  • Could not open ISO

    3
    0 Votes
    3 Posts
    806 Views
    A

    @steveits We created the new key with your instructions. We also changed after the key, the field: MaxMind CSV Updates. Cleared: Check to disable MaxMind CSV updates. And after updating, the download directory /usr/local/share/GeoIP/cc/ populated with files and can select the countries. Problem solved, thank you Steve!

  • MaxMind configuration to update list GeoIP

    11
    0 Votes
    11 Posts
    3k Views
    S

    @johnpoz said in MaxMind configuration to update list GeoIP:

    create the alias with the feeds you want to use

    John is correct, just wanted to note for you that this is accomplished via "Alias Native" which creates an alias without a deny rule.

  • pfBlocker not logging after 2.5.2 pfSense upgrade

    53
    6 Votes
    53 Posts
    10k Views
    GertjanG

    @MG85

    Here is my regex.
    It's more a test-of-proof sample for me. I remember finding it somewhere on Reddit.

    ^(.+[_.-])?adse?rv(er?|ice)?s?[0-9]*[_.-] #Regex RGX1
    ^(.+[_.-])?telemetry[_.-] #Regex RGX2
    ^ad([sxv]?[0-9]*|system)[_.-]([^.[:space:]]+\.){1,}|[_.-]ad([sxv]?[0-9]*|system)[_.-] #test RGX3
    ^adim(age|g)s?[0-9]*[_.-] #Regex RGX4
    ^adtrack(er|ing)?[0-9]*[_.-] #Regex RGX5
    ^advert(s|is(ing|ements?))?[0-9]*[_.-] #Regex RGX6
    ^aff(iliat(es?|ion))?[_.-] #Regex RGX7
    ^analytics?[_.-] #Regex RGX8
    ^banners?[_.-] #Regex RGX9
    ^beacons?[0-9]*[_.-] #Regex RGX10
    ^count(ers?)?[0-9]*[_.-] #Regex RGX11
    ^mads\. #Regex RGX12
    ^pixels?[-.] #Regex RGX13
    ^stat(s|istics)?[0-9]*[_.-] #Regex RGX14

    Keep in mind : the ending
    "Space # text string" needs to be unique.

  • pfblockerNG slows network traffic and I get an error

    1
    0 Votes
    1 Posts
    186 Views
    No one has replied
  • How to Whitelist Single IP address of users in PFBLOCKER

    1
    0 Votes
    1 Posts
    224 Views
    No one has replied
  • appears to be working, but reports are empty

    1
    0 Votes
    1 Posts
    288 Views
    No one has replied
  • Logging when using IP “ALIAS DENY/PERMIT” lists

    1
    0 Votes
    1 Posts
    144 Views
    No one has replied
  • Unbound reliability goes down when using pfBlockerNG

    1
    0 Votes
    1 Posts
    189 Views
    No one has replied
  • Recommended staple IPv4, IPv6, DNSBL lists

    8
    0 Votes
    8 Posts
    1k Views
    S

    @code4food23 said in Recommended staple IPv4, IPv6, DNSBL lists:

    why not use both? and how can tell if they show up in rulesets

    There's no point in scanning for DROP packets in Snort if they were blocked by the firewall. Category emerging-drop.rules is the Spamhaus DROP list. Click the category name to open the file and it usually has a note explaining what it is.

  • Unable to Connect to Outbound IP Address

    1
    0 Votes
    1 Posts
    201 Views
    No one has replied
  • Custom DNSBL rules or Group Alias [FQDN]

    7
    0 Votes
    7 Posts
    1k Views
    N

    Alright, thanks for the help, @keyser!

  • Why can't i add ip to whitelist?

    1
    0 Votes
    1 Posts
    193 Views
    No one has replied
  • 'Catch 22' with fresh install, pfBlockerNG 3.0.0.16 and Python enabled

    10
    0 Votes
    10 Posts
    1k Views
    fireodoF

    @gertjan said in 'Catch 22' with fresh install, pfBlockerNG 3.0.0.16 and Python enabled:

    A solution was posted https://redmine.pfsense.org/issues/12274.

    The 'patch' should be installed with the pfSense patch package.

    Thank you! Done.

    Can't really test it, as I have to reinstall pfSense, something I've never had to do (for the last 10 years), I just upgraded .....

    Lucky You! 😀

    Regards,
    fireodo

  • pfblockerng ssl interception

    8
    0 Votes
    8 Posts
    3k Views
    GertjanG

    @tomtheone said in pfblockerng ssl interception:

    My goal would be to prevent the SSL warning

    You can't. I can't. And the day someone manages to do so, we can all power down our pfSense and do other things, as the final judgement day has arrived.

    See here why you can't - the browser will always show an error.

    True, browsers could show a "friendlier" message.

    And true, with a proxy solution, you could make all involved browsers (all your local LAN devices) trust the cert of the DNSBL pfBlockerNG web server. But that means you control every device involved and in that case you could simply tell every user involved : "If a site doesn't seem to show up, don't worry - you didn't want to look at it anyway".

    Btw : all this isn't related to pfSense, as pfSense doesn't care about encryption protocols etc. https, or TLS. It's about how and why web servers and web browsers allow secured connections.
    Install Youtube, ask for some "TLS" videos, and a couple of instances later you will become aware of how it all works.

  • VLAN interface rules deleted after pfBlockerNG cron update runs

    1
    0 Votes
    1 Posts
    130 Views
    No one has replied
  • pfBlockerNG Reports DNSBL Block HTTPS empty

    8
    0 Votes
    8 Posts
    1k Views
    keyserK

    @focheur91300 Unfortunately I can’t. I’m on an SG-2100 with an 8Gb eMMC that would be worn out in a year by using python mode, so I’m using Unbound Mode like you.

    But there are several posts here on how to configure python mode, and it’s very easy.

  • GeoIP blocking with IP supression

    4
    0 Votes
    4 Posts
    431 Views
    johnpozJ

    Doesn't have to be on floating, but that would be one way to put it before a rule on interface. It needs to be above the rule you're using for pfblocker.

  • pfBlockerNG-devel net

    7
    0 Votes
    7 Posts
    1k Views
    GertjanG

    @naveen7355 said in pfBlockerNG-devel net:

    https://gist.githubusercontent.com/BBcan177/4a8bf37c131be4803cb2/raw

    Why would you show that one ?
    Of course it works.

    You should test the urls in YOUR setup - not mine.

    @naveen7355 said in pfBlockerNG-devel net:

    its updated now but still website is not blocking

    ?+?+?

    And again, You do not mention details about your setup.
    Neither that you tried to visit hosts that are blocked (== list in the DNSBL feeds).

    What about this test :

    [image]

    From any of these 3 lists, take some domain names listed in these feeds (again : do not use my example feeds I use, use YOUR DNSBL lists) and test them in your browser.
    The counters should start to increment.
    The Firewall > pfBlockerNG > Alerts should show that that domain name was blocked and reference the feed you got it from.

  • pfBlockerNG Script

    2
    0 Votes
    2 Posts
    383 Views
    GertjanG

    @yorke

    PfBlockerNG hooks into unbound, being a resolver.
    All it sees are DNS requests, going and coming from some DNS servers.

  • pfBlockerNG-devel Reports Show Blocked IPv6 as SRC Outbound (Backwards)

    1
    1 Votes
    1 Posts
    174 Views
    No one has replied
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.