Run the following command from the shell to re-download/re-build the MaxMind DB:

php /usr/local/www/pfblockerng/pfblockerng.php dc

Follow that with a "Force Reload - ALL".

My boss wants to allow facebook, and this info helps a lot.

I've set up the IP4 rule in pfBlockerNG as presented earlier (thanks), but I'm not getting all pictures though.

I do have a couple of questions:

1)  Are my changes supposed to be taking effect when I force update?  or only when I reboot?  (I seem to get different results at times)
2)  Should I permit Outbound only?  or Both?
3)  Should I allow the IP6 range for facebook?  see  (http://bgp.he.net/search?search%5Bsearch%5D=facebook&commit=Search for list)

I have tried all the above, but still missing a lot of pictures.

facebook does work fine when i disable pfBlockerNG.

P.S.  I've also turned on Alexa 1k whitelist…perhaps bumping that up would help?  But at what cost?

On my P4 386 system, Cron update takes 20-40 minutes to complete,
DNS reload of the 92MB pfb_dnsbl.conf takes 4-5 minutes.

2016-12-07 02:27:16 Daemon.Info 1.2.3.4 Dec  7 02:27:19 unbound: [66112:0] info: service stopped (unbound 1.5.10). 2016-12-07 02:31:23 Daemon.Info 1.2.3.4 Dec  7 02:31:26 unbound: [66112:0] info: start of service (unbound 1.5.10). ```During the reload, DNS fails, so it's not a bad idea to run cron update off-hours. As for the Maxmind database, once it is rebuilt, there is no need to run``` php /usr/local/www/pfblockerng/pfblockerng.php dc ```until something breaks or a new MaxMind database is released and for some reason the cron MaxMind update failed.

Thanks for the heads up!

Hey BBcan177,

you made my day!
This solved the issue:

@BBcan177:

Alternatively, you can try to manually run the MaxMind update process from the shell:

php /usr/local/www/pfblockerng/pfblockerng.php dc

Thanks a lot! And thanks for this helpful package!!!

Thanks

Good on the prod boxes. Whatever it is- it's just on initial sync. After that I can seem to make changes, etc. without issue and just let CRON do its job.

SOLVED. Thanks

@BBcan177:

See the following:
https://forum.pfsense.org/index.php?topic=102470.msg671811#msg671811

Will give it a go, thanks.

2.3.3 snapshots, browser being mostly Chrome. Why's unbound compiled without python, no idea.

@Mr.:

Thank you BB  :-*

Is it very difficult to have pfBlockerNG generate a human understandable error like 'feed is DOA'?

I just need to write a fully automated system to read the thoughts of each admin and configure/monitor/tweak ….  <grin>  :P :P

If I find a decent solution to improve this error, I will for sure add it to the code.... code name Jingle …</grin>

Hi,

I don't have your environment to test, but I do have some changes to the Lighttpd web server configuration to listen on 10.10.10.1 (For DNS requests made from pfSense itself) and log those blocked domains… Not sure if this will help your situation or not?

Save to  [  /var/unbound/pfb_dnsbl_lighty.conf  ]

# #pfBlockerNG Lighttpd DNSBL configuration file # server.bind                    = "0.0.0.0" server.port                    = "8081" server.event-handler            = "freebsd-kqueue" server.network-backend          = "freebsd-sendfile" server.dir-listing              = "disable" server.document-root            = "/usr/local/www/pfblockerng/www/" server.errorlog                = "/var/log/pfblockerng/dnsbl_error.log" server.pid-file                = "/var/run/dnsbl.pid" server.modules                  = ( "mod_access", "mod_fastcgi", "mod_rewrite" ) server.indexfiles              = ( "index.php" ) mimetype.assign                = ( ".html" => "text/html", ".gif" => "image/gif" ) url.access-deny                = ( "~", ".inc" ) fastcgi.server                  = ( ".php" => ( "localhost" => ( "socket" => "/var/run/php-fpm.socket", "broken-scriptfilename" => "enable" ) ) ) debug.log-condition-handling    = "enable" $HTTP["host"] =~ ".*" {         url.rewrite-once = ( ".*" => "index.php" ) } $SERVER["socket"] == "10.10.10.1:80" {         $HTTP["host"] =~ ".*" {                 url.rewrite-once = ( ".*" => "index.php" )         } } $SERVER["socket"] == "0.0.0.0:8443" {         ssl.engine              = "enable"         ssl.pemfile            = "/var/unbound/dnsbl_cert.pem"         ssl.use-sslv2          = "disable"         ssl.use-sslv3          = "disable"         ssl.honor-cipher-order  = "enable"         ssl.cipher-list        = "AES128+EECDH:AES256+EECDH:AES128+EDH:AES256+EDH:AES128-SHA:AES256-SHA:!aNULL:!eNULL:!DSS"         $HTTP["host"] =~ ".*" {                 url.rewrite-once = ( ".*" => "index.php" )         } } $SERVER["socket"] == "10.10.10.1:443" {         ssl.engine              = "enable"         ssl.pemfile            = "/var/unbound/dnsbl_cert.pem"         ssl.use-sslv2          = "disable"         ssl.use-sslv3          = "disable"         ssl.honor-cipher-order  = "enable"         ssl.cipher-list        = "AES128+EECDH:AES256+EECDH:AES128+EDH:AES256+EDH:AES128-SHA:AES256-SHA:!aNULL:!eNULL:!DSS"         $HTTP["host"] =~ ".*" {                 url.rewrite-once = ( ".*" => "index.php" )         } }

then:

/usr/local/etc/rc.d/dnsbl.sh restart

Note: The NAT address of 127.0.0.1, is defined here:

/usr/local/pkg/pfblockerng/pfblockerng.inc

https://github.com/pfsense/FreeBSD-ports/blob/devel/net/pfSense-pkg-pfBlockerNG/files/usr/local/pkg/pfblockerng/pfblockerng.inc#L791

Hi.

Stop the fw filter, via shell ( menú, option 8 ) Shell):```

pfctl -d

Reconfigure your pfBlockerNG or whatever you need. … and enable the fw filter again

pfctl -e

Regards.

Either will work… Up to you whats an easier method to manage...

I haven't tested these myself, but you could try these for Proxy blocking …

http://tools.rosinstrument.com/proxy/l100.xml
http://tools.rosinstrument.com/proxy/plab100.xml
http://www.xroxy.com/proxyrss.xml
http://www.sslproxies.org/
http://www.socks-proxy.net/
http://www.proxz.com/proxylists.xml
http://www.proxylists.net/proxylists.xml
http://txt.proxyspy.net/proxy.txt
http://www.proxyrss.com/proxylists/all.gz

I just found the problem!

For LAN I have firewall rules that allow/pass some ports and, at the end, a deny all rule. Apparently with this setum (i.e. no default allow rule) for DNSBL to work properly two rules need to be added:
on LAN, pass source any, destination 127.0.0.1 port 8081
on LAN, pass source any, destination 127.0.0.1 port 8443

In fact, before this rules DNSBL was working…kind of, the browser was timing out to each blocked blockec dns/ip.

Hopefully this will help others newbe to pfBlockNG.

I take this as an opportunity to thank BBcan177 for the outstanding work!

SenseRider

You should not need to do anything manually. It will install dependencies automatically.

Post the whole output from the install attempt that failed.

Hi.

ok, i see now. Do not edit floating rule (sorry  :) )
Set to "Permit Inbound" in pfBlockerNG to AUstralia, both its not necessay.
As you already have the rule of nat port forwarding, I suppose it was automatically created (along with the nat) one rule in the lan to allow access from wan to the port tcp3389 at the rdp server, and at wan,the pfBlockerNG floating rule permit traffic from AUstralia. An the default (last rule) rule at wan, block the rest.

Regards

Do you have suppression enabled?

https://forum.pfsense.org/index.php?topic=105977.msg592741#msg592741

Yep, tried it both ways plus placing DNS server addresses in the OPEN VPN override bit  (using openvpn as main interface so all traffic is thru the VPN)  and anywhere else I can find to put them but its ignored.

Seems to be a problem with DNS resolver or my inability to find how to set up DNS on the system