@zaber01 I run both Squid for the antivirus only as well as pfBlockerNG; however, I do not use Squid's proxy server. I believe that's where you had the conflict. Your wanting to block sites is the purpose of install pfBlockerNG, specifically to prevent clients from accessing potential harmful sites.
I would suggest spending sometime in this section of the forum learning more...we all had to do this.

@szepeviktor said in Need blocklist for amazonaws.com and stretchoid.com:

https://ip-ranges.amazonaws.com/ip-ranges.json

Well done! Thank you!

@johnpoz said in Multicast address log spam:

But floating rules are evaluated before interface rules, as long as you mark them "quick" so my guess is when you created the floating you didn't mark "quick" on it..

Yes, you're right. Thanks for the tip.

Yeah, I added a couple of feeds and nothing showed up as they do on the new install.

Maybe I'll have a look at the config files to see if there is something obvious which looks broken. But a faster solution is probably just to wipe it, reinstall and go through the wizard again, and then modify from there.

I had some minor configuration/customization which reduced the chatter from outside hits so only open ports where reported on. Easy to recreate.

I may have been a little unclear in my post, it was on whim to see if someone encountered something similar.

Brgs,

I contacted ET and they told me that there was a problem with that file so they took it down for a bit to fix it. They also said that even though they were acquired by Proofpoint a while back they have no plans to change the they they do things.

DNSBL working great so far... have deployed many boxes for customers... looking forward for whats to come... would be very nice to have features like schedules for rules in pfBlocker/DNSBL and specially regex filtering like we had in squid... im willing to contrib in any ways possible with these... totally worth a patron membership now.

What's important is the effect of the block list causing the firewall to block "itself" inadvertently (ie: inbound/outbound connections on a port for a required service, such as remote administrative access being blocked at the branch site, by "itself"), while trying to maximize efficiency - shunning undesirable traffic, first. Yes, one might argue to place the administrative service -prior- to the block lists, but why expose any service to sources that are considered "bad" for one reason or another? Would think that most folks would like the advantage of knowing that blocked addresses are simply rejected in total to reduce superfluous traffic. However that obviously backfires if an address ends up on a list. If pfBlocker logically allows the firewall to "block itself", the protection becomes equal to the risk of not blocking those addresses. External interface with logical rule ordering:

Block RFC-1918 Block Bogon Block from <lists> Block to <lists> All other rules

As a temporary 'hack' added the following shell script to remove anything that matches for the specific IP Address, but does little if for some reason the network were to end up in a list. This was added to the cron jobs by tacking on " && /bin/sh <script-name>" so that at conclusion of each update, any interface IP addresses would be removed. Not the "best" solution, but a "gross" temporary means. It still unfortunately means that until the processing by pfBlocker is completed - some services could be interrupted (vs performing exclusion prior to pushing the new table data in which would protect legitimate connections). With pfBlocker set to a cron interval of 1 hour - this means that any connection exceeding 1 hour would be 'clipped'. Script:

#!/bin/sh

export SCRIPTNAME="echo $0|sed -e's/^.*.\///'"
for IP in ifconfig -a | grep 'inet '|sed -e's/^.*.inet //'| sed -e's/ .*//'|grep -v '127.0.0.1'|sort -u
do
for TABLE in pfctl -s Tables | grep '^pfB'|sort -u
do
export CHECK="pfctl -t ${TABLE} -T show | grep ${IP}"
if [ "x${CHECK}" != "x" ]; then
pfctl -t ${TABLE} -T delete ${IP} >/dev/null 2>&1 3>&1
logger -t ${SCRIPTNAME} " : ${TABLE} : ${IP}"
fi
done
done

The point still remains that if by way of DHCP IP address changes or unexpected entry to a list - production services could be blocked inadvertently. The complexity (programmatically) could be a bit daunting based on what's available for efficient and fast processing of v4 and v6 addressing. Using something in 10.0.0.0/8 as crude example:

Interface IP Address: 10.57.93.84
Network in block list: 10.56.0.0/15
Would need to translate to: 10.56.0.0/16,10.57.0.0/18, 10.57.64.0/20,... 10.57.93.0, ... 10.57.93.83, 10.57.93.85, ... 10.57.93.255, 10.57.94.0/23, 10.57.96.0/22, ...

Noting that 10.57.93.84 being removed from list as it occurs on an interface. This would increase table sizes where its network centric. It also adds overhead to the process as each leading octet would need to be vetted (ability to ignore processing where lead octet doesn't match any of the leading octets for interfaces present).

Notionally, maintaining all of the other "blocks" while excluding (at a minimum) interface address and potentially interface network(s). Otherwise, you'd end up either losing a significant protection or having to use overrides that nullify the advantages.

Assertion being that if an IP Address ends up in a list - you don't want communication with that IP Address. Unfortunately, when the IP address on one of the firewall's interfaces ends up in a list.... After realizing what happens, it becomes a palm-to-forehead moment that could result in a less than enjoyable discussion.

Granted, one might hope to think that any given address static or dynamic that they use wouldn't end up on a list, but its possible. Interestingly enough, the dynamic IP Address was evidently already on a list for a type of service that is specifically denied outbound in the firewall (making it all the more agitating).

@jdeloach Sounds exactly what is needed! Thank you!

That did not solve the issue. Then I tried your 2nd suggestion and it seems to have worked. No issues so far. Thanks a lot for the quick help.

@Stewart said in dnsbl Crashing:

Congratulations. I've seen plenty of instances where c-icap, Squid, SquidGuard, Snort, etc. have crashed. Many times it's because of lack of space, usually because a log file (often Snort or Suricata) gets out of control and fills the entire SSD.

And how does using the watchdog to restart them makes any sense in that cases? If disk is full the service dies. That's normal. It's just like @Gertjan says: simply restarting with a "dumb" service checker doesn't do any good. I've tested the package myself and simply found no use case at all. All points where one could use it have underlying problems as cause that you have to fix yourself (or by correcting settings etc. etc.) so simply hitting restart after restart doesn't do any good to them.

But besides that, with Surricata and probably other memory eaters, 4GB seem a bit on the very low side when running DNSBL mode with pfBNG. Do you have other memory intensive settings activated in pfBNG?

@Elliott32224 so it turns out it didn't fix my issue actually. Lol AliExpress apparently uses a plethora of sources for images on their site/app... I may have to figure something else out in order to get it to work lol

I think I know what is going on. One of my other block lists already included this lists IP addresses (via an ASN list), so they must be interefering due to the deduplication list. After disabling dedupe and forcing a reload I can see the list as it should be.

Sorry for bringing up such an old post, but the recommendations @BBcan177 mentioned worked for me. In my case, I had to make sure the two ports used for HTTP and HTTPS traffic didn't overlap with any other rules I had already defined.

It appears that the site you were visiting has been blocked by the DNSBL. You'll need to create another DNSBL list and add the sites you were visiting that you know to be safe...be sure to set group order to primary and disable logging as shown below. Then add the sites to the DNSBL Custom_List. Then, force reload pfBlockerNG.

Screen Shot 2019-11-21 at 11.30.20 PM.png

Screen Shot 2019-11-21 at 11.30.52 PM.png

I can tell there are many of you dying to know what happened with this. </sarcasm> I rebooted the whole firewall. Botta bing botta boom. Both are blocked now. That didn't cross my mind to do that because you wouldn't think that'd be necessary for such a problem, but...isn't that actually always the answer?

@mh13 said in Can I block IPs of my DNS-based lists?:

Automatically?

That's the feature we're waiting on you to develop.

@BBcan177

Thanks for your help. It's error was resolved.

I'm using Safari.
At least, to view Youtube.

I'll try to block outbound DNS not using the resolver on pfSense and disable DoH on Firefox.

@BBcan177
I see. I was hoping there would be a way that I was just ignorant of. Thank you for taking the time to review this.

If anyone else has a suggestion beyond manually resolving these domains externally and manually updating the lists, please let us know!