Just pfBlockerNG.  Deleted all lists manually, did a force update to clear everything, uninstalled the package, rebooted the machine and installed pfBlocker from scratch and re configured from a blank slate.

Not sure what preciusely that fixed, other then to know that it is now working as expected, again.

If Avast uses a CDN, it might be hit or miss with a TLD domain in the whitelist… Try your google FU and see if you can find the whole list of IPs that are used for the update process, or send Avast Support a request for those IP ranges.... Then add those IPs to the Whitelist....

To bypass DNSBL, you can configure the LAN devices to use a different DNS server and that should solve this issue for you. Could also run the DNS Forwarder (dnsmasq) on a different port….

Ah! So basically configure this at the device level. Android for example: https://support.opendns.com/hc/en-us/articles/228009007-Android-Configuration-instructions-for-OpenDNS

Thats a duplicable solution indeed. Thanks!

@Mr.:

BB: isn't the not-reporting-no-logging a bug?

Feature … :)

Someone needs to find a way to bypass those human validation measures in these sites to get the list to download...

Quoting the MaxMind doc:

Country, Registered Country, and Represented Country

We now distinguish between several types of country data. The country is the country where the IP address is located. The registered_country is the country in which the IP is registered. These two may differ in some cases.

Finally, we also include a represented_country key for some records. This is used when the IP address belongs to something like a military base. The represented_country is the country that the base represents. This can be useful for managing content licensing, among other uses.

@BBcan177:

No that is to increase the "State Table"…

System / Advanced / Firewall&NAT  -  Firewall Maximum Table Entries

too

BBCan177's fix above worked for me.
Let me take this opportunity to thank BBCan for his work on the pfblockerNG package - very impressive work fella!

@tonymorella:

@Mr.:

@RonpfS:

For DNSBL to work, all clients on all networks have to point to the DNS Resolver of the pfsense with DNSBL.

I'm trying to figure out the sentence to google for that actually gives relevant results so I can figure out what to do, Ron  ;D

I mean: how can I be sure/test my Windows, Linux and Android stuff do what you wrote above? Is it simply a case of DHCP an IP to all clients (including static P's), or is there more to be done (like disabling services on the clients, for example (?)).

Thank you for any tips  :P

Setup rules to redirect all DNS request to the local DNS

Firewall > NAT > Port Forward> Edit

Interface LAN

Protocal TCP/UDP

Click Invert match select LAN Address

Destination port range From Port DNS and to Port DNS

Redirect target IP 127.0.0.1

Redirect target port DNS

NAT reflection Use system default

Filter rule association Create new associated filter rule

Create rule that allows TCP/UDP from LAN net to  LAN address on port 53

Create rule that allows TCP/UDP from This Firewall to Any on port 53

For example, if a device has 8.8.8.8 setup as its DNS server this rule says anything that is not the LAN address for the request to 127.0.0.1 from port 53 to port 53

Tony

I am lost on last 2. Is the 2nd last one created under Firewall rules-lan
and the last one is firewall  rules-floating,

Thanks for sharing,
regards,
boatingdude

Did you see the DNSBL Feeds that i posted in the DNSBL sticky thread?

Hello

Thanks, tonymorella :)  ( the last space was my mistake )

Regards.

@jvamos:

I have been receiving reports of people having websites down. I could not replicate the problem.

I had the user recreate the issue and noticed he was clicking on the suggested sites at the top under the Google ad network. Same page but with an ad server in between. I corrected user behavior but couldn't help think this would be an issue in larger offices.

Anyone have a good workaround?

Josh

Yep notice this all the time. If the point is to block the ads, then user behavior is the way to go. If you want to allow, good ads add them to the whitelist or create a allow for the Google ASNs.

@johnpoz:

Curious would anyone else like to see slimmed down version of pfblocker?

I really don't want it creating auto firewall rules for me, no offense at your coding stills or anything.  I just do not like the idea of auto rules in any sense of the word.  But I do love the ability to easy pick IP blocks of specific countries to use in an alias.. You made that brain dead easy - would love to see package that does just that..

To answer: no. I think BB is, to put it in popular sitcom-TV terms: ""like" OMG".

Because BB probably (I haven't asked, so just guessing) has a Blueprint of '"The Ultimate Firewall Blocking Tool Set", and in such an ultimate tool set you want as many different tools.

Ah.  Thanks.  I think what I did will work.

This module never ceases to amaze.

Everything is starting to come together. This makes perfect sense! Exactly what I was looking for. At first I had no idea what you were saying but it was that I never fully read to understand these settings on these pages. Sorry to waste your time and thank you!

That did the trick, thanks for your help!

@BBcan177:

Click the blue Infoblock Icon in the DNSBL Feeds Tab when editing a "Group"….

The "DNSBL Settings" infoblock has this text:

Note:  AdBlock Easylists cannot be used in this Tab.

Yes yes im not using ADBlock EasyList… also as you said mentioned there Easylist cannot be used


BBcan177, exactly what I thought….

Thanks for demonstrating, and showing pfblockerNG works very well once more!

so;
If I allow inbound GeoIp rule for only US IPs then by default all other are denied?  True?.

but either way it looking like pfblocker is working. ( 100% again)
I'm now seeing the Geoip rules listed in the dashboard ( did not see any listed when using 2.1.1.2 )
no crash errors yet.
not seeing any allowed inbound from china or anywhere else
over 500 packets denied and Count > 3,000,000

Again Thanks,
I'll need to look at a reverse rule ( allow inbound US only) but I know just enough about firewalls to be dangerous or screw up the works so that no one get in our out.