@smolka_J

Well all I did for now removed all TLD entries and added it into DNSBL whitelist and DNSBL custom list to block for now. It does not take much time as it was in previous. Yellow triangle is gone as well.

@kiekar

Right, that is a reason to use some (GEO) IP blocking for incoming connection on WAN.

@provels They changed the method a couple versions ago. It isn't really documented as such but that's a feature of tmpfs. (I suggested that doc change but it was declined because it could use all the allocated RAM)

https://docs.netgate.com/pfsense/en/latest/releases/22-01_2-6-0.html#operating-system
Changed: Convert RAM disks to tmpfs #12145

edit: https://www.reddit.com/r/linuxquestions/comments/fjxiv2/does_tmpfs_ramdisk_use_up_allocated_ram_even_when/

I've filed a bug report with a potential patch:
https://redmine.pfsense.org/issues/14409

@nollipfsense

Hello and thank you for your reply.

The access is from outside via an IP address to an internal client. (Nat)

@emikaadeo Had the impression you created the post on Reddit. Whenever there is a design implementation and one ask why, one should immediately ask oneself, why not. I see no issue(s) with how it's done. If I were those maintainers, I would directly ask BBcan177 instead of publicly claiming it's wack as well as share how they would do it differently...simple respect, isn't it?

@johnpoz Of course, it is just a "test" :) hahaha. I am also testing cbs,nbc, and other main stream media.

@bigsy said in Failure when starting pfb_dnsbl service:

@cmcdonald Working for me now on 23.05-RC (lighttpd: 1.4.69 -> 1.4.69_1). Many thanks!

Same here.

@spyderturbo007 Can you post one update attempt from your pfblockerng.log log file? (pfB/Logs tab)

I went through and re-organized my list, strengthened the character sets on a few hundred lines to combine and eliminate others and added a few, de-duplicated what was left, so far no errors on either box. All was gathered from through the communities, slightly tweaked, and here for any whom want to use, test, or improve upon. pfSene pfBlockerng regex list 5-4-23.txt

I hoped there was a configuration setting in pfblocker to disable reverse lookups and repeat lookups, but it has been a while since I posted to the forums and there have been no replies, so I assume there is not.

I created a workaround because I enjoy tinkering, but, unless you have my same use case, there is no reason to take this route. Please just stick with PFBlocker.

That said, I uninstalled pfblocker and did the following...

[1] get the priority 1 threat lists
[2] normalize the output and put it on a webserver
[3] use a pfsense firewall alias and fetch it as a URL table [gui]
[4] update this to hourly on pfsense cron [cli]
[5] change the file time hourly [cli]
[6] create firewall rules to block using this alias [gui]

NOTE: I used a debian linux machine for steps 1-2 (because I already had it generating other URL lists and it was just easier to do it there). Steps 3-6 are done on the pfsense.

I had fun doing it and I learned a few things about how pfsense works in the process. If you want the details of how I did it in case you need to do something similar, then read on. Otherwise, this forum post is probably done.

Cheers

[STEP 1] script 1 (feedlist-fetch.sh)

#!/bin/bash # start in the right place cd /home/donutjustice/PFSENSE-scripts/quietblocker/ # get the lists curl -s https://feodotracker.abuse.ch/downloads/ipblocklist_recommended.txt > ips-feodo.txt curl -s https://sslbl.abuse.ch/blacklist/sslipblacklist.txt > ips-sslbl.txt curl -s https://cinsarmy.com/list/ci-badguys.txt > ips-cinsarmy.txt curl -s https://rules.emergingthreats.net/fwrules/emerging-Block-IPs.txt > ips-ET-emerging.txt curl -s https://rules.emergingthreats.net/blockrules/compromised-ips.txt > ips-ET-compromised.txt curl -s https://isc.sans.edu/block.txt > ips-isc-block.txt curl -s https://www.spamhaus.org/drop/drop.txt > ips-spamhaus-drop.txt curl -s https://www.spamhaus.org/drop/edrop.txt > ips-spamhaus-edrop.txt curl -L -s https://talosintelligence.com/documents/ip-blacklist > ips-talos.txt

[STEP 2] script 2 (quietblocker.sh)

#!/bin/bash # # threat feed data cleanup # copy to web server # # grab data from all the lists cd /home/donutjustice/PFSENSE-scripts/quietblocker/ `/home/donutjustice/PFSENSE-scripts/quietblocker/feedlist-fetch.sh` sleep 35 # cleanup the output cat ips-cinsarmy.txt > BUILD.txt cat ips-ET-compromised.txt >> BUILD.txt cat ips-talos.txt >> BUILD.txt grep -v \# ips-ET-emerging.txt >> BUILD.txt grep -v \# ips-feodo.txt >> BUILD.txt grep -v \# ips-sslbl.txt >> BUILD.txt grep -v '^;' ips-spamhaus-drop.txt | cut -d\; -f1 >> BUILD.txt grep -v '^;' ips-spamhaus-edrop.txt| cut -d\; -f1 >> BUILD.txt grep -v \# ips-isc-block.txt | awk -F '\t' '{ print $1 "/24" }' >> BUILD.txt # move it to the local webserver cat BUILD.txt | sort -u > /var/www/html/quietblocker/quietblocker.html

This script is run hourly on the debian box. It runs 5 minutes before pfsense grabs the URL to ensure the threatlist is fresh.

The local crontab looks like this:

25 * * * * /home/donutjustice/PFSENSE-scripts/quietblocker/quietblocker.sh

[STEP 3] In the gui set pfsense firewall alias to fetch the URL. I named mine "quietblocker" (relevant in step 5 where this becomes quietblocker.txt. If you name yours something different, just make sure it matches in step 5.) and the URL looks like this

http://10.1.1.100/quietblocker/quietblocker.html /1

[STEP 4] ssh to pfsense and edit /etc/crontab

EDIT the "urltables" line from a 12 to a *. It should look like this

30 * * * * root /usr/bin/nice -n20 /etc/rc.update_urltables

[STEP 5] keep editing /etc/crontab (just like step 4)

ADD a new crontab line (I suggest below the urltables). It should look like this.

35 * * * * root /usr/bin/touch -t 1001011230 /var/db/aliastables/quietblocker.txt

This step is necessary because the urltables script checks the timestamp on the file and won't update anything less than 1 day old. This just changes the date, so it is always old enough. I preferred this method to monkeying with the urltables script.

[STEP 6] Now create firewall rules to meet your needs using this firewall alias.

@nickyw To control where rules are created, on Firewall/pfBlockerNG/IP under Inbound Firewall Rules (or Outbound) select both WAN interfaces.

re: Alias Native, on Firewall/pfBlockerNG/IP/IPv4 open your entry and for Action choose Alias Native. That will create an alias but create no rules. Then you can create whatever rules you want in any order using that alias.

@johnpoz Where do i find a list for YT etc?

@nogbadthebad

Interesting, yes that would allow me to use all Mulvad's IP's to go through the firewall, thanks.

I did a feature request here: https://redmine.pfsense.org/issues/14324

Pierre

@lohphat Very cool.

@netboy Another observation...

I connect my iphone to wifi 172 subnet.

Type https://www.cnn.com get "your connection is not private"...

Turn off wifi and use the data plan that comes with my phone

Connect to https://www.cnn.com connects like a charm

I am going to assume this has something to do with my pfsense router....100%

Now I connect my iphone to wifi 192 subnet and it works like a charm..

Remember I have made ZERO changes to my router

I am happy to troubleshoot if somebody can help me

I "disabled" pfblockerNG and I get the same symptoms...So it appears it has to do with pfsense rather than pfblockerNG? Not sure

SOLVED!! Nothing to do with pfsense.....I had a wifi repeater for 172 network...(nokia router in bridge mode) - rebooted it and everything worked fine......

Close this thread please

@katinatez Thanks. That worked well.

Ejrv_PPNv4_v4 upload.jpg

I now have a text file with all the IP addresses in it "Ejrv_VPNv4_v4.orig" which I renamed "Ejrv_VPNv4_v4.txt". I assume not I should be able to reload this in topfBlocker if required. Ejrv_VPNv4_v4.txt

@katinatez said in XBox Live Domains to be whitelisted?:

My question is which domains should I whitelist?

Only xbox users
and who use also pfSense
and who use pfBlockerng
and who use the list you use

see what you see : blocked domains.

So, its very possible your are the only one.

Easy solution ; use another dnsbl ;) edit : Maybe WindowsSpyBlocker isn't good for you, as you want not to block what WindowsSpyBlocker proposes to block.

Next best solution : connection only your xbox to pfSense.
Do what you do with the xbox.
And while doing so, keep an eye on the Firewall > pfBlockerNG > Alerts page.

These is ( for me ) a section with :

594eeab7-2caf-40e5-a2cb-0ba4efa6d433-image.png

and half way down :

2338604a-5917-4953-927e-787114e280eb-image.png

now do what admin do : whitelist what is needed.
Click on

56c9ba2e-ff04-46ee-83d2-063d46e4d1c6-image.png

and do whitelist - and do this for dnsbl that xbox needs to contact.

@jrey

pfBlockerng main page :

dcb17243-a367-4b36-89de-d58344499187-image.png

Related cron setting :

7080e3aa-61cc-4e30-b90b-c4cca04ac992-image.png

But wait :

5eca5f3f-81bc-4c86-b48a-ca25651934da-image.png

So, I guess, I've set to 'every day' at 8h15

The cron settings are now (after a force reload ! - see bottom of the page) :

589793b6-c3d3-48b8-8c00-78fd6a386b9c-image.png

where is the "8" ? for 8 o'clock 'AM' ? (bug ?)

Anyway.

Note that

/usr/local/bin/php /usr/local/www/pfblockerng/pfblockerng.php cron

will execute

syslog(LOG_NOTICE, '[pfBlockerNG] Starting cron process.'); pfblockerng_sync_cron();

and the function pfblockerng_sync_cron(); will do a

// Call log mgmt function // If Update GUI 'Manual view' is selected. Last output will be missed. So sleep for 5 secs. sleep(5); pfb_log_mgmt();

at the end.

My dns_reply.log was reduced, while testing, to a mere 20000 (my setting) and it grows rapidly, because I see hundreds of lines per minute.

@rcoleman-netgate here is a PCAP. I believe the delay to be the Request By the Computer asking who 130.140.1.1 is and the Computer IP is 130.140.1.78 I believe this hand shake when 20 Chrome books are opened at the same time may be the delay. please let me know what you think.

18:17:12.757414 IP 130.140.1.78.45893 > 130.140.1.1.53: UDP, length 33
18:17:12.800455 ARP, Request who-has 130.140.1.1 tell 130.140.1.78, length 46
18:17:12.800459 ARP, Reply 130.140.1.1 is-at 90:ec:77:2e:23:66, length 28
18:17:12.894371 IP 130.140.1.78.5353 > 224.0.0.251.5353: UDP, length 117
18:17:13.145360 IP 130.140.1.78.5353 > 224.0.0.251.5353: UDP, length 117
18:17:13.216904 IP 130.140.1.78.50345 > 130.140.1.1.53: UDP, length 34
18:17:13.223810 IP 130.140.1.78.5353 > 224.0.0.251.5353: UDP, length 33
18:17:13.224656 IP 130.140.1.78.39310 > 239.255.255.250.1900: UDP, length 176
18:17:13.264188 IP 103.41.69.203.443 > 130.140.1.21.56272: tcp 31
18:17:13.369452 IP 130.140.1.21.56272 > 103.41.69.203.443: tcp 0
18:17:13.396245 IP 130.140.1.78.5353 > 224.0.0.251.5353: UDP, length 117
18:17:13.464245 IP6 :: > ff02::1:ff44:b751: ICMP6, neighbor solicitation, who has fe80::98f3:cdff:fe44:b751, length 32
18:17:13.504526 IP 130.140.1.78.39790 > 130.140.1.1.53: UDP, length 32
18:17:13.568218 IP6 :: > ff02::1:ff82:f129: ICMP6, neighbor solicitation, who has fe80::681e:6ff:fe82:f129, length 32
18:17:13.597080 IP 130.140.1.78.5353 > 224.0.0.251.5353: UDP, length 105
18:17:13.636389 34:60:f9:3e:4c:09 > ff:ff:ff:ff:ff:ff, RRCP-0x25 reply
18:17:13.725156 IP 130.140.1.78.41801 > 130.140.1.1.53: UDP, length 33
18:17:13.772959 IP 130.140.1.78.8735 > 130.140.1.1.53: UDP, length 33
18:17:14.227125 IP 130.140.1.78.39310 > 239.255.255.250.1900: UDP, length 176
18:17:14.228747 IP 130.140.1.78.55421 > 130.140.1.1.53: UDP, length 34
18:17:14.516916 IP 130.140.1.78.26674 > 130.140.1.1.53: UDP, length 32
18:17:14.735840 IP 130.140.1.78.20216 > 130.140.1.1.53: UDP, length 33
18:17:14.815218 IP 130.140.1.78.5353 > 224.0.0.251.5353: UDP, length 105
18:17:15.228837 IP 130.140.1.78.39310 > 239.255.255.250.1900: UDP, length 176
18:17:15.406804 IP 192.168.2.15.5060 > 69.84.152.140.5060: UDP, length 496
18:17:15.496426 IP 142.250.190.42.443 > 130.140.1.41.34848: UDP, length 157
18:17:15.496446 IP 69.84.152.140.5060 > 192.168.2.15.5060: UDP, length 601
18:17:15.590042 IP 130.140.1.41.34848 > 142.250.190.42.443: UDP, length 33
18:17:15.636337 34:60:f9:3e:4c:09 > ff:ff:ff:ff:ff:ff, RRCP-0x25 reply
18:17:15.648896 IP 142.250.190.42.443 > 130.140.1.41.34848: UDP, length 157
18:17:15.652443 IP 130.140.1.41.34848 > 142.250.190.42.443: UDP, length 34
18:17:15.781370 IP 130.140.1.41.34848 > 142.250.190.42.443: UDP, length 33
18:17:15.795484 IP 130.140.1.78.12841 > 130.140.1.1.53: UDP, length 33
18:17:15.840301 IP 142.250.190.42.443 > 130.140.1.41.34848: UDP, length 25
18:17:15.937358 IP 130.140.1.78.44996 > 142.250.111.188.5228: tcp 26
18:17:16.023659 IP 130.140.1.78.56339 > 130.140.1.1.53: UDP, length 53
18:17:16.037245 IP 130.140.1.78.55934 > 130.140.1.1.53: UDP, length 43
18:17:16.039043 IP 130.140.1.78.5619 > 130.140.1.1.53: UDP, length 34
18:17:16.045365 IP 130.140.1.41.34848 > 142.250.190.42.443: UDP, length 33
18:17:16.066272 IP 130.140.1.78.39005 > 130.140.1.1.53: UDP, length 35
18:17:16.066488 IP 130.140.1.78.20031 > 130.140.1.1.53: UDP, length 47
18:17:16.112145 IP 142.250.190.42.443 > 130.140.1.41.34848: UDP, length 25
18:17:16.201394 IP 130.140.1.78.44996 > 142.250.111.188.5228: tcp 26
18:17:16.222290 IP 130.140.1.78.5353 > 224.0.0.251.5353: UDP, length 40
18:17:16.223315 IP 130.140.1.78.5353 > 224.0.0.251.5353: UDP, length 40
18:17:16.223971 IP 130.140.1.78.5353 > 224.0.0.251.5353: UDP, length 46
18:17:16.224550 IP 130.140.1.78.5353 > 224.0.0.251.5353: UDP, length 45
18:17:16.225050 IP 130.140.1.78.5353 > 224.0.0.251.5353: UDP, length 34
18:17:16.225395 IP 130.140.1.78.5353 > 224.0.0.251.5353: UDP, length 33
18:17:16.225744 IP 130.140.1.78.5353 > 224.0.0.251.5353: UDP, length 44
18:17:16.229370 IP 130.140.1.78.39310 > 239.255.255.250.1900: UDP, length 176
18:17:16.251355 IP 130.140.1.78.14830 > 130.140.1.1.53: UDP, length 34
18:17:16.271198 IP 130.140.1.39.5353 > 224.0.0.251.5353: UDP, length 1436
18:17:16.271623 IP6 fe80::217:c8ff:fe84:30.5353 > ff02::fb.5353: UDP, length 1436
18:17:16.276728 IP 130.140.1.78.5353 > 224.0.0.251.5353: UDP, length 60
18:17:16.277288 IP 130.140.1.78.5353 > 224.0.0.251.5353: UDP, length 61
18:17:16.278096 IP 130.140.1.78.5353 > 224.0.0.251.5353: UDP, length 71
18:17:16.278943 IP 130.140.1.78.5353 > 224.0.0.251.5353: UDP, length 71
18:17:16.317286 IP 130.140.1.41.34848 > 142.250.190.42.443: UDP, length 3

@mpfrench said in Is it Possible to Run the DNSBL UT1_Adult on a Netgate 1100?:

@Gertjan found that UT1_Adult did not block pornhub.com and the list has 4.5M entries.

Correct. The first time I tried, using dnsbl at the end of (huge) list didi resolve to the real IP, not 0.0.0.0 ( I don't forward to 10.10.10.1 = internal pfB web server as https can't be redirected so the browser error will get shown ).
I saw that the complete pfBlockerNG reload / force all didn't terminated with a " UPDATE PROCESS ENDED", it just stopped somewhere in the middle, leaving the process in a undefined state.

Several days later, I redid the test, it took close to 10 minutes to finish, but it did finish this time. Now, it blocked dnsbl from the UT1 list.

Again : using a 4100 with 4 Mbytes of ram.

I share your conclusion.

@chrislynch said in Frequent DNS timeouts:

I had special DHCP static leases for specific devices that handed out those DNS servers instead of the firewall, and they still had DNS timeouts.

These devices 'talk' directly to "1.1.1.1, 1.0.0.1, or even Googles DNS (8.8.8.8, 8.8.8.1)" which means it's some TCP and mostly UDP traffic to these IPs using port destination 53.
pfSense does nothing with this traffic except 'routing it'.

IMHO : That's for sure an uplink issue.

@bbcan177 It is already set to localhost according to web interface which is default. I'm not sure where else to look. Here's the pfb_dnsbl_lighty.conf is that helps.

#pfBlockerNG DNSBL Lighttpd configuration file

server.tag = "pfBlockerNG DNSBL"
server.bind = "10.10.10.1"
server.port = "80"
server.event-handler = "freebsd-kqueue"
server.network-backend = "freebsd-sendfile"
server.dir-listing = "disable"
server.document-root = "/usr/local/www/pfblockerng/www/"
server.max-request-size = "1"
server.pid-file = "/var/run/dnsbl.pid"
server.use-ipv6 = "enable"
server.modules = ( "mod_auth", "mod_fastcgi", "mod_rewrite", "mod_openssl" )
index-file.names = ( "index.php" )
mimetype.assign = ( ".html" => "text/html", ".gif" => "image/gif" )
url.access-deny = ( "~", ".inc" )
fastcgi.server = ( ".php" => ( "localhost" => ( "socket" => "/var/run/php-fpm.socket", "broken-scriptfilename" => "enable" ) ) )

$HTTP["scheme"] == "http" {
url.rewrite-once = ( ".*" => "/index.php" )
}

$HTTP["remoteip"] =~ ".*" {

$SERVER["socket"] == "10.10.10.1:443" { ssl.engine = "enable" ssl.pemfile = "/var/unbound/dnsbl_cert.pem" ssl.dh-file = "/etc/dh-parameters.4096" ssl.cipher-list = "EECDH+AESGCM:EDH+AESGCM:AES128+EECDH:AES128+EDH" ssl.ec-curve = "secp384r1" ssl.honor-cipher-order = "enable" ssl.openssl.ssl-conf-cmd = ("Protocol" => "-ALL, TLSv1.2") } $SERVER["socket"] == "[::10.10.10.1]:80" { # } $SERVER["socket"] == "[::10.10.10.1]:443" { ssl.engine = "enable" ssl.pemfile = "/var/unbound/dnsbl_cert.pem" ssl.dh-file = "/etc/dh-parameters.4096" ssl.cipher-list = "EECDH+AESGCM:EDH+AESGCM:AES128+EECDH:AES128+EDH" ssl.ec-curve = "secp384r1" ssl.honor-cipher-order = "enable" ssl.openssl.ssl-conf-cmd = ("Protocol" => "-ALL, TLSv1.2") } $HTTP["host"] =~ ".*" { url.rewrite-once = ( ".*" => "/index.php" ) }

}

@motivio said in Rest DNSBL Block Stats:

Hi,
How can I rest the "DNSBL Block Stats" of the pfBlockerNG?
Thanks!

There are two ways you can do this.

Go to Firewall / pfBlockerNG and then click on Logs tab. In dropdown menu under Log/File selection select dnsbl.log and click on a trash can to remove.

2750dc31-42f8-4348-991d-87bccd753836-image.png

Go to Diagnostics / Command Prompt and type this into Execute Shell Command field: rm -rf /var/log/pfblockerng/dnsbl.log

Click on yellow execute button and thats it.

880a2ea4-af7f-47f1-861e-13b3206be784-image.png

Hmm, still no other reports of that.

The trace makes it look like there's a rogue character in an IP address there somewhere. Since it's only you seeing it do you have some custom lists maybe?

@mpfrench said in Redesign pfBlockerNG to Run DNSBLs Using Unbound in Both Resolver and Forwarder Modes:

and the browser shows the "Try again Charlie" screen.

They won't. They'll understand.
They have Google. They will do what you would do.
.... 5 minutes later ....
They stop using 'your network', and take another one, like a SIM 4G/5G data card from their phone.
Case 'solved'.

I say this because " I've been there - seen it - thought I needed to do something with a tool ".
All you can do is explaining, and showing the right example.
It has been written somewhere : everybody has the right to dig its own hole, and then fall into it.
I bought a rope, so I can help, if asked or needed ;)

I think i found the answer to my own question.
It seems that i will not need PFBlockerNG to perform GEOIP blocking since it can be done via some rules set at cloudflare Require specific countries.

@provels said in pfblocker not blocking weather channel app on iOS:

It's probably getting the ad from other than weather.com.

Let's hope so ;)
If it was getting the add from weather.com, there's no way to block the add, except blocking the "weather.com" all together.

"weather.com" could even supply a "IP list" into it's weather info, bypassing any DNS needs.
So now you have to look for these IP addresses.
These will always be "some" from a bigger unknown add server pool.

The cleanest and simplest solution would be : ditch the weather app.
Next best : get the "$" version.

If you have some time left : with some packet capturing, DNS hunting etc you will find the list of host names, and or "add" IP servers.
This will be an ongoing job as publicity host names and or IP addresses constantly change, as the add companies know that people are looking them up to put them on 'lists' 😊

@gertjan said in Problem installing SCANNER list:

Using pfBlockerNG-devel 3.2.0_3 on pfSense 23.01-RELEASE (amd64)

When you copy paste both URLs into a browser, you get a XML file ?

Thank you for the reply.
I am on the same version.
Yes the xml file would be visible.
I also tried adding /?xml at the end of the URL, this didnt work either.

It turns out I was having other issues as well. pfSense was not returning available package lists. Snort would not update rules either. So I made a backup, factory reset and applied specific restorations. I decided to manually reinstall Snort and pfBlockNG. This fixed the issue I was having.

@mpfrench I think you'll need to edit the config.inc file after each pfSense upgrade. They are probably trying to be as safe as possible. It all depends on what is being read in to memory...I use pfBlocker but smaller lists so don't have a problem. I've been told not to run a RAM disk on 3100s either but as long as the logging volume is low the RAM usage is low so it's all relative.

@johnpoz said in How to block a Domain and it's subdomains being accessed via IP address (without DNS-Filter):

They use the 1e100.net for their PTR for every one of their IPs.. This is a "reverse" lookup, again not something you should be concerned with.. You should be concerned with blocking the forward fqdn your device/user is trying to go too.

Yes, thank you, I read the article from the link. 😊

I'm not really worried about it either. But I hate it when a system tries to escape my control by cooking its own soup. It's just a principle that triggers me and I enjoy trying to find a solution. Besides, you always learn quite a lot in the process.

I looked at what Chrome does on startup using mitmproxy and if I saw it correctly, Chrome doesn't actually do DoH/DoT queries. Presumably some IPs are actually hardcoded.

The easiest thing to do is probably to uninstall Chrome. 😇 😂

Update...
Did a factory reset of the device and reloaded the package.
Working OK now.