Security through obscurity.. (if you believe that..) Use a different port number. That will keep some of it down.

@bbcan177 I am already using pfBlockerNG-devel, and i read yesterday about this bug with unbound reported after @RonpfS told me. Pfblocker is doing his job from what i saw,i was just curios about the ram behavior. Thanks both for the help .

@ronpfs said in Does it really matter????: A SSD could improve processing, but a decent HD should be ok. Many thanks that's all I needed to know really. bless you, my friend, and have a happy xmass and new year ;)

Won't this option work from my previous post: DNSBL is hardcoded to only use Unbound. However, you can still use Bind but would have to set Binds Outbound Forwarder to point to the pfSense Resolver so that DNSBL could be utilized. Sure, I've succesfully tried to use unbound as bind's forwarder to allow DNSBL. The downside of this solution is the poor dns performance and the overall complexity of the setup. The advantages of a setup using pfBlockerNG and bind are: an autoritative dns server to host local zones DNSBL features in place per view (which can be similiar as defining DNSBL per Interface) the functionalities from bind itsself few dependencies I found a very nice way to put all the zones from pfBlockerNG into bind using RPZ feature. (http://www.zytrax.com/books/dns/ch9/rpz.html) This way I've added ~300.000 blocklist zones into several views with very low memory footprint :) I'll update the script into my github repo.

@dragoangel I still don't see this related to the package. It sounds like something is incorrectly configured for the gateways... Check the pfblockerng.log, resolver.log, system.log for more clues to see if you can narrow it down. Best to post this question to the applicable Forum for more traction.

@expert_az https://forum.netgate.com/topic/129365/bypassing-dnsbl-for-specific-ips

@razaqad said in disable dnsbl from cron: Im a noobie to pfSense. Can someone tell me an example script to fulfill the purpose which i can call with cron to start and stop pfBlocker at specified times. There is no example. Its a custom script that might take some time to code and test. This is something that I want to add to the package at some point, but maybe for next year.

I am really not experienced in this, but looking at the pcap files I see the DNSBL Webserver ends the connection with DST: HTTP/1.1 200 OK DST: Cache-Control: private, no-store, no-cache, must-revalidate, max-age=0 I guess it does not store any data on pfsense, otherwise the pfsense box would run out of storage in minutes. I can say that this has no effect on the firewall itself (other than the processing power), however, it could actually saturate the local bandwidth because I've seen that one device uploading around 300MB in a couple of minutes. Of course I can set up limiters, but why not prevent that client from uploading in the first place? So, is there a way to allow clients to perform only GET request from the DNSBL webserver? since they shouldn't be uploading anything really (again, I am really not experienced and I even don't know if this is a valid approach). The VIP address is configured to listen to a LAN interface. Other than that, the pfBlockerNG is working great and it's awesome. Thanks!

@jmiller said in How to restrict custom websites with PfBlockerNG-Devel?: You're referring to the domains people are visiting that are generating the tagged ads not the ads etc. lists right? Because I used the wizard and took all the default settings and no matter what site my users go to it generates the Certificate error. The sight is still reachable but boy do I hear the bitching about all the cert errors and I've been trying to stop that. Thx in advance for any input and keep up the great work. Excellent package for Pfsense!! Its usually some google domains... but probably just a handful of them at the moment... and yes the domains.

I solved by deleting the relevant rules. (pfB_Top_v4')

@bbcan177 If I have multiple Vlans configured and I want different rules for different Vlans, How do I do it? How do I create aliases using DNS blacklist atleast via pfblockerNG?

@qwerty123 said in Global Logging option: In pfblocker, I see a "global logging" option in the settings. I was wondering what this option does. Ideally, I'd like to move the alerts from the reports tab (specifically, dnsbl but ideally both) into the firewall logs, so I can see where it's getting blocked. If this is not an option, the other idea I had was trying to get it to send the logs to syslog. The "Global Logging" option is used to globally enable Firewall Rule Logging (When using Auto rules). Alternatively, you would enable/disable logging in each IP Alias independently. All IP/DNSBL Logs are saved to the Alerts Tab. Its best to use that tab instead of the pfSense Firwewall log. DNSBL logs are not visible in the Firewall logs anyways. Also recommend to move to pfBlockerNG-devel.

pfBlockerNG already has all of this functionality... Check out pfBlockerNG-devel.

@bhjitsense This just defines what interface to bind the DNSBL Webserver to. You can just use LAN. If you have VLANs, then select the DNSBL Permit Rule option and select the Interfaces that should be allowed to hit the DNSBL webserver address. This will create a Floating Permit rule with those settings.

@kiekar Just create a new Whitelist for the WAN. You can add the IPs to the customlist at the bottom. With pfBlockerNG-devel you can add IPs to the whitelist automatically by clicking on the "+" icon. You can use the Adv. Inbound Rule settings, to only allow these specific whitelist IPs to access the mail server LAN IP and its open ports.

https://forum.netgate.com/topic/129365/bypassing-dnsbl-for-specific-ips

The TOP1M feed can be used to whitelist the most popular Domain names to avoid false positives. So it is used to remove popular domains from your blocklist. If you inspect pfblockerNG.log you will see that in action: [ Phish_OpenPhish ] Downloading update11/24/18 11:20:07 | .11/24/18 11:20:07 | . 200 OK11/24/18 11:20:07 | . TOP1M Whitelist: risechma.weebly.com|tw.screener.finance.yahoo.net| ---------------------------------------------------------------------- Orig. Unique # Dups # White # TOP1M Final ---------------------------------------------------------------------- 1846 742 211 0 2 529 ---------------------------------------------------------------------- 11/24/18 11:20:11 | IPv4 count=13 11/24/18 11:20:11 | In this case it removed 2 domain names from the blocklist.

@atlan Not at the moment; however, when the Unbound Resolver python integration is added, we will be able to do regex blocking amongst many other new features. I have been waiting for the devs to add the python integration so that the package could easily integrate with the Resolver without unnecessary backend workarounds.

Do you have VLANs? If so, make sure that the devices on the vlan can ping and browse to the DNSBL VIP address. There is a "Permit Firewall Rule Option" in the DNSBL Tab which can be used to create a Floating Permit firewall rule to allow your vlan segments to hit the DNSBL VIP address, otherwise the VLANs could timeout when trying to connect to the DNSBL Webserver.

@talaverde said in Still having classic problem of blocked URLs with 'unknown' feed: Even after a completely fresh reinstall, I keep getting unwanted URLs on the DNSBL block list with 'unknown' feed. Here are some examples: wsapi.skype.com static.asm.skype.com consumer.entitlement.skype.com in.appcenter.ms All of these domains above have a CNAME. Is it possible that these CNAMES are in your Blocklists? drill @8.8.8.8 wsapi.skype.com wsapi.skype.com. 2995 IN CNAME client-ws.gateway.messenger.geo.msnmessenger.msn.com.akadns.net. client-ws.gateway.messenger.geo.msnmessenger.msn.com.akadns.net. 59 IN CNAME eus-wsapi.cloudapp.net. eus-wsapi.cloudapp.net. 58 IN A 13.92.27.116 drill @8.8.8.8 static.asm.skype.com static.asm.skype.com. 1657 IN CNAME static-asm-skype.trafficmanager.net. static-asm-skype.trafficmanager.net. 299 IN CNAME nus1-authgw.cloudapp.net. nus1-authgw.cloudapp.net. 52 IN A 40.77.16.143 drill @8.8.8.8 consumer.entitlement.skype.com consumer.entitlement.skype.com. 1969 IN CNAME sconsentit9.trafficmanager.net. sconsentit9.trafficmanager.net. 299 IN CNAME sconsentit903.cloudapp.net. sconsentit903.cloudapp.net. 8 IN A 40.122.44.183 drill @8.8.8.8 in.appcenter.ms in.appcenter.ms. 732 IN CNAME in-secondary-prod-east-us2.prod.avalanch.es. in-secondary-prod-east-us2.prod.avalanch.es. 129 IN CNAME 0e6fa46e-9c94-4256-b449-4f54c1f1e69f.cloudapp.net. 0e6fa46e-9c94-4256-b449-4f54c1f1e69f.cloudapp.net. 47 IN A 13.68.31.193 drill @8.8.8.8 download.windowsupdate.com download.windowsupdate.com. 1303 IN CNAME 2-01-3cf7-0009.cdx.cedexis.net. 2-01-3cf7-0009.cdx.cedexis.net. 239 IN CNAME b1ns.au-msedge.net. b1ns.au-msedge.net. 27 IN CNAME b1ns.c-0001.c-msedge.net. b1ns.c-0001.c-msedge.net. 27 IN CNAME c-0001.c-msedge.net. c-0001.c-msedge.net. 27 IN A 13.107.4.50 grep -r -l "wsapi.skype.com" /var/db/pfblockerng/* When I run this command, these files show up /var/db/pfblockerng/dnsbl_cache.sqlite /var/db/pfblockerng/pfbalexawhitelist.txt /var/db/pfblockerng/top-1m.csv Even if I delete those files and run a reload update, they still show up. They won't go away. I figure out how to keep these from being blocked or show up on the list. it seems like every .skype.com subdomain is being blocked. I've added skype.com, .skype.com and even the subdomains themselves to my whitelist. Still, no difference. Any thoughts? What is dnsbl_cache.sqlite? Is that just a log? The dnsbl_cache.sqlite is a database to show the last blocked event. You don't need to delete that file. And definitely don't need to delete the TOP1M Database (Whitelist). You need to grep for DNSBL events as: grep "example.com" /var/db/pfblockerng/dnsbl/*