If I read the thread so far correctly, you are in a position that you have added DNS blackholes for facebook.com and google.com, but are unhappy that the domain fbcdn.net and traffic to facebook's IP space are not blocked when you expected them to be.

The behaviour you're seeing is correct for the configuration you have so far, if you want other domains blocked (like fbcdn.net) then you need to block them in your list as you have done for the other domains.  Many other domains for both facebook and google will also not be blocked (for example youtube.com even though it is part of google).

Even when you block the DNS request pfSense will not stop traffic going to IP addresses directly (for example pinging 31.13.70.7 would still work).  To block traffic entirely you would need to add their domain/AS numbers to IP4 & IP6 lists (Google are AS15169 and facebook are AS32934) and tick the 'domain/AS' box.  I can't remember if you need to include AS prefix as part of the number or not, I'm sure someone will be able to confirm that for you.

Did you enable the "DNSBL Permit Rule" option?  If not, enable that and select all of the LAN Subnets in the select box that need to access the DNSBL VIP. This will create a floating permit rule which will allow those other subnets.

Floating rules are processed first, followed by the other Interface Rules. Rules are also processed Top to Bottom.

You don't need those two other NAT Port forward rules.

@bartkowski:

Or the RAW format https://gist.githubusercontent.com/BBcan177/4a8bf37c131be4803cb2/raw/396eb85f00418569cd5e82f71b9d96275163d970/MS-2

Best to use the RAW format. Keep in mind that you need to remove the last part of the Gist URL or you will not download any further commits to the Gist.

Here is the URL that can be used in the package:
https://gist.githubusercontent.com/BBcan177/4a8bf37c131be4803cb2/raw

Thank you for the link and explanation.

You can add this to the IPv4 and v6 tabs as required and it should pull in the respective IP addresses. It will pull all the IPs into one alias. The domain names will not be parsed tho.

When you click on the suppression icon, pfBlockerNG will Whitelist the domain and it's CNAMEs.  8)

I you do the suppression directly in the DNSBL Whitelist, you have to find the CNAMEs and add them to the list.  ;)

Thanks.  That might have something to do with it.  I think the log entries that refer to the number of entries added/deleted refer to the alias files?  Even if the permit file is deleted upon saving the config, it wasn't clear to me that the corresponding entries would be removed from the alias file until the force update was run.  Therefore I would have expected the log nevertheless to show the number of entries being deleted.

I've excerpted the relevant log entries below.  In this example, I disabled Switzerland and enabled Japan in one step, saved, then ran force update.  You can see that there is no reference to deleted entries, and the "last updated list summary" still refers to Switzerland (though it's been properly removed from the other sections).

Thanks.

**Saving configuration [ 05/12/17 10:13:15 ] ... [ Removing List(s) : InboundPermCH ] Archiving Aliastable folder Archiving selected pfBlockerNG files. **Saving configuration [ 05/12/17 10:15:38 ] ... UPDATE PROCESS START [ 05/12/17 10:15:55 ] ... ===[  IPv4 Process  ]================================================= ... [ InboundPermGB ] Reload [ 05/12/17 10:18:32 ] . completed .. [ InboundPermJP ] Downloading update [ 05/12/17 10:18:35 ] .. completed .. ... ===[  Aliastables / Rules  ]========================================== No changes to Firewall rules, skipping Filter Reload ... Updating: pfB_iBlockList 64 addresses added.11 addresses deleted. Updating: pfB_Inbound_permit 4583 addresses added. Archiving Aliastable folder Archiving selected pfBlockerNG files. ===[ FINAL Processing ]=====================================   [ Original IP count  ]  [ 490720 ]   [ Final IP Count  ]  [ 432383 ] ===[ Permit List IP Counts ]=========================   22599 total   18016 /var/db/pfblockerng/permit/InboundPermGB.txt     4583 /var/db/pfblockerng/permit/InboundPermJP.txt ... ====================[ Last Updated List Summary ]============== ... May 12 00:17 InboundPermGB May 12 00:17 InboundPermCH May 12 10:18 InboundPermJP =============================================================== .. Alias table IP Counts -----------------------------   545732 total ...   22599 /var/db/aliastables/pfB_Inbound_permit.txt ... UPDATE PROCESS ENDED [ 05/12/17 10:20:18 ]

If it can help, you need to select the List action "Alias Permit" to prevent auto rule creation - I had the same issue as above.

The pfSense Max Table entries is a table setting for all aliastables in total…

grep -c ^ /var/db/aliastables/*.txt

And it usually needs about 30% more…

Yes I understand this however, I'm going to be turning on "both" not just "inbound" on the FW.  I'm easing my way into blocking country outbound SO I need to enabled GEO IP Block.

I haven't quite figured out what was going on BUT it's possible this was a SNORT issue or perhaps a DNS resolution issue at the time.

This might be a non-issue.  I've turned pfbng back on, have cleaned a few things up and it seems like all is well.

Thanks for your feedback.

There aren't many IPv6 Feeds:

https://www.spamhaus.org/drop/dropv6.txt
https://www.myip.ms/files/blacklist/csf/latest_blacklist.txt

Choose one of the following (recommend the first one):
https://www.stopforumspam.com/downloads/listed_ip_30_ipv6.zip
https://www.stopforumspam.com/downloads/listed_ip_1_ipv6.zip
https://www.stopforumspam.com/downloads/listed_ip_7_ipv6.zip
https://www.stopforumspam.com/downloads/listed_ip_90_ipv6.zip
https://www.stopforumspam.com/downloads/listed_ip_180_ipv6.zip
https://www.stopforumspam.com/downloads/listed_ip_365_ipv6.zip

Note: v2.1.1_8 has an issue with IPv6 lists, use "Alias Type" settings until the next release.

Hey, so I ran into this a while ago… Went through and white listed all sorts of domains that amazon wanted me to let through. I honestly think it's an issue with their app.  If you keep white listing, you'll eventually find that they are serving ads from 3rd party sites as well. It ends up being a pretty big rabbit hole.

Unfortunately i ended up giving up, i just go to amazon in Chrome with all the sites still blocked, and have no issues. I think the Amazon app doesn't know how to deal with not being able to get to a site. Where Chrome just moves on...

When you add a new Feed, it will download the feed and wait for the next Cron task. Each DNSBL Group has an "Update Frequency" setting where you can configure the update settings.

If you want to force a download of a particular feed:

Goto Logs Tab > Log/File Type > "DNSBL Files" > open Feed > Click on "Delete Icon" > Force Update OR From shell: rm /var/db/pfblockerng/dnsbl/ <insert name="" of="" feed="" header="" here=""> .txt</insert>

Run the following command to see which feed contains that IP:

grep "8.8.8.8" /var/db/pfblockerng/deny/*

If you enable the suppression feature, it will add a "+" icon in the Alerts tab which can be used to suppress this IP. This IP shouldn't be listed in any feed, so once you find out which feed listed that IP, you may want to report it to the feed maintainer.

@moscato359:

Do you prune your IP lists over time?

Sometimes old IPs get released, and handed to someone else.

Most lists only keep the last 30 days at longest.

I only remove IP address if I am contacted by the current owner of the IP address and our interactions convince me that the IP address is not likely to send out spam in the future.

The bulk of the IP addresses in SpamList fall into one of two categories:

1.  Machines at hosting providers who don't care if their clients use their systems to send out spam.  Even if the current customer gives up and stops paying to use those IP addresses to send out spam, it is likely that in the future some other customer will pick them up and start sending out spam.

2.  Compromised machines that are being used to send out spam.  Even if the machine is cleaned up, most people who are compromised once will be compromised again repeatedly.  So it is likely their IP address will send out spam in the future.

The first command returned nothing but the second one returned the following at least a hundred times.

/var/db/aliastables/pfB_BlockListMalware.txt:127.0.0.1

I checked my malware lists and this one seems to be the problem.

http://www.malwaredomainlist.com/hostslist/hosts.txt

I deleted it, forced a reload and it continued to show the loopback address listed in the malware block list.  So, I disabled the entire list, forced a reload, re-enabled it, forced another reload and, while I'm not entirely sure it's still using the malware blocklist, at least it's not returning the loopback address when I enter the command anymore.

I might try rebooting my router, just to see if that sorts everything out.

Either way, thanks for the help.

@BBcan177:

@LIGISTX:

You are awesome. Thanks!

Anytime… Thanks for using my package  8)

Now I just need to figure out snort  :-X

As I stated in my reply above, you cannot use these EasyList feeds by adding them to the DNSBL Feeds tab. They will not parse properly.

The only EasyList feeds that are usable in DNSBL are hardcoded in the EasyList tab. Only certain portions of the EasyList/EasyPrivacy are useable in a DNSBL filter. See the categories in the EasyList tab to see which categories are usable.

The next version of pfBlockerNG will have all of the EasyList Language Feeds included.

set DNSBL IP Firewall Rule Settings>List Action>Deny outbounded instead of both
and remove any PIA DNS server ip from Services>DHCP Server>LAN

for firewall rules, follow PIA pfsense guide, (go to end of page) https://www.privateinternetaccess.com/pages/client-support/pfsense

@mugabemkomo:

The only errors I get is:
unbound 22943:0 error: cannot chdir to directory: (No such file or directory)

This "error" has been present for ages. It doesn't cause any problem as far as I know.