bmeeks put a great guide together, a little dated but still a good thread…(thanks bmeeks!)
https://forum.pfsense.org/index.php?topic=61018.0

This is a more recent thread:
https://doc.pfsense.org/index.php/Setup_Snort_Package

This will get you going...

My suggestions would be:

When you setup the interfaces resist the temptation to "Block Offenders" at the start...you can use it as a IDS then move to IPS. It will block a lot! Use the "Snort VRT IPS Policy Selection" to start depending on your needs...i.e. Balanced/Connectivity/Security Use "Service_Watchdog" package as well in case it stops...

I think any of the IDS/IPS packages use hardware resources...so make sure your setup is strong enough...not hard to setup! Requires some attention to get going...quite a few false positives to start that block traffic(hence start with IDS to start).

Good luck...

Try to reinstall pfblockerNG.

If the error persist, then you may have to reinstall pfsense as curl_init is a basic pfsense curl function.
You may probably be able to recover without reinstalling, check the Installation and upgrade forum https://forum.pfsense.org/index.php?board=4.0.

Like firehole … https://forum.pfsense.org/index.php?topic=135257.0

Yes that was exactly the issue. So i turn that list OFF.

Thnx

Beats me. You applied the changes to the FW Rules ?
Enable logging on the rule and see what's happening in Firewall logs.
Also check the LAN rules

I had to reboot after the restore and that fixed it.

thanks

@BBcan177:

@J24:

Looking for a few insights on how to interpret the columns and data in this pfBlockerNG dashboard widget.  Thanks!

Top Header shows the last time the MaxMind GeoIP was updated.

Green check shows pfBlockerNG is enabled with 772 IP entries
Green check shows that DNSBL is enabled with 3,012 domain entries.

The "Alias column" is the name of the IP/DNSBL group that is configured in the IPv4/6/GeoIP/DNSBL tabs
The "Count" is the Number of entries in each Alias/Group.
The "Packet" is the Number of events processed by each Alias/Group.
The "Updated" is the last timestamp where the Alias was updated.
The Green up arrow shows that Rules are enabled for the Alias (IPv4/6 only)
The Black down arrow shows that there are no Firewall rules associated (IPv4/6 only)
The Number in parenthesis is the Number of firewall rules associated (IPv4/6 only)

Thank you!

I had bad luck with iBlock lists….here is a recent link with some better lists:

https://forum.pfsense.org/index.php?topic=135257.0

Assuming you have set it up correctly, take a look at the alert tab in pfBlocker to see what alerts and lists are being triggered.

Good luck,
V

@BBcan177:

You can use Unbound in Resolver mode or in Forwarder mode…. Still recommended to use Resolver mode so that you use the Root dns servers... but that's up to you to decide....  Also keep in mind that not all Forwarders support DNSSEC.

Thanks for this info. The resolver mode was often noticeably slow on some lookups - maybe there is some other config option I have screwed up?

Will do.
Thanks!

No, I'm not using the traffic shaper.

@motific:

I have had a look at this feed a while back. It is pretty poor IMHO and I wouldn’t recommend it, if they included the suggested changes it would be even worse.  One of the worst things is that it just arbitrarily blocks random chunks of Microsoft services (including ones you may have whitelisted) by blocking some of the intermediate CNAME domains (like a-msedge.net)  Not to mention that some of them are not tracking servers but provide other services (like the weather for the live tile.)

Quite a lot of the lists blocking Microsoft tracking are similarly bad,  I have to assume that they don’t test very well if at all.  Recently I’ve had to pull the Phishtank feed (supposedly a list of phishing domains), the last straw was when they added login.live.com (which is quite a useful one if you actually use pretty much any Microsoft services at all!)

I’m not bad at tracking down the DNS responses to find the issues but for a relative novice to find a whitelisted domain suddenly blocked and showing as whitelisted in pfB it would be infuriating.

I have always been hesitant to recommend these types of Feeds… So unless there is more feedback, I will just hold until more people chime in....

@RonpfS:

When you disable pfBlockerNG, it removes the aliases and FW rules it created (auto-rule).
In your case of Alias type table, you have to disable the pfb_ FW rules before disabling pfBlockerNG.

I'm assuming this can be scripted in some way, as I have far too many to do on an individual basis…

Found it, in the [filter][rule][0][disabled] array, when using pfSsh.php

EDIT: i tried to disable a rule to see a change in the [filter][rule][0][disabled] variable, and interestingly enough it didn't change from being empty, i would have expected to be set to "yes". am i missing somthing?

Not sure of a "perfect setting"? But I suspect the "faster" your hardware and the more RAM the quicker it will run…you don't need software as it is a pfSense package.

What I have discovered is what can make pfBlocker the best is the quality of your lists be them IPv4 or DNSBL lists.

https://forum.pfsense.org/index.php?topic=125996.0
https://forum.pfsense.org/index.php?topic=120253.0

OK, I got it… thanks for clarifying that for me.

What does the

Status / System Logs / System / General

Status / System Logs / System / DNS Resolver

Status / System Logs / Firewall

shows ?

@BBcan177:

Anything that is blocked is reported to the Alerts Tab… So that is where I saw it being blocking by an IBlock ADs feed... You might not have that Feed enabled? But could be in another feed....

The "Auto" rules won't work for everyone.... There are some common boiler plate options, and if they don't fit your network design, then you need to use "Alias Type" rules and manually create the rules as required.

Click on the blue infoblock icons in the IPv4 tab on how to do that...

Suppressing the IPs (Only for /32 or /24 blocks) is the best choice.... so that you don't need the permit rule. But if you require the Permit whitelist, then you need to find a rule order option that puts the permit above the block... or use Alias type rules...

There is a trick where you can edit all the pre-defined pfBlockerNG rule "descriptions", and change the prefix to "pfb_" lowercase.

Then Disable the package.
Edit all of the IPv4/6/GeoIP aliases to be "Alias type"
Then re-enable the package…

This way the rules are created by the package initially so that you don't need to manually create them all... Any rules that start with "pfB_" are managed by the package on each cron or Force command.

Thanks, I did as you said. Replacing all the pfB_ with pfb_ in the descriptions. However, when I went to re-enable DNSBL, I don't see rules for it (including the floating one). I might of forgot to lowercase the rules associated with DNSBL…

How would I get back the rules for DNSBL including the floating rule for the VIP? Enabling/Disabling DNSBL has no effect.

Also after this modification when I disable pfB I get tons of notifications, am I doing something wrong here?

Follow up:

Works like a charm!

For the lists: Deny on both inbound and outbound, and logging enabled.
Advanced inbound: UDP/TCP and a port definition alias which contains my open WAN ports. Also added the most common ports and ranges which UPNP opens for devices on the inside.

Result is a very tidy firewall and alert log with kept logging for all outbound traffic trying to connect to nasty stuff and logging for anything trying to reach my open WAN ports.

So, mission complete.
Brgs,

You can create "Alias type" aliases which will just create the IP table of IPs… Then you can manually create your firewall rules associating the applicable aliastable.

You could also try to use the "Adv. In/Out" settings to fine tune the rules.

Thank you for clean answer. About not same feeds, yes it only mistake of copy-paste, this list was not alias native, but I asked about alias native in clarifying question.  :)