@ronpfs said in pfBlockerNG-devel v3.0.0_9:

@fireodo I am with Unbound Python mode, so I can't verify the difference in file between mode.

But this may be normal,

Hmmm, if I deactivate the DNS over HTTPS/TLS Blocking the Whitelist is reduced to 3 (in the pfblocker Widget - and also in the pfbdnsblsuppression.txt)

@teamits said in If i use pfBlockerNG will that take first hit before Suricata?:

@cool_corona I reread your post and I understand your point. I guess I don't particularly care "who" is port scanning if they can't get in. I just assume "outside is bad." :) (also I missed that you weren't the OP, from the emailed notification)

As I understand you, uour usage case is that someone scanning 10000 ports would get blocked before they get to the one open port, vs. if there was only one port open the LAN instance of Suricata wouldn't detect that as a port scan. It would trigger only if they sent a packet that would be forwarded by the one open port and blocked by the LAN instance. In that case the LAN instance is double scanning the packets, so I'm not sure there is as much benefit of scanning there? The LAN alerts might still be more useful for finding the LAN IP of outgoing traffic.

Possibly, a way to reduce the double scanning would be to have only rules for port scanning enabled on WAN?

Exactly the way I am doing it :)

@tac57 https://www.reddit.com/r/pfBlockerNG/comments/ldzsh3/can_no_longer_whitelist_ips_bug_or_user_error/

@srig Hi! The only domain I whitelisted for the Ikea gateway to work was webhook.logentries.com.
But now I got rid of the Ikea gateway. I hate it when a device will not work when you block all the telemetry and "phone-home" domains.

So I have multiple subnets, as follows:

VLAN30 (10.27.200.0/24) - LAN (Servers, no DHCP)
VLAN202 (10.27.202.0/24) - IoT
VLAN204 (10.27.204.0/24) - DHCP (Clients, non-server devices)

All my devices that are not servers connect to VLAN204, except my AppleTV and any IoT devices (including IP Cameras), these are on VLAN202.

I have an ANY* rule from VLAN30 and VLAN204 to all other VLANS. VLAN202 can only talk out of the WAN interface and are blocked from communicating with VLAN30, but can talk to VLAN204, with the exception of DHCP, DNS, and mDNS, those can talk to VLAN30. I have pfBlocker Outbound rules set for VLAN30, 202, and 204, and Inbound for WAN. I have no NAT to the IoT network. I also don't use this firhol, which is most likely a huge difference.

So, one thing is that since my iPhone, on VLAN204 can talk to my Phillips Hue on VLAN202, and vice versa, and I have mDNS reflection enabled, I think that is the key. The Homekit hub is only needed when the client device (iPhone) cannot directly talk to the IoT device, it then routes through iCloud.

I'm not sure where you are applying the alias to, I will try to duplicate you setup if possible and see if I break things (the wife would be happy for sure).

@j24 I added a NAT rule that redirects the DNS requests from the VLAN to a known DNS e.g. 8.8.8.8. It's not the best solution I hope someone can help us separate pfBlocker from the other VLANs.

@chrisling said in pfblocker not working over OpenVPN:

I have the following setup:
ISP modem --> Netgear wifi router R7000 --> pfSense WAN --> LAN (homelab) | OPT1 (home wireless network)
The top layer R7000 is taking the (mostly static) public IP address assigned by my ISP, and then the pfSense WAN is on a RFC1918 compliance network space, i.e. 192.168.0.0/24, same local network with R7000.
I am running some web services demos from time to time on my homelab (pfSense LAN) so I do need to open some ports like 80, 8080, 443, etc. on LAN subnet.

You have a router after router set-up.
Tis means that NAT rules on pfSense have to be repeated on the upstream Netgate router.
Doing so will permit you to add as many routers as you want before your pfSense, but you have sync the NAT rules on all the routers.

I'm sure Lawrence (I'll ask) did said somewhere :
For home setups, by far, prefer a "something" as a modem device connected to your pfSense. Do not keep a router after router setup ** It works, but is tedious to maintain. And you have to understand that you have to build the chain of NAT rules in all your outer devices. Pretty ok if you want to amuse yourself. Not if you can't make these NAT rules "with your eyes closed".

Also : you have a router before your router, so incoming WAN traffic on pfSense can only be traffic that is using ports 80 and any port you've NATted on your upstream Netgear. if you don't want that "Asian" IP's visit your site, you could use the pfBlockerNG blocking rules on your WAN interface (or on the floating tab, and make them work on WAN).

In that case, put your web server NAT rules and your VPN rule after the WAN floating rules .... (but I don't know if floating rules take precedence here.... to be checked).

@chrisling said in pfblocker not working over OpenVPN:

I don't know much about how effective GeoIP is these days, as I'm also new to the game and just trying things out.

I won't say its worthless. it might work.
False positives might exist. Can't tell.

I have a dedicated server somewhere in France, in a big data centre.
It's a simple setup : a power cord, a mother board with the usal stuff, a hard disk, and a Ethernet connector. No screen, no keyboard - I never saw my own server as I don't have physical access to it (you pay but have no visit rights ...).
I use a classic OS : Debian. A classic web server : Apache2. 6 IPv4 and a couple of domains. Some web sites (company and private). A mail server for my domains. The classic DNS domain name server bind. As said : as vanilla as it gets.
No firewall.
Everybody on planet earth can visit my server.
This works just fine since last century (21 years now ...).

Important to know is that my server is being (physically) maintained, 24/24 and 7/7.
And the data centre owner, one of the biggest in the world, uses special routers that can detect and negate DDOS hassle. Something you can never do @home. Worse ; you host a server @home and you get DOSSsed ? Your ISP pulls the plug - or throws YOU out.

My dedicated web server has a 1 Gbyte / sec connection guaranteed, so for a couple of simple Wordpress sites it's doing close to nothing. If needed, it can do much more.
And it's protected for the - what i think - the real dangers.
"Asian" IP's are not the real danger (IMHO). I tend to say :"they" made you believe that.
Russian ? => lol. They are not interested in me. I've no valuable data on my server, like loads of mail addresses, or credit card info, or forums loaded with Kevins and other trolools.
Start Youtube, and do some, as they call it now : fact checking. Take an afternoon to see who hacks who with what, and what the hacker did to the victim when he found out - the hacker was using what ? Never use one Youtube video as the truth : see it as a person's opinion. Add them all up, divide by the number of them and try to found the common central point. Now you're aligned to a point that might be true. Now apply the what if phase, and keep this phase up until the end (take this literally).
Stay away from the adds. They make you think you can buy security. You can't. You have to make it yourself. Its more a state of mind, I guess.

Example :
You and I are today capable of writing a FY letter, and put it in an envelop, addresses it, put a stamp on it and send it by old fashioned mail to some guy.
The guy receives your letter and can not see where it came from.
Even if he calls in a boat load of laboratories and experts. It's as simple as that.
So : yes, Europeans and Amercans will say that the hackers are Russian, Chinese or Tjech. They - the last 3 - are saying its us. And later - if you find out - that is was the son of the jealous neighbour with some stupid hack-script (the kid learned how to type 'make').
Remember the movie from the eighties where the kid typed : "can you play a game" on a terminal ?
Years later, the reality was worse. NORAD wasn't playing - it was a 'ordinary' training simulation. But the missile launch facility agents (in the US) went into isolation mode, opened their red books, and prepared themselves for the final phase.
Because some one (at NORAD ?) forgot to shut down the simulation.

What I want to say, in short : It's the human factor. Its the fault of everybody,start by me (you, etc).

@chrisling said in pfblocker not working over OpenVPN:

i.e. unchecking the floating rules, so that they will be on both my LAN and OPT1 networks such that I can block all and just have the top and bottom line rules on WAN?

Yep. This will populate more rules pfB over all your interfaces, but helps you somewhat to get a nice overview. You can see what happens where when. As soon as everything is set up and tested on your pfSense, you can take advantage of the real strong point of pfSense : let it running by itself so you can do other things ;)
(but keep in mind : pfSense is a giant baby : keep an eye on it, as it is maintained by this stupid guy, like me - and now you ^^).

edit : .... wow, sorry, being to the point doesn't always work out for me.
But hey, I'm only human ;)

@elmnts Yes, I'll certainly re-install when the next version appears, or soon after, probably on a day when I'm at home by myself, and I've got a few hours to do some testing without danger of upsetting my partner's television viewing or internet use!

As I said, it isn't really urgent because I'm not running an environment where there is a particularly high risk of a user going somewhere they shouldn't or being hijacked, but it is nice to know the protection is there, particularly when life gets back to normal and we have visits from the younger family members who are all over social media!

@bbcan177
That was the reason, I had System > Advanced > Protocol set to HTTPs on the first system and to HTTP on the second.

I changed to HTTPs on the second system, ran a PfBlockerNG update and aliases URLs changed to HTTPs too ;-)

Many thanks !

@bbcan177 I get that it's a complicated process, but what is being taxed? Is it all loaded in RAM and it's the RAM speed limiting it? I have the same problem with Quickbooks in every install we've done. It's runs slow but nothing we see is being overly taxed. If I were to build a new system and upgrade from the APU2 units, what would need to be sped up to alleviate the issue?

@viktor_g thanks, but no , that was not it, it was a post that handle cases where maxmind did not work,
it include edit some conf file on pfsense + running some PHP files, to rebuild the DB

@johnpoz done and seems to be working.... thanks

@bbcan177 said in pfBlockerNG & Squid transparent proxy:

localhost

It was already in localhost. pfBlockerNG works with both pfBlockerNG & Squid running. However, Squid 'transparent' proxy is not working. If I can configure proxy settings in my browser then I can see Squid proxy is getting the URL request & virus scanner running. I suspect transparent proxy is conflicting with pbBlockerNG

@talaverde
HA is a complex animal, some interfaces use CARP VIPs and packages use the XMLRPC to sync. XMLRPC has issues where you can use a dedicated user and some vendors(Snort/Cisco) did not think you could do that so they force you to use root/admin to sync your data.

@bbcan177 Thank you, thank you, thank you!!! The "Suppression" option was disabled and enabling fixed the problem. The 192.168.1.1 IP is now begin removed from the URLhaus blacklist.

I think I also now understand the ALIAS solution. I would need to convert ALL pfB lists to aliases and completely forgo the auto rules. This seems to be good practice in general and I may consider this.

Finally, I do plan on updating to the devel version eventually, probably when I update to pfSense 2.5.0 in the future. This will take some time and I need to make sure I carve the time out from my schedule to address the issue. Right now, I am too busy at work and need the internet to just work for my video conferences.

@mcury
I am just adding each Vlan to the "Outbound Firewall Rules" under the IP tab in pfBlockerNG.

Then Each Vlan has this rule towards the top before the block firewall/Internal rules

7475b17a-506b-4c43-b709-0b0650b33fc0-image.png

@teamits I did not. It halted during boot and led me to a "#" prompt

@bbcan177 Confirmed. It was the 6 hours time difference.

@bbcan177 said in pfBlockerNG v3.0.0_6 update:

Add preliminary DNSBL Group Policy configuration that will globally bypass DNSBL for the defined LAN IPs

Thank god for this new functionality, thank god! (well, thank bbcan177!!!)
Sure looking forward to the CIDR notation

It appears to be working now that the cache is cleared, thanks.

@bbcan177 work perfect

Thank you @BBcan177 for confirming your (eventual) plan and @Gertjan for the graphic picture. :-)

@griffo @ronpfs in my case things have gotten more interesting. I can see a restart before each outage. So this suggests

an unplanned reboot happening about once a week pfblockerng or unbound does not start up correctly upon restart

#2 is fixed by re-starting pfblockerng but #1 will need more digging. It's easy to see if this is happening by checking NTP logs (search for "Starting") or system logs.

The reboot is interesting. In all three cases LAN was fine, WAN was knocked out by the restart, CPU temps are very good, and in at least two of the cases I was making network adjustments through the unifi UI for my access points at the time that things went down. Possibly coincidence.

@amrogers3 The easy way to learn how to do thing is to use the Alerts tab '+' icon, it will offer choices for whitelisting according to the blocked type (DNSBL, TLD, Regex, etc). You can then review the DNSBL Whitelist to see what pfBlockerNG did.

If you find blocked IPs in the Alerts tab, then you can whitelist or suppress them with the '+' icon.

@bbcan177
Thanks! Everything is working.

Using a large alias on many NAT or firewall rules can slow down the web GUI as it downloads the alias hint/tooltip multiple times. In one case for similar connections to multiple servers, we changed the NAT rules to allow any source IP, turned off the linked firewall rule, and created one firewall rule to allow "from the alias" to all of the servers on that same port, so there is only one rule using the alias instead of many.

@miiwaukee

Figured it out. Had an incorrect Outbound NAT Entry that was set to IPv6 instead of IPv4. Issue resolved!

@provels said in MS activated DoH at the operating system level, in this "great" 20H2 release...?!:

What would happen to those of us using the resolver and talking to the roots?

Hello everyone...

Okay (hmmm, how should I start, OK I already know), I’ll post a new and great evidence on this theme (Win10 _20H2 vs. DoH) in 2021, so I am not doing it now, ...because I want to (sorry,....I would like to)..... and I would like to wish a beautiful Christmas and a pleasant New Year holiday to everyone, but then comes the dread in 2021....HOHOHO..HAHAHA, like bird flu H1N1 - Winflu 20H2 - HIHIHI

-it wasn't a good joke, though it looks a bit similar.....✋ (so, "give me five")
(I am using roaring emoticons 😉 , not like others :)

of course only for those who like to control their own DNS stuff -

I look forward to seeing everyone, if you are interested in the future... and theDNS theme

BTW (preliminary):
the encouraging test environments: (4 colleagues, 4 separate locations (in EU), 4 external pfSense installations - same Win image - 20H2)

2020-12-22_17h03_37.jpg

+++edit:
MY new year "vow" WILL BE that I wont be createing less colorful posts and 😂

+++edit2:
anyway, I use windows everyday (to my stuff)
well, that's a joke (so I got upset)

@sebm said in pfBlockerNG-devel v3.0.0_7:

While in Firefox, the first file I select never gets loaded,

Using Firefox 84.0 - no adds, when I visit :

1d1ebd34-dbd6-4ec3-af08-bb59b1496741-image.png

Now, I'm invited to make my selection, using the second "Log/file selection" pull-down list
When done, the file is shown right away.
Looks fine to me now.

@bbcan177

Yeah I saw that, but nothing clear about the free version. Maybe we just have to wait.
Anyway thank you @BBcan177

@bbcan177 said in Some download FAIL alerts:

Yes that is what I said in that reddit post.

Yup, I understood. I said that too above. (free for private use)
Yes, it works with a minor bug, the download sometimes doesn't start, but if I know well they are working on it.

@bbcan177 oops.. I cleared it and it’s all good. Thanks. 👍👍