• Whitelisting advice….

    0 Votes
    2 Posts
    763 Views
    BBcan177

    To overcome an IP blocked event, you have two choices:

    Suppression - This is limited to only /32 and /24 blocked events.

    Add the IP to a Permit Alias; that will permit the IP outbound before the Block rules take effect.

  • Can we create a diagnostic sticky?

    0 Votes
    7 Posts
    522 Views

    @RonpfS:

    You are using the pfSense DNS Resolver?
    And your PCs are using pfSense for DNS service?
    Maybe post the logs after a Force Reload DNSBL ?

    If my settings are correct I should be using the DNS Resolver.

    Most of my connected devices are set up with static settings. For each, they use pfSense's interface gateway address for the DNS address. For example, the PC I have been using for testing pfSense has an IP of 192.168.10.10, the gateway is 192.168.10.1 and the DNS is also 192.168.10.1.

  • DNSBL Config Question

    0 Votes
    4 Posts
    913 Views
    RonpfS

    @tagit446:

    @RonpfS:

    You select the Interfaces where devices use pfSense/DNSBL for DNS resolution. This will create NAT rules to forward Web requests to the VIP.

    Please elaborate as I use it on all interfaces (I thought?) but this option only allows you to choose one from the drop down.

    Yeah, I wasn't on the DNSBL tab at the time. So you select one of the LAN interfaces then ;)

    @tagit446:

    Have to admit this one confuses me due to the VPN.

    I don't have VPNs here.

  • How to stop pfblockerNG from blocking sites??

    0 Votes
    4 Posts
    2k Views
    RonpfS

    Most domain names end up as the TLD if you enabled TLD.

    For example : 6634248.fls.doubleclick.net

    grep 6634248.doubleclick.net /var/unbound/pfb_dnsbl.conf

    grep fls.doubleclick.net /var/unbound/pfb_dnsbl.conf

    grep doubleclick.net /var/unbound/pfb_dnsbl.conf

    local-data: "www.doubleclick.net.my 60 IN A 10.10.10.1"
    local-zone: "doubleclick.net" redirect local-data: "doubleclick.net 60 IN A 10.10.10.1"

    If you put 6634248.fls.doubleclick.net in the Custom whitelist, it won't whitelist it, as any request for *.doubleclick.net will give the VIP address.

    So if you want to whitelist all subdomains *.doubleclick.net, you add *.doubleclick.net to the Custom whitelist.

    If you want to only whitelist 6634248.fls.doubleclick.net, then you have to put doubleclick.net in the TLD Exclusion List. Do a Force Reload DNSBL; now, instead of collapsing all doubleclick.net domain names into *.doubleclick.net, it will just collect all doubleclick.net domain names as they are listed in the tables. This could increase the number of Domains in DNSBL by hundreds.

    After the Force Reload DNSBL, you can then whitelist any doubleclick.net domain from the Alerts Tab or with Custom Whitelist.

    When you are done whitelisting domains, I recommend running Force Reload DNSBL to settle things. Sometimes whitelisting temporarily vanishes at a Cron Update if the table containing the whitelisted domain names isn't downloaded, then magically returns at the next Cron update that downloads the table.

  • How to get DNSBL to work

    0 Votes
    2 Posts
    394 Views

    Got it working by selecting unbound in the DNSBL feed when creating the blacklist. Also restarted pfSense.

    Thanks,
    Sub

  • Need settings explanation

    0 Votes
    2 Posts
    502 Views
    BBcan177

    Ram Disks aren't really recommended for packages, as they store the package data in the /var folder which with RAM Disks is all lost on a reboot….

    So when you do reboot, you will need to run a Force Reload - ALL to get everything working again.

  • PfBlockerNG and another DNS server within LAN

    0 Votes
    3 Posts
    1k Views

    @BBcan177:

    You can still use an internal DNS server. You just have to make sure that the internal DNS server has its external forwarders set to only pfSense. To utilize DNSBL, you will need to use Unbound and not the DNSMasq forwarder in pfSense.

    That's what I thought, thank you!

  • DNSBL enable/disable is independent of General disable/enable

    0 Votes
    3 Posts
    635 Views
    Qinn

    @BBcan177:

    This has been addressed in the upcoming release.

    Also Malc0de shouldn't have added Github. They don't seem to have a contact. So hard to remove those False positives upstream. You can either suppress or whitelist it.

    Thanks for letting me know.

    Season greetings and cheers Qinn

    btw looking forward to v2.2x ;)

  • PfBlockerNG and NAT

    0 Votes
    3 Posts
    2k Views

    Thank you BBcan177. I clarified my post a bit, although you answered my questions. So I will modify my configuration as suggested by you:
    @BBcan177:

    You can define your own GeoIP aliastables by going to the IPv4/6 Tab and in the Source field, add the full path of the GeoIP ISO code.

    I have to find that GeoIP ISO code list because a copy pasted table won't be updated.
    @BBcan177:

    So instead of adding the rules on the NAT rule, create the rules in the Floating Tab or on each individual Interface.

    This will hopefully solve this inconsistency:
    @ui5-5e:

    NAT, or rather the corresponding FW rule, takes it all (custom port, protocol, block, pass). Thus neither the pfBlockerNG general settings (permit/deny etc.) nor the pfBlockerNG advanced inbound settings (protocol, port alias) have any impact, as long as they are used in the NAT (source) definition.

    I have thankfully been using pfSense and pfBlockerNG for years :)

  • Correct Way to Bypass

    0 Votes
    6 Posts
    2k Views
    BBcan177

    Click on the ( i ) infoblock in the IPv4 tab in the "List Action" setting… This will explain how to use "Alias type" rules... All the rules that you are showing are "Auto" type rules..... You need to use either "Alias Deny", "Alias Permit", "Alias Match" or "Alias Native".

  • Optimizing pfBlockerng configuration

    0 Votes
    1 Posts
    2k Views
    No one has replied

  • Cron issue

    0 Votes
    7 Posts
    1k Views

    Found the issue.

    I don't know how it happened (I must have done it somehow), but in the Alexa whitelist settings, none of the TLD Inclusions were selected. I re-selected the defaults, and now everything seems to be working.

    Thanks for pointing me in the right direction BBcan177

  • PFBlocker DNSBL TLD Blacklist

    0 Votes
    1 Votes
    2 Posts
    4k Views
    BBcan177

    @sias:

    I found a guide to set up domain blocking that talked about putting domains in the TLD Blacklist. I tried doing that and forcing the update, but it still doesn't block. Is this the right way of doing domain blocking, or is there another method?

    The TLD Blacklist is used to Blacklist a whole TLD like "cn" or "ru" etc…

    Follow the guide here to use DNSBL:
    https://forum.pfsense.org/index.php?topic=102470.msg572943#msg572943

  • Best way to geo-block on VPN ports

    0 Votes
    2 Posts
    620 Views
    BBcan177

    There are many ways to do that… But I would recommend creating Permit Inbound rules instead. This way you're not going to fill the logs with all of the IPs that were blocked hitting that rule… So less noise means you can review the logs for real events that need attention :)

    It's always better to try to limit the allowed IPs to as small a range as possible... There are still a lot of IPs in North America... But it's still better than leaving it wide open...

  • DNSBL blocks itself

    0 Votes
    8 Posts
    1k Views
    BBcan177

    @lpallard:

    Seems to be fixed now. I added the top domain to the Custom Whitelist, but instead of adding the domain manually like

    ".githubusercontent.com"

    I clicked on the + sign on the alert page, and the following domains were added:

    .githubusercontent.com
    .github.map.fastly.net # CNAME for (raw.githubusercontent.com)

    I think the problem was that ".github.map.fastly.net" needed to be added as well. Now it's working.

    Yes Whitelisting from the Alerts tab is the best, as it will automatically whitelist any CNAMES…

    You can still whitelist manually, but you should check for CNAMES... You could use a command as follows to find them:

    drill example.com @8.8.8.8

  • PfBlocker Problems

    0 Votes
    30 Posts
    5k Views
    BBcan177

    @Riftcore34:

    yea I did try Forwarding mode but pfblocker did not work with it on and resolver off :)

    Unbound can be used in "Forwarder" or "Resolver" mode…  So don't get that mixed up with DNSMasq which is a "Forwarder" only... :)

  • Constant unresolvable alias alerts

    0 Votes
    9 Posts
    6k Views

    @RonpfS:

    @lordbob75:

    I don't believe there will be, but could deleting that cause any problems?

    Well I don't know, maybe at some point you did some tests and now it's not needed.
    Removing them already solved the email problem ;)  ;D

    Fairly sure I messed with some IP lists at some point, but never noticed the new rule or whatever.  Still don't know a whole lot about networking and firewalls so I don't always recognize things like this.

    Alerts have definitely gone away at this point, thank you so much for helping me nail that down.

  • Secure configuration of DNSBL?

    0 Votes
    1 Posts
    785 Views
    No one has replied

  • 504 Gateway Timeout on pfSense 2.4

    0 Votes
    11 Posts
    9k Views

    @BBcan177:

    Can you try the following patch?
    https://forum.pfsense.org/index.php?topic=110515.60

    I tried the patch, it worked for a few days. But now the UI hangs when connecting. Seems like there is a memory leak somewhere or something.

  • IDS/IPS with pfblockerNG

    0 Votes
    4 Posts
    2k Views

    bmeeks put a great guide together, a little dated but still a good thread…(thanks bmeeks!)
    https://forum.pfsense.org/index.php?topic=61018.0

    This is a more recent thread:
    https://doc.pfsense.org/index.php/Setup_Snort_Package

    This will get you going...

    My suggestions would be:

    When you set up the interfaces, resist the temptation to "Block Offenders" at the start... you can use it as an IDS, then move to IPS. It will block a lot! Use the "Snort VRT IPS Policy Selection" to start, depending on your needs... i.e. Balanced/Connectivity/Security. Use the "Service_Watchdog" package as well in case it stops...

    I think any of the IDS/IPS packages use hardware resources... so make sure your setup is strong enough... not hard to set up! Requires some attention to get going... quite a few false positives to start that block traffic (hence start with IDS to start).

    Good luck...

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.