Ok - done. Good so far, but if I see it happening again, I'll report back

@mhab12 said in Blocking all but the whitelist.:

https://forum.netgate.com/post/774687

Using a "dot" in Squid is the same for Unbound. Create a "local-zone" with ".", and then define all the "local-data" entries that you want to allow. Any local-data not defined will return nxdomain.

From the Unbound docs link posted previously:

local-zone: <zone> <type>

**static** If there is a match from local data, the query is answered. Otherwise, the query is answered with nodata or nxdomain. For a negative answer a SOA is included in the answer if present as local-data for the zone apex domain.

@slimaxpower said in string offset error:

So after an update and reboot I am getting curl error 28 on quite a few dnsbl feeds when updating or cron.
youtube was being blocked, but not google or gmail etc.

Something is blocking the Feed download. Review the Alerts/Reports tab to see what it could be.

You can check if DNSBL is blocking the domain with a ping command and if it replies with the DNSBL VIP. Or check the "Deny" Table to see if its being blocked by an IP Block.

@bbcan177 Yes, I did restart both services. But the issue solved itself: I've looked after a few hours again and now the log and stats are filled.

Strange, I have no idea why it took a while ...

@newyork10023 said in pfBlockerNG rule element modification and ordering:

To begin, pfBlockerNG_devel 2.2.1_2 is awesome. Wow. Thanks.

Thanks!

Certain feeds are naughty. For example, adding RFC 1918 (Private Address Space), Multicast addresses, etc., etc., etc., is just BAD. Blocking possibly necessary system addresses, including multicast addresses, etc., is just NASTY. Adding a WhiteList is not going to fix this issue. These rule elements need to be culled from the list(s), and I mean permanently.

By chance are you using Firehol Level1? That feed contains bogons and should not be used for Outbound blocking. You can also enable "Suppression" which will remove local/loopback addresss.

A couple of feature suggestions for automatic rule insertion: use rule Separators to bind automatic rule insertion to specific places in the rules. (Indeed, one of my pet peeves is that automatic rules re-arrange Separator organization in seemingly random ways.). Another suggestion would be that automatic rule insertion should not re-arrange rule ordering AT ALL (after their initial placement). Subsequent rule updates should update rules IN PLACE. I like the possibility that Separators could be used to bind automatic rule insertion. But, disabling all automatic rule insertion needs to be an option for DNSBL.

Firewall rule separators will be very difficult to implement with pfBlockerNG and auto rules...

DNSBL will block domains, it cannot block based on a URL as it is a DNS based blocker.

Thanks,
You gave me the direction I needed. I thought the Geo-IP tab was just a way to create rule in the IPv4 and v6 tab. I didn't realize it also kept rules independently. So solved
Again, thanks

Check the IPs with this shell command to see what MaxMind is listing as the GeoIP ISOcode (Change the x.x.x.x - to the IP your looking at):

geoiplookup x.x.x.x

You also need to ensure that you have the blocking rules on the appropriate outbound Interfaces.

It may be wishful thinking but my SG-3100 is running much better with lower CPU and RAM utilization across the board now that I'm using the -devel version.

Perfect! Thanks 🙂

@pfadmin said in Sync doubles virt. IP 10.10.10.1:

Hi,

I sync to 2nd pfsense in my lan so the pfdnsbl config is the same on the 2nd DNS. But the virtuell IP 10.10.10.1 is synced too so it ends with two 10.10.10.1 in my network. Am I wrong?

There is a "BETA" option in the pfBlockerNG-Devel 2.2.1 package to allow for HA setups.

In the DNSBL tab, there is an option called "VIP Address Type" which is defaulted to "IP Alias"... Since you have a HA setup, you could beta test the "carp" option which should fix this issue.... I have done limited testing with this option and as such is marked as "BETA"... but would appreciate any feedback.

I see 2.2.1 devel is now listed in my available packages. Running latest stable.

There is a Sync Tab that enable you to XMLRPC Sync to other hosts.
Another option is to copy/paste pfblockerNG settings from a config.xml to the other pfsense config.xml

@RonpfS thanks for the reply. I have the exact same NAT as yours, but still cannot browse the VIP.

@ar15usr said in No IP Alias/Group defined from Feed?:

Should I change them all?

No, those are normal when nothing is defined / configured for these entries.

Run a "Force Reload - DNSBL" and check the pfblockerng.log for more details.

@deividuska said in Site Blocking Using pfblocker DNSBL Unblock device:

@ronpfs

Hi
So what are my options in pfBlockerNG? DNSBL EasyList?

If I follow, you have one device that you do not want ad blocking on. If true, manually set the DNS on that device to the server you want. It will bypass DNSBL.