@BBcan177:

@HeatmiserNYC:

Hey BBCan,
Ran into some strangeness over the last few days. Why would I only be getting this in my logs? It appears that nothing else is resolving….

If your referring to the "unknown" msg, then that is normal for HTTPS alerts, the browser fails to load the DNSBL webserver (as expected) and as such only a portion of the alert can be logged. Hover over the key icon.

Did something change in with the logging? I'm fairly certain I never saw those messages on a regular basis. It was always source/destination of visited websites…..

If you manually add IPs to a customlist, you need to check the "Update custom list" checkbox, then goto the Update tab, and Force Update. Otherwise the Customlist is updated as per the "Frequency" setting of the Alias.

The next version will be more intuitive to know when the Customlist has changed…

@BBcan177:

Did you enable the "TLD" option? Without TLD, only the listed domain/sub-domain is blocked…

So without TLD:

example.com will be blocked
    sub.example.com will not be blocked

With TLD:

All sub-domains are blocked.

Thanks!  I figured I was missing something simple  ::)  the search result link was going through because it had a "www." on the front.  Enabling TLD fixed it.

@BBcan177:

The next version of the package will have a "Feeds Management" Tab, that lists the recommended IPv4/IPv6/DNSBL feeds… So this will be easier to manage... Also when Feeds change, those changes will be visible in the Feeds Tab...

This sounds like a fantastic feature. Can't wait to play with it!

You can use the pfBlockerNG Log Tab.

Goto "Original IP Files", then view the contents of the original Feed.

Goto "Deny" or "Permit" or "Match" (Depending on how you configured the Alias), and view the parsed IP file contents.

Or goto the shell, and view the files from the subfolders in  /var/db/pfblockerng/

Those people should be sent to North-Korea, BB  :-*

(Having said that: it could also be possible people hit the wrong button by accident - and never bothered to inform you about it. I think I've read somewhere in the past board mods can reset your count to 0).

SAME ISSUE here..

i blocked youtube via win10 machines via the host file…

Thank you for your fast reply, and good information.

I forgot to mention, since you are hardening your system to defend against active attackers, securing your DNS queries is a very important piece of that. Unbound is a very secure resolver so I would recommend taking some time to familiarize yourself with it and optimizing and hardening its settings. By using Unbound, hardening it and only sending queries out through a VPN you are probably effectively impervious to DNS attacks from the massive majority of hacking. Check out this article and here are some suggestions for settings. https://calomel.org/unbound_dns.html

Enable DNSSEC Support (this is authentication for your DNS queries to avoid spoofing attacks, kind of like SHA)

NO Forwarding Mode
NO DHCP Registration
NO Static DHCP
Hide Identity
Hide Version
Prefetch Support
Prefetch DNS Key Support
Harden DNSSEC Data

You might be interested in the Unwanted Reply Threshold, but I've never used it and know nothing about it

Experimental Bit 0x20 Support

Which rules are you referring to?

You can try to use the "Adv. In/out" rule settings to create a pfB rule. The customlist at the bottom of the alias settings can be used to add IPs. Entering "0.0.0.0/0" for "any".

Alternatively, use "Alias type" rules and configure the pfB rules as required.

In the Ipv4/6 tabs, you can set the State setting to "Flex" which will lower the ssl requirements. Click on the blue infoblock icons for further details.

Yeah TLD + More lists + Force Google Safe Search & Block other search engines, block TOR, block VPNs, and you'll still have leaks in your ship.

Like you said, it's an impossible feat to actually block porn unless you whitelist the internet.

But you can do a really good job of avoiding it unless it is overtly searched for. That's about the best you can search for without going to extremes.

@Nic12:

Ok, it seems that I misunderstood some basic principles of pfBlockerNG.
"Advanced Outbound Firewall Rule Settings" and "Floating rules" misled me.
Sorry for the newbie questions… ???

Please, read the description there:

Configure settings for Firewall Rules when any DNSBL Feed contain IP Addresses

I'm using pfBNG & DNSBL on 2.4.0 BETA with Unbound and it works great.

@Wolf666:

I don't see it available on 2.4 repository.

Thanks, I sent the devs a message!

Thanks BBcan177.  I was confused, I thought the "Terminated - Easylists cannot be used" message was referring to the easylists provided by default in pfblocker.  I removed the incompatible lists and the message went away.

@micropone:

using my WAn (comcast) pfb DNSBLIP has many ip address in it… have no clue how the ip addresses got there..

In DNSBL, you added the "DNSBL IP" option that collects any IP address that's found in a DNSBL Feed and adds it to a block firewall rule.  All DNSBL Domains are blocked via DNS Resolver (Unbound).

I don't recommend to use the Firehole Level 1 for Outbound. That list contains Bogon IP Addresses…

The pkg doesn't have that option. You could create another pfSense Box and use the XMLRPC Sync tab to copy the settings.

The next version of the pkg will have a Feed Management Tab that will have auto-import capabilities…

There is an Red url in the GeoIP tabs :

@ :

GeoIP data by MaxMind Inc. - GeoLite2
Click here for IMPORTANT info –> What new in GeoIP2

Country, Registered Country, and Represented Country

We now distinguish between several types of country data. The country is the country where the IP address is located. The registered_country is the country in which the IP is registered. These two may differ in some cases.

Finally, we also include a represented_country key for some records. This is used when the IP address belongs to something like a military base. The represented_country is the country that the base represents. This can be useful for managing content licensing, among other uses.