• Crash report when selecting GeoIP Top Spammer country from list

    5
    0 Votes
    5 Posts
    461 Views
    D

    @BBcan177

    Excellent, with fix 3.2.0_20 crash has been solved! Thanks so much for all your support!

  • pfBlockerNG_devel commit reverse

    38
    12 Votes
    38 Posts
    6k Views
    TommyMooT

    Updated pfBlocker devel from 3.2.0_19 to 3.2.0_20 ... all good (on x86 qemu), GEOIP / ASN entries etc. all working well. Thank you for the update! 😊

  • What triggers ASN downloads if the ASN reporting is disabled?

    3
    0 Votes
    3 Posts
    460 Views
    W

    @jrey Thanks for reply.

    I have not registered for, and am not inclined to register for an IPInfo token as I am not intentionally trying to do anything with ASN features.

    Isn't enabling ASN Reporting going to create more notifications, not remove the one I'm trying to get rid of?

    Thanks

  • [SOLVED] IDN converted: [ can’t ] [ xn--cant-x96a ].

    2
    0 Votes
    2 Posts
    291 Views
    HorstZimmermannH

    lists are working fine now....

    I just updated from pfBlocker devel v.3.2.0_17 to pfBlocker devel v.3.2.0_19

  • pfSense-pkg-pfBlockerNG-devel: 3.2.0_18 -> 3.2.0_19

    1
    3 Votes
    1 Posts
    242 Views
    No one has replied
  • TLD allow - how to DNSBL whitelist local domain without a tld?

    6
    0 Votes
    6 Posts
    683 Views
    johnpoz

    @rle well, not understanding what problem you're wanting to solve then.. Via DNS you're not going to be able to resolve trivy-server; the only way to resolve that is via the device talking to itself, i.e. its own name - or via a broadcast, or something like mDNS, which would be trivy-server.local and the device itself answering.

    In what scenario would asking DNS for trivy-server work, since it is not a valid DNS query - so how would you allow it or not allow it in pfBlocker in the first place?

  • Keep settings

    2
    0 Votes
    2 Posts
    210 Views
    Gertjan

    @Antibiotic

    6d334907-5940-4713-8648-83a23ed2c3d7-image.png

    was made for you ...

  • Custom Client Lists in pfBlockerNG

    6
    0 Votes
    6 Posts
    747 Views
    N

    @smolka_J said in Custom Client Lists in pfBlockerNG:

    I'm waiting for pfSense's move to the Linux kernel that's coming down the road ...

    I'm sorry, what?

  • Custom block list for specific subnet ?

    2
    0 Votes
    2 Posts
    319 Views
    Gertjan

    @mzeid said in Custom block list for specific subnet ?:

    pfblockerng block different lists for specific subnet

    While adding a new DNSBL feed here, Firewall > pfBlockerNG > DNSBL > DNSBL, you cannot select "use feeds only on interface LAN & LAN2" or "use feed only on interface LAN2 only"; DNSBL feeds (filtering) apply to all interfaces.
    That is, this is valid when the "Python mode" is used.
    A feature request?

    Btw: the above is 'very AFAIK', of course.
    For a school I would probably consider using a Pi-hole also.

    As the DNSBL Python filtering script is (I guess) aware of the requester IP, thus the network, thus the interface, it could be capable of 'per interface' filtering.

    In the past, before we were using pfBlockerng, and used handcrafted 'unbound' config rules, here :

    d451e5e1-6886-42ee-b577-9ea9f9d427c8-image.png

    we were able to set up DNSBL files 'per interface' (per network).
    This meant that this one was our guide line.

    @mzeid said in Custom block list for specific subnet ?:

    bypassing one of the IP addresses

    That's the policy group setting :

    e41d7108-7cd8-424e-acd9-d3b82e996bd6-image.png

    and from now on, this device will bypass DNSBL filtering

    Btw :

    @mzeid said in Custom block list for specific subnet ?:

    teacher's computer

    I'm pretty sure the teacher doesn't mind he can't visit these sites either ^^

  • DNSBL Category not working

    1
    0 Votes
    1 Posts
    271 Views
    No one has replied
  • optimize config with GeoIP Alias

    11
    0 Votes
    11 Posts
    1k Views
    S

    @johnpoz I get back here tmrw ... it's late already in my timezone.
    Thanks so far!

    edit: currently sick since monday ... I'll get back here asap

  • No more connection to the Internet

    2
    1 Votes
    2 Posts
    373 Views
    R

    Hi
    I have a similar problem. I have had pfSense for many years with no issues with pfBlockerNG; recently I upgraded to the latest version of pfBlockerNG, 3.2.10. I lost full internet access for my single LAN. Turn off pfBlocker and reboot the firewall through the GUI or console, and Internet connectivity is back on. After trying to troubleshoot for a while, I finally gave up and did a fresh install; the problem is still the same.
    Another odd thing I noticed in the 3.2.10 version of pfBlockerNG is that for the GeoIP settings to block and edit which countries to block, the edit button was missing. Not sure if others have this issue or if this is a bug in this release.

    Any ideas on what is causing pfBlockerNG to break internet connectivity? I have a simple design:

    WAN interface, DHCP
    LAN interface, DHCP Class C addresses
    pfSense current stable version 24.03 rel1
    pfBlockerNG 3.2.10 (currently not installed on a fresh install)
    Want to install and get back to blocking ranges of IPs based on location/country

    I have another test PC that I can install the pfblockerng and test out the internet connectivity, hoping you can provide a tip to solve this issue.

  • "Deny Inbound" and "Alias Match" kill ALL outbound states during reload

    3
    0 Votes
    3 Posts
    404 Views
    T

    @tman222 Yes, disabling the "States Removal" for the particular list(s) is what I did as a workaround. I looked for the code responsible when I made the post and recall pfblockerng is behaving as described in my first post. That is, if an IP address in a list is found in states, and "States Removal" is enabled, regardless of the "List Action", the state is removed. I retired my investigation since.

  • Groups.IO access/no access

    4
    0 Votes
    4 Posts
    447 Views
    W

    @SteveITS A little snooping (thanks for tip), I may have found the culprit. Now to see if I can fix it. The logs told me what was happening.
    CINS_army_v4,lb02.groups.io,Unknown,null,+
    CINS_army_v4,lb02.groups.io,Unknown,null,-

    I unchecked/shut off the CINS_army feed and did a reload. That appears to have solved the issue. I'm just concerned why it was blocked recently. I don't stay up on some of this stuff, but even my work environment didn't block groups.io (and they block a lot).

  • pfBlocker remove Shalla and UT1

    12
    0 Votes
    12 Posts
    1k Views
    M

    @smolka_J No tweaking, I don't like that.

  • Firewall rules question

    5
    0 Votes
    5 Posts
    576 Views
    telservT

    @johnpoz Thank you for the detailed and quick reply! I'm still looking at it to ensure I understand.
    @ahking19 I did understand your message, and I created the firewall rules myself, as opposed to auto. Thank you.

  • Download failed for certain Lists "PFB_FILTER - 17"

    12
    0 Votes
    12 Posts
    992 Views
    S

    @Beerman Some form of fix will be but may be in a different area or dependency package that pfBlockerNG uses. That line wasn't present in 3.2.0_8 and earlier versions of the pfblockerng.inc so I'm assuming something had changed in the magic database file(s) that's used to determine mime types. I have a similar error on feed PRI4_v4 - CCT_IP_v4 https://cybercrime-tracker.net/fuckerz.php that is coming up invalid Mime Type application/javascript, while the same feed is working fine on my CE VMs on pfBlockerNG 3.2.0_8. Tried adding a line with 'application/javascript' but that didn't do anything for it specifically

  • changes to snort.org/talos intel ip block list affecting pfBlockerNG

    2
    2 Votes
    2 Posts
    2k Views
    S

    They had an earlier post about the upcoming changes as well which kinda explains it better:
    https://blog.snort.org/2024/08/upcoming-changes-to-snortorg-sample-ip.html

  • pfBlockerNG update kills web UI

    9
    0 Votes
    9 Posts
    947 Views
    P

    My Plus offers me an upgrade to 3.2.0.10. Is that safe? Or should I stay on 3.2.0.9?

  • pfblocker - speed up search

    14
    0 Votes
    14 Posts
    889 Views
    J

    @michmoor said in pfblocker - speed up search:

    I can't speak for @Gertjan but

    just looking at the various screen captures provided the return expectation of @Gertjan is at least 500 results. That means on whatever search you are doing please return the most recent 500 that match. For alerts in particular if all (4) sections of the report have the same return value limit and you are searching you are telling each section to return 500 results. Could generate a lot of reading and then looking up related "stuff" to do that on top.

    Screen Shot 2024-09-20 at 6.15.34 PM.png

    if you are looking for DNSBL set that field to 50 to start, set the other 3 to 0
    Screen Shot 2024-09-20 at 6.43.57 PM.png

    for the alerts report Unified setting and DNS Reply setting will have no impact
    this is how the 6 return value settings line up to the 3 reports.

    Screen Shot 2024-09-20 at 6.46.14 PM.png

    Sorry, the IP Permit and IP Match both go to Alerts; I made the green lines too wide and they overlapped. Honest, there are 4 green lines there... 😊

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.