to load the feed into a firewall table/alias for use in rules. Typically, for geo IP lists.

I see the "Whois" option does say "Convert a Domain name into its respective IP addresses" but I don't know how "whois" would do that...whois normally looks up the registrant or perhaps DNS servers for a domain. Perhaps @BBcan177 can explain further.

I guess if you can duplicate it you can report it as a bug. It just seems an odd feature to have if it already exists in pfSense, and oddly named...sounds more like "DNS lookup" than "whois."

@mohdikramsaif

45538466-c3ab-4f90-b758-a2f14f6e70ad-image.png

What is your pfBlockerng version ??

This is the latest version :

5b0c6455-e2b8-4604-a52f-4098f262ace5-image.png

Your questions :

The DNSBL feeds activated will "block" the access to the listed sites. (not only websites). Add "web.whatsapp.com" and all other whatsapp.com related domains to a list and you're ok. There was a whatsapp forum post no so long in the past. Keep in mind that whatsapp == facebook so you might have to block entire "AS". pfBlockerng had possibilities to include exclude certain LAN devces. See the very old forum posts about how to do so.
The newer (from yesterday) pfBlockerng-devel uses a simpler approach :

a85a8af5-b7ac-46c1-95d6-5aa9eefe388a-image.png

@mohdikramsaif said in pfblockerng:

Kindly share your suggestion

Have a look (abuse the search button) most of not all questions are already answered on the pfblockerng support forum.

@dma_pf

thanks for the suggestion. With openDNS I cannot make filters for specific internal network segments. The OpenDNS category restrictions will block some categories the grown ups need to access.

@dma_pf i'm running the latest version of both.

@user12345 said in pfBlockerNG won't complete cron update/reload of DNSBL feeds:

If you do an uninstall of non-devel version with keep settings checked and install the devel will it pull the settings and feeds over or trash those?

It's been a long time since I upgraded to the devel version so my memory is a bit foggy. But in general, if you're going to uninstall pfblocker and want to save the settings in the current configuration you need to check this setting in Pfblocker/General:

645d71a7-ecd6-44b6-9a8e-407637743220-image.png

Now, whether or not those saved settings load right back into the devel version I just can't remember for sure. But if you decide to try it, make sure that you do a complete backup of your whole system - Diagnostics/Backup & Restore. That way you could always roll back to where you where if the setting don't apply correctly.

@scop said in pfBlockerng-devel Certificate Error:

I would like to know if it is possible to redirect to another website like google (if the link is in HTTPS) or just show a message that he can't access to this web site instead of certificate error like in HTTP ?

There is not a way to do this. When a browser goes to an encrypted HTTPS site the first thing the browser is doing is verifying that the response is coming back from the server it intended to communicate with. It does this by verifying the security certificate of the server it communicates with. If the certificate matches the server it loads the page, if not, it will not load the page and will display the HTTPS (ERR_SSL_PROTOCOL_ERROR).

Because of that, if pfblocker attempts to serve up a an error page (classic MITM) the browser will not be able to verify the the page from pfblocker matches the security certificate of the intended server and the browser will block it.

@quasaur Cut it off

@gertjan Thanks for the feedback, good information and insights. I will see how I get on :)

By shut down automaticaly I meant, that it looked like this:

Bildschirmfoto_2021-12-26_18-15-06.png

But as I noticed now, that was, because I forgot to do a Reload after changing to Python Mode.

I now was able to get pfBlockerNG-devel runing as it should in the virtualbox, so everything is good so far.

@nogbadthebad

I made this text file on my ftp server
f4df1815-5ae8-445c-bfec-8c87254e489d-image.png

Then i made a entry like this:
595dc8d3-df02-4e00-9299-40e7b31c3d60-image.png

Finalize with:
e7991d88-fd37-46a2-855a-96d0639add15-image.png

Seems to work:
7cf3a590-f16b-4cc9-b67e-e14864fe469b-image.png

dnsbl.png

category filtering not working when I enter custom domain it works, could you please help me do block things category wise

@fireodo Thanks!

You've made my day 👍 😀

41ce1e68-1e71-41ca-b54d-ecfc5b3740a6-grafik.png

Fine sunday!

@Gertjan @fireodo Great community support!

That error message indicates the GUI code attempted to iterate an empty array variable without verifying the variable is actually defined as an array. My first guess, since the error is from the alerts log, is that the alerts log file is empty and the code is not properly initializing the array when an empty alerts file is encountered.

This is a problem that needs to be addressed by the pfBlockerNG-devel package maintainer. It should also get a bug report created at the Redmine Site here: https://redmine.pfsense.org/projects/pfsense.

@p_bear I don’t know who to blame but if a 3rd party browser works but Safari does not it seems that Netgate is not to blame. It would be nice to know why it does not work so we have something useful to complain to Apple about.

It used to work, I forget if it first broke when Yosemite was released?

@jegr

Read pfBlockerNG IP Reputation
It has a good ending.

The 'Reputation' tab is not available by default.
"Things" need to happen so it can be presented.

Thanks all. I am going to try it with what I have and then see how it goes.

@ghostshell said in Blocked Page:

https://www.reddit.com/r/pfBlockerNG/comments/lnczld/is_dnsbl_webserver_for_ssl_https_connections/

I don't understand what has been said there.
pfBlockerNG-devel logging isn't the issue here. The internal unbound (python, or not) or Lighttpd logs are not available to our browsers.
Our browser see what the web server @10.10.10.10:443 is replying after a page request.
It doesn't understand the answer.

What I think ** what is happening :
Our browser caches web server certificates, as HSTS has become wide spread.
So, our browsers knows what type of cert it should get back from web server. Because it caches certificates, for days, weeks, or even months (so naughty you, you've visited this site already ones without pfBlockerNG ;) - the cert was loaded and cached ).
Many encryption types exist, and the self generated (self signed) cert from the web server of pfBlockerNG cert does not have the right 'format'. If it had the right format, the host name would have been verified (and the date and many more aspects) and then a more understandable error would have been shown.

This issue can not be resolved. Our browsers could show more comprehensible message, true, but it all boils down to :
You wanted to visit a.tld but b.tld replied.
That's a MITM situation and that's a no-go

** Firefox is open source. So the source code will show the exact conditions of the error.

@pulsartiger

pfBlockerNG -devel???? ,on the current version? 3.1.0 should be no problem if you upgrade

if Keep settings is checked, also takes settings, lists, etc. with it when upgrading

BTW:

be careful, since you are switching to new FreeBSD version and the pfBlockerNG - devel has got a lot of new features in the near past...

I have to say you waited a long time for the update, 2.6 is almost here 😉

I think I have found a very easy way to bypass unbound.

In general setup/DNS Resolution Behavior I changed it to use remote DNS servers and ignore local DNS. And in DNS Server Settings I added my local BIND DNS ip addresses.

In client ip address assignment, I still give pfSense IP address for dns, however pfSense just ignores unbound and uses my local dns for resolutions. It’s still utilizing the DNSBL and IP blocklists as they are defined in the firewall floating rules by pfblockerng.

Resolutions now are much faster. Hope this keeps working as I just could not stand unbound resolution performance issues.

@gertjan
Thks

@jdeloach

if this list is blocking something that you want access to, just don't use this list

You misunderstood the troubles we report here. Yes of course if it’s a list that is dedicated to block public dns and you want to reach them, we can advice you not to use this list 🙃
But here we re talking about a “not normal” blocking. Like when they block GitHub or, worse, their own website which is stopping us to follow your advice … to report to them. 😉

When it reaches a so low level of conscientiousness you can’t justify that saying it’s done by folks for free. It’s insulting for all the others who do the same, for free, but seriously.

But as @BBcan177 said, he has to include a list in his plugging but he can’t keep vetting every list every time. It would be a full time job. That’s why we report. Since you say you use others lists, if you know good lists don’t hesitate to suggest some. Maybe he can swap in the list included in the package. He cannot be aware of every existing lists.

@keyser
Ok thanks a lot . I simply disable « hide IP » and add are blocked by Pfblocker . Best regards .

@ttblum said in Microsoft hosted site being blocked by Oceania Alias:

updated with Microsoft's current IP space?

for what office365?

https://docs.microsoft.com/en-us/microsoft-365/enterprise/urls-and-ip-address-ranges?view=o365-worldwide

@gertjan

Thank you. Adjusted as recommended and no further problems. Reminds of the DOS days when you had to define the number of file handles.

Never crossed my mind that there was the same thing for tables.

@johnpoz said in Permit United States only for specific port on WAN interface:

@ciscox its set to alias - which is shown on that first summary sort of page

setalias.jpg

What the heck, I didn't know about this. This is going to make things much easier now :)

Thank you very much :)

@jdeloach Such great advise and so quick.
I followed you suggestions and have switched to pfBlockerNG-devel, 3.1.0
Everything is working perfectly now.

Thank you, so appreciate your fine assistance.

@jimfreeze said in pfBlockerNG 2.1.4_26 borked Netgate 6100:

I assumed the unstable one would be the devel version

Yes that is logical. A couple years ago, give or take, I saw the maintainer had posted to use -devel. Either in early 2019 or 2020 we had to switch because we couldn't get the MaxMind key to work on the non-devel one. So all our clients have it. Short version is, most people who don't frequent the forum probably use the non-devel, and most people here probably use -devel.

Now, I have not run into DHCP not working or routing breaking, but there is a known issue with the -devel install stopping the DNS Resolver. As I understand it, it has to do with how the package installation happens so Netgate has to fix it.

@heliop100 said in pfBlockerNG not showing alerts after pfSense 2.5.2 update.:

I change the rules to block all south america and north america countries but are not blocking anything.

What rules ? Placed on what interfaces ?